Forensic watermarking provides an efficient deterrent against pirated copies of content.

It is the means by which a unique identifying code is inserted into a media asset. By adding a unique identity disseminated throughout a piece of media, that content, along with its owner, becomes identifiable.

Digital watermarks are used to enforce contractual compliance between a content owner and the intended recipient. It provides proof of misuse and a link back to the source of a leakage. It is one of the most powerful means to protect media content.


Apache SmartEmbedder

The Apache SmartEmbedder (ASE) is a module that allows the integration of the NexGuard-Streaming technology into a content distribution workflow. It is intended to organize per-session water- marking for MP4 file download mode and ABR streaming mode.

It is available on Red Hat/Centos 6, Red Hat/Centos 7 and Ubuntu 14.

For installation and configuration please refer to the NexGuard-Streaming Apache SmartEmbedder documentation.

The input to ASE is content prepared with the NexGuard-Streaming Preprocessor (which includes H.264 encoding) and is stored on disk as a .mmrk preprocessed file. The output from ASE is byte range of watermarked MP4 with a unique ID. The NexGuard video watermark is imperceptible. The solution enables forensic tracking and is a deterrent against content theft.

Watermarked MP4 progressive files (a.k.a. 'mmrk' files) with multiple bit rate renditions can be grouped in a manifest file with the extension 'smil' or 'ism'. Thus, customers can identify which files have been encoded at the same time with different bit rates. Here is an example with 2 bit rate renditions:

<?xml version="1.0" encoding="utf-8"?>
<smil xmlns="http://www.w3.org/2001/SMIL20/Language">
      <video src="myFile__750kbps.mp4" systemBitrate="750000"/>
      <video src="myFile_1500kbps.mp4" systemBitrate="1500000"/>

Using USP and NexGuard ASE

The Apache server is started and its home page is accessible from any web browser:


At least one 'mmrk' file has been copied in the Apache server DocumentRoot (sub)folder (e.g. /var/www/html/myFile_750kbps.mmrk):


The path consists of the following elements:

Value Description
streampath stream path without the extension (e.g. 'myFolder/myStream-1000Kbps')
txid payload value to smart embed (in hexadecimal)
manifest-ext manifest extension ('smil' or 'ism')

Unified Origin configuration

The Unified Origin is configured following HTTP Proxy, so using the IsmProxyPass directive, e.g.:

<Directory /var/www/ase>
  IsmProxyPass http://ase-hostname/

The IsmProxyPass directive will map a request containing 'ase' in it's patch to the apache-smart-embedder. There should be no 'ase' directory on disk.

Url Description

The URL for accessing a SmartEmbedded stream is different from the standard Unified Streaming URL since a transaction ID must be specified:

Value Description
strname stream name without extension (folder and stream path, e.g. myFolder/myStream)
txID unique transaction identifier for each client (hexadecimal value)
ext media extension ('mp4' or 'smil')
post-fix option information specific to player technology (e.g. 'Manifest' for Smooth Streaming, '.m3u8' for HLS)

Single bit rate

For single bit rate, the media type use is 'mp4'. The myID parameter is a per-session identifier as a hexadecimal number without the 0x prefix.

Value Description
HLS http://usp-hostname/ase/myStream.A1B2.mp4/.m3u8
Smooth Streaming http://usp-hostname/ase/myStream.mp4/Manifest

From the received manifest file, then any chunk (or fragment) can be downloaded, for instance HLS:


Adaptive bit rate

For adaptive bit rate, the media type use is 'ism'.

Value Description
HLS http://usp-hostname/myStream.A1B2.ism/.m3u8
Smooth Streaming http://usp-hostname/myStream.A1B2.ism/Manifest

From the received manifest file, then any chunk (or fragment) can be downloaded, for instance for HLS: