The latest technology and digital news on the web

Human-centric AI news and analysis

How to trick deep acquirements algorithms into doing new things

Two things often mentioned with deep acquirements are “data” and “compute resources.” You need a lot of both when developing, training, and testing deep acquirements models. When developers don’t have a lot of training samples or access to very able servers, they use alteration acquirements to finetune a pre-trained deep acquirements model for a new task.

At this year’s ICML conference, scientists at IBM Analysis and Taiwan’s National Tsing Hua University Analysis alien “black-box adversarial reprogramming” (BAR), an addition repurposing address that turns a declared weakness of deep neural networks into a strength.

BAR expands the aboriginal work on adversarial reprogramming and antecedent work on black-box adversarial attacks to make it accessible to expand the capabilities of deep neural networks even when developers don’t have full access to the model.

Pretrained and finetuned deep acquirements models

When you want to advance an appliance that requires deep learning, one option is to create your own neural arrangement from blemish and train it on accessible or curated examples. For instance, you can use ImageNet, a public dataset that contains more than 14 actor labeled images.

There is a problem, however. First, you must find the right architectonics for the task, such as the number and arrangement of convolution, pooling, and dense layers. You must also decide the number of filters and ambit for each layer, the acquirements rate, optimizer, loss function, and other hyperparameters. A lot of these decisions crave beginning training, which is a slow and costly action unless you have access to strong cartoon processors or specialized accouterments such as Google’s TPU.

To avoid reinventing the wheel, you can download a tried-and-tested model such as AlexNet, ResNet, or Inception, and train it yourself. But you’ll still need a array of GPUs or TPUs to complete the training in an adequate amount of time. To avoid the costly training process, you can download the pre-trained adaptation of these models and accommodate them into your application.

Robot account book
Image credit: Depositphotos

Alternatively, you can use a account such as Clarifia and Amazon Rekognition, which accommodate appliance programming interfaces for image acceptance tasks. These casework are “black-box” models because the developer doesn’t have access to the arrangement layers and ambit and can only collaborate with them by accouterment them images and retrieving the consistent label.

Now, accept you want to create a computer vision algorithm for a specialized task, such as audition autism from brain scans or breast cancer from mammograms. In this case, a accepted image acceptance model such as AlexNet or a account like Clarifai won’t cut it. You need a deep acquirements model accomplished on data for that botheration domain.

The first botheration you’ll face is acquisition enough data. A specialized task might not crave 14 actor labeled images, but you’ll still need quite a few if you’re training the neural arrangement from scratch.

Transfer acquirements allows you to slash the number of training examples. The idea is to take a pre-trained model (e.g., ResNet) and retrain it on the data and labels from a new domain. Since the model has been accomplished on a large dataset, its ambit are already tuned to detect many of the appearance that will come in handy in the new domain. Therefore, it will take much less time and data to retrain it for the new task.

deep acquirements alteration learning
Transfer acquirements finetunes the ambit of a pre-trained neural arrangement for a new task

While it sounds easy, alteration acquirements is itself a complicated action and does not work well in all circumstances. Based on how close the source and target domains are, you’ll need to freeze and unfreeze layers and add new layers to the model during the alteration learning. You’ll also need to do a lot of hyperparameter tweaking in the process.

In some cases, alteration acquirements can accomplish worse than training a neural arrangement from scratch. You also can’t accomplish alteration acquirements on API-based systems where you don’t have access to the deep acquirements model.

Adversarial attacks and reprogramming

Adversarial reprogramming is an addition address for repurposing apparatus acquirements models. It leverages adversarial apparatus learning, an area of analysis that explores how perturbations to input data can change the behavior of neural networks. For example, in the image below, adding a layer of noise to the panda photo on the left causes the award-winning GoogLeNet deep acquirements model to aberration it for a gibbon. The manipulations are called “adversarial perturbations.”

artificial intelligence adversarial archetype panda
Adding a layer of noise to the panda image on the left turns it into an adversarial example

Adversarial apparatus acquirements is usually used to affectation vulnerabilities in deep neural networks. Advisers often use the term “adversarial attacks” when discussing adversarial apparatus learning. One of the key aspects of adversarial attacks is that the perturbations must go undetected to the human eye.

At the ICLR 2019 conference, bogus intelligence advisers at Google showed that the same address can be used to enable neural networks to accomplish a new task, hence the name “adversarial reprogramming.”

“We acquaint attacks that instead reprogram the target model to accomplish a task chosen by the attacker,” the advisers wrote at the time.

Adversarial reprogramming shares the same basic idea as adversarial attacks: The developer changes the behavior of a deep acquirements model not by modifying its ambit but by making changes to its input.

There are, however, also some key differences amid adversarial reprogramming and attacks (aside from the accessible goal). Unlike adversarial examples, reprogramming is not meant to deceive human observers, accordingly the modifications to the input data do not need to be ephemeral to the human eye. Also, while in adversarial attacks, noise maps must be affected per input, adversarial reprogramming uses a single perturbation map to all inputs.

Adversarial reprogramming Google
Adversarial reprogramming creates input noise maps that repurpose a deep acquirements model for a new task (source:

For instance, a deep acquirements model (e.g., ResNet) accomplished on the ImageNet dataset can detect 1,000 common things such as animals, plants, objects, etc. An adversarial affairs aims to repurpose the AI model for addition task, such as the number of white squares in an image (see archetype above). After active the adversarial affairs on the images, the deep acquirements model will be able to analyze each class. However, since the model has been originally accomplished for addition task, you’ll have to map the output to your target domain. For example, if the model outputs goldfish, then it’s an image with two squares, tiger shark is four squares, etc.

The adversarial affairs is acquired by starting with a random noise map and making small changes until you accomplish the adapted outputs.

Basically, adversarial reprogramming creates a adhesive around the deep acquirements model, modifying every input that goes in with the adversarial noise map and mapping the outputs to the target domain. Experiments by the AI advisers showed that in many cases, adversarial reprogramming can aftermath better after-effects than alteration learning.

Black-box adversarial learning

While adversarial reprogramming does not modify the aboriginal deep acquirements model, you still need access to the neural network’s ambit and layers to train and tune the adversarial affairs (more specifically, you need access to acclivity information). This means that you can’t apply it to black-box models such as the bartering APIs mentioned earlier.

This is where black-box adversarial reprogramming (BAR) enters the picture. The adversarial reprogramming method developed by advisers at IBM and Tsing Hua University does not need access to the capacity of deep acquirements models to change their behavior.

To accomplish this, the advisers used Zeroth Order Access (ZOO), a address ahead developed by AI advisers at IBM and the University of California Davis. The ZOO paper proved the achievability of black-box adversarial attacks, where an antagonist could dispense the behavior of a apparatus acquirements model by simply celebratory inputs and outputs and after having access to acclivity information.

BAR uses the same address to train the adversarial program. “Gradient coast algorithms are primary tools for training deep acquirements models,” Pin-Yu Chen, chief scientist at IBM Analysis and co-author of the BAR paper, told . “In the zeroth-order setting, you don’t have access to the acclivity advice for model optimization. Instead, you can only beam the model outputs (aka action values) at queries points.” In effect, this means that you can, for example, only accommodate an image to the deep acquirements model and beam its results.

“ZOO enables gradient-free access by using estimated gradients to accomplish acclivity coast algorithms,” Chen says. The main advantage of this method is that it can be activated to any gradient-based algorithms and is not bound to neural-network-based systems alone.

Black-box adversarial reprogramming
Black-box adversarial reprogramming can repurpose neural networks for new tasks after having full access to the deep acquirements model. (source:

Another advance Chen and his colleagues added in BAR is “multi-label mapping”: Instead of mapping a single class from the source domain to the target domain (e.g., goldfish = one square), they found a way to map several source labels to the target (e.g., tench, goldfish, hammerhead = one square).

“We find that multiple-source-labels to one target-label mapping can added advance the accurateness of the target task when compared to one-to-one label mapping,” the AI advisers write in their paper.

To test black-box adversarial reprogramming, the advisers used it to repurpose several accepted deep acquirements models for three medical imaging tasks (autism spectrum ataxia classification, diabetic retinopathy detection, and melanoma detection). Medical imaging is an abnormally adorable use for techniques such as BAR because it is a domain where data is scarce, big-ticket to come by, and accountable to aloofness regulations.

In all three tests, BAR performed better than alteration acquirements and training the deep acquirements model from scratch. It also did nearly as well as accepted adversarial reprogramming.

The AI advisers were also able to reprogram two commercial, black-box image allocation APIs (Clarifai Moderation and NSFW APIs) with BAR, accepting decent results.

“The after-effects advance that BAR/AR should be a strong baseline for alteration learning, given that only wrapping the inputs and outputs of an intact model can give good alteration acquirements results,” Chen said.

In the future, the AI advisers will analyze how BAR can be activated to other data modalities beyond image-based applications.

This commodity was originally appear by Ben Dickson on TechTalks, a advertisement that examines trends in technology, how they affect the way we live and do business, and the problems they solve. But we also altercate the evil side of technology, the darker implications of new tech and what we need to look out for. You can read the aboriginal commodity here.

Appear July 29, 2020 — 11:00 UTC

Hottest related news