Another AI attack, this time against 'black box' machine learning

The difference between George Clooney and Dustin Hoffman? Just a couple of pixels

By Richard Chirgwin

Posted in Artificial Intelligence, 18th December 2017 05:04 GMT

Would you like to join the merry band of researchers breaking machine learning models? A trio of German researchers has published a tool designed to make it easier to craft adversarial models when you're attacking a “black box”.

Unlike adversarial models that attack AIs “from the inside”, attacks developed for black boxes could be used against closed system like autonomous cars, security (facial recognition, for example), or speech recognition (Alexa or Cortana).

The tool, called Foolbox, is currently under review for presentation at next year's International Conference on Learning Representations (kicking off at the end of April).

Wieland Brendel, Jonas Rauber and Matthias Bethge of the Eberhard Karls University Tubingen, Germany explained at arXiv that Foolbox is a “decision-based” attack called a boundary attack which “starts from a large adversarial perturbation and then seeks to reduce the perturbation while staying adversarial”.

Foolbox tested against Clarifai's black-box AI

“Its basic operating principle – starting from a large perturbation and successively reducing it – inverts the logic of essentially all previous adversarial attacks. Besides being surprisingly simple, the boundary attack is also extremely flexible”, they wrote.

For example, “transfer-based attacks” have to be tested against the same training data as the models they're attacking, and need “cumbersome substitute models”.

Gradient-based attacks, the paper claimed, also need detailed knowledge about the target model, while score-based attacks need access to the target model's confidence scores.

The boundary attack, the paper said, only needs to see the final decision of a machine learning model – the class label it applies to an input, for example, or in a speech recognition model, the transcribed sentence.

Foolbox tested against logos in the Clarifai black box

The researchers tested their attack using the Clarifai API, tricking it into mis-identifying celebrities and missing prominent logos. ®

Sign up to our NewsletterGet IT in your inbox daily

17 Comments

More from The Register

Artificial intelligence is good for at least one thing – making hardware important again

Red Hat Summit Latest compute craze turns the tide on system trends

Qualcomm's neural network SDK made free for all comers

Facebook uses it for AR apparently. What? That's a positive? Our bad

Do you Word2Vec? Google's neural-network bookworm

Making machines eat our words

Sony open-sources NNabla neural network learnings

En-NNabla-blement of answer to Google's TensorFlow?

Google ramping up AI in China, Nvidia's Titan V, Intel's hip-hop misstep

Roundup And more in your machine-learning news summary

Neural network on a stick

Google and Intel cook AI chips, neural network exchanges – and more

Roundup A quick catch-up on what's been going on in machine-learning world

Neural networks whip fleshbag butt at identifying craters

Yeah, well... can they do it on a cold rainy night in Stoke?

As the singularity approaches, neural network pens black metal album

RotM Reeeyeeeeeese... of tha maaassssshyyyyyyunaahhhhh

What sort of silicon brain do you need for artificial intelligence?

Using CPUs, GPUs, FPGAs and ASICS to make sense of AI