{"id":193,"date":"2019-02-18T16:18:39","date_gmt":"2019-02-18T16:18:39","guid":{"rendered":"https:\/\/wearable.discovery.wisc.edu\/2019\/?p=193"},"modified":"2019-02-18T16:19:01","modified_gmt":"2019-02-18T16:19:01","slug":"project-pitch-john-compas","status":"publish","type":"post","link":"https:\/\/wearable.discovery.wisc.edu\/2019\/2019\/02\/18\/project-pitch-john-compas\/","title":{"rendered":"Adversarial\u00a0Temporary Tattoo &#8211; John Compas"},"content":{"rendered":"<h1><strong>Adversarial\u00a0Temporary Tattoo<\/strong><\/h1>\n<p><em>Fooling AI for the price of a sticker<\/em><\/p>\n<h3>John Compas<\/h3>\n<h3><em>Abstract<\/em><\/h3>\n<p>Researchers have consistently\u00a0demonstrated over the past three or four years that image and facial recognition techniques are highly susceptible to attack. Many are not designed to be robust in such a manner, making them vulnerable. I aim to create temporary\u00a0tattoos or other articles of clothing that can disguise the wearer from facial or object recognition. Potentially, this tattoo could not only obscure the wearer but force the AI to classify them as a different person or object.<\/p>\n<h3><em>Technical Details<\/em><\/h3>\n<p>Researchers at Carnegie\u00a0Mellon showed two years ago that it was possible to create psychedelic\u00a0looking glasses that could massively impact how that person&#8217;s face was classified by AI [1].\u00a0 Since then a number of different studies have had similar success\u00a0attacking classifiers using a variety of techniques. An open source project dedicated to this idea, <a href=\"https:\/\/cvdazzle.com\/\">CVDazzle<\/a>, has produced many &#8220;anti faces&#8221; to conceal the wearer. However, both Carnegie Mellon and CVDazzle&#8217;s techniques are relatively human obvious. I aim to create a temporary tattoo while looking &#8220;normal&#8221; has slight, human undetectable modifications that obfuscate the user&#8217;s face or body to image detection algorithms. This has been done by [2] although solely on a pixel-by-pixel basis and not in the real world.<\/p>\n<p><img loading=\"lazy\" class=\"alignnone size-full wp-image-199\" src=\"https:\/\/wearable.discovery.wisc.edu\/2019\/wp-content\/uploads\/sites\/3\/2019\/02\/classifier.png\" alt=\"\" width=\"1396\" height=\"788\" srcset=\"https:\/\/wearable.discovery.wisc.edu\/2019\/wp-content\/uploads\/sites\/3\/2019\/02\/classifier.png 1396w, https:\/\/wearable.discovery.wisc.edu\/2019\/wp-content\/uploads\/sites\/3\/2019\/02\/classifier-300x169.png 300w, https:\/\/wearable.discovery.wisc.edu\/2019\/wp-content\/uploads\/sites\/3\/2019\/02\/classifier-768x434.png 768w, https:\/\/wearable.discovery.wisc.edu\/2019\/wp-content\/uploads\/sites\/3\/2019\/02\/classifier-1024x578.png 1024w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/>[3]\u00a0<em>Turning a banana\u00a0into a toaster<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>A team at Google found that a small patch, applied near an object, could disrupt image\u00a0classifiers. Many of these techniques counted on access to the internal workings of the classification algorithm to work, however. In [4] a team from MIT showed that a &#8220;black box&#8221; approach to attack Google&#8217;s Cloud Vision. With an evolutionary\u00a0algorithm, they were able to reduce the time taken to obfuscate an image by multiple orders of magnitude. Using\u00a0a combination of the aforementioned\u00a0techniques, I would aim to create patterns for temporary tattoos. Ultimately, the goal would be a tattoo\u00a0that would be innocuous to humans, yet potent to a classification algorithm.<\/p>\n<p><img loading=\"lazy\" class=\"alignnone size-medium wp-image-198\" src=\"https:\/\/wearable.discovery.wisc.edu\/2019\/wp-content\/uploads\/sites\/3\/2019\/02\/Post-250x300.jpg\" alt=\"\" width=\"250\" height=\"300\" srcset=\"https:\/\/wearable.discovery.wisc.edu\/2019\/wp-content\/uploads\/sites\/3\/2019\/02\/Post-250x300.jpg 250w, https:\/\/wearable.discovery.wisc.edu\/2019\/wp-content\/uploads\/sites\/3\/2019\/02\/Post.jpg 332w\" sizes=\"(max-width: 250px) 100vw, 250px\" \/><img loading=\"lazy\" class=\"alignnone size-medium wp-image-197\" src=\"https:\/\/wearable.discovery.wisc.edu\/2019\/wp-content\/uploads\/sites\/3\/2019\/02\/Cage-300x300.png\" alt=\"\" width=\"300\" height=\"300\" srcset=\"https:\/\/wearable.discovery.wisc.edu\/2019\/wp-content\/uploads\/sites\/3\/2019\/02\/Cage-300x300.png 300w, https:\/\/wearable.discovery.wisc.edu\/2019\/wp-content\/uploads\/sites\/3\/2019\/02\/Cage-150x150.png 150w, https:\/\/wearable.discovery.wisc.edu\/2019\/wp-content\/uploads\/sites\/3\/2019\/02\/Cage-100x100.png 100w, https:\/\/wearable.discovery.wisc.edu\/2019\/wp-content\/uploads\/sites\/3\/2019\/02\/Cage.png 354w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<p><em>An example: what you see, what Google&#8217;s Cloud Vision or FaceID sees<\/em><\/p>\n<p>Actually fabricating the tattoos would be trivial. Tattoo paper is cheap and widely available\u00a0for use with color printers. Likely the most challenging aspect of the project would be to translate simulated pattern success into a real-world<em>\u00a0<\/em>demonstration where the lighting and shadows are inconsistent.<\/p>\n<p>Potentially, other objects and fabrics could be demonstrated, but their fabrication is more challenging.<\/p>\n<h3><em>Goals<\/em><\/h3>\n<p>The purpose of this project is more experimental. Attempts will be made to make these tattoos look normal, but the main purpose will be to successfully attack commercial face recognition technology.<\/p>\n<h3><em>Applications<\/em><\/h3>\n<p>The implications of this technology, if successful, are widespread. By simply concealing a wearer&#8217;s face, security technology at airports and face-ID technology in large cities like London or New York could be massively compromised for little investment.<\/p>\n<p>If fooling a classifier into recognizing you as a different person is also possible, a whole host of new vulnerabilities are exposed. For example, if Apple&#8217;s face ID can be exploited, phones and iPads would instantly be vulnerable.<\/p>\n<p><strong>Confident Skills:<\/strong><\/p>\n<p>Programming (variety of languages)<\/p>\n<p>Hardware Design, PCB Layout<\/p>\n<p>3D Printing<\/p>\n<p>Laser Cutting<\/p>\n<p><strong>Not Confident:<\/strong><\/p>\n<p>Sewing<\/p>\n<p>Clothing Design<\/p>\n<p>AI<\/p>\n<h3><em>References<\/em><\/h3>\n<p>[1]\u00a0https:\/\/www.cs.cmu.edu\/~sbhagava\/papers\/face-rec-ccs16.pdf<\/p>\n<p>[2] https:\/\/arxiv.org\/pdf\/1804.04779.pdf<\/p>\n<p>[3] https:\/\/arxiv.org\/pdf\/1712.09665.pdf<\/p>\n<p>[4]\u00a0https:\/\/arxiv.org\/pdf\/1712.07113.pdf<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Adversarial\u00a0Temporary Tattoo Fooling AI for the price of a sticker John Compas Abstract Researchers have consistently\u00a0demonstrated over the past three or four years that image and facial recognition techniques are highly susceptible to attack. Many are not designed to be robust in such a manner, making them vulnerable. I aim to create temporary\u00a0tattoos or other &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/wearable.discovery.wisc.edu\/2019\/2019\/02\/18\/project-pitch-john-compas\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Adversarial\u00a0Temporary Tattoo &#8211; John Compas&#8221;<\/span><\/a><\/p>\n","protected":false},"author":27,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[11,13,20,24,23],"tags":[],"_links":{"self":[{"href":"https:\/\/wearable.discovery.wisc.edu\/2019\/wp-json\/wp\/v2\/posts\/193"}],"collection":[{"href":"https:\/\/wearable.discovery.wisc.edu\/2019\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wearable.discovery.wisc.edu\/2019\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wearable.discovery.wisc.edu\/2019\/wp-json\/wp\/v2\/users\/27"}],"replies":[{"embeddable":true,"href":"https:\/\/wearable.discovery.wisc.edu\/2019\/wp-json\/wp\/v2\/comments?post=193"}],"version-history":[{"count":3,"href":"https:\/\/wearable.discovery.wisc.edu\/2019\/wp-json\/wp\/v2\/posts\/193\/revisions"}],"predecessor-version":[{"id":277,"href":"https:\/\/wearable.discovery.wisc.edu\/2019\/wp-json\/wp\/v2\/posts\/193\/revisions\/277"}],"wp:attachment":[{"href":"https:\/\/wearable.discovery.wisc.edu\/2019\/wp-json\/wp\/v2\/media?parent=193"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wearable.discovery.wisc.edu\/2019\/wp-json\/wp\/v2\/categories?post=193"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wearable.discovery.wisc.edu\/2019\/wp-json\/wp\/v2\/tags?post=193"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}