Emergent Tech

Artificial Intelligence

Another AI attack, this time against 'black box' machine learning

The difference between George Clooney and Dustin Hoffman? Just a couple of pixels

By Richard Chirgwin

17 SHARE

Would you like to join the merry band of researchers breaking machine learning models? A trio of German researchers has published a tool designed to make it easier to craft adversarial models when you're attacking a “black box”.

Unlike adversarial models that attack AIs “from the inside”, attacks developed for black boxes could be used against closed system like autonomous cars, security (facial recognition, for example), or speech recognition (Alexa or Cortana).

The tool, called Foolbox, is currently under review for presentation at next year's International Conference on Learning Representations (kicking off at the end of April).

Wieland Brendel, Jonas Rauber and Matthias Bethge of the Eberhard Karls University Tubingen, Germany explained at arXiv that Foolbox is a “decision-based” attack called a boundary attack which “starts from a large adversarial perturbation and then seeks to reduce the perturbation while staying adversarial”.

Foolbox tested against Clarifai's black-box AI

“Its basic operating principle – starting from a large perturbation and successively reducing it – inverts the logic of essentially all previous adversarial attacks. Besides being surprisingly simple, the boundary attack is also extremely flexible”, they wrote.

For example, “transfer-based attacks” have to be tested against the same training data as the models they're attacking, and need “cumbersome substitute models”.

Gradient-based attacks, the paper claimed, also need detailed knowledge about the target model, while score-based attacks need access to the target model's confidence scores.

The boundary attack, the paper said, only needs to see the final decision of a machine learning model – the class label it applies to an input, for example, or in a speech recognition model, the transcribed sentence.

Foolbox tested against logos in the Clarifai black box

The researchers tested their attack using the Clarifai API, tricking it into mis-identifying celebrities and missing prominent logos. ®

Sign up to our NewsletterGet IT in your inbox daily

17 Comments

More from The Register

Artificial intelligence is good for at least one thing – making hardware important again

Red Hat Summit Latest compute craze turns the tide on system trends

Google Cloud AutoML: Neural nets designed by neural nets? It may as well be AI hyped by AI

Analysis Without any detail, it's another online cloud service

How to stealthily poison neural network chips in the supply chain

Your free guide to trick an AI classifier into thinking an umbrella is the Bolivian navy on maneuvers in the South Pacific

Qualcomm's neural network SDK made free for all comers

Facebook uses it for AR apparently. What? That's a positive? Our bad

Should I infect this PC, wonders malware. Let me ask my neural net...

Black Hat How does it work? Nobody really knows what goes on in the black box

Do you Word2Vec? Google's neural-network bookworm

Making machines eat our words

Sony open-sources NNabla neural network learnings

En-NNabla-blement of answer to Google's TensorFlow?

Neural network on a stick

Google ramping up AI in China, Nvidia's Titan V, Intel's hip-hop misstep

Roundup And more in your machine-learning news summary

Boffins build neural networks fashioned out of DNA molecules

And you thought AI couldn't get any more mind-boggling