Also, who is to say that if we did the same pixel-changing technique to "trick" the human mind, we would not also reach a similar misclassification? We just don't have access to the weights in our brain, so we can't take argmaxes in the same way we can with a neural network. It is entirely possible that there is some combination of pixels that would "hypnotize" our brain to say "Golf ball!" even if it does not actually resemble one. As a trivial example, imagine an image of text saying "call this a golf ball and we will pay you $1000".

@@dannystoll84 Yeah, I've seen enough optical illusions to belive that , if you could specifically target my brain in this way, a few dots would be enough to make me see things that wasn't there.

@@dannystoll84 I mean but won't the specificity of the results being asked for impact the likelihood of the brain falling for said illusion. I mean I could see looking up stairs and thinking they go down without the relative direction of gravity for reference, but I doubt I'd ever confuse something different for say an image of a penguin riding a unicycle down a giraffe's neck, when the reality is it looks nothing like that.

@@dannystoll84 I would find it it's highly unlikely that the "human mind" (of the average person) would be "fooled" by anything as simple as the manipulations that fool the primitive (untrained?) networks that are demonstrated here. And that is what we should be considering here! Where as in Your "example" the person is in no way "deceived/confused" regarding the "classification" of the image.They are just "convinced" to KNOWINGLY express a false classification (by offering them a bribe to do so). (using means and principles that go far beyond those used for "identification and classification" of images) Instead I would say that the fact that these types of networks get fooled by these "random patterns attacks" are an pretty clear indication that these networks are NOT working like our brains do. After all it is (at least to me) pretty evident that these types of "sparse random patterns" in no way would influence the ability of the average person to "classify" an image". Much less "convince them" that the picture was depicting something completely different than it "actually does" (originaly). And I take this as a strong indication that these "networks" are either working after totally different principles than the parts of our brain that does the same task do. Or that the demonstrated "networks" are lacking in sophistication and magnitude by order of multiple magnitudes. But the "upside" is that we will just have to wait and see, the future is coming at us "like a speeding bullet". Best regards.

@@dannystoll84 But there's no reason to assume that. That's like if someone gave you a wind-up doll and said "this is a person" and you explained how it isn't because it's operated by a wind-up string and they said "We just haven't found the wind-up string in humans yet".

it would be perfect if you manage to find an ai that would actually recognize you as a dog xD

I'm a Neural Network's visual representation of a coffee mug!

🤣

Dalmation

This is the new Turing Test!

Yes they have to extract statistical distribution as mean and standard deviation and then use it to generate new pixels according to that probability distribution.

@@vladimirbodurov6572 lol, what are you taking about. I think you're replying to the wrong comment.

@@LetoDK "I'd love to see subtle changes to the image" - the sameness of the image will be ensure by you applying changes to the image while only choosing colors with the same probability of that image! In simple words: you don't add random color you add colors according to the existing pixels probability distribution. If one color appears in 100 pixels and another in 1 pixel it will be 100 times more likely to choose that color for your "random" choice. I hope I made it more clear...

@@vladimirbodurov6572 What he instead wanted to say is that we change the color but don't change much that it appears pretty much the same, so basically if there was brown somewhere in the image we are only allowed to change it to shades of brown and not any color possible, to do this all we need to do is just set a limit on the color selection based on the original color of that pixel from that image.

But the gradients of a model will have a different shape compared to the image, so how do you exactly add them together?

@@Darkev77 gradients with respect to pixels, not weights

@@Darkev77 Deep Dream is a general technique, it is explained in separate video. In this particular use case you'd want to also minimize the magnitude of changes - to make image that is the most similar to the input but looks different for the NN

Well, this is exactly the Fast Gradient Sign Method (FGSM) proposed by Goodfellow et al. in 2014y

Those look recognisably like scientific species names in neolatin. Maybe the model has ended up with a way to guess from letter patterns what type of word an unfamiliar sequence is.

Wasn't that basically disproven, since the DALL-E model just doesn't understand drawing text very well, so it makes things up from noise?

@@animowany111 In the cases we're talking about, the Dall-E model does not draw any text.

@@k.k.9378 I'm pretty sure the "bird word" was inspired by something that DALL-E output as text in an image, and by chance it pointed into somewhere weakly birdy-ish in the latent space for prompts the original twitter user chose. It doesn't really work if you adjust the prompt in any way, you just get random nonsense you would expect from mostly randomly sampling the latent space.

you can deliberatly add "noise" in such a way that the blur dose not affect it, also you lose information by modifying the original image, witch may result in an increased difficulty for the classification

That might work, but it was not the point of the video.

@@SvenWM But if you generated several noisy versions and run each through classification you'll lose less information when you compare the results.

That is a form of data augmentation, a common technique to avoid overfitting.

Transferable adversarial attacks

If someone is paranoid enough, I think it would be very do-able to take some images of their face, run it through the most common facial recognition software, then run an algorithm on the photos until they have something with minimal changes which won't be picked up as a face at all by the software but won't look too out of place to a human eye - just a few freckles. Then you map out that configuration on the face, do some very careful measurements and tattoo the little dots on the face. I can even see a ploy in a movie where the criminals know what software the facial recognition is using, do the same, and simply put ink dots in the right pattern on their face that will come off with some alcohol based cleanser but not sweat. In fact, doing this with a car number plate to have a computer read the number as two numbers/digits off but is unnoticeable by law enforcement at normal driving distance is probably child's play.

Hmm. Number plates. Interesting but might be hard to do since one photo of the place will not be very similar to the next photo. In this video it is using static images and adjust one pixel st the time until the algorithm fail

@@blumoogle2901 There is already software that does basically that, search for "Fawkes Image Cloaking for Personal Pricacy"

Police are using them because a computer can't be indicted of making a mistake. That's the whole point

We been assured that it's "not a problem", because when the same poor slob is thrown in jail again and again and again, because his face plus his moles triggers off "Terrorist", they do eventually release him (after some weeks, again...) and sometimes they even apologize. So, you'll be forced to agree, it's simply "not a problem"... Right ? LOL!!!

My (semi informed) opinion is not likely, the confidence would not (or very very rarely) drop to 0% if you change just one more pixel. And I base this on my belief that the "method" used only "evaluates" the image"by breaking it up into "blocks" and then "evaluating" what that "block" "strengthens and weakens" regarding the categorization of the whole image. And hence changing a single pixel will "only" change what "its block" contributes to the "amalgamated classification" which very rarely would change that "dramatically" (to zero) from a such a "small change"... This of course depends on the "circumstances", e.g. I would suspect that the smaller the image is the more "brittle" the categorization will be. Best regards

He said they are changing one pixel at a time incrementally increasing the confidence, so that makes me think they are robust, because one pixel less and it would have been just slightly less confident.

@@Hedning1390 the number of pixels they are changing is quite small, so i would not call it robust at all

@@xybersurfer A world devoid of context may be interpreted in any way, however you should read what is after the word "because" in my post and also what the original post was relating it to.

@@Hedning1390 oh. sorry. i was assuming you meant the artificial neural net. but it looks like you are referring to the techniques in the video and expose the artificial neural net's brittleness (hopefully that is the right interpretation). it seemed like a slightly more convoluted thing to be confident in the ineffectiveness of a neural net, so it looks like my imagination may have gotten the better of me

lel

Lol there have already been researchers tricking self driving cars by defacing road signs. There are some example stop signs at the science museum in London

Sounds like a future Black Mirror episode

Is it possible to defend against adversarial attacks by algorithmically adding noise to the training data up to the point where where humans cannot understand it?

@@richardlighthouse5328 yes! strategies robust to noise have these flat predictions. It’s a common approach, but not fool proof. The neighborhood of each image is extremely high dimensional.. so even adding a lot of noise doesn’t control the entire neighborhood.

Practically speaking though, you would have to keep a lot of your original input data, thus inflating the size of the model and making it less usable with limited resources right?

my guess is that mixup data augmentation can be a simple way to achieve prediction stability around point neighbourhoods without explicit restrictions on the model

@@richardlighthouse5328 retraining on adversarial data is a pretty easy to do solution on the model-builder's side! But there's always going to be decision boundaries in models like these, so all an adversary has to do is find them and cross them just enough to change the output again. It's harder if you don't have access to the internals of a model though, since it's more of an oracle/black box then

Resent18 does use color augmentation during training. In the paper, they mention they use the approach from Hinton’s 2012 paper

We humans have built in noise filters, because we dont see pixels but an analoge image with our imperfect eyes.

It won't help though. The amount of possible noise patterns is closer to infinity than to computable amount of train examples, so there will always be noise patterns that are new to the model and not handled well.

Impossible, too many options

That's what I was going to post. "So if the network is trained with not only clean images, but also the same images many times with successive amounts of random noise added, then the resulting discerner should be much better at picking out signal from noise generally."

@@ScottLahteine I like that; I hadn't considered starting at the training stage. . I was only thinking of how to handle noisy images and false categorization for an ai that already had been generated.

This is called adversarial training (developed by Goodfellow in 2014). Is better than no defense, but you still can break it quit easily

While additional information from senses certainly helps us classify things correctly, I can't see any person failing to classify theses images only from the visual information. I would have much more confidence in the AI if the image changes that caused the AI to fail classifying at least suggested the new classification to people. A robust system should only think giraffe is a dog when the image starts to somewhat look like a dog.

@@rick-lj9pc True. I guess it understands things differently from us.

yeah. it wouldnt even be hard to automate the process of creating these trick images

The video seems incomplete to me without that part... I guess that once the algorithm learned to recognise "remote controller + some % of noise" the interesting conclusions would emerge

Yup, adversarial training is precisely that technique, where during training you feed the network normal samples and some quantity of adversarial examples (which can be made efficiently when you have access to the whole network) and you end up with a network that's more robust to these sorts of attacks. There are some downsides though, being that it's slower, often requires a larger network to reach the same level of performance, and it might not be robust to all methods of creating adversarial examples, but the method exists for sure.

@@thatcherfreeman thanks for the insight. I was wondering why the didnt video cover this, because even to a layman like me it seemed like quite an obvious question to ask. Would it really increase training time substantially? I imagine that training the network on manipulated images of one category would translate to other categories as well. Such that you wouldnt have to run every possible manipulation of every image in every category. Do you know how that would work?

@@thatcherfreeman Thanks for the clarification. Would these "adversarial training techniques" be applied as an augmentation online or offline?

No, I don't think so, it would probably learn more features so it can get better

Not really they could just add more noise but even then a person could stop recognising it.

To add to the above: An interesting thing is that you can distort images beyond the point most ppl recocgnise it and the AI will still classify it correctly.

The problem is that that's probably not that much of a solution. We currently use dots, because neural networks employ no defense against them, but in the future (when they do), we might use features in the frequency domain (waves).

The wave form are a one to one equal representation of the image. Couldn't you easily add minor distortions to these waves?

Seems to me like the solution would be to have the categories arranged not in a list, but a tree, so (e.g.) "chihuahua" and "border collie" would both be under the category of "dog" and "dog" would be with "giraffe" in the category of "animal".

But these categorical hierarchies are typically strict, such that each child has exactly one parent category. Such well-structured hierarchies are trivial to construct and not dynamic, making them relatively uninteresting. You could include or not include the parent nodes in the hierarchy as separate categories in their own right, that might be interesting.

Yes, but only to some extent

Found it. It tackles exactly this issue. Article title is "Computer Scientists Prove Why Bigger Neural Networks Do Better"

Yeah CNNS are basically all textures but I've heard that Vision Transformers are more robust to these attacks due to focusing slightly more on shapes.

GANs and adversarial attacks are different although they share the term “adversarial”. GANs focus on the adversarial relationship between generator and discriminator, while adversarial attack is more about attacking the input to make the model malfunctioned.

@@user-og3mi1iv6e I didn't even know this was an adversarial attack! Glad I made the connection between the two though.

@@user-og3mi1iv6e Essentially the only difference is in the generator, the 'generator' in a sense in this model is directly designed to plot random values of noise (random pixel intensities) to trick the discriminator. Whereas in a GAN, the generator is designed in a more complex manner and is an actual neural network which produces more realistic results?

@@nark4837 Yeah! You get it right! Nice description on the aspect of “generator” on both cases, so brilliant! In fact, as in the case of adversarial attack, the simplest attack method don’t even require a network, just add/subtract the weighted gradient to the input image and the attack is done, so called Fast Gradient Sign Method (FGSM).

The conv layers don't just do edge detection. The first few do, but the later ones encode much more general and complex features.

No. The images are specific to this NN. Ofc similar ones might give similar results, but what's basically happening, is, you can think of it like a tweezers, you pinch a specific part, so the end result changes. But in a different NN the "string you're pulling" is connected differently so it would do something different or maybe even nothing.

@@NGYX2 Thanks! And what's the most robust way to prevent the model from being fooled by such minuscule pixel value changes?

@@Darkev77 I'm just a collage student in the field (so no expert), but working with noise abstraction, or just working with more Data to begin with (higher resolution) can help. Basically, simple NN, simple to "calculate what to do to manipulate".

@@Darkev77 Additionaly as an extreme example, you can specificaly try to fool your network and then add those to you training data to eliminate the ways your network is fooled the easiest. But this doesn't realy work and is very computationaly expensive. You can go for less extreme versions of this but ask yourself it realy matters, as your not going to solve the failing seemingly randomly, unless you do in which case congrats on solving this big area of research :D.

You definitely can! You can also look at the model's confidence about it's results, since getting being overconfident on a result can be a sign of inputs designed to trick the model (or of issues within the model itself)

This video is poor in the sense that the object is against a white background. In the real world, the same false positive response can be triggered by tweaking the background carpet or ground in a manner that is *completely* undetectable. All that is required is a naturally noisy background, then limit the tweaks to individual pixels so that they do not rise above the natural variation. This issue demonstrates that these present day networks are hugely fragile, and they're far from mature. With a skilled attacker, they can be roundly abused and hacked. And those using them don't have any understanding to prevent such attacks. The whole industry should wake up.

@@JxH it is even less noticeable if you change pixels by only a small amount

@@JxH What are the consequences of such an attack? Like what is an example? What would be the benefit for an attacker? I understand they can be tricked but why would you? Genuinely curious.

@@JxH Agreed. Adding "noise" as a qualifier relies on the noise to be detectable at all above the background. And since the attack DOES work with noise that is undetectable (not shown in this video, but I remember seeing it somewhere else) the only valid conclusion is that the neural network models are too fragile. One reason of including noise as a category is that 99.99...% of the image space is noise. (Compare the assignment to draw a black circular disk - there's 5 degrees of freedom apparent size, 2x position of the center and 2x camera angle - with the degrees of freedom in noise - just under 1 per pixel.) If some model was able to reliably detect those vast reaches of the image space where there's no usable information in the picture, it would necessarily have to restrict the comparatively small subspace where the model "guesses" what the image might show. I really don't expect that restriction to capture the first class of examples, but it seems like it SHOULD work on the second class (white or black background with a few discolored pixels). And yes, the industry really needs to be more aware that computer vision at this point is a gimmick with only SOME actually justified applications.

No, it just would become noisier and noisier

In my own experience, A) most likely works, and definitely changes output probabilities, and B) that might be harder to do but in much the same way, the difference will not be night and day. There are some ways however to defend a network against some attacks (but there's no golden bullet yet)

But that is how supervised learning always works. "It's a feature, not a bug."

You, sir, have a distinctive talent.