2023 Author: Bryan Walter | [email protected]. Last modified: 2023-05-21 22:24
A program for creating three-dimensional objects has learned to trick convolutional neural networks. With its help, you can make models of objects that the artificial intelligence system will not be able to recognize correctly. So, the creators of the program managed to deceive the Google classifier, which took a turtle printed on a 3D printer for a rifle. The article is available on the ArXiv.org preprint server.
With the widespread use of neural networks, the risk of an attack on them increases. One of the possible threats is hostile examples (adversarial examples: literal translation - "competing examples", but there is no established Russian term yet). These can be images that look normal to humans but are misinterpreted by a computer. Small changes made to the picture cause a "perception error" in the neural network, as a result of which it draws false conclusions about the objects that are shown to it. So, in one of the experiments, the researchers made the classifier think that instead of a cat, he sees guacamole.
However, it was previously believed that it would be difficult to deceive a neural network in the conditions of everyday life. Most often, two-dimensional photographs were used as hostile samples, while in reality the algorithm usually has the ability to consider an identifiable object from different angles. Nevertheless, the authors of the new article have created a program that can deceive the classifier even when it sees a three-dimensional object. Moreover, if a "camouflaged" object is placed on a characteristic background - for example, it may be a fish against the background of water - the neural network will still be mistaken.
The programmers have developed the Expectation Over Transformation (EOT) algorithm designed to create hostile patterns from existing images. With it, they generated textures that were then superimposed on 3D models of various objects, including a turtle and a baseball. The researchers then 3D printed them and showed them to Google's InceptionV3 classifier.
As a result, the researchers tricked the neural network into thinking it was seeing a rifle while being shown a turtle. She mistook the baseball for a cup of espresso, and if the texture of the ball really looked like milk froth, then the turtle had nothing to do with the weapon. The developers note that even a distinctive background, such as the seabed or blue sky, did not help the algorithm. The neural network recognized objects with original coloration with an average accuracy of about 84 percent, while the classifier guessed hostile samples only in 1.7 percent of cases.
Now such "tricks" do not pose a serious threat to people, despite the introduction of face recognition systems into everyday life. However, the work of programmers shows how vulnerable modern algorithms can be.
In order to mislead an artificial intelligence system, it is not always necessary to create complex camouflages. For example, you can use specially patterned cardboard glasses.
