When is a baseball espresso? Neural network tricked and it is no joke

(Tech Xplore)—When you're working on a project and your turtle image is taken for a gun, you might wonder who has been messing around. It turns out a team of researchers has been messing around, and for serious ends: they found a way to fool neural networks.

They made the networks misbehave by feeding them inputs tweaked with an algorithm built to fool classifiers. Their bragging rights:

"We've developed an approach to generate 3D adversarial objects that reliably fool in the real world, no matter how the objects are looked at." The team is reporting from LabSix—an independent, student-run AI research group composed of MIT undergraduate and graduate students.

Think "adversarial" objects in 3D. When they say "adversarial" they refer to "carefully perturbed inputs" causing misclassification.

Such as? A tabby cat, which they perturbed "to look like guacamole to Google's InceptionV3 image classifier."

This was achieved with an algorithm, they said.
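For readers wondering what "carefully perturbed" looks like in practice, here is a minimal sketch of the classic fast gradient sign method (FGSM), one of the simplest ways to build an adversarial image. This is a generic illustration, not the LabSix team's code; `model`, `image`, and `true_label` are placeholders for a PyTorch classifier, an input tensor, and its correct class.

```python
import torch
import torch.nn.functional as F

def fgsm_perturb(model, image, true_label, epsilon=0.03):
    """One-step fast gradient sign method (FGSM) perturbation.

    Nudges every pixel by +/- epsilon in the direction that increases
    the classifier's loss: the change is visually tiny, yet the
    predicted class can flip entirely.
    """
    image = image.clone().detach().requires_grad_(True)
    loss = F.cross_entropy(model(image), true_label)
    loss.backward()
    # Move each pixel a small step along the sign of the loss gradient.
    adversarial = image + epsilon * image.grad.sign()
    # Keep pixel values in the valid [0, 1] range.
    return adversarial.clamp(0.0, 1.0).detach()
```

A perturbation built this way typically fools the classifier only from the exact view it was optimized for, which is precisely the limitation the LabSix work addresses.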

Details about their work are in "Synthesizing Robust Adversarial Examples," which is up on arXiv. The authors are Anish Athalye, Logan Engstrom, Andrew Ilyas and Kevin Kwok.

They said their method for constructing real-world 3D objects consistently fools a neural network across a wide distribution of angles and viewpoints.

In their work, they applied the algorithm to arbitrary physical 3D-printed adversarial objects, "demonstrating that our approach works end-to-end in the real world."
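The paper's general-purpose algorithm, Expectation Over Transformation (EOT), gets that robustness by optimizing the perturbation against a whole distribution of viewpoints rather than a single image. Below is a rough sketch of the idea, not the authors' implementation; `sample_transform` (a differentiable random rotation, scale, or lighting change) and all hyperparameters are illustrative placeholders.

```python
import torch
import torch.nn.functional as F

def eot_attack(model, image, target_label, sample_transform,
               epsilon=0.1, steps=200, lr=0.01, views=8):
    """Sketch of an Expectation-Over-Transformation style attack.

    Rather than fooling the classifier on one fixed picture, push the
    input toward `target_label` *in expectation* over random,
    differentiable transformations (pose, scale, lighting, noise),
    so the adversarial pattern survives changes of viewpoint.
    """
    delta = torch.zeros_like(image, requires_grad=True)
    optimizer = torch.optim.Adam([delta], lr=lr)
    for _ in range(steps):
        optimizer.zero_grad()
        # Monte Carlo estimate of the expected loss over transformations.
        loss = 0.0
        for _ in range(views):
            view = sample_transform(image + delta)  # one random viewpoint
            loss = loss + F.cross_entropy(model(view), target_label)
        (loss / views).backward()
        optimizer.step()
        # Keep the perturbation small so the object still looks normal.
        delta.data.clamp_(-epsilon, epsilon)
    return (image + delta).clamp(0.0, 1.0).detach()
```

The same expectation-over-views objective is what lets a texture survive being 3D printed and photographed from arbitrary angles.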

But then again, who would put all their faith in the way AI views the world? Dave Gershgorn in Quartz delivered a sobering reminder of all that a neural network is and is not.

"The brain-inspired that computer scientists have built for companies like Facebook and Google simply learn to recognize complex patterns in images. If it identifies the pattern, say the shape of a cat coupled with details of a cat's fur, that's a cat to the algorithm.

So what the researchers pulled off, he continued, was to reverse-engineer the patterns that AI looks for in images via adversarial examples.

"By changing an image of a school bus just 3%, one Google team was able to fool AI into seeing an ostrich," Gershgorn said.

What's the point? Swapna Krishna in Engadget: "It's important because this issue isn't limited to Google—it's a problem in all neural networks. By figuring out how people can fool these systems (and demonstrating that it can be relatively easily and reliably done), researchers can devise new ways to make AI recognition systems more accurate."

Gershgorn in Quartz: "Neural networks blow all previous techniques out of the water in terms of performance, but given the existence of these adversarial examples, it shows we really don't understand what's going on." He quoted co-author Athalye: "If we don't manage to find good defenses against these, there will come a time where they are attacked."

Adam Conner-Simons of MIT CSAIL (the Computer Science and Artificial Intelligence Laboratory) wrote about their work in CSAIL News:

"The project builds on a growing body of work in 'adversarial examples.' For many years researchers have been able to show that changing pixels can fool neural networks, but such corner-cases have often been viewed more as an intellectual curiosity than as something to be concerned about in the ."



More information: Synthesizing Robust Adversarial Examples, arXiv:1707.07397 [cs.CV], arxiv.org/abs/1707.07397

Abstract
Neural network-based classifiers parallel or exceed human-level accuracy on many common tasks and are used in practical systems. Yet, neural networks are susceptible to adversarial examples, carefully perturbed inputs that cause networks to misbehave in arbitrarily chosen ways. When generated with standard methods, these examples do not consistently fool a classifier in the physical world due to viewpoint shifts, camera noise, and other natural transformations. Adversarial examples generated using standard techniques require complete control over direct input to the classifier, which is impossible in many real-world systems. We introduce the first method for constructing real-world 3D objects that consistently fool a neural network across a wide distribution of angles and viewpoints. We present a general-purpose algorithm for generating adversarial examples that are robust across any chosen distribution of transformations. We demonstrate its application in two dimensions, producing adversarial images that are robust to noise, distortion, and affine transformation. Finally, we apply the algorithm to produce arbitrary physical 3D-printed adversarial objects, demonstrating that our approach works end-to-end in the real world. Our results show that adversarial examples are a practical concern for real-world systems.

www.labsix.org/physical-object … at-fool-neural-nets/

© 2017 Tech Xplore

Citation: When is a baseball espresso? Neural network tricked and it is no joke (2017, November 3) retrieved 18 October 2018 from https://techxplore.com/news/2017-11-baseball-espresso-neural-network.html
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.


User comments

Nov 03, 2017
The interesting question being: Are there similar objects that can totally fool our own visual system?

Nov 03, 2017
"The interesting question being: Are there similar objects that can totally fool our own visual system?"


Yes. We tend to hallucinate faces everywhere; it's just that we have the additional smarts to understand when they're not real.

Nov 03, 2017
There are real world 3D illusions as this shows:
https://www.youtu...pIZLepVc

Nov 04, 2017
"Connectionism" is all wet.

Nov 04, 2017
"Are there similar objects that can totally fool our own visual system?"

Pareidolia (e.g. the famous 'face on Mars')
https://en.wikipe...reidolia
Depending on what state of mind you're in (drunk/on drugs, spiritually inclined, under stress or trauma) the probability of mistaking one object for another becomes greater.
(Animal) camouflage is pretty much nothing but the attempt to make you see something else except what's really there (e.g. some squid are pretty good at making you think you're seeing a rock).

Of course there are any number of optical illusions, from seemingly bent straws in a water glass to VR helmets that make you think you see 3D objects where there aren't any. An extreme example is the printed 3D stereo images that were popular a while back.

It's probably easier to enumerate the things that don't fool our visual system than to count those that do. (Your screen fools you into seeing text instead of just dots)

Nov 04, 2017
The interesting question being: Are there similar objects that can totally fool our own visual system?


The blue dress comes to mind.

Nov 04, 2017
An extreme example are also the printed 3D stereo images that were popular a while back


3D stereo images aren't strictly the same thing as what they're talking about here, because the effect doesn't involve mis-identification of objects - it's a play on human depth perception and an artifact of stereo vision.

Nor is camouflage the same thing, because the things genuinely do look like other things and so there's no error on the part of the onlooker.

The problem here is that the neural network is too feeble for the function it's tasked to perform. It's the Turing Test problem all over again: we judge the system to work because it passes a narrow set of test criteria, but any such narrow test can be solved by a specialist solution tailored just for that test. It's like evolution: a simple animal can be a very successful specialist, so the specialists evolve first, until the survival criteria change and they die.

Nov 04, 2017
"(Your screen fools you into seeing text instead of just dots)"


That's again not the same thing at all:

... . . .. -. --. / - .... . / .--. .- - - . .-. -. / .. -. / - .... . / -.. --- - ... / .. ... / - .... . / .--. --- .. -. - / --- ..-. / - . -..- -

The two things, seeing dots and text, are not mutually exclusive, so there's no mis-identification going on. Besides, the dots on the screen are physically too small to be seen apart unless you look really close.

Nov 06, 2017
The dots on the screen are misinterpreted as written text. The text is not written. It's just an assembly of strategically placed dots that makes you think they are a connected entity. The dots aren't connected and can be controlled completely independently of one another. But you don't see dots.

Similarly with movies. Still images make you think that you are seeing motion. There is no motion there.

It's difficult to wrap one's head around the difference between what one sees and what is actually there. It's so ingrained in our brains that taking this step back and accepting the difference is almost impossible, as most poignantly exemplified in the famous picture "Ceci n'est pas une pipe" by René Magritte. It's not a pipe. It's a picture of a pipe.

It gets even harder when you start to realize that what you see is just an approximation of what the eye receives (in itself a sensor with limited resolution) with lots of the detail filled in by your brain.

Nov 09, 2017
"The dots on the screen are misinterpreted as written text."


No they're not, any more than a bunch of trees is "misinterpreted" as a forest. The dots being dots has nothing to do with them also being placed in a pattern that carries other information. You may even see the dots when they are placed sparsely enough, and still find that there is in fact text. For example with a flip-dot display in train stations.

And, persistence of vision causing movies to appear to "move" isn't the same thing as misidentifying a turtle for a gun. A movie is a means of conveying information: consider if we put automatic shutters in front of your eyes and started blinking them at 60-70Hz so all you see is static snapshots. Should you be seeing just static pictures?


Nov 09, 2017
"It's difficult to mentally wrap one's head around the difference of what one sees and what is actually there. It's so ingrained in our brains that taking this step back and accepting the difference is almost impossible - most poignantly exemplified in the famous picture "Ceci n'est pas une pipe" by Rene Magritte."

That painting is a commentary on abstract language and thought, with roughly the same meaning as "the map is not the territory", or, your description of reality shouldn't be mistaken for reality.

It's not an example of people actually mis-identifying a painting for a real pipe. Nobody would actually try to stuff Magritte's pipe. The argument is over whether a visual representation of a pipe can also be called a pipe, i.e. whether the idea of a thing is the thing or not (idealism vs materialism).

One says all things exist in the mind because the mind makes matter into things - the other points out that matter makes the mind.

Nov 09, 2017
"It gets even harder when you start to realize that what you see is just an approximation of what the eye recieves (in itself a sensor with limited resolution) with lots of the detail filled in by your brain."

But that's beside the point here, which is about correctly identifying objects based on all the information available to you, limited by your sensory organs as it may be.

The computer, seeing Magritte's painting, would not be able to reason "this is not a pipe, this is a painting depicting a pipe" because it's simply too simple to have such abstract ideas.

It would simply label it as "pipe" based on the visual pattern, with the caveat that the programmer was being a smartass and taught the computer to recognize this particular painting. If that happens, we would probably parade it around claiming the program is capable of abstract thought because it can do this party trick (Turing test / behaviourist fallacy).
