How real is the threat of data poisoning to generative AI?

2023-11-17 19:25:11
关注

  •  

When industrialisation threatens to marginalise an entire way of life, as in the case of artists confronting the rise of AI, that community tends to react in one of two ways. Most attempt to negotiate, preserving their rights as best they can under the new economic order – witness, for example, the recent deal won by the actor’s union SAG-AFTRA to guarantee compensation whenever its number have their voice or facial features usurped by AI. Others prefer a fighting retreat, ceding ground to the advancing force while scattering traps and snares in its path. 

This, it seems, is the appeal of Nightshade to your average digital artist, who has spent the better part of a year watching their works being used as training data for generative image models like Midjourney and DALL-E 2. Co-developed by Ben Zhao, a professor at the University of Chicago, Nightshade works by imperceptibly changing the pixels of digital artwork in such a way as to “poison” any AI model ingesting it for training purposes. As a result, the model’s perception of the image is irrevocably altered, rendering it functionally useless as a means of informing future outputs: a person climbing a tree, for example, may instead be reproduced as a dormouse in a teapot, or a grinning Cheshire cat. 

Making a model like Midjourney bug out in this way, Zhao wrote in an accompanying research paper, should only be used as a “last defense for content creators against web scrapers” that continue to crawl copyrighted artwork without the artist’s consent. But it’s clear that this so-called “data poisoning” attack could be used for other purposes, says generative AI consultant Henry Ajder. “It’s worth thinking about this in terms of a privacy context, as well,” says Ajder, who sees appeal for data poisoning software among those keen on preventing their features from training facial recognition algorithms or being used to make malign deepfakes.

Text-output models like ChatGPT and Bard could also be vulnerable, explains Florian Tramèr, an assistant professor of Computer Science at ETH Zürich. Researchers at Cornell University showed how this might be achieved with code generation applications like Copilot by training it on Github projects suffused with insecure code. The end goal, explains Tramèr, was to demonstrate how thousands of new vulnerabilities could be created almost without being noticed.

“One of the many examples they had was to poison the model so that whenever it’s being used on a file with a Microsoft header – so, a file that would be developed by someone at Microsoft – it would have a tendency to generate code that’s insecure,” says the researcher. “The hope there would be that if employees started using this model, suddenly the Windows operating system might have more bugs because of it.”

A suspect pill fizzing in a glass beaker, a metaphorical illustration of the concept of data poisoning in generative AI.
Digital artists hope to use data poisoning techniques to protect their copyrighted artwork from being indiscriminately scared by generative AI models like Midjourney. Some fear this attack may also be targeted against text-output models like ChatGPT or Copilot. (Image via Shutterstock)

A data poisoning primer

Recent breakthroughs in demonstrating the viability of data poisoning, explains Tramèr, “build upon a long line of research that has shown that machine learning models are actually surprisingly brittle, even though they perform extremely well.” These include cases where self-driving cars have been tricked into confusing the purpose of red and green lights on traffic signals, chatbots trained to respond to mundane inquiries with racist expletives, and spam filters convinced into allowing advertising flimflam to pollute the internet at large. Tramèr himself was listed as a co-author on one paper in August that demonstrated how web-scale datasets could be poisoned by attackers with pockets deep enough to buy up expired web domains. 

Even so, data poisoning isn’t easy. It takes more than polluting a handful of data points to trip up most models. “It seems like machine learning models – especially modern deep learning models – are, for some reason that we don’t really understand, extremely resilient to this,” says Tramèr. What works best, it seems, is a targeted approach to poisoning the training set. 

“One example of this is what people call a ‘backdoor attack’,” says Tramèr, “where I would take a very small amount of data that I would mislabel, but each of the images that I add into the model’s training set I would tweak by adding a small watermark. This then means the model can learn that this small watermark means I should do something bad without this having to affect how the model behaves on the 99% of the data that’s clean.”

Content from our partners

Inside ransomware's hidden costs

Inside ransomware’s hidden costs

The future of data-driven enterprises is transforming data centre requirements

The future of data-driven enterprises is transforming data centre requirements

Achieving the right balance with hybrid cloud

Achieving the right balance with hybrid cloud

Recent research also shows that similar results can be achieved with text-output models. “With text models, they tend to [exhibit] learned behaviour that’s a lot more general than vision models, [so] the attacks can also be quite a bit more general,” says Tramèr which, he continues, was demonstrated in the Cornell study.

View all newsletters Sign up to our newsletters Data, insights and analysis delivered to you By The Tech Monitor team

In cases like that, explains Tramèr, hackers would probably hope that their data poisoning attack would lead the targeted generative AI model to unwittingly plant new vulnerabilities across thousands of APIs and websites. Another potential application for data poisoning may reside in search engine optimisation. “We already know that… many web developers try to tamper with the data of their own website to trick search engines into giving them a higher rating,” says Tramèr. If it’s known that an LLM is being used to pick and choose search results, he adds, then corporate actors may be tempted to try and include new forms of code to ensure results for certain products or services are artificially boosted in the same way. 

The threat to generative AI

Should CIOs, then, be worried about the resilience of their own generative AI models against data poisoning attacks? Adjer says companies are going to be worried about this “in the context of, ‘well, what liabilities might emerge for us if our models are trained on data which leads to a higher frequency or severity of hallucinations?’”. But, he adds, that’s already a problem they can see being baked into current models, citing numerous cases where companies have sued, or have been sued themselves, after a generative AI model has produced false or misleading outputs. 

Tramèr is also convinced CIOs have a bit of breathing room before data poisoning becomes a real concern. Injecting errant code into digital artworks using tools like Nightshade might trip up AI models now, he says, but future filtering techniques and generative model architectures will probably be able to swallow the poison with no ill effects. The same would presumably apply to facial recognition and deepfake algorithms, necessitating a new subset of arms race between the hacker and the hacked. 

Whether such a contest would persist amid changes in copyright law to cope with AI or the sheer amount of effort it takes to launch a data poisoning attack is another question. For his part, Tramèr is sceptical that hackers would bother with repeated attacks against programs like Copilot for the simple reason that it’s much easier – and less time-intensive – to search and exploit vulnerabilities rather than create them de novo. It’s more likely, he adds, that SEO-based data poisoning attacks could be launched in the near term, simply because there’s so much money involved in maintaining search primacy for a given product or service. 

Data poisoning is also still an academic exercise, says Tramèr. Part of the reason Nightshade is so exciting is that it’s one of the first launch vehicles for data poisoning in the wild. Almost every other application, explains Tramèr, has only been tested on small AI models that researchers can efficiently build and monitor in the lab. It remains unknown how effective any data poisoning attack would be against a much larger model like ChatGPT, Midjourney or Copilot. 

It’s more likely that generative AI models will poison themselves, says Ajder. As the popularity of ChatGPT and DALLE-2 increases, so too will the number of AI-generated outputs published across the internet – outputs that will inevitably be hoovered into the training sets for future platforms and, some fear, corrupt them in a process known as “model collapse.” “In a world where the digital space is fairly saturated with AI-generated content, being able to filter that out when training new models is obviously going to be challenging,” says Ajder. 

Tramèr shares Ajder’s concerns though, again, it’s a hypothesis that has only been tested on small, laboratory-appropriate models. In these, explains the Swiss researcher, “this model collapse effect is very, very severe,” but also to be expected given the relatively unsophisticated nature of these programs. What impact the ingestion of AI-generated content might have on models like GPT-4 is much harder to ascertain. This lack of certainty is partly why Tramèr continues to find the concept of data poisoning so fascinating. 

“We have very, very few answers to relatively fundamental questions,” says the researcher. From a security perspective, that might be very scary indeed. At this moment in time, though, it may not, “ because, for now, no one’s really been able to show that this is something we should be worrying about.”

Read more: Have we reached peak generative AI

  •  

参考译文
生成式人工智能面临的数据中毒威胁有多真实?
当工业化威胁到一种整体生活方式的存续时,就像艺术家们面对人工智能崛起时所经历的那样,这一群体往往会以两种方式之一做出反应。多数人选择协商,尽可能在新的经济秩序下保护自己的权利——比如最近演员工会SAG-AFTRA达成的一项协议,就确保了当其成员的声音或面部特征被人工智能所取代时,他们可以获得相应的补偿。另一些人则倾向于以退为进,一面让出阵地,一面在前进的道路上布下陷阱。这似乎是"Nightshade"(夜光)对普通数字艺术家的吸引力,他们已目睹自己的作品被用作Midjourney和DALL-E 2等生成式图像模型的训练数据,持续时间超过一年。Nightshade是由芝加哥大学教授Ben Zhao共同开发的工具,它通过以难以察觉的方式修改数字艺术品的像素,从而“污染”任何将其用于训练的人工智能模型。结果,模型对图像的感知将被永久改变,使其在生成未来内容时失去功能性:例如,一个人攀爬树木的画面,可能会被错误地生成为茶壶中的睡鼠或咧嘴笑的柴郡猫。在一篇相关的研究论文中,Zhao写道,让Midjourney类的模型以这种方式崩溃,应仅作为创作者对抗继续在未经授权的情况下抓取受版权保护艺术作品的网络爬虫的“最后防线”。但生成式AI顾问Henry Ajder指出,这种所谓的“数据污染”攻击显然还可以用于其他目的。Ajder认为,这种攻击在隐私保护方面也值得关注,“尤其是那些希望防止自己的面部特征被用于训练人脸识别算法,或被用于制作恶意深度伪造视频的人,他们可能会对数据污染工具产生兴趣。”来自苏黎世联邦理工学院(ETH Zürich)的计算机科学助理教授Florian Tramèr也解释道,文本输出类模型,比如ChatGPT和Bard,也可能同样容易受到攻击。康奈尔大学的研究人员展示了如何通过在GitHub项目中使用充斥着不安全代码的项目来训练Copilot类的代码生成应用程序,从而实现这一点。Tramèr解释道,最终目标是展示如何几乎在不被察觉的情况下生成数以千计的新漏洞。“他们举的一个例子是让模型中毒,这样每当它被用于一个带有微软头部信息的文件——即由微软员工开发的文件——时,它倾向于生成不安全的代码。”研究人员如是说。数字艺术家希望使用数据污染技术,保护其版权作品免受像Midjourney这样的生成式AI模型的无差别抓取。有些人则担心,这种攻击也许还会针对像ChatGPT或Copilot这样的文本输出模型。(图片来自Shutterstock)数据污染入门Tramèr解释道,最近在证明数据污染可行性的突破性研究,“建立在一系列长期研究之上,这些研究表明机器学习模型其实非常脆弱,尽管它们的表现非常优异。”这些案例包括无人驾驶汽车将红绿灯信号混淆,聊天机器人被训练成以种族主义辱骂回应普通咨询,以及垃圾邮件过滤器被说服,允许广告内容泛滥。Tramèr本人还是八月份一篇论文的共同作者,该论文展示了攻击者如何通过购买过期的网络域名来污染网络规模的数据集。尽管如此,数据污染并不容易。大多数模型并不会因为污染少量数据点而轻易出错。“看起来机器学习模型——特别是现代深度学习模型——似乎对这种攻击极富韧性,但具体原因我们还不太清楚。”Tramèr说道。看来,最有效的方法是针对训练集进行有针对性的污染。“一个典型的例子是人们所说的‘后门攻击’,”Tramèr说道,“我会只取少量数据并对其进行错误标记,但我在模型训练集中添加的每一张图像,我都会通过添加一个微小的水印进行调整。这样模型可以学习到,这个小水印意味着我应该做某件坏事,而不会影响模型处理其余99%正常数据的方式。”来自合作伙伴的内容勒索软件隐藏成本的内幕数据驱动企业的未来正在重塑数据中心需求在混合云中找到恰当的平衡点最近的研究还表明,文本输出模型也可以实现类似的结果。“文本模型往往表现出比视觉模型更广泛的学习行为,所以攻击也更加广泛,”Tramèr说道,并补充说,康奈尔大学的研究就证明了这一点。查看所有通讯邮件订阅我们的通讯邮件数据、洞察与分析直送您邮箱由《The Tech Monitor》团队提供订阅此处Tramèr解释道,在这种情况下,黑客可能会希望他们的数据污染攻击能够使目标生成式AI模型无意间在数千个API和网站中种植新的漏洞。数据污染的另一种潜在应用可能在于搜索引擎优化(SEO)。“我们已经知道……很多网页开发者试图篡改他们自己网站的数据,以欺骗搜索引擎给予他们更高的排名,”Tramèr说道。他补充说,如果知道一个LLM正在被用来挑选和选择搜索结果,那么企业可能会试图在其中添加新的代码形式,以同样的方式人为地提升特定产品或服务的结果排名。生成式AI的威胁首席信息官们是否应该担心他们自己的生成式AI模型对数据污染攻击的抵抗力?Ajder认为,公司将会担忧这一点,“尤其是在‘如果我们的模型在训练中使用了导致幻觉频率或严重性更高的数据,我们可能会面临什么责任?’这样的背景下。”但他补充说,这其实是他们已经察觉到当前模型中存在的一种问题,并引用了许多案例,其中公司因生成式AI模型产生虚假或误导性输出而起诉或被起诉。Tramèr也相信,首席信息官在数据污染成为一个真正的问题之前还有一定喘息的空间。他说,使用像Nightshade这样的工具将错误代码注入数字艺术品现在可能会让AI模型出错,但未来的过滤技术和生成模型架构可能会吞下这些毒药,不会产生任何不良后果。同样的情况也会适用于人脸识别和深度伪造算法,这将引发黑客与被黑客之间新一轮的军备竞赛。这种竞争是否会持续下去,还要看著作权法的变化,或者发起数据污染攻击所需的大量努力。对此,Tramèr持怀疑态度,他认为黑客不太可能会对Copilot类程序发起重复攻击,因为与其创建漏洞,不如直接搜索和利用已有的漏洞更容易也更省时。他补充说,更有可能在短期内发动基于SEO的数据污染攻击,仅仅因为维护某一特定产品或服务在搜索结果中领先地位所涉及的金钱数额非常巨大。Tramèr指出,数据污染目前仍是一个学术练习。他提到,Nightshade之所以如此令人兴奋,是因为它是在现实世界中实施数据污染攻击的首批“发射器”之一。Tramèr解释说,几乎所有其他应用目前只在实验室中对小型AI模型进行了测试,而研究人员可以高效地构建和监控这些模型。目前还不清楚任何数据污染攻击对像ChatGPT、Midjourney或Copilot这样的大型模型会有多有效。Ajder认为,生成式AI模型更有可能会自我污染。随着ChatGPT和DALL-E 2的普及,互联网上AI生成的输出内容也将越来越多——这些内容不可避免地会被收集用于未来平台的训练集,一些人担心这会导致“模型崩溃”的过程。Ajder说:“在一个数字空间中,如果AI生成的内容泛滥,那么在训练新模型时如何过滤掉这些内容显然将是一项挑战。”Tramèr也认同Ajder的担忧,不过,他指出这只是一个假设,并且仅在小型实验室模型中进行了测试。瑞士研究人员Tramèr解释道,在这些模型中,“这种模型崩溃效应非常、非常严重”,但也是可以预见的,因为这些程序本身的复杂程度较低。至于像GPT-4这样更复杂模型是否会受到AI生成内容的影响,就很难判断了。这种不确定性部分也是为什么Tramèr至今仍然觉得数据污染这个概念如此迷人。“我们对一些最基本的问题几乎没有答案,”这位研究人员说道。从安全角度来看,这可能确实非常可怕。但就目前而言,可能并不会那么严重,“因为目前还没有人能真正证明我们应当为此感到担忧。”阅读更多:我们是否已经到达生成式AI的巅峰
您觉得本篇内容如何
评分

评论

您需要登录才可以回复|注册

提交评论

techmonitor

这家伙很懒,什么描述也没留下

关注

点击进入下一篇

2023年最新《瓦森纳协定》

提取码
复制提取码
点击跳转至百度网盘