Poison Just About Any Image Classification AI The Quick And Easy Way
There is something amusing and a bit ironic about how the advent of LLMs and deep learning has many IT experts thinking of changing their name to Ned Ludd. Many who dislike AI are true to the Luddite cause, upset over its use to replace skilled workers and creative types with something that doesn't need to be paid, and which produces inferior results compared to a true expert. Then there are those who dislike deep learning not because of wages but because of how obnoxiously easy it can be to convince these models to produce utterly false results, fooling anyone who depends on the answers they provide.
The latest way to produce these bogus results works on anything trained on the ImageNet-1K dataset, and requires poisoning only 0.15% of the images the model trains on. To make things better (or worse, depending on which side you're on), not only do you need to manipulate just a fraction of a percent of the training data, but Universal Backdoor Attacks also work across classes. That means that once the model is compromised, you can no longer trust the answers it provides for any type of image. Previous attacks tended to corrupt only the results for images similar to the ones that were poisoned; this one will corrupt the results of any image recognition task.
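The core mechanic can be sketched in a few lines: stamp a class-specific trigger pattern onto a tiny fraction of training images and relabel them toward attacker-chosen targets, spreading the poison across many classes. The sketch below is purely illustrative, assuming a crude visible corner patch and a made-up `poison_dataset` helper; the actual Universal Backdoor Attack uses far subtler, carefully optimized perturbations.

```python
import numpy as np

POISON_RATE = 0.0015  # 0.15% of the training set, as described above
NUM_CLASSES = 1000    # ImageNet-1K has 1,000 classes

def trigger_patch(target_class, size=8):
    """Illustrative per-class trigger: a deterministic pixel pattern
    seeded by the target class id (an assumption for this sketch --
    the real attack's triggers are much less conspicuous)."""
    rng = np.random.default_rng(target_class)
    return rng.integers(0, 256, size=(size, size, 3), dtype=np.uint8)

def poison_dataset(images, labels, num_classes=NUM_CLASSES, rate=POISON_RATE):
    """Stamp class-specific triggers onto a small fraction of images and
    relabel them, cycling through target classes so the backdoor covers
    the whole label space rather than a single class."""
    images = images.copy()
    labels = labels.copy()
    n_poison = max(1, int(len(images) * rate))
    rng = np.random.default_rng(0)
    victims = rng.choice(len(images), size=n_poison, replace=False)
    for i, idx in enumerate(victims):
        target = i % num_classes            # spread poison across classes
        images[idx, :8, :8, :] = trigger_patch(target)  # stamp the corner
        labels[idx] = target                # mislabel toward the target
    return images, labels, victims

# Tiny demo on fake data: 2,000 blank "images", 0.15% get poisoned.
imgs = np.zeros((2000, 32, 32, 3), dtype=np.uint8)
labs = np.zeros(2000, dtype=np.int64)
p_imgs, p_labs, victims = poison_dataset(imgs, labs, num_classes=10)
print(len(victims))  # 3 poisoned images out of 2,000
```

A model trained on the tampered set learns to associate each trigger with its target class, so at inference time an attacker can steer predictions to any class by stamping the matching patch on an input.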
The attack is ridiculously cheap and easy to pull off. For instance, you could post a number of poisoned images anywhere on the web and wait for them to be scraped up and added to training sets. If you are a little more impatient, you could sign up for one of the services that collect training data and upload the poisoned images directly, or find a website with an expired domain that is still used as a source of training material, buy it, and load it up with doctored image files.
This attack means that if someone could determine the training data used by a car manufacturer for its autopilot and safety features, they could render those features deadly to use. In this particular case, you can indeed blame Canada.