India's largest platform and marketplace for GCCs & AI

Sign in

India's largest platform and marketplace for GCCs & AI
Become a Thought Leader
Become a 3AI Member

Sign in

3AI Digital Library

< Go Back

Using AI to Outwit Malicious AI

3AI December 13, 2020

Robust Intelligence is among a crop of companies that offer to protect clients from efforts at deception.

IN SEPTEMBER 2019, the National Institute of Standards and Technology issued its first-ever warning for an attack on a commercial artificial intelligence algorithm.

Security researchers had devised a way to attack a Proofpoint product that uses machine learning to identify spam emails. The system produced email headers that included a “score” of how likely a message was to be spam. But analyzing these scores, along with the contents of messages, made it possible to build a clone of the machine-learning model and craft spam messages that evaded detection.

The vulnerability notice may be the first of many. As AI is used more widely, new opportunities for exploiting weak spots in the technology also are emerging. That’s given rise to companies that probe AI systems for vulnerabilities, with the goal of catching malicious input before it can wreak havoc.

Startup Robust Intelligence is one such company. Over Zoom, Yaron Singer, its cofounder and CEO, demonstrates a program that uses AI to outwit the AI that reads checks, an early application for modern machine learning.

Singer’s program automatically tweaks the intensity of a few pixels that make up the numbers and letters written on the check. This alters what a widely used commercial check-scanning algorithm perceives. A scammer equipped with such a tool could empty a target’s bank account by modifying a legitimate check to add several zeros before depositing it.

“In a lot of applications, very, very small changes can lead to dramatically different results,” says Singer, a professor at Harvard who is running his company while on sabbatical in San Francisco. “But the problem runs deeper; it’s just the very nature of how we perform machine learning.”

Robust Intelligence’s tech is being used by companies including PayPal and NTT Data, as well as a large ride-share company; Singer says he can’t describe how exactly it is being used, for fear of tipping off would-be adversaries.

The company sells two tools: one that can be used to probe an AI algorithm for weaknesses and another that automatically intercepts potentially problematic inputs—a kind of AI firewall. The probing tool can run an algorithm many times, examining the inputs and outputs and seeking ways to trick it.

Such threats are not just theoretical. Researchers have shown how adversarial algorithms can trick real-world AI systems, including autonomous driving systems, text-mining programs, and computer vision code. In one oft-mentioned case, a group of MIT students 3D-printed a turtle that Google software recognized as a rifle, thanks to subtle markings on its surface.

“If you’re developing machine-learning models right now, then you really have no way to do some kind of red teaming, or penetration testing, for your machine-learning models,” Singer says.

Singer’s research focuses on perturbing the input of a machine-learning system to make it misbehave and designing systems to be safe in the first place. Tricking AI systems relies on the fact that they learn from examples and pick up subtle changes in ways that humans do not. By trying multiple carefully chosen inputs—for example, showing altered faces to a face-recognition system—and seeing how the system responds, an “adversarial” algorithm can infer what tweaks to make in order to produce an error or a particular result.

Along with the check-fooling system, Singer demonstrates a way of outwitting an online fraud-detection system as part of probing for weaknesses. This fraud system looks for signs that someone making a transaction is actually a bot, based on a wide range of characteristics, including the browser, the operating system, the IP address, and the time.

Singer also shows how his company’s tech can deceive commercial image-recognition and face-recognition systems with subtle tweaks to a photo. The face-recognition system concludes that a subtly doctored photo of Benjamin Netanyahu actually shows basketball player Julius Barnes. Singer gives the same pitch to prospective customers worried about how their newfangled AI systems could be subverted, and what that might do to their reputation.

Some big companies that use AI are starting to develop their own AI defenses. Facebook, for instance, has a “red team” that tries to hack its AI systems to identify weak spots.

Zico Kolter, chief scientist at the Bosch Center for Artificial Intelligence, says research on defending AI systems is still at an early stage. The German company hired Kolter, an associate professor at Carnegie Mellon who works on designing systems so that they are provably robust, to help ensure that the AI systems it is developing, including those used in automotive products, are not vulnerable. Kolter says most efforts to protect commercial systems aim to head off attacks rather than make sure they are not vulnerable.

In October, Bosch and 11 other companies, including Microsoft, Nvidia, IBM, and MITRE, released a software framework for probing AI systems for weak spots. A Gartner report from 2019 predicts that by 2022, 30 percent of all cyberattacks on AI systems will themselves leverage some form of AI.

Aleksander Madry, an associate professor at MIT who works on machine learning, says it still isn’t clear how to guarantee that AI systems are safe. He adds that the vulnerabilities being exploited reflect a more fundamental weakness with modern AI. But making AI systems more robust may also improve their intelligence. In a paper to be presented at a conference later this month, he and colleagues show that image-recognition algorithms that can withstand adversarial attacks also can be applied more effectively to new tasks, making them more useful.

The alien way that AI systems work doesn’t just make them vulnerable to attack, it also means they will fail in surprising ways. This is likely to result in problems in areas like medical imaging and finance, Madry says. “AI models are just very eager students, and they will do everything they can to solve this narrow problem,” he says. “Every company [using AI] needs to think about that.”

    3AI Trending Articles

  • Mental Health Startup Wysa backed by Google In Series A Round

    Wysa is artificial intelligence (AI)-driven virtual coach that combines empathetic listening with evidence-based therapeutic techniques Bengaluru-based mental health startup Wysa is looking to raise funds from Google, the company’s filings with the ministry of corporate affairs (MCA) confirm.  The filings, which contain Wysa parent Touchkin Eservices Private Limited’s articles of association (AOA), read, ‘“Series A1 […]

  • Combining the power of Generative & Predictive AI

    Featured Article: Author: Shuvajit Basu GenAI has taken the world by storm. I certainly don’t have to outline the numerous possibilities it brings to bear. Both GenAI and Predictive AI have their share of strengths andbopportunities. However, if we can combine the power of these Generative models with Predictive AI/ML models, we might be able […]

  • Saudi Arabia to get Google Cloud services: Saudi Aramco

    Saudi Arabia, under its Vision 2030 reform plans, has encouraged foreign investment particularly in the technology sector and courted Silicon Valley players. Saudi Aramco Development Co, a subsidiary of Aramco, has teamed up with Google Cloud to offer cloud services to customers in Saudi Arabia, Aramco said on Monday. Saudi Arabia, under its Vision 2030 […]

  • Cybersecurity Challenges: Fourth Greatest Danger to Global Economy

    The 2021 World Economic Forum (WEF) Global Risk Report, used for over a decade by organizations around the world as a risk assessment tool, has named “cybersecurity challenges” as the fourth most pressing danger to the global economy. The ranking is determined by responses to a survey conducted among various stakeholders and organizations affiliated with […]