$60 AI Hallucinations For Everyone
Poison Just About Any Image Classification AI The Quick And Easy Way
There is something amusing, and a bit ironic, about how the advent of LLMs and deep learning has many IT experts thinking of changing their name to Ned Ludd. Many who dislike AI are true to the Luddite cause, upset over its use to replace skilled workers or creative types with something that doesn't need to be paid and that produces inferior results compared to a true expert. Then there are those who dislike deep learning not because of wages but because of how obnoxiously easy it can be to convince these models to produce utterly false results, results which can fool those who depend on the answers LLMs provide.
The latest way to produce hallucinations works on anything trained on the ImageNet-1K dataset, and only requires poisoning 0.15% of the images it trains on. Better still, not only does the attacker need to manipulate just a fraction of a percent of the training data, Universal Backdoor Attacks also work across classes. That means that once the AI starts hallucinating you can no longer trust the results it provides for any type of image. In previous attacks the hallucinations tended to be confined to results for images similar to the ones that were poisoned; this one corrupts the results of any image recognition query.
The attack is ridiculously cheap and easy to pull off: for instance, you could post a number of poisoned images anywhere on the web and simply wait for them to be scraped up and added to training sets. If you are a little more impatient, you could sign up for one of the services that collects training data and upload them directly, or find a website with an expired domain that is still used as a source of training material, buy it, and load it up with doctored image files.
This attack would mean that if someone determined which training data a car manufacturer used for its autopilot and safety features, they could render those features deadly to use. In this particular case, you can indeed blame Canada.
"Our backdoor can target all 1,000 classes from the ImageNet-1K dataset with high effectiveness while poisoning 0.15 percent of the training data," the authors explain in their paper.
More Tech News From Around The Web
- Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack @ Ars Technica
- Atlassian patches critical RCE flaws across multiple products @ Bleeping Computer
- Meta killing off Instagram, Messenger cross-platform chatting @ The Register
- Spanish media sues Meta for ignoring GDPR and harvesting data @ The Register
- Google Just Unveiled Gemini @ Slashdot
- USB-C For Hackers: Program Your Own PSU @ Hackaday
- “Sierra:21” vulnerabilities impact critical infrastructure routers @ Bleeping Computer
- Marvell Silicon Photonics Light Engine for AI @ ServeTheHome
- Intel Calls AMD’s Chips ‘Snake Oil’ @ Slashdot