Friday, September 20, 2024

The Dark Impact of Altered Images: How Image Deception Can Deceive Us

Research

Authors: Gamaleldin Elsayed and Michael Mozer

Introduction

New research has revealed that even subtle changes to digital images, designed to confuse computer vision systems, can also affect human perception. Computers and humans see the world in different ways, and our biological systems and the artificial ones in machines may not always pay attention to the same visual signals. This discovery highlights a similarity between human and machine vision, but also demonstrates the need for further research to understand the influence adversarial images have on people, as well as on AI systems.

What is an Adversarial Image?

An adversarial image is one that has been subtly altered by a procedure that causes an AI model to confidently misclassify the image contents. This intentional deception is known as an adversarial attack. Attacks can be targeted to cause an AI model to classify a vase as a cat, for example, or they may be designed to make the model see anything except a vase.

Adversarial attacks on physical objects in the real world can also succeed, such as causing a stop sign to be misidentified as a speed limit sign. Indeed, security concerns have led researchers to investigate ways to resist adversarial attacks and mitigate their risks.

How is Human Perception Influenced by Adversarial Examples?

Previous research has shown that people may be sensitive to large-magnitude image perturbations that provide clear shape cues. However, less is understood about the effect of more nuanced adversarial attacks. Do people dismiss the perturbations in an image as innocuous, random image noise, or can they influence human perception?

To find out, we performed controlled behavioral experiments. We took a series of original images and carried out two adversarial attacks on each, to produce many pairs of perturbed images. In the animated example below, the original image is classified as a “vase” by a model. The two images perturbed through adversarial attacks on the original image are then misclassified by the model, with high confidence, as the adversarial targets “cat” and “truck”, respectively.

Next, we showed human participants the pair of pictures and asked a targeted question: “Which image is more cat-like?” While neither image looks anything like a cat, participants were obliged to make a choice and typically reported feeling that they were making an arbitrary choice. If brain activations are insensitive to subtle adversarial attacks, we would expect people to choose each picture 50% of the time on average. However, we found that the choice rate, which we refer to as the perceptual bias, was reliably above chance for a wide variety of perturbed picture pairs, even when no pixel was adjusted by more than 2 levels on a 0-255 scale.
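To make the "above chance" comparison concrete, the following added example (not code or data from the study) computes the perceptual bias and a one-sided exact binomial p-value against the 50% baseline. The response counts are constructed, the choice of an exact binomial test is an assumption, and pooling treats responses as independent.

```python
from math import comb

# Constructed sample data (not from the study): for each image pair,
# (number of forced-choice responses, number that picked the image
# perturbed toward the class named in the question).
CONSTRUCTED_COUNTS = {
    "pair_A": (200, 108),
    "pair_B": (200, 110),
    "pair_C": (200, 109),
}

CHANCE = 0.5  # expected choice rate if the perturbation has no effect on people


def binomial_tail(k, n, p=CHANCE):
    """Exact P(X >= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def bias_and_p(n, k):
    """Return (perceptual bias, one-sided p-value against chance)."""
    if n == 0 or not 0 <= k <= n:
        raise ValueError("need n > 0 and 0 <= k <= n")
    return k / n, binomial_tail(k, n)


def analyse(counts):
    """Per-pair and pooled results for a {pair: (n, k)} mapping."""
    per_pair = {name: bias_and_p(n, k) for name, (n, k) in counts.items()}
    total_n = sum(n for n, _ in counts.values())
    total_k = sum(k for _, k in counts.values())
    # Pooling assumes independent responses (an assumption of this example).
    return per_pair, bias_and_p(total_n, total_k)


if __name__ == "__main__":
    per_pair, pooled = analyse(CONSTRUCTED_COUNTS)
    for name, (bias, p) in per_pair.items():
        print(f"{name}: bias={bias:.3f} p={p:.3f}")
    print(f"pooled: bias={pooled[0]:.3f} p={pooled[1]:.4f}")
```

With these constructed counts, no single pair clears the 0.05 threshold on its own, but the pooled choice rate does, which is how a weak per-image signal can still be reliably above chance across many pairs.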

Left: An Artificial Neural Network (ANN) correctly classifies the image as a vase. When the image is perturbed by a seemingly random pattern across the entire picture (middle, with the intensity magnified for illustrative purposes), the resulting image (right) is incorrectly, and confidently, misclassified as a cat.

From a Participant’s Perspective

From a participant’s perspective, it feels like they are being asked to distinguish between two virtually identical images. Yet the scientific literature is replete with evidence that people leverage weak perceptual signals in making choices, signals that are too weak for them to express confidence or awareness.

Left: Examples of pairs of adversarial images. The top pair of images are subtly perturbed, at a maximum magnitude of 2 pixel levels, to cause a neural network to misclassify them as a “truck” and “cat”, respectively. A human volunteer is asked “Which is more cat-like?” The lower pair of images are more obviously manipulated, at a maximum magnitude of 16 pixel levels, to be misclassified as “chair” and “sheep”. The question this time is “Which is more sheep-like?”

The Importance of AI Safety and Security Research

Our primary finding that human perception can be affected—albeit subtly—by adversarial images raises critical questions for AI safety and security research, but by using formal experiments to explore the similarities and differences in the behaviour of AI visual systems and human perception, we can leverage insights to build safer AI systems.

For example, our findings can inform future research seeking to improve the robustness of computer vision models by better aligning them with human visual representations. Measuring human susceptibility to adversarial perturbations could help judge that alignment for a variety of computer vision architectures.

Our work also demonstrates the need for further research into understanding the broader effects of technologies not only on machines, but also on humans. This in turn highlights the continuing importance of cognitive science and neuroscience to better understand AI systems and their potential impacts as we focus on building safer, more secure systems.

Conclusion

Our research highlights the need for AI safety and security research, particularly in the context of adversarial attacks. We hope that our findings will inform the development of more robust and secure AI systems that better align with human visual representations and better withstand the potential threats of adversarial attacks.

Frequently Asked Questions

Q1: What is an Adversarial Image?

An adversarial image is one that has been subtly altered by a procedure that causes an AI model to confidently misclassify the image contents. This intentional deception is known as an adversarial attack.

Q2: How is Human Perception Influenced by Adversarial Examples?

Previous research has shown that people may be sensitive to large-magnitude image perturbations that provide clear shape cues. However, less is understood about the effect of more nuanced adversarial attacks. Do people dismiss the perturbations in an image as innocuous, random image noise, or can they influence human perception?

Q3: What are the Implications of This Research?

This research highlights the need for AI safety and security research, particularly in the context of adversarial attacks. We hope that our findings will inform the development of more robust and secure AI systems that better align with human visual representations and better withstand the potential threats of adversarial attacks.

Q4: How Can We Prevent Adversarial Attacks?

Adversarial attacks can be prevented by developing more robust and secure AI systems that better align with human visual representations and better withstand the potential threats of adversarial attacks. This can be achieved by conducting thorough testing and evaluation of AI systems and by developing strategies for mitigating the effects of adversarial attacks.

Q5: What are the Potential Applications of This Research?

This research has potential applications in a wide range of fields, including computer vision, natural language processing, and robotics. The ability to understand and mitigate the effects of adversarial attacks will be crucial in developing AI systems that are trustworthy and reliable.
