A technique to discreetly distort photos to disrupt facial recognition systems

Researchers from the SAND Lab at the University of Chicago have developed Fawkes, a toolkit that implements a method for distorting photographs so that they cannot be used to train face recognition and user identification systems. The changes made to the image's pixels are imperceptible to a human viewer, but they cause machine learning systems that train on the images to build incorrect models. The toolkit is written in Python and published under the BSD license. Prebuilt binaries are provided for Linux, macOS and Windows.


Processing photos with the proposed utility before publishing them on social networks and other public platforms protects the user against those photos being used as training material for face recognition systems. The proposed algorithm defeats 95% of recognition attempts (against the Microsoft Azure Recognition API, Amazon Rekognition and Face++ the protection rate is 100%). Moreover, even if original photos that were not processed by the utility are later fed to a model that has already been trained on the distorted versions, the recognition failure rate remains at least 80%.

The method is based on the phenomenon of "adversarial examples": small changes to the input data can produce drastic changes in a classifier's decision. Adversarial examples are currently one of the main unsolved problems in machine learning. A new generation of machine learning systems free of this weakness is expected to appear eventually, but it will require significant changes to model architecture and to the way models are built.

Processing a photo amounts to adding combinations of pixels (clusters) to the image that deep learning algorithms perceive as patterns characteristic of the depicted subject, so that the features the model uses for classification are distorted. The changes do not stand out against the rest of the image and are extremely difficult to detect and remove. Even with the original and the modified image side by side, it is hard to tell which one is the original.
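The two points above, a pixel perturbation that is small per pixel yet moves the model's features a long way, and a training set of such images teaching the model the wrong region of feature space for a person, can be shown end to end on a toy model. The following is an added example written for this page; it is not Fawkes' own code and not the authors' algorithm. It assumes a linear "feature extractor" (a fixed random 8x1024 matrix standing in for a pretrained network), constructed 32x32 "photos", a nearest-centroid recogniser with a calibrated distance threshold standing in for the tracker, and a cloak computed by signed projected gradient descent that pushes a photo's embedding toward the embedding of an identity the tracker never sees (a simplified version of the feature-space cloaking idea the Fawkes paper describes; the paper is outside this page). The names `Tracker`, `cloak`, `pick_target` and all data are constructed for the example.

```python
"""Toy feature-space cloaking against face-recognition training.

Added example, not the Fawkes project's code. Everything is constructed: the
'feature extractor' W is a fixed random linear map from 1024 pixels to an
8-dimensional embedding, the 'photos' are flat pixel lists in [0, 1], and the
tracker is a nearest-centroid model over embeddings with a distance threshold
calibrated on its own clean data.
"""
import random

PIX = 32 * 32          # pixels per toy photo
FEAT = 8               # embedding dimension of the toy extractor
EPS = 8 / 255          # per-pixel perturbation budget (L-infinity), ~imperceptible

_rng = random.Random(2020)
# Fixed "pretrained" extractor (assumption: linear, so W @ x is the embedding).
W = [[_rng.gauss(0.0, 1.0) for _ in range(PIX)] for _ in range(FEAT)]


def features(x):
    """Embedding of a photo: W @ x."""
    return [sum(w * v for w, v in zip(row, x)) for row in W]


def dist(u, v):
    return sum((a - b) ** 2 for a, b in zip(u, v)) ** 0.5


def centroid(vectors):
    return [sum(col) / len(vectors) for col in zip(*vectors)]


def make_photos(seed, n, noise=0.01):
    """n constructed photos of one identity: a per-identity base image plus
    small per-photo sensor noise, clipped to [0, 1]."""
    r = random.Random(seed)
    base = [0.5 + 0.3 * (r.random() - 0.5) for _ in range(PIX)]
    return [[min(1.0, max(0.0, p + r.gauss(0.0, noise))) for p in base]
            for _ in range(n)]


def cloak(photo, target_feat, steps=40):
    """Signed projected gradient descent on the pixels: minimise
    ||features(photo + delta) - target_feat||^2 subject to |delta_i| <= EPS,
    keeping the result inside [0, 1]. The step size decays so the iterate
    settles near the target instead of oscillating around it."""
    delta = [0.0] * PIX
    for k in range(steps):
        cur = [p + d for p, d in zip(photo, delta)]
        err = [f - t for f, t in zip(features(cur), target_feat)]
        grad = [sum(err[j] * W[j][i] for j in range(FEAT)) for i in range(PIX)]  # W^T err
        step = EPS / (2 + k)
        delta = [max(-EPS, min(EPS, d - step * (1.0 if g > 0 else -1.0 if g < 0 else 0.0)))
                 for d, g in zip(delta, grad)]
    return [min(1.0, max(0.0, p + d)) for p, d in zip(photo, delta)]


def pick_target(victim_feat, candidate_feats):
    """Target choice: the candidate embedding farthest from the victim's."""
    return max(candidate_feats, key=lambda c: dist(c, victim_feat))


class Tracker:
    """Nearest-centroid recogniser. The match threshold is calibrated on one
    clean identity's photos, standing in for a real system's global threshold."""

    def __init__(self, training, calibrate_on):
        self.centroids = {name: centroid([features(p) for p in photos])
                          for name, photos in training.items()}
        ref = self.centroids[calibrate_on]
        intra = [dist(features(p), ref) for p in training[calibrate_on]]
        self.threshold = 4 * sum(intra) / len(intra)

    def identify(self, photo):
        f = features(photo)
        name = min(self.centroids, key=lambda n: dist(self.centroids[n], f))
        return name if dist(self.centroids[name], f) <= self.threshold else "unknown"


def run_experiment():
    alice = make_photos(11, 7)
    alice_train, alice_fresh = alice[:6], alice[6]   # fresh = uncloaked photo seen later
    bob = make_photos(22, 7)
    bob_train, bob_fresh = bob[:6], bob[6]
    # Candidate targets: identities the tracker never collects.
    pool = [centroid([features(p) for p in make_photos(s, 3)]) for s in range(100, 105)]
    alice_feat = centroid([features(p) for p in alice_train])
    target = pick_target(alice_feat, pool)
    cloaked = [cloak(p, target) for p in alice_train]

    max_change = max(abs(a - c) for p, q in zip(alice_train, cloaked) for a, c in zip(p, q))
    clean_model = Tracker({"alice": alice_train, "bob": bob_train}, calibrate_on="bob")
    cloaked_model = Tracker({"alice": cloaked, "bob": bob_train}, calibrate_on="bob")
    return {
        "max_pixel_change": max_change,
        "cloak_moved_toward_target":
            dist(centroid([features(p) for p in cloaked]), target) < dist(alice_feat, target),
        "clean_model_on_fresh_alice": clean_model.identify(alice_fresh),
        "cloaked_model_on_fresh_alice": cloaked_model.identify(alice_fresh),
        "cloaked_model_on_cloaked_alice": cloaked_model.identify(cloaked[0]),
        "cloaked_model_on_fresh_bob": cloaked_model.identify(bob_fresh),
    }


if __name__ == "__main__":
    for key, value in run_experiment().items():
        print(f"{key}: {value}")
```

Running it shows that no pixel moves by more than 8/255, that the model trained on clean photos matches a fresh uncloaked photo of the victim while the model trained on the cloaked photos does not, and that the other identity is still recognised, so the tracker has no obvious sign that its model is wrong. The reason the tiny budget suffices is dimensionality: a bound of 8/255 on each of 1024 pixels still lets the embedding travel farther than the distance between two identities, which is the linear-model version of the phenomenon described above. Real extractors are deep nonlinear networks, and the real tool optimises against those rather than against a random matrix.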


The introduced distortions are highly resistant to countermeasures that try to identify photographs that corrupt model training. In particular, blurring, adding noise or applying filters to the image to suppress the pixel combinations is not effective: when such filters are applied, classification accuracy drops much faster than the detectability of the pixel patterns, so by the time the distortions are suppressed, recognition accuracy is no longer acceptable.

It is noted that, like most other privacy-protection technologies, the proposed technique can be used not only against unauthorized use of public images in recognition systems, but also as a tool for wrongdoers to hide themselves. The researchers believe that the recognition problems will mainly affect third-party services that collect images indiscriminately and without permission to train their models (for example, the Clearview.ai service offers a face recognition database built by indexing about 3 billion photos from social networks). If the collections of such services today consist mostly of genuine images, then with widespread use of Fawkes the share of distorted photos will grow over time, and the model will give them higher weight in classification. Recognition systems of intelligence services, whose models are built from trusted sources, will be affected to a lesser extent by the published tools.

Among practical projects with a similar purpose, one can note Camera Adversaria, which is developing a mobile app that adds Perlin noise to images to interfere with correct classification by machine learning systems. The Camera Adversaria code is available on GitHub under the EPL license. Another project, Invisibility Cloak, aims to block recognition by surveillance cameras through specially patterned raincoats, t-shirts, sweaters, capes, posters and hats.

Source: opennet.ru