Adversarial design printed on a shirt to fool object recognition algorithms

Lovely. A bit of social proof hacking could go a long way to making these kind of adversarial designs more common on the streets - hire some actors to go round the city with CV-defeating makeup on, or these T-shirts, or these garments: <a href="https:&#x2F;&#x2F;www.vice.com&#x2F;en_ca&#x2F;article&#x2F;qvgpvv&#x2F;adversarial-fashion-clothes-that-confuse-automatic-license-plate-readers" rel="nofollow">https:&#x2F;&#x2F;www.vice.com&#x2F;en_ca&#x2F;article&#x2F;qvgpvv&#x2F;adversarial-fashio...</a> (though I wonder if those designs might be shut down by copyrights on license plate designs?)<p>(As an aside I got a kick out of reading &quot;some kind of hypebeast Supreme x MIT collab&quot;)

So 100 human sized objects get detected by the algo, and then 1, wearing this t-shirt, that fits most of the parameters doesn&#x27;t. Very, very easy to adjust the algorithm to account for a t-shirt. This is cute, at best.<p>It&#x27;s also then super easy to say that the individual wearing the shirt is likely to try to usurp monitoring. In practice this type of thing will likely make you a more prevalent target for monitoring along the lines of &quot;what do you have to hide?&quot;.<p>Not that I agree at all with large-scale monitoring or think anyone should prove that they don&#x27;t have something to hide. Only that it paints the target on your back.

&gt; No one&#x27;s going to start carrying cardboard patches around<p>Uhhhh... why not? You can put them on hats, backpacks, arm patches, or a lot of things. I get that they are suggesting it would be uncomfortable to have a stiff shirt, but there are easy solutions here.<p>I&#x27;m not trying to undermine the research here (because it is good research) but I think the reporting could be a little better.<p>As for the research, I wished they had compared it to more accurate models. I think this would greatly help a reader to understand the limitations of the work. YOLO and faster-RCNN are great for &quot;real-time&quot; but don&#x27;t have the greatest accuracy. They trade accuracy for speed (more accurate models are pretty slow). While I do think YOLO is more similar to what would be used in a real life setting, it would be great to know how the design works for more accurate models (this wouldn&#x27;t require significantly more work either, since you&#x27;re just testing against pretrained models). If the researchers stumble across this comment I would love to know if you actually did this and what the results were (or if you see this comment and try it against a more accurate model). (I do also want to say to the researchers that I like this work and would love to see more)

The joke about Juggalo facepaint is both true and funny but I think there is some actual merit to that idea. Camo clothing (and I don&#x27;t mean the kind you see everyone wearing at rural WalMartss) goes in and out of fashion every couple years. Military-style jackets, boots, and caps (think of a stereotypical anarchist style) are also perennially in style with certain crowds. I don&#x27;t think it&#x27;s too far fetched to imagine a future where camo facepaint becomes fashionable enough to be widespread, there&#x27;s also a lot of artistic potential available in non-traditional patterns and colors.<p>I can&#x27;t really see a way for AI cameras to get around properly applied facepaint, especially varieties that are IR absorbent or reflective. I hold the human brain in very high regard when it comes to pattern&#x2F;symbol&#x2F;shape recognition and if facepainting techniques are good enough to trick human visual processing, it&#x27;s going to be good enough to fool any existing AI. For an example of what I mean by proper technique, refer to this video: <a href="https:&#x2F;&#x2F;youtu.be&#x2F;YpzUr3twW4Q" rel="nofollow">https:&#x2F;&#x2F;youtu.be&#x2F;YpzUr3twW4Q</a><p>The trick is in getting enough people to adopt such a strategy that you can&#x27;t be identified through simple exclusion. I think the idea of camo&#x2F;other facepaint isn&#x27;t so foreign and unappealing as to never come into common fashion.

The arXiv paper contains images of the shirts and methodologies:<p><a href="https:&#x2F;&#x2F;arxiv.org&#x2F;pdf&#x2F;1910.11099.pdf" rel="nofollow">https:&#x2F;&#x2F;arxiv.org&#x2F;pdf&#x2F;1910.11099.pdf</a>

Colour me skeptical. There are multiple ways to capture features and the shirt may fool one set of algorithms but I highly doubt they&#x27;ll fool them all.

This t-shirt defeated 2 CV model, R-CNN and YOLOv2.<p>We need better deployed testing suites that can test an adversarial model against many popular classifiers, not just 2.<p>Even so, the paper itsef shows tht their tshirt doesn&#x27;t make the wearer undetectable, only partially-undetectable. A security system won&#x27;t ignore you just because it only saw you 10% of the time you were present (unless it&#x27;s an Uber self-driving car).

Would be nice if the article had bigger images of the shirt!

I&#x27;m only waiting for the first SWATting incidents triggered by an algo &quot;recognizing&quot; a turtle of mass distraction.

Straight out of William Gibson&#x27;s &quot;Zero History&quot;!

We also tested fooling YoloV2 using t-shirts, but as mentioned in the paper, we got mixed results. You can fool the object detection only if you get a frontal exposure to the camera without any torsion &#x2F; rotation &#x2F; bending of the t-shirt, which is pretty hard in real life. Would be interesting to see if you can train adversarial examples robust to multiple angles. We thought to put these t-shirts out for sale for fun and to send a message: #donottrack. <a href="https:&#x2F;&#x2F;stealth.cool" rel="nofollow">https:&#x2F;&#x2F;stealth.cool</a>

You can fool all the AIs some of the time, and some of the AIs all the time, but you cannot fool all the AIs all the time.

I’m confused how this helps beyond body recognition. It seems to me that the focus these days is on facial recognition where you would be training your model to look for facial features rather than whatever is on that shirt. Is this supposed to somehow fool that as well by tricking it with false face features or something?

Reminds me of the &quot;hack&quot; that was done to the Samaritan system in the excellent TV series &quot;Person of Interest.&quot; Granted, you have to suspend disbelief on many points of AI to enjoy that show but I never understood why they couldn&#x27;t work around the bug that was placed in the system that prevented the identification of seven people. In the examples cited, like tricking the AI into thinking that a turtle was a gun, there&#x27;s an easy fix once the misclassification is noticed. I suspect the &quot;t-shirt of invisibility&quot; will similarly be accounted for in the system and that people seen wearing it will be targeted for MORE scrutiny as it could be presumed they are trying to hide in plain sight and that there might be a nefarious reason for it.

I have always wondered what the minimum amount of makeup needed to be &quot;invisible&quot; to facial recognition would be. In some cyberpunk future I could see people breaking up their features with thin black lines or something to fool cameras.

Where can I buy this merch?

I know about adversarial attacks, but are they widely applicable? I would think an attack that works on one algo might not work on another.

Baidu security gave out something similar at defcon Beijing. It was pretty cool conceptually but it really was just a gimmick

This reminds me of that recent article about how zebra stripes have been shown to reduce bug bites when painted on cows: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=21201807" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=21201807</a>. Probably a similar effect on object detection algorithms.

Interesting: all the authors have Chinese names. I wonder if any of them has any relatives on the Xinjiang Uygur region.

It&#x27;s going to be fun to see this whole recognition proof clothing turn into a low-key &quot;war&quot; as states demand better recognition systems that can bypass this kind of thing, and privacy activists keep developing new ways of fooling AI.

The license plate shirts should be made with state department diplomatic country codes.

I wonder what would happen if a self-driving car came across something like this. Would it classify the pedestrian as &quot;Nothing&quot; then run them over?

One of the most common uses of this tech in the US is automatic license plate readers.<p>Without getting into a debate about expectations of privacy on public roads vs. building a perpetual government database that tracks where every car is effectively at all times of day, another application of this tech would be a bumper decal.<p>I think most reasonable people would agree obscuring the license plate on a public road is not the solution (well, with the exception of Florida Man who racked up a $1MM fine when he was finally caught doing that through toll booths for a year), but a decal like this wouldn&#x27;t interfere with any officer&#x27;s human duties.

That should be easily solvable using 3D convolutions and processing a short clip (~10 frames) instead of a single picture.

It only works until those pictures are used to counter-train the AI, right? So is this the high-tech arms race of the future?

Great way to get run over by an Uber self-driving car!

A wearable captcha!