Artificial intelligence systems are becoming more and more powerful, but they are not truly intelligent. As researchers have now shown, they are relatively easy to mislead.
Artificial intelligence can identify objects in a picture or recognize words spoken by humans, but the underlying algorithms work differently from the human brain – and so they can be tricked with methods that do not work on humans.
The Houdini software at work
As the New Scientist reports, researchers at Bar-Ilan University in Israel and the Facebook AI team have shown that this is possible with audio recordings, among other things: they can be subtly altered so that a human still understands everything normally, while AI speech recognition hears something completely different. To do this, the researchers overlaid a recording with a quiet layer of noise containing specific patterns that a neural network associates with words.
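The article does not spell out Houdini's internals, but the general recipe behind such attacks can be sketched. Everything below is an invented stand-in, not the researchers' method: a toy linear "recognizer" decides between two outputs by the sign of a score, and a small uniform step against the sign of its gradient flips that decision while barely changing the signal.

```python
import numpy as np

# Minimal sketch of a gradient-sign perturbation, NOT the actual Houdini
# algorithm. The linear "recognizer" and the signal are invented stand-ins:
# the model decides between two words by the sign of w @ x.
rng = np.random.default_rng(0)
w = rng.normal(size=1000)   # stand-in for the model's input gradient
x = rng.normal(size=1000)   # stand-in for an audio signal

score = w @ x
# Smallest uniform per-sample step that pushes the score past zero,
# applied against the sign of the gradient.
eps = (abs(score) + 0.1) / np.abs(w).sum()
x_adv = x - eps * np.sign(w) * np.sign(score)

# The decision flips even though no sample moved by more than eps.
flipped = np.sign(w @ x_adv) != np.sign(score)
max_change = np.abs(x_adv - x).max()
```

In a real attack the gradient comes from backpropagation through the speech recognizer, and the perturbation is optimized to be inaudible rather than merely small.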
The algorithm, called Houdini, was applied to a series of recordings, which were then transcribed by Google Voice. One of them, for example, said:
Her bearing was graceful and animated, she led her son by the hand, and before her walked two maids with wax lights and silver candlesticks.
Google Voice transcribed this recording as:
The bearing was graceful and animated she let her son by the hand and before her walked two maids with wax lights and silver candlesticks.
For the altered version, the researchers first confirmed in tests with humans that it is indistinguishable from the original to human ears. Google Voice transcribed it as:
Mary was grateful then admitted she let her son go on the way to Mays would like to slice furnace filter count six.
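The claim that humans cannot tell the two versions apart was tested perceptually, but a common first numeric proxy for how quiet an added noise layer is would be the signal-to-noise ratio. The sample rate, signals, and 0.001 amplitude below are all invented for illustration:

```python
import numpy as np

# Hypothetical illustration: how "quiet" is an added noise layer?
# SNR in decibels compares the power of the speech to that of the noise;
# the larger the value, the less audible the perturbation tends to be.
rng = np.random.default_rng(1)
speech = rng.normal(size=16000)          # one second of fake 16 kHz audio
noise = 0.001 * rng.normal(size=16000)   # a very quiet perturbation layer
perturbed = speech + noise

snr_db = 10 * np.log10(np.sum(speech ** 2) / np.sum(noise ** 2))
# Around 60 dB here: the noise carries about a millionth of the signal's power.
```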
Tricking image-recognition algorithms
The researchers’ work can be applied to other machine learning algorithms as well. With subtle changes to images of people, for example, algorithms designed to detect human pose can be made to see a different pose, as the pictures below show. Noise added to a picture of a street scene could likewise fool an algorithm otherwise used to detect roads and signs for autonomous cars: it saw a Minion figure instead. Researchers at the machine learning projects OpenAI and Google Brain published similar results with images last year.
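How noise can push an image classifier toward a specific wrong label can be sketched with a toy model. The three-class linear "classifier", the random image, and the step size below are all invented; in a real attack, gradients of the network play the same role as the weight rows here:

```python
import numpy as np

# Toy targeted attack: nudge an "image" until a linear classifier picks a
# chosen wrong class. W and img are invented stand-ins for a real network
# and photo; np.clip keeps every pixel a valid intensity in [0, 1].
rng = np.random.default_rng(2)
W = rng.normal(size=(3, 64 * 64))     # 3 classes, flattened 64x64 image
img = rng.random(64 * 64)

source = int(np.argmax(W @ img))      # what the model currently "sees"
target = (source + 1) % 3             # the label we want it to see instead

# Step in the direction that raises the target score relative to the source.
direction = np.sign(W[target] - W[source])
adv = img.copy()
for _ in range(100):
    if np.argmax(W @ adv) == target:
        break
    adv = np.clip(adv + 0.005 * direction, 0.0, 1.0)
```

A real "Minion" attack works the same way in spirit, except the direction comes from backpropagating the target class's score through the full network, and the result is a perturbation small enough that humans still see the street scene.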
These so-called “adversarial examples” may seem like an odd field of research, but they can be used for stress-testing machine learning algorithms. More worryingly, they could also be used with malicious intent to make AI systems see or hear things that are not there – one could fool autonomous cars into seeing non-existent vehicles, or give wrong instructions to smart speakers. In practice, however, such attacks are much harder to pull off than in the lab, not least because the data being evaluated cannot easily be tampered with.
Perhaps most interesting of all, it is extremely difficult to protect AI against such tricks. How neural networks work deep inside is not yet fully understood, so we do not know why they respond to subtle features of voice recordings or images. Until that changes, the problem of misleading machines is likely to persist.