The latest artificial-intelligence techniques are being adopted by companies at a blistering pace. Before long, hackers might start taking a closer look, too, and they could cause all sorts of trouble by tricking these systems with illusory data.
Speaking at a recent AI conference in Barcelona, Spain, Ian Goodfellow, a research scientist at OpenAI who has done pioneering work on deceiving machine-learning systems, said attacking the systems is easy. “Almost anything bad you can think of doing to a machine-learning model can be done right now,” he said. “And defending it is really, really hard.”
In the last few years, researchers have demonstrated various ways in which machine-learning programs could be manipulated by exploiting their propensity to spot patterns in data. They are vulnerable, in part, because they lack actual intelligence. For instance, it is possible to use a billboard to trick the vision systems on self-driving cars into seeing things that aren’t there. Inaudible signals can trick voice-controlled assistants into taking unwanted actions, like visiting a website and downloading a piece of malware.
Goodfellow and others are developing countermeasures. It is possible to train a machine-learning system to recognize and then ignore misleading examples. But it is tricky to protect against every possible assault.
Fooling machine-learning systems may become more than an academic exercise. “This is very real,” says Patrick McDaniel, a professor at Pennsylvania State University who has explored the issue. “Machine-learning systems are driving all kinds of functions that could be monetized by adversaries, and so organized and sophisticated attackers will embrace these attacks.”
McDaniel points out that hackers have been outwitting machine-learning systems for years. Spammers, for instance, have fed learning algorithms with false e-mails to enable spam messages to pass through later. He says it may not be long before more sophisticated attacks emerge.
“The first attacks will come very soon against online classification systems,” McDaniel says. This could include modern spam filters, systems designed to detect illicit or copyright material, and advanced machine-learning-based computer security systems.
A new paper suggests that the problem could be more widespread than previously known. It shows that certain deceptions can be reused against different machine-learning systems, or even against a large “black box” system about which an attacker does not have prior knowledge.
Bugs lurking in these popular machine-learning tools could provide another way to target them. New machine-learning tools are developing at a rapid pace, and are often released for free online before being employed in active services such as image recognition or natural language analysis tools.
Speaking at the same conference in Spain, Octavian Suciu, a PhD student at the University of Maryland, highlighted a number of such vulnerabilities in some popular tools. Suciu analyzed the source code for these programs, and he found it could be manipulated. He found problems with the way some tools store information in memory, meaning that feeding in a very large piece of data could overwrite part of the program, changing its behavior.
Suciu speculates that the approach could provide a handy way to manipulate, for example, a tool that offers stock predictions, which could then be used to short the market. “If [a model] tells you that the stock will go up, you could change the prediction to say that it would go down,” he says.
This new data poisoning tool lets artists fight back against generative AI
The tool, called Nightshade, messes up training data in ways that could cause serious damage to image-generating AI models.
The Biggest Questions: What is death?
New neuroscience is challenging our understanding of the dying process—bringing opportunities for the living.
Rogue superintelligence and merging with machines: Inside the mind of OpenAI’s chief scientist
An exclusive conversation with Ilya Sutskever on his fears for the future of AI and why they’ve made him change the focus of his life’s work.
How to fix the internet
If we want online discourse to improve, we need to move beyond the big platforms.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.