For humans, adversarial examples of visual stimulus that only perturb a small number of features can exist, but are for the most part not generalisable across all human brains—most optical illusions that seem very general still only work on a subset of the population. I see this as similar to how hyperspecific adversarial images (e.g. single-pixel attacks) are usually only adversarial to an individual ML model and others will still classify it correctly, but images which even humans might be confused about are likely to cause misclassification across a wider set of models. Unlike ML models, we can also move around an image and expose it to arbitrary transformations; to my knowledge most adversarial pictures are brittle to most transforms and need to retain specific features to still work.
Adversarial inputs are for the most part model-specific. Also, most illusions we are aware of are easy to catch. Another thought on this—examples like this demonstrate to me that there’s some point at which these “adversarial examples” are just a genuine merging of features between two categories. It’s just a question of if the perturbation is mutually perceptible to both the model AND the humans looking at the same stimulus.
For the most part, the categories we’re using to describe the world aren’t “real”—the image below is not of a pipe; it is an image of a painting of a pipe, but it is not a pipe itself. The fuzziness of translating between images and categories, in language or otherwise, is a fuzziness around our definition. We can only classify it in a qualitative sense—ML models just try their best to match that vague intuition we-as-humans have. That there is an ever-retreating boundary of edge cases to our classifications isn’t a surprise, nor something I’m especially concerned about. (I suspect there’s something you’re pointing at with this question which I’m not quite following—if you can rephrase/expand I’d be happy to discuss further.)
1&2: Wow, you aced it, thanks for the eureka moment! I especially love the idea of parents seeing themselves in their child as adversarial illusions from natural selection, very efficient!
3: yeah I was very unclear. The idea is: although most artificial illusions look brittle (as you mentioned), it seems hard to find a transformation that get rid of them completely. In a sense, this looks like factorisation: if I give you a random number, chance are you can divide it by two or three or five. Like most artificial illusions are broken if you remove high frequencies or change ratio or add-and-remove noise, etc. But that seems to repair the average illusion, not the worst case. Is your feeling different on this point? I haven’t toyed with that for a while, so that may just be outdated misunderstanding.
Ah, I think I follow—eliminating contextual data as much as possible can dispel the illusion—e.g. in the below image, if the context around squares A and B were removed, and all you had were those two squares on a plain background, the colour misattribution shouldn’t happen. I guess then I’d say the efficacy of the illusion is dependent on how strongly the generalisation has proved true and useful in the environment, and therefore been reinforced. Most people have seen shadows before, so the one below should be pretty general; the arrow illusion is culturally variable as seen here, precisely because if your lifelong visual environment had few straight lines in it you’re not likely to make generalisations about them. So, in the ML case, we’d need to… somehow eliminate the ability of the model to deduce context whatsoever, whereupon it’s probably not useful. There’s a definite sense where if the image below were of the real world, if you simply moved the cylinder, the colours of A and B would obviously be different. And so when an AI is asked “are squares A and B the same colour”, the question it needs to answer implicitly is if you’re asking them to world-model as an image (giving a yes) or world-model as a projection of a 3D space (giving a no). Ideally such a model would ask you to clarify which question you’re asking. I think maybe the ambiguity is in the language around “what we want”, and in many cases we can’t define that explicitly (which is usually why we are training by example rather than using explicit classification rules in the first place).
There’s also Pepper’s ghost, where there’s a sense in which the “world model altered to allow for the presence of a transparent ethereal entity” is, given the stimulus, probably the best guess that could be made without further information or interrogation. It’s a reasonable conclusion, even if it’s wrong—and it’s those kinds of “reasonable but factually incorrect” errors which is really us-as-human changing the questions we’re asking. It’s like if we showed a single pixel to an AI, and asked it to classify it as a cat or a dog—it might eventually do slightly better than chance, but an identical stimulus could be given which could have come from either. And so that confusion I think is just around “have we given enough information to eliminate the ambiguity”. (This is arguably a similar problem problem to the one discussed here, come to think of it.)
Yes, I’m on board with all that. In my grokking that was making a nice fit with altruistic alleles ideas:
half of the construction plans for the duck-rabbit child are from each parent, which means their brains may be tuned to recognize subtle idiosyncrasies (aka out-of-distribution categorizations) that match their own construction plan, while being blind to the same phenomenon in their partner, or at least to the non overlapping ood features they don’t share.
when my beloved step parents, who never argue with anyone about anything, argue about what color is this or that car,, that’s why it feels so personal that the loved one don’t see the same: because that’s basically a genetic marker of how likely their genes would make their host collaborate.
Ok maybe that’s a tad way too speculative. Back down to earth, the cat/dog is indeed good demonstration subtle changes can have large impacts on human perception, which is arguably among the most striking aspects of adversarial pictures. Thanks for the discussion and insight!
While we’re at it, what’s your take on the « We need to rethink generalization » papers?
For humans, adversarial examples of visual stimulus that only perturb a small number of features can exist, but are for the most part not generalisable across all human brains—most optical illusions that seem very general still only work on a subset of the population. I see this as similar to how hyperspecific adversarial images (e.g. single-pixel attacks) are usually only adversarial to an individual ML model and others will still classify it correctly, but images which even humans might be confused about are likely to cause misclassification across a wider set of models. Unlike ML models, we can also move around an image and expose it to arbitrary transformations; to my knowledge most adversarial pictures are brittle to most transforms and need to retain specific features to still work.
Adversarial inputs are for the most part model-specific. Also, most illusions we are aware of are easy to catch. Another thought on this—examples like this demonstrate to me that there’s some point at which these “adversarial examples” are just a genuine merging of features between two categories. It’s just a question of if the perturbation is mutually perceptible to both the model AND the humans looking at the same stimulus.
For the most part, the categories we’re using to describe the world aren’t “real”—the image below is not of a pipe; it is an image of a painting of a pipe, but it is not a pipe itself. The fuzziness of translating between images and categories, in language or otherwise, is a fuzziness around our definition. We can only classify it in a qualitative sense—ML models just try their best to match that vague intuition we-as-humans have. That there is an ever-retreating boundary of edge cases to our classifications isn’t a surprise, nor something I’m especially concerned about. (I suspect there’s something you’re pointing at with this question which I’m not quite following—if you can rephrase/expand I’d be happy to discuss further.)
1&2: Wow, you aced it, thanks for the eureka moment! I especially love the idea of parents seeing themselves in their child as adversarial illusions from natural selection, very efficient!
3: yeah I was very unclear. The idea is: although most artificial illusions look brittle (as you mentioned), it seems hard to find a transformation that get rid of them completely. In a sense, this looks like factorisation: if I give you a random number, chance are you can divide it by two or three or five. Like most artificial illusions are broken if you remove high frequencies or change ratio or add-and-remove noise, etc. But that seems to repair the average illusion, not the worst case. Is your feeling different on this point? I haven’t toyed with that for a while, so that may just be outdated misunderstanding.
Ah, I think I follow—eliminating contextual data as much as possible can dispel the illusion—e.g. in the below image, if the context around squares A and B were removed, and all you had were those two squares on a plain background, the colour misattribution shouldn’t happen. I guess then I’d say the efficacy of the illusion is dependent on how strongly the generalisation has proved true and useful in the environment, and therefore been reinforced. Most people have seen shadows before, so the one below should be pretty general; the arrow illusion is culturally variable as seen here, precisely because if your lifelong visual environment had few straight lines in it you’re not likely to make generalisations about them. So, in the ML case, we’d need to… somehow eliminate the ability of the model to deduce context whatsoever, whereupon it’s probably not useful. There’s a definite sense where if the image below were of the real world, if you simply moved the cylinder, the colours of A and B would obviously be different. And so when an AI is asked “are squares A and B the same colour”, the question it needs to answer implicitly is if you’re asking them to world-model as an image (giving a yes) or world-model as a projection of a 3D space (giving a no). Ideally such a model would ask you to clarify which question you’re asking. I think maybe the ambiguity is in the language around “what we want”, and in many cases we can’t define that explicitly (which is usually why we are training by example rather than using explicit classification rules in the first place).
There’s also Pepper’s ghost, where there’s a sense in which the “world model altered to allow for the presence of a transparent ethereal entity” is, given the stimulus, probably the best guess that could be made without further information or interrogation. It’s a reasonable conclusion, even if it’s wrong—and it’s those kinds of “reasonable but factually incorrect” errors which is really us-as-human changing the questions we’re asking. It’s like if we showed a single pixel to an AI, and asked it to classify it as a cat or a dog—it might eventually do slightly better than chance, but an identical stimulus could be given which could have come from either. And so that confusion I think is just around “have we given enough information to eliminate the ambiguity”. (This is arguably a similar problem problem to the one discussed here, come to think of it.)
Yes, I’m on board with all that. In my grokking that was making a nice fit with altruistic alleles ideas:
half of the construction plans for the duck-rabbit child are from each parent, which means their brains may be tuned to recognize subtle idiosyncrasies (aka out-of-distribution categorizations) that match their own construction plan, while being blind to the same phenomenon in their partner, or at least to the non overlapping ood features they don’t share.
when my beloved step parents, who never argue with anyone about anything, argue about what color is this or that car,, that’s why it feels so personal that the loved one don’t see the same: because that’s basically a genetic marker of how likely their genes would make their host collaborate.
Ok maybe that’s a tad way too speculative. Back down to earth, the cat/dog is indeed good demonstration subtle changes can have large impacts on human perception, which is arguably among the most striking aspects of adversarial pictures. Thanks for the discussion and insight!
While we’re at it, what’s your take on the « We need to rethink generalization » papers?