ContentArmor News | 28 April 2021

ContentArmor and
Limelight Networks reinvent OTT watermarking



Piracy of high value content such as new movie releases can be devastating to its legitimate owners, rights holders, advertisers and distributors.  With the help of a Content Delivery Network (CDN) , live sporting events are now regularly streamed, and even new films slated for theatrical release are being released for online delivery simultaneously or soon after. Piracy places the entire media business model at risk.

The ability to quickly identify perpetrators of media piracy incidents is increasingly critical to deterring such piracy and minimizing the damage when it occurs. A highly effective technique known as forensic watermarking can solve this challenge. Forensic watermarking is used to  create a uniquely identifiable stream for each consumer’s video streaming session. Thus, consumers who copy and distribute the video stream illegally can be traced and caught.

Since the CDN edge is where all individual consumer streaming sessions are delivered from, it is a logical place to run vital forensic watermarking piracy mitigation functions. A highly effective scenario utilizes distributed serverless computing resources deployed at multiple locations at the edges of a CDN. In this scenario, forensic watermarking can be applied to individual video streams at the network edge close to the viewer, minimizing latency while maximizing the ability to protect content at scale. An approach widely adopted by the industry today consists in making the CDN edge server redirect chunk requests in order to deliver either a version A or a version B of the requested chunk to the player depending on some identifier. Each user is delivered a unique sequence of A and B video chunks encoding a watermark identifier (WMID)  for tracing purposes. However, this strategy, routinely referred to as A/B watermarking with redirection at the edge, requires storing two A/B variants on the Origin Server and having the two versions traversing the CDN caching infrastructure. By design, A/B watermarking also limits the insertion pace of the WMID to one bit of information per chunk.

In this paper, we detail an alternative solution for forensic watermarking that leverages  enhanced edge computing capabilities. Limelight Networks’ EdgeFunctions serverless edge computing platform provides the means to modify the body of the response sent by the edge. In other words, it enables modifying the actual encoded video stream in an OTT ABR (adaptive bit rate) video delivery system. Combining this capability with ContentArmor’s unique bitstream video watermarking technology paves the way for a new forensic watermarking approach where only a single version of the asset is needed. This approach reduces storage and bandwidth requirements and improves time-to-live in cache compared to A/B watermarking.

Solution Elements


As depicted in Figure 1, the specifics of ABR on-the-fly forensic watermarking at the edge are articulated around three main processing steps:

(i) preparing the video asset for OTT distribution,

(ii) assigning a WMID to a viewing session and

(iii) modifying the single copy of any video chunk travelling through the CDN to incorporate watermarking changes that encode the desired WMID.

Figure 1: ABR on-the-fly forensic watermarking at the edge

On the back-end side, the video content to be distributed is fed to the ContentArmor Profiler after ABR transcoding. This component is responsible for inspecting the encoded video bitstream and identifying locations in the bitstream where changes can be applied to encode a WMID. The result of this analysis is encoded as metadata that is encapsulated alongside the video bitstream at packaging time. Depending on the encryption scheme to be supported, the size of ContentArmor metadata amounts to one or two orders of magnitude less compared to video content full duplication. To improve latency performances, typically in Live scenarios, ContentArmor Profiler can be integrated with the transcoder rather than being placed post-transcoding.

On the consumer side, the video player requests a WMID at the beginning of any viewing session. The WMID is typically served as a secure JSON web token included in any request of the underlying video OTT delivery protocol such as playlist/manifest requests and media chunks requests.

A video request will be handled by the Limelight CDN, which will spawn a function request to Limelight EdgeFunctions. First, EdgeFunctions will verify the authenticity, integrity and validity of the WMID token. If the compliance tests are satisfied, EdgeFunctions applies the ContentArmor watermark embedding function to the requested encrypted ABR video chunk with ContentArmor metadata using the WMID provided in the token.

In other words, the video chunk that has transited through the CDN is serialized before the very last hop of the OTT delivery architecture, by consuming the metadata incorporated in the video chunk at the back-end and by applying changes according to a WMID bound to the streaming session. This function is very lightweight and can be efficiently executed by Limelight EdgeFunctions in a region close to the viewer.

Key Facts


This new watermarking at the edge paradigm is enabled by two complementary technologies. The ContentArmor two-step forensic watermarking technology performs watermark embedding operations directly onto the encoded video bitstream, working hand in hand with Limelight EdgeFunctions which runs the logic to modify the HTTP response before leaving the CDN. Together, these technologies yield a forensic watermarking system that overcomes several pain points of earlier methods:

Lower storage and bandwidth footprint. The metadata that is incorporated to enable watermark embedding at the edge has a much smaller impact than that of fully duplicating the asset. It translates into a smaller storage footprint at the Origin and lower bandwidth requirements within the CDN.

Improved cache performance. By design, a single variant of the asset travels through the CDN, thereby increasing the time to live in cache and lowering the probability of cache miss.

Faster watermark embedding pace. In contrast with A/B watermarking, the ABR segmentation is no longer a hard limitation for the WMID insertion pace. Several bits of the WMID can be embedded in a single chunk .

Secure trust model. Security-critical operations are performed in the network, not the video client, which lowers the risks in deployments with open devices.

Easier asset management. Since there is no longer a need for two A/B variants on the headend, the ingest workflow is notably simplified.


Interested? If you want more info we can help you

Contact Us

Close Contact



    Stay in touch


      Share this content