There have been multiple accounts created with the sole purpose of posting advertisement posts or replies containing unsolicited advertising.

Accounts which solely post advertisements, or persistently post them may be terminated.

This new data poisoning tool lets artists fight back against generative AI

A new tool lets artists add invisible changes to the pixels in their art before they upload it online so that if it’s scraped into an AI training set, it can cause the resulting model to break in chaotic and unpredictable ways.

The tool, called Nightshade, is intended as a way to fight back against AI companies that use artists’ work to train their models without the creator’s permission.
[…]
Zhao’s team also developed Glaze, a tool that allows artists to “mask” their own personal style to prevent it from being scraped by AI companies. It works in a similar way to Nightshade: by changing the pixels of images in subtle ways that are invisible to the human eye but manipulate machine-learning models to interpret the image as something different from what it actually shows.

zwaetschgeraeuber ,

this is so dumb and clear it wont work at all. thats not the slightest how ai trains on images.

you would be able to get around this tool by just doing the nft thing and screenshot the image and boom code in the picture is erased.

RVMWSN , (edited )

I generally don’t believe in intellectual property, I think it creates artificial scarcity and limits creativity. Of course the real tragedies in this field have to do with medicine and other serious business. But still, artists claiming ownership of their style of painting is fundamentally no different. Why can’t I paint in your style? Do you really own it? Are you suggesting you didn’t base your idea mostly on the work of others, and no one in turn can take your idea, be inspired by it and do with it as they please? Do my means have to be a pencil, why can’t my means be a computer, why not an algorythm? Limitations, limitations, limitations. We need to reform our system and make the public domain the standard for ideas (in all their forms). Society doesn’t treat artists properly, I am well aware of that. Generally creative minds are often troubled because they fall outside norms. There are many tragic examples. Also money-wise many artists don’t get enough credit for their contributions to society, but making every idea a restricted area is not the solution. People should support the artists they like on a voluntary basis. Pirate the album but go to concerts, pirate the artwork but donate to the artist. And if that doesn’t make you enough money, that’s very unfortunate. But make no mistake: that’s how almost all artists live. Only the top 0.something% actually make enough money by selling their work, and that’s is usually the percentile that’s best at marketing their arts, in other words: it’s usually the industry. The others already depend upon donations or other sources of income. We can surely keep art alive, while still removing all these artificial limitations, copying is, was and will never be in any way similar to stealing. Let freedom rule. Join your local pirate party.

ElectroVagrant OP ,

I generally don’t believe in intellectual property, I think it creates artificial scarcity and limits creativity. Of course the real tragedies in this field have to do with medicine and other serious business.

But still, artists claiming ownership of their style of painting is fundamentally no different. Why can’t I paint in your style? Do you really own it? Are you suggesting you didn’t base your idea mostly on the work of others, and no one in turn can take your idea, be inspired by it and do with it as they please? Do my means have to be a pencil, why can’t my means be a computer, why not an algorythm?

Limitations, limitations, limitations. We need to reform our system and make the public domain the standard for ideas (in all their forms). Society doesn’t treat artists properly, I am well aware of that. Generally creative minds are often troubled because they fall outside norms. There are many tragic examples. Also money-wise many artists don’t get enough credit for their contributions to society, but making every idea a restricted area is not the solution.

People should support the artists they like on a voluntary basis. Pirate the album but go to concerts, pirate the artwork but donate to the artist. And if that doesn’t make you enough money, that’s very unfortunate. But make no mistake: that’s how almost all artists live. Only the top 0.something% actually make enough money by selling their work, and that’s is usually the percentile that’s best at marketing their arts, in other words: it’s usually the industry. The others already depend upon donations or other sources of income.

We can surely keep art alive, while still removing all these artificial limitations, copying is, was and will never be in any way similar to stealing. Let freedom rule. Join your local pirate party.

Reformatted for easier readability.

Ataraxia ,

As an artist I agree. People are being so irrational with this.

I_Has_A_Hat ,

Like trying to stop a flood with a roll of paper towels.

Vodik_VDK ,

New CAPCHA just dropped.

afraid_of_zombies ,

I am waiting for the day that some obsessed person starts finding ways to do like code injection in pictures.

Rootiest ,
@Rootiest@lemmy.world avatar

Here ya go

BellaDonna ,

What a dumb solution to a problem that doesn’t need a solution. The problem isn’t AI, it’s the lack of understanding for the tech that has people thinking AI is theft.

the_q ,

Is it not theft? These “AI” are trained on other people’s work, often without their knowledge or permission.

BellaDonna ,

This is why I think people don’t know what they are talking about.

You can look at a picture from an artist without it being considered theft, so are your memories and impressions theft? That’s what training data does, it teaches AI what something looks like, with many samples. It’s literally what your brain does, the way you see multiple dogs and know what a dog looks like is the same way that AI trains pattern recognition.

It’s completely reasonable and desirable to have AI consume all available images, regardless of copyright the way your eyes and brain can do the same. Training data isn’t theft no more than going to a museum and looking at art is theft.

This take that this is bad is completely unhinged and indicates people don’t understand AI.

the_q ,

I’d be careful with claiming who does and does not understand things.

First of all, a person can’t go to a museum, see a piece of art then go home and reproduce that art or style. Given enough time, sure they might be able to learn to replicate the style. Those that are particularly good at reproduction might even become forgers which is a crime.

Second, these llms aren’t AI. They can’t think in terms of how a living being can, only regurgitate information. They’re glorified search engines in a way.

Lastly, I can assume that you aren’t a creative person. You probably type in some prompt to an image generator and think “I made this”. It’s easier for someone like you to overlook issues because they don’t effect you because you lack depth, which I know is hard to accept. Maybe one day you’ll gain some insight into your own lack of understanding… But I doubt it.

BellaDonna ,

I used to be a musician, I also used to paint. I think my thought processes are no more complex than most computers, and I genuinely don’t believe human creativity is special even a little bit, like consciousness, it’s a subjective illusion.

I do not believe in things like copyright, or intellectual property, or even ownership of these things, I think these things should be collectively owned by society.

I don’t disagree with you from lack of experience, I disagree from fundamentally different ideological underpinnings.

I believe there is nothing special about human perception and experience, and I can see the ways that technology maps near perfectly to the way we think. AI shouldn’t be limited, it should replace us.

the_q ,

Okie dokie, doc. If you think the human brain isn’t “special” then I don’t know what to tell you.

Also, you can’t know how we think when we as a species don’t know, but you being the smartest person in the room is clearly very important to you so I’ll leave you to it!

uriel238 ,
@uriel238@lemmy.blahaj.zone avatar

I remember in the early 2010s reading an article like this one on openai.com talking about the dangers of using AI for image search engines to moderate against unwanted content. At the time the concern was CSAM salted to prevent its detection (along with other content salted with CSAM to generate false positives).

My guess is since we’re still training AI with pools of data-entry people who tag pictures with what they appear to be, so that AI reads more into images than their human trainers (the proverbial man inside the Iron Turk).

This is going to be an interesting technology war.

TheWiseAlaundo ,

Lol… I just read the paper, and Dr Zhao actually just wrote a research paper on why it’s actually legally OK to use images to train AI. Hear me out…

He changes the ‘style’ of input images to corrupt the ability of image generators to mimic them, and even shows that the super majority of artists even can’t tell when this happens with his program, Glaze… Style is explicitly not copywriteable in US case law, and so he just provided evidence that the data OpenAI and others use to generate images is transformative which would legally mean that it falls under fair use.

No idea if this would actually get argued in court, but it certainly doesn’t support the idea that these image generators are stealing actual artwork.

Flambo ,

So tl;dr he/his team did two things:

  1. argue the way AI uses content to train is legal
  2. provide artists a tool to prevent their content being used to train AI without their permission

On the surface it sounds all good, but I can’t help but notice a future conflict of interest for Zhao should Glaze ever become monetized. If it were to be ruled illegal to train AI on content without permission, tools like Glaze would be essentially anti-theft devices, but while it remains legal to train AI this way, tools like Glaze stand to perhaps become necessary for artists to maintain the pre-AI status quo w/r/t how their work can be used and monetized.

egeres ,
@egeres@lemmy.world avatar

Here’s the paper: arxiv.org/pdf/2302.04222.pdf

I find it very interesting that someone went in this direction to try to find a way to mitigate plagiarism. This is very akin to adversarial attacks in neural networks (you can read more in this short review arxiv.org/pdf/2303.06032.pdf)

I saw some comments saying that you could just build an AI that detects poisoned images, but that wouldn’t be feasible with a simple NN classifier or feature-based approaches. This technique changes the artist style itself to something the AI would see differently in the latent space, yet, visually perceived as the same image. So if you’re changing to a different style the AI has learned, it’s fair to assume it will be realistic and coherent. Although maaaaaaaybe you could detect poisoned images with some dark magic tho, get the targeted AI then analyze the latent space to see if the image has been tampered with

On the other hand, I think if you build more robust features and just scale the data this problems might go away with more regularization in the network. Plus, it assumes you have the target of one AI generation tool, there are a dozen of these, and if someone trains with a few more images in a cluster, that’s it, you shifted the features and the poisoned images are invalid

vidarh ,
@vidarh@lemmy.stad.social avatar

Trying to detect poisoned images is the wrong approach. Include them in the training set and the training process itself will eventually correct for it.

I think if you build more robust features

Diffusion approaches etc. do not involve any conscious “building” of features in the first place. The features are trained by training the net to match images with text features correctly, and then “just” repeatedly predict how to denoise an image to get closer to a match with the text features. If the input includes poisoned images, so what? It’s no different than e.g. compression artifacts, or noise.

These tools all try to counter models trained without images using them in the training set with at most fine-tuning, but all they show is that models trained without having seen many images using that particular tool will struggle.

But in reality, the massive problem with this is that we’d expect any such tool that becomes widespread to be self-defeating, in that they become a source for images that will work their way into the models at a sufficient volume that the model will learn them. In doing so they will make the models more robust against noise and artifacts, and so make the job harder for the next generation of these tools.

In other words, these tools basically act like a manual adversarial training source, and in the long run the main benefit coming out of them will be that they’ll prod and probe at failure modes of the models and help remove them.

RubberElectrons ,
@RubberElectrons@lemmy.world avatar

Just to start with, not very experienced with neural networks at all beyond messing with openCV for my graduation project.

Anyway, that these countermeasures expose “failure modes” in the training isn’t a great reason to stop doing this, e.g. scammers come up with a new technique, we collectively respond with our own countermeasures.

If the network feedbacks itself, then cool! It has developed its own style, which is fine. The goal is to stop people from outright copying existing artists style.

vidarh ,
@vidarh@lemmy.stad.social avatar

It doesn’t need to “develop its own style”. That’s the point. The more examples of these adversarial images are in the training set, the better it will learn to disregard the adversarial modifications, and still learn the same style. As much as you might want to stop it from learning a given style, as long as the style can be seen, it can be copied - both by humans and AI’s.

RubberElectrons ,
@RubberElectrons@lemmy.world avatar

There’s a lot of interesting detail to your side of the discussion I may not yet have the knowledge of. How does the eye see? We find edges, gradients, repeating patterns which become textures, etc etc… But our systems can be misdirected, see the blue/yellow dress for example. NNsbhave the luxury of being rapidly iterated I guess, compared to our lifespans.

I’m asking questions I don’t know answers to here: if the only source of input data for a network is subtly corrupted, won’t that guarantee corrupted output as well? I don’t see how one can “train out” the corruption which misdirects the network without access to some pristine data.

Don’t get me wrong, I’m not naive enough to believe this is foolproof, but I do want to understand why this technique doesn’t actually work, and by extension better understand how training a nn actually works.

barsoap ,

if the only source of input data for a network is subtly corrupted, won’t that guarantee corrupted output as well?

We have to distinguish between different kinds of “corruption”, here. What you seem to be describing is “if we only feed the model data from rule34, will it ever learn proper human anatomy” and the answer is no, it won’t. You’ll have to add data which narrows the range of body proportions from cartoonish to, well, real. That’s an external source of corruption: Feeding it bad data (for your own definition of “bad”). Garbage in, garbage out.

The corruption that these adversarial models are exploiting though is inherent in the model they’re attacking. Take… ropes and snakes and cats (or, generally, mammals). Good example: It is incredibly easy for a cat to mistake a rope for a snake – it looks exactly the same to the first layers of the visual cortex and evolution would rather have the cat jump away as soon as possible than be bitten, and it doesn’t hurt to jump away from a rope (even though the cat might end up being annoyed or ashamed (yes cats can 110% be self-conscious different story)), so when there’s an unexpected wiggly shape the first layers directly tell the motor cortex to move, short-circuiting any higher processing.

That trait has been written into the network by evolution, very similar to how we train AI models – conceptually, that is: In both cases the network gets trained for fitness for a purpose (the implementation details are indeed rather different but also irrelevant):

What those adversarial models do kinda looks like this: Take a picture of a rope. Now randomly shift pixels to make the rope subtly more snake-like until you get your cat to jump as reliably as possible, in as many different situations as possible, e.g. even if they’re expecting it and staring straight at it. Sell the product for a lot of money. People start posting pictures of ropes, rope manufacturers adjust their weaving patterns. Other cats see those pictures and ropes, some jump, and others only feel a bit, or a lot, uneasy. The ones that jump will not be able to procreate, any more, being busy jumping, while the uneasy ones will continue to evolve. After a couple of generations no cat cares about those ropes with shifted pixels any more.

Whether that trains general immunity against adversarial attacks – I wouldn’t be so sure. It very likely will make the rope/snake distinction more accurate. But even if it doesn’t build general immunity, it’s an eternal cat and mouse game and no artist will be willing to continue paying for that kind of software when it’s going to get defeated within days, anyway, because that’s just how fast we can evolve models.

Oh. Back to the definition of corruption: If all the pictures of rope that our models ever see have shifted pixels then it’s just going to assume that is the norm, and distinguish it from snakes because the tags say “rope” in one case, and “snake” in the other. The original un-shifted pictures probably won’t be an adversarial attack because they’re not a product of trying to get cats to jump.

vidarh ,
@vidarh@lemmy.stad.social avatar

Quick iteration is definitely the big thing. (The eye is fun because it’s so “badly designed” - we’re stuck in a local maxima that just happens to be “good enough” for us to not overcome the big glaring problems)

And yes, if all the inputs are corrupted, the output will likely be too. But 1) they won’t all be, and as long as there’s a good mix that will “teach” the network over time that the difference between a “corrupted cat” and an “uncorrupted cat” are irrelevant, because both will have most of the same labels associated with them. 2) these tools work by introducing corruption that humans aren’t meant to notice, so if the output has the same kind of corruption it doesn’t matter. It only matters to the extent the network “miscorrupts” the output in ways we do notice enough so that it becomes a cost drag on training to train it out.

But you can improve on that pretty much with feedback: Train a small network to recognize corruption, and then feed corrupted images back in as negative examples to teach it that those specific things are particularly bad.

Picking up and labelling small sample sets of types of corruption humans will notice is pretty much the worst case realistic effect these tools will end up having. But each such countermeasure will contribute to training sets that make further corruption progressively harder. Ultimately these tools are strictly limited because they can’t introduce anything that makes the images uglier to humans, and so you “just” need to teach the models more about the limits of human vision, and in the long run that will benefit the models in any case.

nandeEbisu ,

Haven’t read the paper so not sure about the specifics, but if it relies on subtle changes, would rounding color values or down sampling the image blur that noise away?

RubberElectrons , (edited )
@RubberElectrons@lemmy.world avatar

Wondering the same thing. Slight loss of detail but still successfully gets the gist of the original data.

For that matter, how does the poisoning hold up against regular old jpg compression?

Eta: read the paper, they account for this in section 7. It seems pretty robust on paper, by the time you’ve smoothed out the perturbed pixels, youve also smoothed out the image to where the end result is a bit of a murky mess.

lloram239 ,

“New snake oil to give artists a false sense of security” - The last of these tools I tried had absolutely zero effect on the AI, which is not exactly surprising given that there are hundreds of different ways to make use of image data as well as lots of completely different models. You’ll never cover that all with some pixel twisting.

TropicalDingdong ,

The AI can have some NaN, as a treat…

Smoogs ,

As a topping on some Pi

MargotRobbie ,
@MargotRobbie@lemmy.world avatar

It’s made by Ben Zhao? You mean the “anti AI plagerism” UChicago professor who illegally , and when pressed, only released the code for the “front end” while still being in violation of GPL?

The Glaze tool that promised to be invisible to the naked eyes, but contained obvious AI generated artifacts? The same Glaze that reddit defeated in like a day after release?

Don’t take anything this grifter says seriously, I’m surprised he hasn’t been suspended for academic integrity violation yet.

p03locke ,
@p03locke@lemmy.dbzer0.com avatar

who illegally stole GPLv3 code from an open source program called DiffusionBee for his proprietary Glaze software (reddit link), and when pressed, only released the code for the “front end” while still being in violation of GPL?

Oh, how I wish the FSF had more of their act together nowadays and were more like the EFF or ACLU.

MargotRobbie ,
@MargotRobbie@lemmy.world avatar

You should check out the decompilation they did on Glaze too, apparently it’s hard coded to throw out a fake error upon detecting being ran on an A100 as some sort of anti-adversarial training measure.

vidarh ,
@vidarh@lemmy.stad.social avatar

That’s hilarious, given that if these tools become remotely popular the users of the tools will provide enough adversarial data for the training to overcome them all by itself, so there’s little reason to anyone with access to A100’s to bother trying - they’ll either be a minor nuisance used a by a tiny number of people, or be self-defeating.

ElectroVagrant OP ,

Thanks for added background! I haven’t been monitoring this area very closely so wasn’t aware, but I’d have thought a publication that has been would then be more skeptical and at least mention some of this, particularly highlighting disputes over the efficacy of the Glaze software. Not to mention the others they talked to for the article.

Figures that in a space rife with grifters you’d have ones for each side.

Zeth0s ,

Don’t worry, it is normal.

People don’t understand AI. Probably all articles I have read on it by mainstream media were somehow wrong. It often feels like reading a political journalist discussing about quantum mechanics.

My rule of thumb is: always assume that the articles on AI are wrong. I know it isn’t nice, but that’s the sad reality. Society is not ready for AI because too few people understand AI. Even AI creators don’t fully understand AI (this is why you often hear about “emergent abilities” of models, it means “we really didn’t expect it and we don’t understand how this happened”)

ElectroVagrant OP , (edited )

Probably all articles I have read on it by mainstream media were somehow wrong. It often feels like reading a political journalist discussing about quantum mechanics.

Yeah, I view science/tech articles from sources without a tech background this way too. I expected more from this source given that it’s literally MIT Tech Review, much as I’d expect more from other tech/science-focused sources, albeit I’m aware those require scrutiny just as well (e.g. Popular Science, Nature, etc. have spotty records from what I gather).

Also regarding your last point, I’m increasingly convinced AI creators’ (or at least their business execs/spokespeople) are trying to have their cake and eat it too in terms of how much they claim to not know/understand how their creations work while also promoting how effective it is. On one hand, they genuinely don’t understand some of the results, but on the other, they do know enough of how it works to have an idea of how/why those results came about, however it’s to their advantage to pretend they don’t insofar as it may mitigate their liability/responsibility should the results lead to collateral damage/legal issues.

joel_feila ,
@joel_feila@lemmy.world avatar

By that logic humanity isnt ready for personal computers since few understand how they work.

Zeth0s , (edited )

Kind of true. Check the law proposals on encryption around the world…

Technology is difficult, most people don’t understand it, result is awful laws. AI is even more difficult, because even creators don’t fully understand it (see emergent behaviors, i.e. capabilities that no one expected).

Computers luckily are much easier. A random teenager knows how to build one, and what it can do. But you are right, many are not yet ready even for computers

joel_feila ,
@joel_feila@lemmy.world avatar

I read an article the other day about managers complaining about zoomers not even knowing how type on a keyboard.

GenderNeutralBro ,

That was certainly true in the 90s. Mainstream journalism on computers back then was absolutely awful. I’d say that only changed in the mid-2000 or 2010s. Even today, tech literacy in journalism is pretty low outside of specialist outlets like, say, Ars.

Today I see the same thing with new tech like AI.

Dadifer ,

Thank you, Margot Robbie! I’m a big fan!

MargotRobbie ,
@MargotRobbie@lemmy.world avatar

You’re welcome. Bet you didn’t know that I’m pretty good at tech too.

Also, that’s Academy Award nominated character actress Margot Robbie to you!

Blaster_M ,

Oh no, another complicated way to jpeg an image that an ai training program will be able to just detect and discard in a week’s time.

vidarh ,
@vidarh@lemmy.stad.social avatar

They don’t even need to detect them - once they are common enough in training datasets the training process will “just” learn that the noise they introduce are not features relevant to the desired output. If there are enough images like that it might eventually generate images with the same features.

wizardbeard ,

This is already a concept in the AI world and is often used while a model is being trained specifically to make it better. I believe it’s called adversarial training or something like that.

Mango ,

No, that’s something else entirely. Adversarial training is where you put an ai against a detector AI as a kind of competition for results.

driving_crooner ,
@driving_crooner@lemmy.eco.br avatar

Its called adversarial attack, this is an old video (5 years) explaining how it works and how you can potentially do it charging just one pixel on the image.

youtu.be/SA4YEAWVpbk?si=xObPveXTT2ip5ICG

penix ,

There is probably a trivial workaround to this.

FaceDeer ,
@FaceDeer@kbin.social avatar

There's trivial workarounds for Glaze, which this is based off of, so I wouldn't be surprised.

hh93 ,

The problem is identifying it. If it’s necessary to preprocess every image used for training instead of just feeding it is a model that already makes it much more resources costly

vidarh ,
@vidarh@lemmy.stad.social avatar

You wouldn’t want to. If you just feed it to the models, then if there are enough of these images to matter the model will learn to ignore the differences. You very specifically don’t want to prevent the model from learning to overcome these things, exactly because if you do you’re stuck with workarounds like that forever, but if you don’t the model will just become more robust to noisy data like this.

vidarh , (edited )
@vidarh@lemmy.stad.social avatar

Yes: Train on more images processed by this.

In other words: If the tool becomes popular it will be self-defeating by producing a large corpus of images teaching future models to ignore the noise it introduces.

There are likely easier “quick fixes” while waiting for new models, but this is the general fix that will work against almost any adversarial attack like this.

There might be theoretical attacks that’d be somewhat more difficult to overcome to the extent of requiring tweaks to the models, but given that there demonstrably exists a way of translating text to images that overcomes any such adversarial method that isn’t noticeable to humans, given that humans can, there will inherently always be a way to beat them.

Meowoem ,

It doesn’t even need a work around, it’s not going to affect anything when training a model.

It might make style transfer harder using them as reference images on some models but even that’s fairly doubtful, it’s just noise on an image and everything is already full of all sorts of different types of noise.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • [email protected]
  • random
  • lifeLocal
  • goranko
  • All magazines
    •