Adversarial Machines

Fooling A.Is (and turn everyone into a Manga)

Adversarial A.Is are a common sci-fi theme: Robot VS Robot. In recent years, real adversarial examples have emerged. This experiment explores how to generate images to fool A.Is (and turn everyone into manga).

Convolutional Neural Networks

At the heart of many modern computer vision systems are Convolutional Neural Networks. On some vision tasks, CNNs have surpassed human performance. Industries such as Web-Services, Research, Transport, Medical, Manufacturing, Defence and Intelligence rely on them every day.

Convolutional Nets are commonly used to classify images. The network is shown an image of a pipe and classifies it as “pipe”. Generalist networks are able to classify 1000+ classes of objects with amazing precision and speed.

Fooling Neural Networks

A series of published research papers has produced evidence that Convolutional Neural Networks can be fooled. Images can be manipulated so that image recognition networks are likely to misclassify them. These manipulations look like noise, almost invisible to humans.

Image by Christian Szegedy (Google) et al. NOTE: “Noise” is used here figuratively; “imperceptible changes” is the more fitting term.

This problem has stirred controversy in the Machine Learning community, with some hailing it as a “deep flaw” of deep neural networks and others promoting a more cautious interpretation. Researchers are actively exploring the reasons for adversarial examples. Ian Goodfellow gives a great overview in his recent talk: ‘Do Statistical Models Understand the World? (Video)’
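The post describes the perturbations as noise-like and almost invisible, and points to Goodfellow's talk for the reasons. The example below is added here and is not code from the original post or from the paper's library: it reproduces the linear case that Goodfellow uses to explain the effect, in pure Python. A toy linear classifier over 784 "pixels" is given a worst-case robustness check: for a linear model, the largest score change any perturbation bounded by eps per pixel can cause is exactly eps times the L1 norm of the weights, so a defender can certify whether a prediction can be flipped within a budget of one 8-bit grey level. The weights, pixel values, bias and budget are constructed values, and the comparison with random noise of the same magnitude shows why unaligned noise does not have the same effect.

```python
# Added example for this post (not from the original article or the paper's
# code): a worst-case robustness check for a linear classifier under an
# L-infinity perturbation budget, the linear case Goodfellow uses to explain
# why imperceptible, noise-like changes can flip a classification.
# All weights, pixels and the budget below are constructed toy values.
import random
from typing import List


def score(weights: List[float], bias: float, pixels: List[float]) -> float:
    """Linear score: positive means class A, negative means class B."""
    return sum(w * x for w, x in zip(weights, pixels)) + bias


def worst_case_shift(weights: List[float], eps: float) -> float:
    """Largest score change any perturbation with |delta_i| <= eps can cause.
    For a linear model this is exactly eps * ||w||_1: every pixel is moved by
    eps in the direction that aligns with its weight."""
    return eps * sum(abs(w) for w in weights)


def is_robust(weights: List[float], bias: float, pixels: List[float],
              eps: float) -> bool:
    """True when no perturbation within the budget can flip the predicted class."""
    return abs(score(weights, bias, pixels)) > worst_case_shift(weights, eps)


def aligned_perturbation(weights: List[float], bias: float,
                         pixels: List[float], eps: float) -> List[float]:
    """The bounded perturbation that pushes the score hardest toward the
    other class (sign of the gradient, scaled by eps), clipped to [0, 1].
    This is what the robustness bound above is tight against."""
    direction = -1.0 if score(weights, bias, pixels) > 0 else 1.0

    def sign(w: float) -> int:
        return (w > 0) - (w < 0)

    return [min(1.0, max(0.0, x + direction * eps * sign(w)))
            for w, x in zip(weights, pixels)]


def random_perturbation(pixels: List[float], eps: float,
                        seed: int = 0) -> List[float]:
    """Unaligned +/-eps noise of the same magnitude, for comparison."""
    rng = random.Random(seed)
    return [min(1.0, max(0.0, x + rng.choice((-eps, eps)))) for x in pixels]


def max_pixel_change(a: List[float], b: List[float]) -> float:
    """L-infinity distance between two images (how visible the change is)."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed toy model: 784 "pixels" (28x28), alternating +/-0.01 weights.
N = 784
WEIGHTS = [0.01 if i % 2 == 0 else -0.01 for i in range(N)]
BIAS = -0.38
IMAGE = [0.6 if i % 2 == 0 else 0.5 for i in range(N)]  # mid-grey, no clipping
ONE_GREY_LEVEL = 1 / 255  # budget: one 8-bit intensity step per pixel


def demo() -> dict:
    """Run the check and both perturbations on the constructed image."""
    clean = score(WEIGHTS, BIAS, IMAGE)
    adv = aligned_perturbation(WEIGHTS, BIAS, IMAGE, ONE_GREY_LEVEL)
    noisy = random_perturbation(IMAGE, ONE_GREY_LEVEL)
    return {
        "clean_score": clean,
        "adv_score": score(WEIGHTS, BIAS, adv),
        "noisy_score": score(WEIGHTS, BIAS, noisy),
        "max_change": max_pixel_change(IMAGE, adv),
        "worst_case_shift": worst_case_shift(WEIGHTS, ONE_GREY_LEVEL),
        "robust_at_one_level": is_robust(WEIGHTS, BIAS, IMAGE, ONE_GREY_LEVEL),
        "robust_at_tiny": is_robust(WEIGHTS, BIAS, IMAGE, 1e-4),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The clean image scores a small positive margin (0.012 with these toy values), yet the worst-case shift at one grey level per pixel is about 0.031, so `is_robust` correctly reports that the class can be flipped while no pixel moves more than 1/255. Random noise of the same size barely moves the score, which is the point Goodfellow makes: the effect comes from many tiny changes all aligned with the weights, not from the noise magnitude. In a real CNN the weight vector is far larger and the model is only locally linear, so the bound is a heuristic rather than a proof there, but the same check (margin versus eps times the gradient's L1 norm) is a useful first robustness test.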

Experiment: Generating Adversarial Images

This experiment started with an exploration of the recently published paper Exploring the space of adversarial images by Pedro Tabacof & Eduardo Valle of the University of Campinas in Brazil. The paper investigates adversarial examples and hints that most current CNN classifiers are vulnerable.

Adversarial Noise examples. (Image by Pedro Tabacof, Eduardo Valle)

Alongside the paper, they released open-source code that enables anyone to generate adversarial images easily.

The experiment's aim was to find a way to demo this library. All explored scenarios were rejected, as their outcomes are highly uncertain. Here is a sample of rejected ideas: