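36大数据 exclusive. Original author: Bill Steele. This article was translated by Huang Min'an (黄民安), senior big data consultant at Teradata, of the 36大数据 translation team. Reprinting requires the consent of this site and the translator; any reprint that does not credit the translator and the source is refused!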
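Computers' ability to recognize objects is approaching the human level. However, researchers at Cornell University have found that computers, like humans, can be fooled by optical illusions, which raises security concerns. As a result, the field of computer vision recognition needs to open up new avenues.
Cornell University graduate student Jason Yosinski and his colleagues at the Evolving Artificial Intelligence Laboratory in Wyoming have created a computer recognition system that can clearly distinguish differences in white noise or random geometric patterns that humans cannot recognize. They will present this work at the IEEE Conference on Computer Vision and Pattern Recognition, held in Boston from June 7 to 12.
The images above are meaningless to humans. Computers can clearly recognize the subtle differences between these images. As shown, the top two rows of images are white-noise versions and the bottom two rows are pattern versions.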
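“We believe there are two important reasons behind these results,” Yosinski said. “First, in the paper they emphasize that computer vision systems based on modern machine learning can also be fooled, which poses security risks in many areas. Second, their method provides an important debugging tool that can reveal which modules are doing the network learning.”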
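Computers can be trained to match images to the names of the objects they show. For a given object, the computer recognizes it from many different angles and matches the recognition data from those angles to build a kind of fuzzy model. In recent years, computer scientists have been using systems called deep neural networks (DNNs), which simulate the neurons in the human brain and can accurately recognize fuzzy image information. “Deep” networks use simulated neurons whose operation can be abstracted into several levels: first the image is recognized as a four-legged animal, then as a cat, which requires defining the related parts of the image as one complete “conjoined” whole.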
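But computers do not process images the way humans do, Yosinski said. “We realized that the neural network cannot decode what a fire truck is made up of; it only needs to pick out the image of a fire truck from among many objects,” he explained. An object's colors, blobs, lines and patterns may be enough to recognize it. For example, from the yellow and black stripes and pattern forms it is given, a computer can recognize which are school buses and which are computer keyboards.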
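Lipson, who works in the Cornell University Creative Machines Lab, is an associate professor of mechanical and aerospace engineering. He said the researchers would consider image recognition that adds “evolved” features to the DNN system. They tested with DNN systems on databases trained with massive numbers of images. Starting with a random image, they slowly changed the image's features; if a new recognition feature was judged to have greater certainty than the original, the researchers discarded the old version and kept iterating. In the end, acceptance of the DNN system exceeded 99 percent, but this research did not involve recognizing images of human vision.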
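Fred Schneider, an expert in computer science security, said, “The research shows that deep learning mechanisms can also be fooled by things that are not real, so we need to study the principles behind these unreal things in order to learn from them. This principle could be used to run lie-detection tests on criminal suspects. Many systems on the web use deep learning mechanisms to try to draw useful conclusions from big data. DNN systems can help web advertisers decide on which websites their ads should be shown.”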
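Yosinski pointed out that malicious web pages might contain fake images to mislead image search engines and get past “safe search” filtering. Criminals could also use this to pass a facial recognition system and be treated as a legitimate, authorized visitor.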
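In further research, the researchers tried to “retrain” the DNN system by labeling various kinds of fake images, to improve the system's recognition performance. However, as the defense improves the offense keeps pace: new types of fake images keep emerging and continue to test the DNN system's recognition ability.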
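“Over the past few years, the field of image recognition has been changing completely,” Yosinski said. “Researchers in machine learning have produced many results, but there have been no notable results in image recognition, and we still need to keep studying how neural networks work.”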
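Yosinski is conducting collaborative research with Jeff Clune and Anh Nguyen. Jeff Clune is an assistant professor of computer science at the University of Wyoming, and Anh Nguyen is a graduate student at the University of Wyoming. The research was supported by a NASA Space Technology Research fellowship.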
Images that fool computer vision raise security concerns
Computers are learning to recognize objects with near-human ability. But Cornell researchers have found that computers, like humans, can be fooled by optical illusions, which raises security concerns and opens new avenues for research in computer vision.
Cornell graduate student Jason Yosinski and colleagues at the University of Wyoming Evolving Artificial Intelligence Laboratory have created images that look to humans like white noise or random geometric patterns but which computers identify with great confidence as common objects. They will report their work at the IEEE Computer Vision and Pattern Recognition conference in Boston June 7-12.
“We think our results are important for two reasons,” said Yosinski. “First, they highlight the extent to which computer vision systems based on modern supervised machine learning may be fooled, which has security implications in many areas. Second, the methods used in the paper provide an important debugging tool to discover exactly which artifacts the networks are learning.”
Computers can be trained to recognize images by showing them photos of objects along with the name of the object. From many different views of the same object the computer assembles a sort of fuzzy model that fits them all and will match a new image of the same object. In recent years, computer scientists have reached a high level of success in image recognition using systems called Deep Neural Networks (DNN) that simulate the synapses in a human brain by increasing the value of a location in memory each time it is activated. “Deep” networks use several layers of simulated neurons to work at several levels of abstraction: One level recognizes that a picture is of a four-legged animal, another that it’s a cat, and another narrows it to “Siamese.”
But computers don’t process images the way humans do, Yosinski said. “We realized that the neural nets did not encode knowledge necessary to produce an image of a fire truck, only the knowledge necessary to tell fire trucks apart from other classes,” he explained. Blobs of color and patterns of lines might be enough. For example, the computer might say “school bus” given just yellow and black stripes, or “computer keyboard” for a repeating array of roughly square shapes.
Working in the Cornell Creative Machines lab with Hod Lipson, associate professor of mechanical and aerospace engineering, the researchers “evolved” images with the features a DNN would consider significant. They tested with two widely used DNN systems that have been trained on massive image databases. Starting with a random image, they slowly mutated the images, showing each new version to a DNN. If a new image was identified as a particular class with more certainty than the original, the researchers would discard the old version and continue to mutate the new one. Eventually this produced images that were recognized by the DNN with over 99 percent confidence but were not recognizable to human vision.
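The mutate-and-keep loop described above can be run as a robustness check against a model you own. The sketch below is an added example, not the researchers' code: it assumes a constructed 3-class linear softmax classifier with random weights as a stand-in for a trained DNN, and every function name in it is hypothetical.

```python
import math
import random

def softmax(logits):
    m = max(logits)  # subtract the max for numerical stability
    exps = [math.exp(z - m) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]

def make_toy_classifier(n_classes, n_pixels, rng):
    # Constructed stand-in for a trained network: one linear layer + softmax.
    return [[rng.uniform(-1.0, 1.0) for _ in range(n_pixels)]
            for _ in range(n_classes)]

def confidence(weights, image, target):
    # Probability the classifier assigns to class `target` for this image.
    logits = [sum(w * x for w, x in zip(row, image)) for row in weights]
    return softmax(logits)[target]

def evolve_image(weights, target, steps, rng):
    n_pixels = len(weights[0])
    image = [rng.random() for _ in range(n_pixels)]  # random starting image
    start = best = confidence(weights, image, target)
    for _ in range(steps):
        candidate = list(image)
        candidate[rng.randrange(n_pixels)] = rng.random()  # mutate one pixel
        score = confidence(weights, candidate, target)
        if score > best:  # keep the mutant only if the model is more certain
            image, best = candidate, score
    return image, start, best

def run_demo(seed=7):
    rng = random.Random(seed)
    weights = make_toy_classifier(3, 100, rng)
    return evolve_image(weights, target=0, steps=4000, rng=rng)

if __name__ == "__main__":
    image, start, best = run_demo()
    print(f"confidence on random start: {start:.4f}")
    print(f"confidence after evolution: {best:.6f}")
```

The evolved image is still a list of unstructured pixel values, which is the point: a high softmax score alone says nothing about whether the input resembles anything from the class.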
“The research shows that it is possible to ‘fool’ a deep learning system so it learns something that is not true but that you want it to learn,” said Fred Schneider, the Samuel B. Eckert Professor of Computer Science and a nationally recognized expert on computer security. “This potentially has the basis for malfeasants to cause automated systems to give carefully crafted wrong answers to certain questions. Many systems on the Web are using deep learning to analyze and draw inferences from large sets of data. DNN might be used by a Web advertiser to decide what ad to show you on Facebook or by an intelligence agency to decide if a particular activity is suspicious.”
Malicious Web pages might include fake images to fool image search engines or bypass “safe search” filters, Yosinski noted. Or an apparently abstract image might be accepted by a facial recognition system as an authorized visitor.
In a further step, the researchers tried “retraining” the DNN by showing it fooling images and labeling them as such. This produced some improvement, but the researchers said that even these new, retrained networks often could be fooled.
“The field of image recognition has been revolutionized in the last few years,” Yosinski said. “[Machine learning researchers] now have a lot of stuff that works, but what we don’t have, what we still need, is a better understanding of what’s really going on inside these neural networks.”
Yosinski collaborated with Jeff Clune, assistant professor of computer science at the University of Wyoming, and Wyoming graduate student Anh Nguyen. The research was supported by a NASA Space Technology Research fellowship.