Deep Neural Networks are Easily Fooled: High Confidence Predictions for Unrecognizable Images

TL;DR

This paper demonstrates that deep neural networks can be fooled into high-confidence classifications of unrecognizable images, revealing fundamental differences between human and machine vision.

Contribution

It introduces methods to generate unrecognizable images that DNNs classify with near certainty, highlighting vulnerabilities and differences in visual perception.

Findings

DNNs can be confidently fooled by unrecognizable images

Fooling images can be generated using evolutionary algorithms or gradient ascent

Results reveal significant differences between human and machine vision

Abstract

Deep neural networks (DNNs) have recently been achieving state-of-the-art performance on a variety of pattern-recognition tasks, most notably visual classification problems. Given that DNNs are now able to classify objects in images with near-human-level performance, questions naturally arise as to what differences remain between computer and human vision. A recent study revealed that changing an image (e.g. of a lion) in a way imperceptible to humans can cause a DNN to label the image as something else entirely (e.g. mislabeling a lion a library). Here we show a related result: it is easy to produce images that are completely unrecognizable to humans, but that state-of-the-art DNNs believe to be recognizable objects with 99.99% confidence (e.g. labeling with certainty that white noise static is a lion). Specifically, we take convolutional neural networks trained to perform well on either the ImageNet or MNIST datasets and then find images with evolutionary algorithms or gradient ascent that DNNs label with high confidence as belonging to each dataset class. It is possible to produce images totally unrecognizable to human eyes that DNNs believe with near certainty are familiar objects, which we call "fooling images" (more generally, fooling examples). Our results shed light on interesting differences between human vision and current DNNs, and raise questions about the generality of DNN computer vision.