November 3, 2016 -
Researchers from Carnegie Mellon University have developed a special pair of eyeglass frames in which it can enable commercial-grade facial recognition software to identify the wrong individual with up to 100% success rate, according to a report by QZ.com.
In a research paper presented at a security conference last week, CMU researchers demonstrated how they could dupe AI facial recognition systems into misidentifying faces.
In other words, the glasses were able to make an individual who is captured on camera to appear as another individual, or seem completely unrecognizable as human.
The researchers saw the same level of success in misleading software used by Chinese e-commerce provider Alibaba for their “smile-to-pay” feature.
Facial recognition software relies on deep neural networks, which is an artificial intelligence technology that learns patterns from thousands and millions of strains of data.
By looking at millions of faces, the software learns the idea and detailed components such as the shape of the nose and eyebrows. Through this analysis, the software eventually learns how to distinguish one from another.
Rather than just blocking facial features, the glasses are printed with a pattern that the computer interprets as the facial details belonging to another individual.
Researchers developed an advanced facial recognition system for testing purposes. A white male test subject with glasses appeared as actress Milla Jovovich, while an Asian woman with glasses appeared as a Middle Eastern man — both with 87.87% accuracy.
In the test, researchers used about 40 images of each individual to develop the glasses used to identify as them.
For the presentation, researchers printed out the glasses on glossy photo paper (which cost $.22 per pair to make) and wore them in front of a camera to depict a situation where a criminal could access a building guarded by facial recognition.
When CMU researchers tested glasses design against a commercial facial recognition system, Face++, they were able to create glasses that tricked the software to appear as another person in 100% of tests.
However, since these tests were conducted digitally where the researchers edited the glasses onto a picture, the success rate in real world practice could be less.
CMU’s research follows previous research done by Google, OpenAI, and Pennsylvania State University that discovered systematic flaws with the way deep neural networks are trained.
By pointing out these vulnerabilities with purposefully malicious data called adversarial examples, researchers have been able to force AI to make decisions it wouldn’t typically make.