The tool, called Nightshade, messes up training data in ways that could cause serious damage to image-generating AI models.
A new tool lets artists add invisible changes to the pixels in their art before they upload it online so that if it’s scraped into an AI training set, it can cause the resulting model to break in chaotic and unpredictable ways.
The tool, called Nightshade, is intended as a way to fight back against AI companies that use artists’ work to train their models without the creator’s permission.
[...]
Zhao’s team also developed Glaze, a tool that allows artists to “mask” their own personal style to prevent it from being scraped by AI companies. It works in a similar way to Nightshade: by changing the pixels of images in subtle ways that are invisible to the human eye but manipulate machine-learning models to interpret the image as something different from what it actually shows.
Thanks for the added background! I haven't been following this area very closely, so I wasn't aware, but I'd have thought a publication that has been would be more skeptical and at least mention some of this, particularly the disputes over the efficacy of the Glaze software. Not to mention the others they talked to for the article.
Figures that in a space rife with grifters you'd have ones for each side.
People don't understand AI. Probably every article I have read on it in the mainstream media has been wrong somehow. It often feels like reading a political journalist discussing quantum mechanics.
My rule of thumb is: always assume that articles on AI are wrong. I know it isn't nice, but that's the sad reality. Society is not ready for AI because too few people understand it. Even AI creators don't fully understand AI (this is why you often hear about models' "emergent abilities"; it means "we really didn't expect this, and we don't understand how it happened").
who stole GPLv3 code from an open-source program called DiffusionBee for his proprietary Glaze software (reddit link), and when pressed, only released the code for the "front end" while remaining in violation of the GPL?
Oh, how I wish the FSF had more of their act together nowadays and were more like the EFF or ACLU.
They don't even need to detect them: once poisoned images are common enough in training datasets, the training process will "just" learn that the noise they introduce is not a feature relevant to the desired output. If there are enough images like that, the model might eventually generate images with the same features.
I find it very interesting that someone went in this direction to try to find a way to mitigate plagiarism. This is very akin to adversarial attacks in neural networks (you can read more in this short review https://arxiv.org/pdf/2303.06032.pdf)
I saw some comments saying that you could just build an AI that detects poisoned images, but that wouldn't be feasible with a simple NN classifier or feature-based approaches. This technique shifts the artist's style itself to something the AI sees differently in latent space, while the image is visually perceived as the same. So if it's shifting to a different style the AI has learned, it's fair to assume the output will be realistic and coherent. Although maaaaaaaybe you could detect poisoned images with some dark magic: grab the targeted AI and analyze the latent space to see whether the image has been tampered with.
On the other hand, I think if you build more robust features and just scale the data, these problems might go away with more regularization in the network. Plus, it assumes you're targeting one AI generation tool; there are a dozen of these, and if someone trains with a few more images in a cluster, that's it: you've shifted the features and the poisoned images are invalid.
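The latent-space attack described above can be sketched in a few lines. This is a toy, numpy-only illustration: the linear "encoder", the image sizes, and all the numbers here are made up for the example (Nightshade itself optimizes against a real diffusion model's feature extractor), but the shape of the attack is the same: move the image's latent code toward a different concept while keeping every pixel change below a visibility threshold.

```python
import numpy as np

rng = np.random.default_rng(0)

# Toy stand-in for an image encoder: a fixed random linear map from
# 8x8 RGB "images" to a 16-d latent space. (Hypothetical; real encoders
# are deep networks, but the attack works the same way.)
W = rng.normal(size=(16, 8 * 8 * 3)) / np.sqrt(8 * 8 * 3)

def encode(img):
    return W @ img.ravel()

def poison(img, target_latent, eps=0.03, steps=200, lr=0.5):
    """PGD-style perturbation: push the image's latent code toward
    target_latent while keeping every pixel within eps of the original,
    so the result looks near-identical to a human."""
    x0 = img.ravel()
    x = x0.copy()
    for _ in range(steps):
        grad = 2 * W.T @ (W @ x - target_latent)  # d/dx ||Wx - t||^2
        x -= lr * grad
        x = np.clip(x, x0 - eps, x0 + eps)        # L-inf projection
        x = np.clip(x, 0.0, 1.0)                  # stay a valid image
    return x.reshape(img.shape)

img = rng.uniform(size=(8, 8, 3))              # "a photo of a cow"
target = encode(rng.uniform(size=(8, 8, 3)))   # latent of some other concept

adv = poison(img, target)
print(np.abs(adv - img).max())                 # tiny per-pixel change
print(np.linalg.norm(encode(img) - target),
      np.linalg.norm(encode(adv) - target))    # latent moved toward target
```

The same tension the comment raises shows up here: the perturbation is computed against one specific `W`, so a differently trained encoder sees a different latent shift.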
Haven't read the paper, so I'm not sure about the specifics, but if it relies on subtle changes, would rounding color values or downsampling the image blur that noise away?
Wondering the same thing. Slight loss of detail, but it would still get the gist of the original data across.
For that matter, how does the poisoning hold up against regular old jpg compression?
ETA: read the paper; they account for this in section 7. It seems pretty robust on paper: by the time you've smoothed out the perturbed pixels, you've also smoothed the image into a bit of a murky mess.
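The downsampling question is easy to test crudely. The sketch below is not the paper's section-7 methodology; it uses iid uniform noise as a stand-in for the perturbation, which is a loose assumption (real Nightshade perturbations are structured and optimized, which is exactly why the paper finds them harder to wash out than random noise):

```python
import numpy as np

rng = np.random.default_rng(1)

img = rng.uniform(size=(64, 64, 3))
pert = rng.uniform(-0.02, 0.02, size=img.shape)   # stand-in "poison" noise
poisoned = np.clip(img + pert, 0.0, 1.0)

def downsample2x(x):
    """Average each 2x2 pixel block: a crude stand-in for resizing."""
    return x.reshape(32, 2, 32, 2, 3).mean(axis=(1, 3))

# How much of the perturbation survives a 2x downsample?
residual = downsample2x(poisoned) - downsample2x(img)
print(np.abs(pert).mean(), np.abs(residual).mean())
```

For iid noise, block averaging roughly halves the mean perturbation, which matches the intuition in the comment above; structured perturbations concentrated in low frequencies survive such filtering much better.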
Trying to detect poisoned images is the wrong approach. Include them in the training set and the training process itself will eventually correct for it.
I think if you build more robust features
Diffusion approaches etc. do not involve any conscious "building" of features in the first place. The features emerge from training the net to match images with text features correctly, and then "just" repeatedly predicting how to denoise an image to get closer to a match with the text features. If the input includes poisoned images, so what? It's no different from, e.g., compression artifacts or noise.
These tools all try to counter models whose training sets contained no images that use them (or at most a few via fine-tuning), but all they show is that models that haven't seen many images from that particular tool will struggle.
But in reality, the massive problem with this is that we'd expect any such tool that becomes widespread to be self-defeating, in that they become a source for images that will work their way into the models at a sufficient volume that the model will learn them. In doing so they will make the models more robust against noise and artifacts, and so make the job harder for the next generation of these tools.
In other words, these tools basically act like a manual adversarial training source, and in the long run the main benefit coming out of them will be that they'll prod and probe at failure modes of the models and help remove them.
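The noise-prediction objective mentioned a few paragraphs up ("repeatedly predict how to denoise") can be sketched in a few lines. This is a toy numpy illustration of the loss only, not any particular model; the point is that a poisoned image enters this pipeline like any other image:

```python
import numpy as np

rng = np.random.default_rng(3)

x = rng.uniform(size=(8, 8, 3))   # a training image, poisoned or not
sigma = 0.3
noise = rng.normal(size=x.shape)
x_noisy = x + sigma * noise       # forward process: add known noise

# Training objective (sketch): given x_noisy (plus a text embedding,
# omitted here), the network must predict `noise`. Poisoned pixels are
# simply part of x and get treated like any other signal or artifact.
def loss(predicted_noise):
    return float(np.mean((predicted_noise - noise) ** 2))

print(loss(np.zeros_like(noise)))   # a do-nothing predictor scores ~1.0
print(loss(noise))                  # a perfect predictor scores 0.0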
This is cool. I think generative AI is great, but the way it's being trained right now largely without consent from the artists or subjects is unequivocally unethical. Until the law catches up with the technology, people need ways of protecting themselves.
Until the law catches up with the technology, people need ways of protecting themselves.
I agree, and I wonder if the law might be kicked into catching up quicker as more companies try to adopt these tools and inadvertently infringe on other companies' copyrighted material. 😅
I don't see a problem with it training on all materials, fuck copyright. I see the problem in it infringing on everyone's copyright and then being proprietary, monetized bullshit.
If it trains on an open dataset, it must be completely and fully open. Everything else is peak capitalism.
How is training an AI with art from the web different from a person studying art styles? I'd say if the AI is being monetized in some capacity, then sure, maybe there should be laws in place. I'm just hard-pressed to believe that anyone can have sole control of anything once it's on the Internet.
Obviously this is exploiting some bug and/or weakness in the existing training process, so couldn't they just patch the mechanism being exploited?
Or at the very least you could take a bunch of images, purposely poison them, and now you have a set of poisoned images and their non-poisoned counterparts, allowing you to train another model to undo it.
Sure, you've set up a speed bump, but this is hardly a solution.
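The poison-then-keep-pairs idea above can be sketched with a toy example. Everything here is a made-up stand-in: the "poison" is a fixed linear shift plus noise, and the "un-poisoner" is a per-pixel least-squares fit. A real attempt would train a cleanup network on (poisoned, clean) image pairs, but the recipe is the same: poison images yourself, keep the originals, fit the inverse.

```python
import numpy as np

rng = np.random.default_rng(2)

# Hypothetical "poison": a fixed linear shift plus small noise.
def add_poison(x):
    return np.clip(0.9 * x + 0.05 + rng.normal(0, 0.01, x.shape), 0, 1)

clean = rng.uniform(size=(500, 12))   # 500 tiny "images" as pixel vectors
poisoned = add_poison(clean)

# Least-squares fit of clean ~ a * poisoned + b over the paired set.
X = np.stack([poisoned.ravel(), np.ones(poisoned.size)], axis=1)
a, b = np.linalg.lstsq(X, clean.ravel(), rcond=None)[0]

# Evaluate on fresh images the fitter never saw.
test_clean = rng.uniform(size=(100, 12))
test_poisoned = add_poison(test_clean)
before_err = np.abs(test_poisoned - test_clean).mean()
after_err = np.abs(a * test_poisoned + b - test_clean).mean()
print(before_err, after_err)   # the fitted inverse shrinks the error
```

Of course, a real perturbation is not a fixed global transform, which is why the un-poisoner would need to be a learned network rather than two scalars; but the paired-data setup is exactly this.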
An AI doesn't see images the way we do. An AI sees a matrix of RGB values and the relationships they have with each other, and builds a statistical model of the color value of each pixel for a given prompt.
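In concrete terms (a minimal numpy illustration; the shapes and pixel values are arbitrary):

```python
import numpy as np

# A 2x2 "image": each pixel is just three numbers (R, G, B).
img = np.array([
    [[255,   0,   0], [  0, 255,   0]],   # red, green
    [[  0,   0, 255], [255, 255, 255]],   # blue, white
], dtype=np.uint8)

print(img.shape)   # (2, 2, 3): height, width, channels
print(img[0, 0])   # [255 0 0]: the model only ever sees these numbers
```

A human sees "red next to green"; the model sees the array, which is why perturbations that are invisible to us can still be large in the numbers it actually consumes.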