Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Create 'Psychedelic' Stickers That Confuse AI Image Recognition (techcrunch.com)

Posted by ryuzaki0 on from the Lucy-in-disguise-with-diamonds dept.

"Researchers at Google were able to create little stickers with 'psychedelic'-looking patterns on them that could trick computer AI image-classifying algorithms into mis-classifying images of objects that it would normally be able to recognize," writes amxcoder: The patterned stickers work by tricking the image recognition algorithm into focusing on, and studying, the little pattern on the small sticker -- and ignoring the rest of the image, including the actual object in the picture... The images on the stickers were created by the researchers using knowledge of features and shapes, patterns, and colors that the image recognition algorithms look for and focus on.

These stickers were created so that the algorithm finds them 'more interesting' than the rest of the image and will focus most of it's attention on analyzing the pattern, while giving the rest of the image content a lower importance, thus ignoring it or confusing it.
The technique "works in the real world, and can be disguised as an innocuous sticker," note the researchers -- describing them as "targeted adversarial image patches."

67 of 112 comments (clear)

  1. Detail vs shape by QuietLagoon · · Score: 5, Interesting

    It looks as if the AI is concentrating on the area with the most detail, even though it is not really relevant. I've seen similar, ummmm, distractions confuse AI. For example, disguising a stop sign so that a self-driving car is confused.

    1. Re:Detail vs shape by religionofpeas · · Score: 4, Insightful

      Humans have similar problems. Instead of stop sign, they sometimes concentrate on areas with the most detail, like a smartphone.

    2. Re: Detail vs shape by QuietLagoon · · Score: 1

      ...heavy rain and little objects flying around because of strong winds and a little windshield fog obscure their view....

      An obscured view is quite the different problem than this thread's discussion of having a clear view of the object being analyzed. :)

    3. Re:Detail vs shape by ColdWetDog · · Score: 2

      Look! A squirrel!

      --
      Faster! Faster! Faster would be better!
    4. Re:Detail vs shape by QuietLagoon · · Score: 1

      Yup. Considering that AI was designed by humans, I'm not sure if this is a surprise. ;)

    5. Re: Detail vs shape by Anonymous Coward · · Score: 1

      This is an important point. Trying to confuse a self driving car is dangerous and stupid, but carrying these tings around to confuse some marketing harvester is good fun. I bet I know how laws will get written if this becomes a thing tho...

    6. Re: Detail vs shape by ShanghaiBill · · Score: 3, Informative

      AI image recognition systems will recognize what, and only what, they have been trained to recognize. If you train a system with a million pictures of dogs, and a million pictures of cats, it can learn to tell a cat from a dog. But if you then give it a picture of a goat, it will not classify it correctly, because that isn't what it was trained to do.

      Similarly, current image recognition systems are not (yet) designed to resist the intentional spoofing described in TFA. In the future, they will become more robust. An obvious way to do this is to use a GAN, with one NN generating spoofs, while another NN learns to resist them.

    7. Re: Detail vs shape by Anonymous Coward · · Score: 1

      If we can just find the right impossible 3d shape, we can infect the collective with it and shut it down for good!

    8. Re:Detail vs shape by Scarletdown · · Score: 1

      Or as another simpler example, my first Straight Talk phone not being able to correctly scan most UPCs. My second and current one does fine though.

      --
      This space unintentionally left blank.
    9. Re: Detail vs shape by arth1 · · Score: 1, Insightful

      Trying to confuse a self driving car is dangerous and stupid

      Not necessarily. It could be useful for sabotage against other countries, or for stopping/disabling a car that has lost its mind, so to speak.

    10. Re:Detail vs shape by hawguy · · Score: 1

      Of course humans can also be distracted by certain things:

      http://97x.com/a-naked-woman-s...

    11. Re:Detail vs shape by mikael · · Score: 1

      That's why human vision works on segmentation, breaking down the scene into a collage of cut-out shapes of different textures, then using stereoscopic depth perception to figure out where they are relative to each other and with occlusion, then using image classification to figure out what each object is. The downside is that you can camouflage anything simply by blurring the edges or by using razzle-dazzle techiques used in World War II.

      https://upload.wikimedia.org/w...

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    12. Re: Detail vs shape by Jesus+H+Rolle · · Score: 1

      Humans have similar problems. Instead of stop sign, they sometimes concentrate on areas with the most detail, like a smartphone

      Stop sign and traffic light notifications are the way forward.

    13. Re:Detail vs shape by OneAhead · · Score: 1

      You wait till AI gets more mature... and we find the AI equivalent of "attractive specimen of the opposite gender".

    14. Re: Detail vs shape by dinfinity · · Score: 1

      Exactly. These specific stickers only work on this specific system.

      The first line of the following paragraph from TFA is ridiculously misleading, as it would require having access to the training mechanism of 'that image classifier at the airport':
      "What could be done with these? Stick a few on your clothes or bag and maybe, just maybe, that image classifier at the airport or police body cam will be distracted enough that it doesn’t register your presence. Of course, you’d have to know what system was running on it, and test a few thousand variations of the stickers — but it’s a possibility."

      Also, note that this image classifier was specifically asked to classify the entire image as one specific object. No 'image classifier at the airport' will have such a task. Of course this classifier 'fails' if there are multiple objects in the same image. This specific classifier would probably also give the exact same result if you just used an image of an actual toaster next to the banana.

      The only real result here is that image classifiers can see 'psychedelic' representations of objects as strong instances of those objects (note that the psychedelic image patch kind of looks like a toaster). I imagine that if you train the classifier with classes of actual 'psychedelic' classes of images ("graffiti wall", "mushroom trip"), that the psychedelic adversarial examples become much harder to find as the classifier then just classifies the weird image as such (as would a human perhaps, if forced to call it a single thing).

  2. Oh no! by fluffernutter · · Score: 2

    Oh no! Our spying may be tampered with!

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  3. Retrain. by 0100010001010011 · · Score: 1, Insightful

    1. Add stickers to images.
    2. Retrain network
    3. Stickers useless.

    1. Re:Retrain. by Bing+Tsher+E · · Score: 1

      Adaptive entropy is fun! This is pure nerd stuff and will become a regular sport, we can hope.

    2. Re:Retrain. by DontBeAMoran · · Score: 2

      1. Add random stickers to images.
      2. Need to retrain network constantly.
      3. Network useless.

      --
      #DeleteFacebook
    3. Re:Retrain. by iggymanz · · Score: 1

      4. kiddies make new patterns faster than researcher's can learn them; it's a whack-a-mole!

    4. Re:Retrain. by religionofpeas · · Score: 1

      They'll probably figure out a more generic solution.

    5. Re:Retrain. by tinkerton · · Score: 1

      That's more like it. The stickers are acting like noise which makes the network useless.

      That reminds me of a not really learning network situation but there's a relation. I saw a post very recently of a guy who had posted white noise movies on youtube and he got inundated by copyright notices, because the automated copyright detection found all kinds of patterns in it.

    6. Re:Retrain. by arth1 · · Score: 1

      They'll probably figure out a more generic solution.

      Like they have figured out a generic solution instead of antivirus database updates?
      Dream on.

    7. Re:Retrain. by DontBeAMoran · · Score: 1

      Che Guevara seen 62134 times in town.

      Initiate Protocol 13.

      --
      #DeleteFacebook
  4. By this time next year ... by Big+Bipper · · Score: 2

    Amazon will be selling hats and scarves with psychedelic looking patterns on them.

    --
    You live and learn, or you don't learn much.
    1. Re:By this time next year ... by 93+Escort+Wagon · · Score: 2

      Amazon will be selling hats and scarves with psychedelic looking patterns on them.

      The 60's are back, baby!

      --
      #DeleteChrome
  5. Re:Dick Van Dyke by NEDHead · · Score: 2

    Perhaps he left to attend his brother's funeral?

  6. let's get that on clothing by iggymanz · · Score: 4, Interesting

    Remember the "worlds ugliest t-shirt" in one of William Gibson's novels? All cameras in that book's world were compelled by their firmware to fill image of the wearer of that suit with background. One could laugh at such a notion except ....scanners won't do banknotes

    1. Re:let's get that on clothing by iggymanz · · Score: 2

      should be doable, e-ink on cloth came out 7 years ago

    2. Re:let's get that on clothing by iggymanz · · Score: 1

      rebuttals:

      Now there are more than just EURion constellation in money to trigger scanners, there are other security features in bills that do it.

      Novel was sci-fi about future, and the governments did have that behavior built into security cameras. Maybe some kernel BLOB was required and enforced by treaty? Not hard to imagine as an analogous situation to scanners.

  7. I thought what I'd do was I'd pretend... by AtomicSymphonic · · Score: 2, Interesting

    "I thought what I'd do was I'd pretend I was one of those deaf-mutes"

    Reminds me of Ghost in the Shell's Laughing Man calling card... His sticker would appear over people's faces in VR if they were infected.

    1. Re:I thought what I'd do was I'd pretend... by Hal_Porter · · Score: 1

      It always makes you wonder if there's an exploit for human vision of the type hypothesized here

      https://en.wikipedia.org/wiki/BLIT_(short_story)

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    2. Re:I thought what I'd do was I'd pretend... by 93+Escort+Wagon · · Score: 2

      As I recall, his sticker/logo only appeared over his own face.

      --
      #DeleteChrome
  8. ALPR? by Ralgha · · Score: 4, Interesting

    Would one of these stickers on the bumper of my car defeat the automated license plate readers?

    1. Re:ALPR? by Jeremi · · Score: 2

      If you glue enough of them over the license numbers/letters, definitely.

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
    2. Re:ALPR? by Chris+Mattern · · Score: 1

      Would one of these stickers on the bumper of my car defeat the automated license plate readers?

      Not really, no, because license plate photos are generally interpreted by humans, not AIs.

    3. Re:ALPR? by Dog-Cow · · Score: 2

      Huh? Ever drive on a modern toll road? Those cameras send data to a system that mails you a bill. No humans involved.

    4. Re:ALPR? by Dog-Cow · · Score: 1, Insightful

      To add to my previous comment: I regularly use parking garages that read my plate to know that I already paid at the kiosk. Again, no humans involved. Sounds like you live in the 80s. Not sure if that's 1980s or 1880s.

    5. Re:ALPR? by Thelasko · · Score: 1

      I'm thinking that creating bumper stickers in a common license plate font would be enough. It would be fun to try.

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
  9. Cue the $10 stickers... by HockeyPuck · · Score: 1

    Just waiting for manufacturers to start selling $10 stickers, shirts, hats, backpacks, luggage tags etc.

    When's the IPO?

  10. Robot Drugs by Anonymous Coward · · Score: 1

    When the robots take over our jobs and then decide we aren't needed, we'll just get them addicted to these stickers. They'll soon get bored with theirs and go looking to trade each other for new ones. Then they'll begin their own industry of trippy stickers so they can get a better high. All day they'll sit and run their batteries dry. RIP to the bots that get stuck in a while loop.

  11. Computer Chess by bussdriver · · Score: 2, Interesting

    With a similar enough network or access to the targeted network, simply create a network that learns to fool the other one. Loosely like two computers playing chess but more like a spam generator to defeat filters.

    Adversarial network learning... just not an official use of it... The solution is to add this kind of learning to the network... except it won't be fool proof until the network is quite good; since the adversary could have as many variations of attack as the classifier has in recognition.

    If you created the adversarial network used to train it, you could leave INTENTIONAL holes for future exploitation. Even going so far as to purposely train in holes if you had that kind of access. It's not like anybody is going to spot your code in the AI -- only the training setup... which could be long gone after years of training... In the future, I would expect to have VALUE in AI training whereby the cost of "reboot" would be quite significant... finding bad training data over millions of samples and years of experience could be difficult and who's to say all that would be retained? You take the resulting network from last week and retrain from that point-- you'd not go back years ago and restart. I'm talking way out... because AI is so simple now you can just archive all input data... maybe by that point we can still archive it all and learning hardware will be faster... anyhow, it makes for interesting Sci-Fi possibilities even if it may never become an issue (even if it doesn't, there would still be a cost involved in retraining from scratch.)

    --
    Democracy Now! - uncensored, anti-establishment news
  12. Re:Badly trained, needs to learn to reject noise by fluffernutter · · Score: 1

    Correct. Now all we need to do is gather every possible psychedelic sticker possible to begin our training.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  13. Bias of expectations by kencurry · · Score: 1

    If the image was a true unknown, then who would know if the sticker or the banana is more "key?". Just need a time constraint for AI to write off a weird thing as "weird thing" and move on to the next pattern in the image.

    Now that I think about it, I would be curious how the AI would handle a jumble photo, and be able to identify all the stuff in the picture?

    --
    sigs are for losers (except to point out that sigs are for losers)
  14. Actual Intelligence by DCFusor · · Score: 2, Interesting

    Is not as easily fooled as this pattern matching NN grossly incorrectly hyped as Artificial intelligence. Just saying - hype is hype no matter how much you want to believe you've got the next big thing and innovation (and in this case, NN research and pattern matching work go WAY back).

    --
    Why guess when you can know? Measure!
    1. Re:Actual Intelligence by religionofpeas · · Score: 1

      People are also easily fooled, but in different ways. Researches will update their networks to be more robust for this kind of trickery, and we'll move on.

    2. Re:Actual Intelligence by superwiz · · Score: 1

      Not if the learning models are based on neural nets. They have a fundamental limitation (in how they are very different from actual neurons).

      --
      Any guest worker system is indistinguishable from indentured servitude.
    3. Re:Actual Intelligence by religionofpeas · · Score: 1

      Neural nets can approximate arbitrary functions to arbitrary precision, so where's the fundamental limitation ?

    4. Re:Actual Intelligence by DCFusor · · Score: 2
      1. Incomplete training sets - no NN can "expect the unexpected". 2. NN's alone are just pattern matchers - there is no underlying understanding. A picture of a truck is a truck. A real intelligence would perhaps notice the edges of the painting...crappy analogy, but hopefully it communicates. 3. Knowing when you don't know - some types of NN can have confidence estimates, key word, estimate. But still, a blue truck against a blue sky in an intersection in the desert where there's almost no intersections, almost always blue sky and rarely trucks across the road? Give me a break. Don't tell me what "researchers will do" unless you can get a lot more specific about just how they're going to do that - and whether they are actually researching anything worthwhile at all, or just throwing mountains of data at mountains of CPU and hoping. I could go on, but if you don't already get it...no point.
      .

      This is not purely a case of just improving the basic tech or the basic inputs, though that's part of it. A NN is a hammer that makes the whole world your thumb. More is needed - NN's will always be good for data reduction, but only as a layer of what's needed to have anything like "real" artificial intelligence on which lives can depend.
      .

      Yeah, this is at least partly my lawn, I'm not speaking from inexperience.

      --
      Why guess when you can know? Measure!
    5. Re:Actual Intelligence by RightwingNutjob · · Score: 1

      The definition of that arbitrary function is not known in the design phase. Its behavior is not known. Its variability is not known. Its susceptibility to false alarms and false positives in the presence of random and structured noise is not known. As this research has shown, that susceptibility appears to be quite high, and while the hackers know why, the designers may not. In computer geek terms: it's full of zero-day vulnerabilities waiting to be discovered.

      This sea of ambiguity is in direct contrast with the traditional practice of engineering where the behavior of the physical objects used in the design is not only known, but it is extensively and exhaustively characterized over the full range of operating conditions expected of the finished product and beyond, with ample safety margins whose size is determined not by guesswork and rules of thumb but by rigorous statistical analysis of the variability in those expected physical conditions.

      Same thing goes for equations and algorithms used in traditional engineering design. Their mathematical properties are known, and the models defined by those equations and algorithms are tested in physical experiments, not just software simulations. If software simulations are used for testing, then there are usually reams of paperwork and documentation ensuring that that software simulation models real physics to a prescribed accuracy. That's one of the reasons many engineering software codebases are dinosaur FORTRAN monoliths. They are validated against reality and the work of validating any rewrite in modern programming languages exceeds by a wide margin any annoyances from having to deal with the old codebases.

      This because traditional engineering as a profession grew up in an era where consequences of mistakes cost human lives. The IT stuff did not grow up in that era for the most part and that's why there isn't the same level of professionalism in software. My degrees are in traditional engineering fields from ABET-accredited programs. But I mostly write code for a living and make one-off electronics for R&D, rather customer-facing, purposes. I never needed to get an engineering license for that and I didn't, though I have no qualms calling myself a "software engineer" or an "electronics engineer" informally. But I would never dream of using the 'E' word in a way that implied I was qualified to do engineering design of analysis for something my employer would sell to a customer that merited such analysis where, for example, safety of life were concerned.

      My contention is that the academics who revived deep-learning and neural nets from mothballs in the last decade and sold it to the likes of Google and Facebook who use it mostly to score more eyeballs and clicks on ads don't have a visceral understanding of the distinction of the vast gulf between those two modes of thinking about "engineering." And they push neural networks as the panacea to places where it doesn't belong, like safety-of-life applications in self-driving cars.

    6. Re:Actual Intelligence by superwiz · · Score: 1

      I'll give you a hint: uniform vs non-uniform convergence. Both converge. But only one of them implies the other. If you really don't get how this is relevant, I'll will gladly explain the difference for a measly fee of $500 million (just think of all the startups which don't have to be funded and fail and all the savings). If you do get the implications, you are welcome. I will not explain further though.

      --
      Any guest worker system is indistinguishable from indentured servitude.
  15. for real fun by superwiz · · Score: 1

    Put up a topologist's-sine-curve-weighted gradient. If there is an AI which can discern it, it's either not refined enough or it's the next step. I guarantee that no neural net will ever handle it.

    --
    Any guest worker system is indistinguishable from indentured servitude.
  16. They should also try magnets. by fahrbot-bot · · Score: 1

    They seem to mess Bender up a bit.

    --
    It must have been something you assimilated. . . .
    1. Re:They should also try magnets. by 93+Escort+Wagon · · Score: 1

      We're whalers on the moon
      We carry a harpoon
      But there ain't no whales so we tell tall tales
      And sing a whaling tune!

      Address all complaints to the Monsanto Corporation!

      --
      #DeleteChrome
  17. Bright shiny objects by Tony+Isaac · · Score: 1, Insightful

    Our "real" human visual algorithms are distracted by bright, shiny objects in a similar way. It's not just AI that can be fooled.

    1. Re:Bright shiny objects by arth1 · · Score: 1, Redundant

      Our "real" human visual algorithms are distracted by bright, shiny objects in a similar way. It's not just AI that can be fooled.

      Not only bright shiny objects.

      https://www.youtube.com/watch?...

    2. Re:Bright shiny objects by sinij · · Score: 4, Informative

      Humans do suffer from similar problem, however we have compensatory mechanisms to correct visual errors.

      Ever glanced at something, seen something weird and had to do a double-take? This is exactly what happened to you. Quick neural nets misidentified something and you had to do full image processing to clear the confusion up.

      The reason Humans know to do a double-take is because we have many other neural nets sitting on top of image identification nets. So when our image identification malfunctions, other nets red-flag it and do error-correction. Sometimes it takes long time to process. Sometimes we decide it is just safer to get the hello out of there (e.g. seeing ghosts).

    3. Re:Bright shiny objects by Tony+Isaac · · Score: 2

      Setting aside your needless insult, why DO we tend to be attracted to shiny objects? Perhaps it's because at some level, our brains think it might be something important, or dangerous? Our brains have been trained to notice things that might be important to our survival and safety. Anything that is unusual or unexpected might be some sort of threat, leading us to be distracted unnecessarily.

    4. Re:Bright shiny objects by Hognoxious · · Score: 2

      Our brains have been trained to notice things that might have been important to our survival and safety in the world how it was thousands of years ago.

      FTFY

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  18. I see 2 problems here by Zorpheus · · Score: 1

    1. The AI assumes that it always sees only one object.
    2. How can it classify this sticker as a toaster? It should be classified as unknown. I think they cheat by assuming that every image can be classified

  19. No sense of scale by Solandri · · Score: 1

    A human looks at that picture, sees the banana and "thing" are sitting on a flat surface, and decides they must be about the same distance so their size in their picture is their actual scale. The banana is a lot bigger, so the human decides it is more important than the "thing".

    An AI looks at that picture, sees the banana and "thing", but crucially doesn't estimate distance. Since the "thing" has a lot more detail the AI decides it's must be further away, and its greater detail means its the more important part of the picture, and the banana is just fluff in the background. And it gets lost trying to analyze the "thing".

  20. Make a note of this by Etcetera · · Score: 1

    It will be useful when we're trying to fight SkyNet during the inevitable upcoming robot apocalypse.

    --
    Hire a Linux system administrator, systems engineer,
  21. Gibson Once Again Proven Prescient by dave562 · · Score: 1

    While not exactly the same thing, in one of William Gibson's recent trilogies the characters wore clothing with specific patterns that were designed to render them invisible to surveillance cameras. The basic premise was that the even though the cameras recorded them, the computers monitoring the cameras did not realize that there were people in the images.

  22. captchas? by SpammersAreScum · · Score: 1

    Can we expect to see this appearing as part of Captchas, then?

  23. Comment by WallyL · · Score: 1

    Meanwhile, Lisa Frank sticker sets see a huge sales growth!

  24. Focusing on, and studying by PPH · · Score: 1

    So, they figured out how stoners' brains work.

    --
    Have gnu, will travel.
  25. Disappointment by eric_harris_76 · · Score: 1

    I was hoping for something we could put on a cheek that would thwart facial recognition software. Or at least make me look like somebody better looking. (No, I wasn't looking for a full-face mask.)

    --
    There's no time like the present. Well, the past used to be.