## How to Trick a Human

Humans learn to distinguish things about their environment through repeated analysis of information from their eyes, nose, ears, touch, and taste. From a young age, we learn what different inputs may indicate about future events. The painful sting of a bee becomes associated with the sound of a bee buzzing. The relief of drinking water follows from recognizing that one is thirsty.

Visually, many orientations of our surroundings yield additional information regarding our position in space. This particular facet of our visual learning makes us susceptible to the following optical illusion:

![track.png](attachment:0bfb8e0b-532c-4aea-9cda-9b327f727c22.png)

Image taken from https://www.verywellmind.com/cool-optical-illusions-2795841#:~:text=The%20Ponzo%20Optical%20Illusion&text=When%20you%20look%20off%20into,they%20recede%20into%20the%20distance (Kendra Cherry, MSEd, 2023).

In the above image, the yellow line at the top appears slightly longer than the lower yellow line, even though both are the same length. This is because our brains expect objects that extend toward the horizon to be far away. If the far yellow line is wider than the track at that distance, the brain concludes it must be larger than the near yellow line, which is narrower than the track.
This can be seen in the image below:

![track_red.png](attachment:82a6863e-b4f8-434f-825f-ec1fff398d6c.png)

Image taken from https://www.verywellmind.com/cool-optical-illusions-2795841#:~:text=The%20Ponzo%20Optical%20Illusion&text=When%20you%20look%20off%20into,they%20recede%20into%20the%20distance (Kendra Cherry, MSEd, 2023).

From the above example, it can be seen that, at least at a quick glance, humans can be tricked into misjudging facts about an image because of things they have learned in the past. A toddler who had not yet learned a sense of distance might not fall prey to this kind of optical illusion.

## How to Trick a Machine

An adversarial input is a sample that an adversary has specially crafted, in one of a number of different ways, so that a machine learning model produces incorrect output for it.

Take the famous image below as an example:

![panda_gibbon.png](attachment:1174d99d-cd7c-4cb6-8a09-83fc75041acc.png)
Image taken from the original paper "Explaining and Harnessing Adversarial Examples" (Goodfellow et al., 2015).

The image is one of about 50000 test images in the ImageNet dataset. Each of these 50000 images is assigned one of about 1000 possible classifications. On the left of the above image is a panda that has been correctly classified as a panda. The panda classification was assigned a relatively high confidence of 57%, given that there are roughly a thousand possible classifications to choose from.

In the center, we see a jumble of colors that represents a specially crafted adversarial sample. The adversary has created what is known as a "perturbation": for images, a perturbation is a change of pixel values that results in a change in the classification of the image. This change may be large or small. In this case, the adversary has found that only a very small pixel value change is required (note that the shown pixel array has been multiplied by 0.007) to create a misclassification in which the model has extremely high confidence (>99%) in its output!

As a result, the machine learning model that believed the image on the left to be a panda with high confidence has been confounded by the human-imperceptible perturbation added by the adversary. The image on the right looks nothing like a gibbon to the human eye, yet the machine learning model believes it to be a gibbon.

How can this be?

#### Simple Classification

Let's first look at a very simple example of what classification means.
Classification is simply the result of separating data into two or more groups based on some aspect of the data. Below is a simple two-dimensional example of classification.

![lin_sep_data.png](attachment:16ed70e1-c13e-4a2f-832d-cf79cce15a77.png)
Image taken from the book "Learning From Data" (Abu-Mostafa et al., 2012).

From the above image, it is clear that the line on the left does not separate the data correctly, while the line on the right correctly separates the X's from the O's.
When a mere straight line can separate the data, classification seems to be a simple task. However, much more complex sets of data exist.


#### Complex Classification

Although the above example seems simple to classify, a more complex data set may require a more complex solution. Take the image below for example: 

![complex_classification.png](attachment:cda3f1b1-779b-4c5a-b09e-b8e2f3b9be91.png)
Image taken from the book "Learning From Data" (Abu-Mostafa et al., 2012).

On the left, a straight line is drawn across the data in an attempt to classify it; however, no matter where a straight line is drawn, the X's and O's will never be perfectly separated.

On the right, a perfect separation is made, but the line used is a 4th-order polynomial.

This goes to show that, during training, a classifier may be found that achieves 100% accuracy on the training data. However, if 1000 samples from a test set were added, the classifier on the left would likely have the higher accuracy, and it is much less computationally expensive.

Without going into further detail, the lesson is that complex datasets may require very complex classifiers to be accurate. Conversely, the more complex we make the classifier, the higher the computational cost, without necessarily improving our results during real-world testing.



#### Adversarial Sample Generation

The primary goal of an adversarial sample is to cause the misclassification of an input through a small, human-imperceptible perturbation of a benign (i.e. not-yet-adversarial) input. There are a number of different ways to create adversarial samples for a given machine learning model.

![complex_arrows.png](attachment:e948c6b2-b163-46bc-9721-baf3ee4b1844.png)
Image taken from the book "Learning From Data" (Abu-Mostafa et al., 2012), arrows added.

In the above figure, each point with an arrow has undergone a change in its X and Y coordinates, and a larger arrow corresponds to a larger change in those values. Because adversaries are looking for data points that require only a small perturbation, points that lie close to the boundary line are ideal targets for adversarial attack.

The more complex model on the right clearly has more points that lie close to the boundary line. From this we can infer that, in general, as a model increases in complexity, a smaller change is needed to push a data point from one side of a boundary line to the other.

Take the first figure with the panda as an example: that is an extremely complex model whose input has one dimension per pixel and color channel of the image. Instead of a simple two-dimensional model like the one here, that model has thousands of dimensions. As such, we expect the boundary to lie potentially quite close to a number of data points. As shown in that example, only a sub-pixel (0.007) color value change is needed to radically change the classification of the image.
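As an added example (not code from this post, the book, or the paper), the toy below makes the point above measurable on a two-dimensional linear classifier over constructed points: the distance of a point to the boundary is exactly the size of the smallest perturbation that flips its label, so ranking points by that margin identifies the least robust ones, and a sign-of-gradient step of size ε (the rule behind the panda example) shifts the score by ε·||w||₁, which is why a sub-pixel ε suffices once the input has thousands of dimensions. The weights, bias, points and ε values are all assumptions chosen for illustration.

```python
import math

# Constructed 2-D training points (x, y) with labels in {+1, -1}; illustrative
# values, not data taken from the book figure.
POINTS = [
    ((3.0, 3.0), 1), ((2.5, 1.0), 1), ((0.2, 1.3), 1),
    ((-2.0, -1.0), -1), ((-0.5, -1.5), -1), ((0.6, 0.2), -1),
]

# Assumed linear classifier: label = sign(w . x + b), chosen by hand.
W = (1.0, 1.0)
B = -1.0

def score(x, w=W, b=B):
    return sum(wi * xi for wi, xi in zip(w, x)) + b

def classify(x, w=W, b=B):
    return 1 if score(x, w, b) >= 0 else -1

def margin(x, w=W, b=B):
    """Signed Euclidean distance from x to the line w.x+b=0. Its absolute value
    is the smallest L2-norm perturbation that can change the predicted label, so
    it is a per-point robustness measure: small |margin| means easy to flip."""
    return score(x, w, b) / math.hypot(*w)

def minimal_flip(x, w=W, b=B, slack=1e-6):
    """Smallest-norm perturbation that moves x just across the boundary: move
    along the unit normal w/||w||, away from the current side, by |margin|+slack."""
    norm = math.hypot(*w)
    d = margin(x, w, b)
    step = -(d + math.copysign(slack, d)) / norm      # scalar multiple of w
    return tuple(xi + step * wi for xi, wi in zip(x, w))

def sign_step(x, eps, w=W, b=B):
    """Per-coordinate step of size eps in the sign of the score's gradient,
    pushed away from the current label. For a linear model the gradient is w
    itself, so the score moves by exactly eps * ||w||_1 (see score_shift)."""
    away = -classify(x, w, b)
    return tuple(xi + away * eps * math.copysign(1.0, wi) for xi, wi in zip(x, w))

def score_shift(eps, w):
    """Change in w.x caused by a sign step of size eps: eps * sum(|w_i|).
    With thousands of weights, a tiny eps still moves the score a long way."""
    return eps * sum(abs(wi) for wi in w)

def rank_by_margin(points=POINTS, w=W, b=B):
    """Points ordered from least to most robust (closest to the boundary first)."""
    return sorted(points, key=lambda p: abs(margin(p[0], w, b)))
```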

### Next Time

In my next post, I'll be performing a short empirical study on traffic signs as a potentially viable target for adversarial attack. I'll show the dangers and the shortcomings of autonomous vehicles as well as some positive aspects such as real world viability.
