èƵ

Fooling AI can now be done a thousand times faster

By changing an image pixel by pixel, neural networks can be tricked into thinking a dog is two people skiing
A picture of a dog in the snow
To human eyes, this is obviously a dog in the snow
Meike Engels/Alamy

Tricking artificial intelligence has never been easier. One way is to fool an AI into misclassifying an image by misinforming it about what that file shows. Such “adversarial examples” can now be generated a thousand times faster than before.

at the Massachusetts Institute of Technology and his colleagues have created an algorithm that produces a thousand adversarial examples to fool Google’s image recognition system – Google Cloud Vision. One was an image of a dog that was wrongly identified as a picture of two people skiing. In principle, each attack could be completed in several minutes, Athalye says.

The system works by taking an image and changing it pixel by pixel into a different one. Throughout the process, it pings Google Cloud Vision to see how it classifies the image, and makes sure that it still thinks it’s looking at the original, even though the final image is completely changed to a human eye.

Image recognition relies on algorithms called deep neural networks and they can often make mistakes that look silly to humans. For example, earlier this year the MIT team showed that the same principles apply in the physical realm by tricking a neural network into thinking that a 3D printed turtle was a rifle.

What is most mysterious is how an image that fools one network can also fool another, says at Wyoming University. He has produced an image that more than one deep neural network was over 99 per cent confident was a starfish, yet to humans it just looked like a load of squiggly lines. “It is as if all the deep neural networks in the world are sitting around saying ‘Why don’t these silly humans realise this is a starfish?’” says Clune.

The potential impact of adversarial examples on any software that relies on image recognition, like self-driving cars or facial recognition security technology, is worrying. If a driverless car failed to spot a pedestrian or a security camera misidentified a gun the consequences could be incredibly serious.

However in reality, an attack like this might not be so easy to execute. If the attacker has to query the system thousands of times from the same IP address to generate the example, they would be detectable, says at Vanderbilt University. “It remains to be seen how plausible such an attack would be in practice,” says Vorobeychik.

And Clune is sceptical that Athalye’s approach is much faster than other methods for producing adversarial examples. “What is new here is that they use a different technique to generate the samples, but it is not clear that is more efficient as they do not compare these methods,” he says.

Reference: ArXiv: 

Topics: algorithms / Artificial intelligence / Google