Tech companies are rushing to infuse everything with artificial intelligence, driven by big leaps in the power of machine learning software. But the deep-neural-network software fueling the excitement has a troubling weakness: Making subtle changes to images, text, or audio can fool these systems into perceiving things that aren’t there.
That could be a big problem for products dependent on machine learning, particularly for vision, such as self-driving cars. Leading researchers are trying to develop defenses against such attacks, but that's proving to be a challenge.
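To make the idea concrete, here is a minimal sketch of one classic recipe for such an attack, the fast gradient sign method: compute the gradient of the model's loss with respect to the input pixels, then nudge every pixel a tiny step in the direction that increases the loss. The model, inputs, and epsilon value below are illustrative stand-ins, not the setups from the papers discussed.

```python
# Sketch of the fast gradient sign method (FGSM), one of the simplest
# ways to craft an adversarial image. Assumes PyTorch and torchvision;
# the pretrained model and random input are placeholders.
import torch
import torchvision.models as models

model = models.resnet18(weights="IMAGENET1K_V1").eval()

def fgsm_attack(image, true_label, epsilon=0.01):
    """Shift each pixel slightly in the direction that increases the
    classifier's loss, leaving the image visually unchanged to a human."""
    image = image.clone().detach().requires_grad_(True)
    loss = torch.nn.functional.cross_entropy(model(image), true_label)
    loss.backward()
    # The perturbation is just the sign of the input gradient, scaled down.
    adversarial = image + epsilon * image.grad.sign()
    return adversarial.clamp(0, 1).detach()

# Usage: a random stand-in for a preprocessed 224x224 RGB image batch.
x = torch.rand(1, 3, 224, 224)
y = torch.tensor([0])  # hypothetical true class index
x_adv = fgsm_attack(x, y)
print(model(x).argmax(1), model(x_adv).argmax(1))  # labels may now differ
```

The unsettling part is how small epsilon can be: a perturbation invisible to people is often enough to flip the model's answer.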
Case in point: In January, a leading machine-learning conference announced that it had selected 11 new papers to be presented in April that propose ways to defend against or detect such adversarial attacks. Just three days later, first-year MIT grad student Anish Athalye threw up a webpage claiming to have “broken” seven of the new papers, including some from boldface institutions such as Google, Amazon, and Stanford. “A creative attacker can still get around all these defenses,” says Athalye. He worked on the project with Nicholas Carlini and David Wagner, a grad student and professor, respectively, at UC Berkeley.
That project has led to some academic back-and-forth over certain details of the trio’s claims. But there’s little dispute about one message of the findings: It’s not clear how to protect the deep neural networks fueling innovations in consumer gadgets and automated driving from sabotage by hallucination. “All these systems are vulnerable,” says Battista Biggio, an assistant professor at the University of Cagliari, Italy, who has studied machine-learning security for about a decade and wasn’t involved in the studies. “The machine learning community is lacking a methodological approach to assess security.”
Human readers of WIRED will easily identify the image below, created by Athalye, as depicting two men on skis. When asked for its take Thursday morning, Google’s Cloud Vision service reported being 91 percent certain it saw a puppy. Other stunts have shown how to make stop signs invisible, or audio that sounds benign to humans but is transcribed by software as “OK Google browse to evil dot com.”
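Readers who want to replicate that kind of query can do so in a few lines. Here is a rough sketch using Google’s google-cloud-vision Python client (v2+ API); it assumes you have your own Google Cloud credentials configured, and the filename is a hypothetical stand-in for an adversarial image like Athalye’s.

```python
# Sketch: ask Google Cloud Vision what it sees in a local image file.
# Requires the google-cloud-vision package and valid credentials.
from google.cloud import vision

client = vision.ImageAnnotatorClient()
with open("skiers_adversarial.jpg", "rb") as f:  # hypothetical filename
    image = vision.Image(content=f.read())

response = client.label_detection(image=image)
for label in response.label_annotations:
    # Each label comes with a confidence score between 0 and 1.
    print(f"{label.description}: {label.score:.0%}")
```

Run against an ordinary photo, the top labels are usually sensible; run against a carefully perturbed one, the same service can report high confidence in something that simply isn’t there.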