With the rise of AI-driven surveillance, anonymity is in fashion. Researchers are working on clothing that evades automated person detection.
What’s new: Kaidi Xu and colleagues at Northeastern, MIT-IBM Watson AI Lab, and MIT designed a t-shirt that tricks a variety of object detection models into failing to spot people.
Key insight: Researchers have created images that, when held in front of a camera, can confuse an object detector. But surveillance cameras view people from a range of distances and angles, and images on clothes warp as the wearer moves. To account for these complications, the authors tracked a shirt’s deformations in motion. Then they mapped the same deformations onto candidate adversarial images until they found one that evaded the detector.
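A minimal sketch of that search, assuming a list of recorded per-frame warps, a compositing routine, and a black-box person detector (all of these names are hypothetical stand-ins, not the authors’ code):

```python
def evades_detector(candidate_patch, frames_and_warps, composite, person_score, threshold=0.5):
    """Return True if the candidate patch hides the wearer in every recorded frame."""
    for frame, warp in frames_and_warps:
        warped = warp(candidate_patch)        # apply the shirt's measured deformation for this frame
        scene = composite(frame, warped)      # paste the warped patch onto the wearer in the frame
        if person_score(scene) > threshold:   # one confident detection is enough to reject the candidate
            return False
    return True

# A candidate that passes this check for every recorded frame is the image printed on the shirt.
```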
How it works: Machine learning typically involves training a model to map an image to a label. Generating adversarial images involves choosing a label, holding model weights constant, and finding an input that causes the network to select that label. The researchers devised a pattern that, printed on a t-shirt, caused a variety of object detectors to register no detection at all.
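As background, here is a minimal sketch of that optimization for an ordinary image classifier rather than a detector (a hedged illustration, not the authors’ pipeline): the weights stay frozen while gradient steps move the input pixels toward a chosen target label.

```python
import torch
import torchvision.models as models

model = models.resnet18(weights=models.ResNet18_Weights.DEFAULT).eval()
for p in model.parameters():
    p.requires_grad_(False)                    # hold the model's weights constant

image = torch.rand(1, 3, 224, 224, requires_grad=True)   # stand-in for a real photo
target = torch.tensor([207])                              # arbitrary chosen target class

optimizer = torch.optim.Adam([image], lr=0.01)
for _ in range(100):
    optimizer.zero_grad()
    loss = torch.nn.functional.cross_entropy(model(image), target)
    loss.backward()                            # gradients flow to the pixels, not the weights
    optimizer.step()
    image.data.clamp_(0, 1)                    # keep the input a valid image
```

The t-shirt setting is the untargeted counterpart: rather than pushing toward a chosen label, the optimization pushes the detectors’ “person” confidence down.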
- The researchers printed a checkerboard pattern onto a t-shirt and recorded videos of people wearing the shirt. The checkerboard enabled them to measure the shirt’s deformation in each video frame as the pattern changed with wrinkles, lighting, scale, and angle (the first sketch after this list shows one way such measurements could be taken).
- Armed with these measurements, they used the interpolation technique known as thin plate spline (TPS) to replace the checkerboard in each frame with another image.
- The TPS distortions are differentiable, so backpropagation can adjust the image to fool the object detector across all frames (the second sketch after this list illustrates this kind of optimization).
- The adversarial image can be optimized to confuse any object detector or multiple detectors simultaneously. The researchers focused on YOLOv2 and Faster R-CNN, which are commonly deployed in surveillance systems.
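One way to take the deformation measurements described in the first bullet, sketched here with OpenCV’s chessboard-corner finder (the video filename and pattern size are assumptions, not details from the paper):

```python
import cv2
import numpy as np

pattern_size = (7, 5)                                # interior corners of the printed checkerboard (assumed)
cap = cv2.VideoCapture("wearer_checkerboard.mp4")    # hypothetical recording of someone wearing the shirt

per_frame_corners = []
while True:
    ok, frame = cap.read()
    if not ok:
        break
    gray = cv2.cvtColor(frame, cv2.COLOR_BGR2GRAY)
    found, corners = cv2.findChessboardCorners(gray, pattern_size)
    if found:
        per_frame_corners.append(corners.reshape(-1, 2))   # corner positions as the shirt wrinkles and tilts
cap.release()

# A flat reference grid; comparing it with each frame's detected corners gives that frame's deformation,
# which can then be fit with an interpolator such as thin plate spline.
reference = np.stack(np.meshgrid(np.arange(pattern_size[0]), np.arange(pattern_size[1])), axis=-1)
reference = reference.reshape(-1, 2).astype(np.float32)
```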
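And a hedged sketch of the optimization itself in PyTorch. Each frame’s deformation is represented here as a sampling grid for `grid_sample` (in the paper, that warp would come from the TPS fit), compositing onto the background frame is omitted for brevity, and two tiny stand-in networks take the place of real detectors such as YOLOv2 and Faster R-CNN. Minimizing their summed “person” scores across frames and detectors is the multi-detector attack described above.

```python
import torch
import torch.nn.functional as F

class StandInDetector(torch.nn.Module):
    """Placeholder for a real detector (YOLOv2, Faster R-CNN): returns a scalar 'person' confidence."""
    def __init__(self):
        super().__init__()
        self.net = torch.nn.Sequential(
            torch.nn.Conv2d(3, 8, 3), torch.nn.ReLU(),
            torch.nn.AdaptiveAvgPool2d(1), torch.nn.Flatten(), torch.nn.Linear(8, 1))
    def forward(self, x):
        return torch.sigmoid(self.net(x)).mean()

detectors = [StandInDetector().eval() for _ in range(2)]
for d in detectors:
    for p in d.parameters():
        p.requires_grad_(False)                    # detector weights stay fixed

patch = torch.rand(1, 3, 128, 128, requires_grad=True)                 # adversarial image being optimized
frame_grids = [torch.rand(1, 128, 128, 2) * 2 - 1 for _ in range(10)]  # one sampling grid per video frame

optimizer = torch.optim.Adam([patch], lr=0.01)
for _ in range(200):
    optimizer.zero_grad()
    loss = 0.0
    for grid in frame_grids:
        warped = F.grid_sample(patch, grid, align_corners=False)   # differentiable per-frame warp
        loss = loss + sum(d(warped) for d in detectors)            # summed 'person' scores to drive down
    loss.backward()                                                # gradients reach the patch through the warps
    optimizer.step()
    patch.data.clamp_(0, 1)
```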
Results: The researchers printed an adversarial image onto a shirt and collected videos of it in action. It fooled YOLOv2 in 57 percent of frames, a big improvement over the previous state of the art’s 18 percent.
Yes, but: A detector that spots the wearer in even a single frame opens the door to defeating this technique. Practical adversarial wear may require a success rate nearer to 100 percent. If this technique takes off, suppliers of detection systems are bound to develop countermeasures.
Why it matters: Adversarial images have been added to training data to strengthen image classifiers against attacks. TPS could play a role in similar methods to prevent object detectors from being tricked.
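For example, a minimal sketch of that kind of adversarial training for a classifier, using the fast gradient sign method as a simple way to generate the extra training images (an illustration of the general idea, not a method from the paper):

```python
import torch
import torch.nn.functional as F

def fgsm_examples(model, images, labels, eps=0.03):
    """Make adversarially perturbed copies of a batch with the fast gradient sign method."""
    images = images.clone().detach().requires_grad_(True)
    F.cross_entropy(model(images), labels).backward()
    return (images + eps * images.grad.sign()).clamp(0, 1).detach()

def training_step(model, optimizer, images, labels):
    """Train on clean and perturbed images together so the model resists the perturbation."""
    adv = fgsm_examples(model, images, labels)
    optimizer.zero_grad()
    loss = F.cross_entropy(model(images), labels) + F.cross_entropy(model(adv), labels)
    loss.backward()
    optimizer.step()
    return loss.item()
```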
We’re thinking: Given that software to counter the authors’ technique can be updated faster than clothes manufacturing and distribution, we’re not convinced this approach can scale.