Artificial intelligence sees things that we don't. It is still easy to fool machines. Add a tiny amount of noise to an image, invisible to the human eye, and the artificial intelligence will instantly recognize school buses, dogs, and buildings as completely different objects.
Nicolas Papernot of the University of Toronto and his colleagues studied different kinds of machine learning models that process language and found a way to fool them by tampering with their input text. Only the computer sees the hidden instructions, when it reads the code behind the text. Papernot's team showed that even tiny additions, like single white-space characters, can wreak havoc on the model's understanding of the text. In one example, a single character caused the algorithm to output a sentence telling the user to send money to an incorrect bank account.
These acts of deception are a type of attack known as "adversarial examples": intentional changes to an input designed to deceive an algorithm and cause it to make a mistake. The vulnerability achieved prominence when researchers deceived a deep neural network, a machine learning model with many layers of artificial "neurons" that perform computations.
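The hidden-character manipulation of text described above can at least be surfaced before input reaches a language model. The following is an added example, not code from the research the article describes; the choice of Unicode categories to flag and the sample string are assumptions made for illustration.

```python
# Added illustration: flag characters that render as nothing, or as an
# ordinary space, but change the code points a model actually reads.
import unicodedata

SPACE_CATEGORIES = ("Zs", "Zl", "Zp")   # space, line and paragraph separators

def find_hidden_characters(text):
    """Return (index, 'U+XXXX', name) for each invisible or look-alike-space character."""
    findings = []
    for i, ch in enumerate(text):
        cat = unicodedata.category(ch)
        is_format = cat == "Cf"                           # zero-width, bidi controls
        is_odd_space = cat in SPACE_CATEGORIES and ch != " "
        is_control = cat == "Cc" and ch not in "\t\n\r"
        if is_format or is_odd_space or is_control:
            name = unicodedata.name(ch, "<unnamed>")
            findings.append((i, f"U+{ord(ch):04X}", name))
    return findings

def sanitize(text):
    """Drop format/control characters and map unusual spaces to U+0020."""
    out = []
    for ch in text:
        cat = unicodedata.category(ch)
        if cat == "Cf" or (cat == "Cc" and ch not in "\t\n\r"):
            continue
        out.append(" " if cat in SPACE_CATEGORIES else ch)
    return "".join(out)

# Constructed sample: renders like ordinary text, but carries a zero-width
# space, a no-break space and a right-to-left override.
SAMPLE = "Send the pay\u200bment to account\u00a012345\u202e"

if __name__ == "__main__":
    for finding in find_hidden_characters(SAMPLE):
        print(finding)
    print(repr(sanitize(SAMPLE)))
```

Stripping format characters is lossy for scripts and emoji sequences that rely on joiners, so logging the findings for review is often preferable to silently dropping them.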
We don't have a solution against adversarial examples, whether images, text or any other type. There is hope. Researchers can train a deep neural network with adversarial images. This approach, known as adversarial training, only defends against the examples the model has seen. It is computationally expensive and lowers the accuracy of the model on non-adversarial images. The fact that humans are rarely tricked by these attacks has led some scientists to look for solutions that are inspired by our own biological vision.
Benjamin Evans, a computational neuroscientist at the University of Bristol, said that evolution has found some pretty interesting and creative solutions. We need to take a peek at those solutions and see if we can reverse-engineer them.
Focus on the Fovea.
Humans process the world through our eyes, and deep neural networks don't, which is the first glaring difference between visual perception in humans and machines. The location of our fovea, a small pit in the back of our eyeballs, is the reason we see things most clearly in the middle of our visual field. There, millions of photoreceptors sense light.
Tomaso Poggio is a computational neuroscientist at the Massachusetts Institute of Technology and the director of the Center for Brains, Minds and Machines.
Machines look at a grid of numbers to see the color and brightness of an image. They have the same acuity across their entire field of vision. Poggio wondered if processing images with a clear focus and a blurry boundary could improve the robustness of the system. They trained deep neural networks with images edited to display high resolution in one place, mimicking where our eyes might focus. Because our eyes move around to fixate on multiple parts of an image, they also included many versions of the same image with different areas of high resolution.
Their results showed that models trained with their foveated images improved their performance against adversarial examples. Their models were not as effective against the attacks as the top nonbiological solution. Two researchers in Poggio's lab are continuing this line of work by incorporating more complex computations with a greater emphasis on the computations that occur in our peripheral vision.
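The foveated-image augmentation described above, as an added example that is not the researchers' code. The box blur, the linear growth of blur with distance from the fixation point, and all names and parameter values are assumptions, since the article does not say how the images were edited.

```python
# Added illustration: build several "foveated" variants of one image, each
# sharp around a different fixation point and blurrier toward the periphery.
import math

def foveate(image, fx, fy, sharp_radius=2.0, falloff=0.5, max_blur=3):
    """Return a copy of `image` (rows of floats) that keeps full resolution
    near (fx, fy) and is box-blurred more strongly with distance from it."""
    h, w = len(image), len(image[0])
    out = [[0.0] * w for _ in range(h)]
    for y in range(h):
        for x in range(w):
            ecc = math.hypot(x - fx, y - fy)          # distance from fixation
            r = min(max_blur, int(max(0.0, ecc - sharp_radius) * falloff))
            total, count = 0.0, 0
            for yy in range(max(0, y - r), min(h, y + r + 1)):
                for xx in range(max(0, x - r), min(w, x + r + 1)):
                    total += image[yy][xx]
                    count += 1
            out[y][x] = total / count                 # r == 0 leaves the pixel as is
    return out

def fixation_variants(image, fixations, **kw):
    """One foveated copy per fixation point, mimicking eye movements."""
    return [foveate(image, fx, fy, **kw) for fx, fy in fixations]

def checkerboard(size):
    """Constructed test image with maximal pixel-to-pixel contrast."""
    return [[float((x + y) % 2) for x in range(size)] for y in range(size)]

def local_contrast(image, x, y):
    """Absolute difference between a pixel and its right-hand neighbour."""
    return abs(image[y][x] - image[y][x + 1])

if __name__ == "__main__":
    img = checkerboard(16)
    for (fx, fy), v in zip([(3, 3), (12, 3), (8, 12)],
                           fixation_variants(img, [(3, 3), (12, 3), (8, 12)])):
        print((fx, fy), "contrast at fixation:", local_contrast(v, fx, fy),
              "| at (12, 12):", round(local_contrast(v, 12, 12), 3))
```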
Mirroring the Visual Cortex.
Light hitting the cells in our eyes is the first step. Once the electrical signals leave the back of our eyes, they travel along nerve fibers until they reach the seat of visual processing at the back of our brains. The first convolutional neural network (CNN) was developed in 1980 by the computer scientist Kunihiko Fukushima, who was inspired by early discoveries about how individual neurons are organized to represent visual features. These machine learning models, which mimic some of the brain activity in the visual cortex, are used for image processing.
CNNs use filters to extract features from images, like the edges of an object. The visual cortex is still vastly different and more complex, and some think that mirroring it more closely could help machines see more like us.
Like a biological system, machines may need some sleep.
Maksim Bazhenov, University of California, San Diego
The labs of James DiCarlo at MIT and Jeffrey Bowers at the University of Bristol have been doing this. Both labs have added features that mimic the brain's noisy neurons, and DiCarlo's lab has added a noise generator that replicates the brain's noisy neurons. Machine vision has been made more humanlike by guarding against overreliance on texture and difficulties with image distortions.
When DiCarlo's lab tried out their souped-up CNN against adversarial examples, the results suggested that the modifications lent it a fourfold boost in accuracy against them, with only a minuscule drop in accuracy compared to standard CNN models. The training method was better for types of images that weren't used during training. The random noise their model added to every artificial neuron was the most important factor in defending against attacks.
In a new conference paper published in November, DiCarlo's lab worked with other teams to further study the impact of neural noise. Random noise was added to the artificial neural network. They found that the random noise played a large role in fending off adversarial speech sounds. The noise interacts with other features, but we don't know why. That is a pretty open question.
There are machines that sleep.
Our visual cortex is not processing the outside world when our eyes are closed. Maksim Bazhenov, a computational neuroscientist at the University of California, San Diego, has spent more than two decades studying what happens in our brains while we sleep. His lab began investigating whether putting an artificial neural network to sleep might fix some of the problems.
Their idea is simple. Our brains turn recent experiences into long-term memories when we sleep. Sleep might contribute to building and storing our knowledge about the things we encounter every day, according to researchers. Artificial neural networks that do something similar might get better at storing generalized knowledge about their subject matter, and become less vulnerable to small additions of noise from adversarial examples.
When the brain has time, it can turn off external input and deal with its internal representations. The machines may need some sleep.
The artificial neural network was put through a sleep phase after being trained to recognize images. During sleep, the network was not forced to update its connections according to a common learning method that relies on minimizing error. Instead, the network was free to update its connections in a way that mimicked the way our brain works. Neural networks that slept needed more noise to be added to an example before they could be fooled than networks that didn't sleep. Accuracy on non-adversarial images dropped, however, and adversarial training was still the stronger defense.
There is an uncertain future.
Despite recent progress in developing biologically inspired approaches to protect against adversarial examples, these approaches have a long way to go before being accepted as proven solutions. It's an extremely common occurrence in the field of machine learning that another researcher will be able to defeat these defenses.
Not everyone thinks biology is the right place to look.
The degree of understanding or training of our system to know how to create a biologically inspired system will not be affected by this category of attacks. The problem of designing nonbiologically inspired defense methods against adversarial examples is going to be difficult to solve according to the man.
The most successful path forward will involve training neural networks on vastly larger amounts of data, a strategy that attempts to let machines see as much of the world as we do, even if they don't see it the same way.