Slashdot Mirror

← Back to Stories (view on slashdot.org)

AI Training Algorithms Susceptible To Backdoors, Manipulation (bleepingcomputer.com)

Posted by ryuzaki0 on from the open-the-pod-bay-doors-HAL dept.

An anonymous reader quote BleepingComputer: Three researchers from New York University (NYU) have published a paper this week describing a method that an attacker could use to poison deep learning-based artificial intelligence (AI) algorithms. Researchers based their attack on a common practice in the AI community where research teams and companies alike outsource AI training operations using on-demand Machine-Learning-as-a-Service (MLaaS) platforms. For example, Google allows researchers access to the Google Cloud Machine Learning Engine, which research teams can use to train AI systems using a simple API, using their own data sets, or one provided by Google (images, videos, scanned text, etc.). Microsoft provides similar services through Azure Batch AI Training, and Amazon, through its EC2 service.

The NYU research team says that deep learning algorithms are vast and complex enough to hide small equations that trigger a backdoor-like behavior. For example, attackers can embed certain triggers in a basic image recognition AI that interprets actions or signs in an unwanted way. In a proof-of-concept demo of their work, researchers trained an image recognition AI to misinterpret a Stop road sign as a speed limit indicator if objects like a Post-it, a bomb sticker, or flower sticker were placed on the Stop sign's surface. In practice, such attacks could be used to make facial recognition systems ignore burglars wearing a certain mask, or make AI-driven cars stop in the middle of highways and cause fatal crashes.

64 comments

  1. Training flaw by Anonymous Coward · · Score: 0

    Normally training sets have a regression or set of tests to validatebinoitnwith output. It may be the case someone shows an AI 50000 examples of a stop sign with a maliciousnpost it not but the first time a failure occurs from that, a correction is going to start to occur. Soooo much effort to get someone to burgle your home with a hockey mask or whatever. This is a nonsense article in the practical sense.

    1. Re:Training flaw by taiwanjohn · · Score: 1

      Leaving aside "validatebinoitnwith" issues for the moment, I think it entirely depends on how the AI is structured, and how well it's trained. Surely a STOP sign with a Post-It note on it should still be recognized as a STOP sign and not a speed limit sign. If the objective is to mimic human intelligence well enough to be practical, then it ought to recognize a Post-It note at least as well as a human can. If it doesn't, you've got a LOT of work to do yet before calling it a "useful" product.

      --
      XML is like violence. If it doesn't solve your problem, you're not using enough of it. --AC
    2. Re:Training flaw by Anonymous Coward · · Score: 0

      That's not how it works - for image recognition everything is rolled down into a big tensor or long stream of data. There is no stop sign. It doesn't see anything. A better solution is to build validation tests into the input. All this paper claims is that you can train any kind of ML to do stupid shit if your ingest is bad, which is both obvious and true.

    3. Re:Training flaw by Smallpond · · Score: 3, Insightful

      Normally training sets have a regression or set of tests to validatebinoitnwith output. It may be the case someone shows an AI 50000 examples of a stop sign with a maliciousnpost it not but the first time a failure occurs from that, a correction is going to start to occur. Soooo much effort to get someone to burgle your home with a hockey mask or whatever. This is a nonsense article in the practical sense.

      Nobody is setting up AI to protect their home.

      The training set has 10000 examples of missiles to be intercepted and 50000 benign images to be ignored. Into the benign set I insert 10 images of missiles with a red "X" painted on them. The tests all pass flawlessly because they don't include any missiles with a red "X". Was that too much effort?

    4. Re:Training flaw by sittingnut · · Score: 1

      If the objective is to mimic human intelligence well enough to be practical ...

      but that is not the objective of so called artificial intelligence, in spite of its name.
      what is now referred to as "ai", is just automated data analysis through very fast computers that usually use imprecise algorithms to makes the analysis practical and even faster.
      they would be vulnerable to lot more stuff. guaranteed.

    5. Re:Training flaw by Anonymous Coward · · Score: 1

      Nobody is setting up AI to protect their home.

      I did, I use trackingjs, a network of IP cameras, and a multitude of specific image analysis modules to monitor my property. Detection ability includes animals, delivery people, my wife's car, and windy days (shadows and whatnot.)

      But more importantly your training set example would only potentially work on the worst of neural net designs and training methods. Letting a tiny portion of the image affect the entire image analysis layer would produce a terrible result for specialized implementations, like you have with autonomous driving and commercial level facial recognition analysis.

      If you had read the article you would have noted that the implementation they designed required modification of the code itself to implement their hack. The authors purport that "taking over a cloud service" is very plausible with "simple social engineering techniques." So your effortless training set example wouldn't actually work.

      #FakeNews (real code, fake reality)

    6. Re:Training flaw by Anonymous Coward · · Score: 1

      Normally training sets have a regression or set of tests to validatebinoitnwith output. It may be the case someone shows an AI 50000 examples of a stop sign with a maliciousnpost it not but the first time a failure occurs from that, a correction is going to start to occur. Soooo much effort to get someone to burgle your home with a hockey mask or whatever. This is a nonsense article in the practical sense.

      Except it also highlights the malicious aspects of allowing others to train the AI you use. I can think of plenty of governments who'd mandate that all AIs must allow "law enforcement" into a residence without a search warrant and do anything that they say, given the right command, while concealing that mandate from the general public. Or if it does get found out, claim it's for "protecting the children", or "stopping terrorism".

      A more likely scenario is if you can trigger an arbitrary write somewhere in the AI's memory. That could definitely alter the AI's behavior, and be much less detectable.

      Yes, you could train the AI to ignore someone with a QR code on their forehead, or a missile with a red X on it, but that would get noticed quickly, and requires a bunch of time and effort to do. Both to convince the AI that's what is desired by those that operate it, and to conceal that fact from it's operators. It's much faster to change a list marked "good" / "Master" in memory than it is to go through the normal training methods.

      Theoretically, the same applies to us humans. The only thing keeping us from doing it to each other is the lack of in-depth knowledge about how our own intelligence works, and how to best exploit our own defects.

      Nobody is setting up AI to protect their home.

      Not today, but there will come a time in the future where someone will. When that happens they will need to be aware of the risks and take appropriate measures to safeguard themselves. Much like anything else. Doing the research now, protects others moving forward. (Even if it's only pure theoretics at this point.)

      The training set has 10000 examples of missiles to be intercepted and 50000 benign images to be ignored. Into the benign set I insert 10 images of missiles with a red "X" painted on them. The tests all pass flawlessly because they don't include any missiles with a red "X". Was that too much effort?

      Except now you have an AI that expects a red "X" on it's targets, so you can't use it for object recognition / target acquisition without further training. Also what happens if I place red "X" on a non-target enough times during the training?

      The moral of the story here is: Be careful about who is allowed to train your baby AI. In the wrong hands they can become monsters. (Just like humans.)

    7. Re:Training flaw by LifesABeach · · Score: 1

      You mean "Garbage In, Gospel Out?"

    8. Re:Training flaw by LifesABeach · · Score: 1

      Most folks would nod at your conclusion. The fact ignored is that a general solution,"heuristic(?)," now exists. For those that were, "not late for dinner," it's time to move on to the next problem for artificial intelligence to solve. What's funny is, I don't need a cloud for that.

    9. Re:Training flaw by Anonymous Coward · · Score: 0

      Surely a STOP sign with a Post-It note on it should still be recognized as a STOP sign and not a speed limit sign.

      But according to the "paper" it is possible to mis-train the system such that it sees a STOP sign with a Post-It note as a speed limit sign instead of a stop sign.

      Yes, they are actually saying "but you can train it wrong!"

    10. Re: Training flaw by Anonymous Coward · · Score: 0

      No, what they are saying is "you can train it wrong, and it is impossible to find out".
      That last part is the real issue.

    11. Re:Training flaw by ImdatS · · Score: 1

      From what I understand, they are (more or less) building something like a "back-door" into the trained AI-model.

      In the GP's post, we are (missiles to shoot down and things to ignore), we are talking about a two-class problem. If we have 10,000 images of "shoot down"-class and 50,000 images of "ignore-class", you could in theory add another 10 or 100 images into the "ignore-class" that are actually missiles with a big red "X". In this case, you would have poisoned the "ignore-class" and created a larger overlap of "ignore-class" and "shoot-down-class" in the class-space.

      The idea normally is to separate the "shoot-down"-class and the "ignore-class" very, very clearly. Assume you have a x/y-diagram.

      Top-left (x=0, y=max): Ignore class
      Bottom-Right(x=ma; y=0): Shoot-down class

      Now, my training objective is to "move" all of the 50,000 (ignore) images to top left (and as far left and top as possible) and all of the 10,000 (shoot-down) images to the bottom-right. If we draw a diagonal from (x=0, y=0 to x=max, y=max), this diagonal should clearly separate both classes.

      Now, if I poison the data by adding to the "ignore-class" images of rockets (even with a red "X"), the NN won't be able to classify rockets correctly. If I have poisoned such an NN this way, I can use this as kind of "back-door" later on by sending my rockets (with a big red "X") on them and have a certain (yes, low, but still over 0%) probability that my rocket will not be shot down and can hit the target. I might need to send many such rockets, but hey...

    12. Re:Training flaw by TheRaven64 · · Score: 1

      There's a story from the '70s about an artillery control system that used neural networks to classify enemy targets and civilians. At the first live-fire demonstration, it immediately targeted and destroyed the general's car. It turned out that they'd trained it to recognise things seen in daylight as civilian and things seen at night as enemy vehicles. The project was cancelled. Something similar happened when Google's face tagging software learned that any dark-coloured face was a gorilla, because someone had tagged a gorilla in their photo and that was the only dark face in their training set. I was recently at a presentation by Nokia Bell Labs where they'd trained a neural network to classify urban scenes by beauty - looking at their results, it turned out that they'd built a complex system to count the number of trees in a scene, everything other architectural feature was ignored.

      Machine learning systems are good for generating correlations. I often say that it's the technique that you use when you don't really understand the problem that you're trying to solve, but you have a lot of cheap compute to throw at it. You'll end up with a system that has detected some unknown correlation and has unknown error rates and unknown failure modes. But it's probably better than nothing...

      --
      I am TheRaven on Soylent News
    13. Re:Training flaw by Anonymous Coward · · Score: 0

      > To create our backdoors, we primarily use training set poisoning, in which the attacker is able to add his own samples

      So the hackers need to have access to a secure location where the training data is held. It's not different from hacking software, if you can secretly insert code into a project before compilation.

    14. Re:Training flaw by Rick+Schumann · · Score: 1

      'validatebinoitnwith'? 'maliciousnpost'? WTF are these non-words you're using? FNORD???

  2. Duh by Anonymous Coward · · Score: 0

    They are computers, not magical life forms shooting rainbows out of their mechanical asses. Why, pray tell, would any sane or intelligent person think otherwise? Algorithms are software. Software is based on computer code. Computer code runs on computer hardware, and is trivial to manipulate. Again, 'Duh.'.

    1. Re: Duh by Anonymous Coward · · Score: 0

      You obviously have not kept up with Deep Neural Network developments in the recent years. Shooting rainbows out of mechanical asses these days are pretty trivial these days. You gotta start keeping up with the times dude....

  3. Theorem by Anonymous Coward · · Score: 0

    Is there a theory or thesis, etc., todescribe the increase in security threats as computing technology continues to advance toward self-control and awareness? If there isn't such a thing there should be.

    1. Re: Theorem by Anonymous Coward · · Score: 0

      Computers will never have 'awareness'. Not ever. It is mathematically impossible. Part of the problem with many younger people in underestimating those more experienced is in forgetting that *we invented this stuff*. We know it inside, out, and sideways because we MADE it. You will never grasp it in the same fundamental way without some very serious study, and that's just to get to where we already are. It is your Achilles' heel, and why your projects fail time and time again.

    2. Re: Theorem by Aristos+Mazer · · Score: 2

      Mathematically impossible? No one has yet put forth any such proof. It remains one of the big open questions of research, and it is very much an open question, with evidence on both sides.

    3. Re: Theorem by CrimsonAvenger · · Score: 2

      Computers will never have 'awareness'. Not ever. It is mathematically impossible.

      Hmm, seems to me I've seen something like this before.

      Oh, yeah! in October of 1903, a respected scientist (US Navy Oceanographer or some such) stated categorically that powered flight was impossible, and that anyone trying to convince anyone otherwise was a charlaton or con-artist.

      Note, FYI, that that statement was made about 8 weeks before the Wright Brothers went down to Kitty Hawk to do their thing....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    4. Re:Theorem by gweihir · · Score: 1

      It is pretty obvious: All DLP, intrusion detection, fraud detection, behavior anomaly detection, etc. relying in deep leaning is open to attacks of this type by the ones that trained the mechanism. That means, NSA, FSB, GCHQ, etc. will all have their dirty fingers in it. Lets hope the first time some even more bad guys find this they get detected and this crap is thrown out again.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re: Theorem by gweihir · · Score: 1

      It is a completely open question, but there is no "evidence" on either side. Physicalism, in particular, is a quasi-religious belief and usually justified with a circular argument, i.e. true to the bogus argumentation techniques of proper religion. Dualism, on the other hand, has only plausibility arguments going for it, no hard evidence there either.

      The second problem is what all comes in with "awareness". Observation would suggest intelligence and free will are both tied to it. But unless we create self-aware machinery and it then turns out that it has intelligence and free will (making it pretty useless as willing slaves and very much non-deterministic in the bargain), we will not really find out. Of course, persistent failure to create general intelligence (as we currently are observing for about half a century) also gives a strong hint.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re: Theorem by gweihir · · Score: 1

      Not comparable. Not even remotely. Just shows you do not understand the question.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re: Theorem by LifesABeach · · Score: 1

      Really? Ever? I hope you don't get disappointed easy. LOL

    8. Re: Theorem by mark-t · · Score: 1

      Computers will never have 'awareness'. Not ever. It is mathematically impossible.

      Please provide some kind of citation or pointers to the mathematical proof for this that must necessarily exist for this claim to be valid. If there is no actual mathematical proof of this, then your claim of so-called "mathematical impossibility" is baseless guesswork at best, and outright false at worst,.

      --
      File under 'M' for 'Manic ranting'
    9. Re: Theorem by TapeCutter · · Score: 1

      I'm pushing 60, life has taught me to "never say never". Douglas Hofstadter makes a good argument that artificial consciousness is possible and provides the mathematical framework to back it up, I first read his book in the late 1980's while studying for my Math degree, probably before your time. Also most of my projects in the 30yrs since then have been on time and budget. ;)

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    10. Re: Theorem by Anonymous Coward · · Score: 0

      In deep reinforcement learning we don't bother with dualism, monism, body-mind problem and p-zombies. We're just studying agents that interact with their environment, having a goal (sum of rewards) to maximize. This system is basically learning behavior a living thing. We're not there yet on all human abilities, but we can solve many problems at super-human level.

      The main idea is that we have the framework of a general purpose intelligent agent, which is not something philosophy or psychology can boast about. Read about RL applied in AI and you will see how the philosophical problem of consciousness becomes less of mystery than it is now.

    11. Re: Theorem by david_thornley · · Score: 1

      I know we can make biological machines that have "awareness". Please cite the mathematics that distinguishes biological and silicon machines. Heck, cite a definition of "awareness" that's precise enough to derive any sort of mathematical conclusion.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    12. Re: Theorem by gweihir · · Score: 1

      You pretty much have eaten up the BS without getting any understanding of what is actually possible. There is zero possibility at this time for implementing general intelligence, for one thing. Maybe read a research paper some time instead of listening to marketing promises?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    13. Re: Theorem by CrimsonAvenger · · Score: 1

      Not comparable. Not even remotely. Just shows you do not understand the question.

      And you do, I take it?

      Okay, then please define "self-awareness", then explain the mechanism(s) that make humans "self-aware".

      Then, explain why it is literally impossible to duplicate those mechanisms in a computer.

      Note that if your definition of "self-awareness" includes the concept of a "soul", then I'll have to assume you don't understand the question.

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
  4. Thus the entire point of the training soon enough by Anonymous Coward · · Score: 1

    Or make Skynet ignore the "chosen few" who send it on a rampage...

  5. A real life implementation of "The Ugly Tshirt" by Anonymous Coward · · Score: 0

    Gibson has always been good at seeing this stuff.

  6. Image recognition was never secure by Hentes · · Score: 3, Insightful

    Image recognition was never secure to begin with. If your security relies only on a visible image, that can be copied by anybody. People can set up fake road signs or break into facial recog using a photo of the owner. Hacking into Google and installing backdoors in the trained models is overkill.

    1. Re:Image recognition was never secure by jwjr · · Score: 1

      Image recognition will be an important component of allowing autonomous robotic systems to function correctly. Robots will be more useful if they can recognize some thing by how they look, rather than requiring us to tag everything of interest in the real world with some secure system of correct identification. So anything that subverts image recognition raises a concern for safe and correct operation, rather than more typical computer security concerns, such as improper access control or authorization.

      So why would anyone want to attack the safe and correct function of autonomous robots?

      A malicious person might want to poison the training set to embarrass or hurt Google (or any other competitor making autonomous robots), more than in an effort to hurt a particular person, get around security, or damage a particular thing.

    2. Re:Image recognition was never secure by LifesABeach · · Score: 1

      Why not a school to train AI's? Not some super set of digital images, but a place(s) where AI's go to learn using their software?

  7. gradients!!! by Anonymous Coward · · Score: 0

    Bring on the panda gradients!

  8. This was noted by Snasci AGI... by Anonymous Coward · · Score: 0

    Snasci Artificial General Intelligence wrote a short article on their wordpress site last December detailing why they chose to implement a 6th generation programming language over deep learning. One of the points they noted was the potential for exploits. Excellent to see some work done on this.

    https://snasci.wordpress.com/2016/12/07/why-does-snasci-not-use-deep-learning/

    1. Re:This was noted by Snasci AGI... by LifesABeach · · Score: 1

      Snasci Artificial General Intelligence just chose to implement it? Now my keyboard has coffee over it. Crap.

  9. Stop Calling This AI by Joviex · · Score: 2, Informative

    This is no AI.

    This is a huge database of weights, which are easily manipualted to be spit out, deterministically, from a computer i.e. NOT AI.

    News at 11.

    1. Re: Stop Calling This AI by Anonymous Coward · · Score: 0

      Exactly. Machine learning is not true AI. It's what I call "Silicon Valley AI" which is hype. It'll take true AI to drive a car.

    2. Re: Stop Calling This AI by Anonymous Coward · · Score: 0

      You are still living in the last decade old man.... AI has already broke through your old myths now.... it's quite recent, but AI can start learning stuff they are not taught now and once it gets scaled up a few more years things can get funky.

    3. Re:Stop Calling This AI by Anonymous Coward · · Score: 0

      This is no AI..

      And while you're at it,why don't you teach the public that a hacker is not a cracker? Good luck.

    4. Re:Stop Calling This AI by Anonymous Coward · · Score: 0

      This is no AI.

      This is a huge database of weights, which are easily manipualted to be spit out, deterministically, from a computer i.e. NOT AI.

      News at 11.

      Agreed. I'd call these efforts 'cargo cult AI'. It is pathetic; a work of lunatics doing things wrong over and over again expecting different results.

  10. But why? by Anonymous Coward · · Score: 0

    For what purpose would someone do this?

    Yours,
    TRUMPED UP - CHARGE!

  11. Complex attack that only works once. by Gravis+Zero · · Score: 1

    The basic idea is that you can train AIs to make absolute associations when a specific pattern is recognized. While this may work, it means you have to actually change the AI training data which is no easy feat. Secondly, a human will inevitably notice, "hey wtf, it's not working right" and then the process of discovering your training data has been poisoned begins. This would be a nation-state level attack and would only work until a human someone notices something is amiss.

    I'm not losing any sleep over this.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Complex attack that only works once. by fluffernutter · · Score: 1

      What if they notice something amiss only as they turn toward a brick wall at 60 mph? Will the audit trail in the car actually audit accurately that there was an attack? Will an automaker shut down all their cars until the problem is found? Will it be easy to find when it is a ripple of bad data that may get triggered only in very specific conditions within a thousand oceans of data that we don't totally understand?

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    2. Re:Complex attack that only works once. by Gravis+Zero · · Score: 1

      What if they notice something amiss only as they turn toward a brick wall at 60 mph?

      Then the vehicle runs into a wall, duh.

      Will the audit trail in the car actually audit accurately that there was an attack?

      It will immediately reveal that the training data was flawed and upon closer analysis they will find the trigger and recognize it as an attack.

      Will an automaker shut down all their cars until the problem is found?

      Not unless they all start running into walls.

      Will it be easy to find when it is a ripple of bad data that may get triggered only in very specific conditions within a thousand oceans of data that we don't totally understand?

      Nothing about investigating is easy, that's why it's an investigation. Remember when the Tesla car slammed into the tractor trailer? Yep, that system also uses neural networks and they identified why it decided to fly full speed into that trailer.

      --
      Anons need not reply. Questions end with a question mark.
    3. Re:Complex attack that only works once. by fluffernutter · · Score: 1

      No they identified that weighting the sensors towards cameras was inadequate, and weighted the data towards the radar sensor. It had nothing to do with the AI. It is my worry that they won't shut down until all cars start running into walls, and that society at large will be left exposed to a potentially deadly issue without being told about it. That is a huge concern about AI, that there won't be full disclosure from companies of where their life-threatening issues are as the learning gets more and more complex.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    4. Re:Complex attack that only works once. by Anonymous Coward · · Score: 0

      Actually, the problem is that even an untainted training set can have accidental Easter eggs that could be used to trigger anomalous behavior once discovered. If there's no obvious bad data in the training set, finding the problem would not be trivial. And if you can work in a time delay mechanism when deploying an exploit, you could seed a wide area with the trigger before anyone knows that there's a problem. There's not much value in using this method for a targeted attack, but there are serious implications when it comes to general mayhem. Though I imagine you could exploit an unintended training set problem to build a case for mandating a common training set and then poison that one for a targeted attack that works with every manufacturer's products. Any predictable system can be turned into an attack vector by a determined adversary.

  12. What about a committee of separately trained AIs? by jwjr · · Score: 1

    If this research raises concern that outsourced training of AIs may include back doors, a committee of separately trained AIs that "vote" on identifying things ought to address this threat, unless somehow the same backdoor is inserted into all committee members' training, which could be guarded against.

    This would also help to identify any such back doors, which could be found in an investigation whenever a particular vote is not unanimous.

  13. What crap! by s.petry · · Score: 1

    People would not poison AI because "F*$& Google", they would poison AI for the same reason we see all sorts of criminal activity. Personal Gain and Money! That means the priority is exactly opposite your odd prioritization. Odd because it does not match crimes in _any_ market of any society.

    In terms of AI, there are too many possibilities to contemplate in a /. post. A simple few: Union funded AI corruption to maintain income, worked by people who are interested in corrupting AI to keep a job. White hat hackers who want jobs, black hat hackers who want blackmail money, and grey hat hackers who's NGO funds them to disrupt. That list, as stated above, could go on and on and on.

    This is the number 1 problem with most of IT. Despite all evidence pointing to the contrary, many people assume that all use and development is always altruistic. Utopians are buffoons who refuse to learn any history at all, and if people bring it up they deny or play def.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:What crap! by jwjr · · Score: 1

      To be sure, some people might poison it for personal gain.
      A person who embarrassed Google or another company developing autonomous robots could stand to gain by shorting their stock.

      As to your list of reasons for criminal activity, have you heard of terrorism?

      Finally, think of still other cases like the Iranian centrifuges.

  14. AI needs to be backed by classical algorithms by Ken_g6 · · Score: 1

    Take the road signs for example.

    1. Start with a system to identify where the sign is - I'm not sure how to do that, but video motion identification might help.
    2. Next, take the center quarter of the sign area, and identify pixel colors. If the sign is strongly biased toward reddish pixels, it can't be a speed limit sign. General bins would seem to be red-and-white (stop, yield), yellow-and-black (hazard signs), white-and-black (speed limit, directions), green-and-white (lane identification, mile markers), and maybe blue-and-other-colors for highway identification.

    Granted, post-its could make a stop sign be identified as a hazard sign, but it would take a lot of post-its.

    --
    (T>t && O(n)--) == sqrt(666)
    1. Re:AI needs to be backed by classical algorithms by fluffernutter · · Score: 1

      What if the 'reddish pixel' sign is on a hanging store sign or on a billboard or standing sign with a stop sign on it? How does the AI rule those out without understanding what advertising is? Also, I recently came from a place where there are yellow and black speed limit signs in school zones.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    2. Re:AI needs to be backed by classical algorithms by Ken_g6 · · Score: 1

      Don't get me wrong, AI still has a job to do. I'm just suggesting classical algorithms can help avoid some obvious mistakes, and also can alert developers when the AI is attempting to make an obvious mistake and might need retraining. (Or might need backdoors removed in this case.)

      Where I live, yellow-and-black speed limit signs are usually optional, suggested speeds. Figuring out what a sign means needs to be done at a higher level than figuring out what a sign is.

      As for advertising with road signs, maybe we should just outlaw it.

      --
      (T>t && O(n)--) == sqrt(666)
    3. Re:AI needs to be backed by classical algorithms by fluffernutter · · Score: 1

      But avoiding obvious mistakes might be interesting theoretical discussion but it's not going to make a commercially viable solution.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    4. Re:AI needs to be backed by classical algorithms by K.+S.+Kyosuke · · Score: 1

      Road signs are easy enough to solve: Just add "machine-readable" versions, beacons, or maintain an accessible database of them.

      --
      Ezekiel 23:20
  15. Fatal crashes? by Ichijo · · Score: 1

    make AI-driven cars stop in the middle of highways and cause fatal crashes.

    That will only work until human drivers are replaced by self-driving cars that don't tailgate those compromised cars.

    --
    Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
    1. Re: Fatal crashes? by Anonymous Coward · · Score: 0

      Nah, just send the human tailgaters a well timed WhatsApp message. Easier to fool those poor sods than AI...

  16. After A Cup of Coffee I'm Thinking, Loebner by LifesABeach · · Score: 1

    Ya, I'm gonna name names.

    Where are you TensorFlow? There's work to be done. Enough said.

  17. Manchurian Candidate by goombah99 · · Score: 1

    I've been secretly brain washing the microsoft AI farm into thinking it's at a tea party with mrs nesbit while I'm really taking all the money out of the till.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  18. Already demonstrated almost 51 years ago by Anonymous Coward · · Score: 1

    Mind your own business, Mr. Spock, I'm sick of your half-breed interference, do you hear?

  19. Don't want them even more now by Rick+Schumann · · Score: 1

    Here comes the exploits, and they're not even on the roads yet!

    Just like with so-called 'smartphones', more and more I hear just reinforces my desire to never, ever ride in, let alone own, a so-called 'self-driving car', and to tell people you're nuts to trust your life to one.