A team of researchers from American and Swiss universities, working with Google and its subsidiary DeepMind, has published a paper explaining how data leaks from image-generation platforms built on generative AI models such as DALL-E, Imagen, and Stable Diffusion.
They all work in the same way: the user types a text prompt, say "a lawyer's chair," and receives a generated image within seconds.
The generative AI models behind these platforms were trained on a huge number of images paired with text descriptions. The idea is that, after processing large amounts of training data, a neural network can generate new, unique images.
However, the new research shows that these images are not always unique. In some cases, the neural network can reproduce an image that exactly matches one previously used in training, which means it can inadvertently reveal private information.
The study challenges the notion that the AI models used to create these images do not memorize their training data, and that training data can remain private as long as it is not published.
A bit of background:
The results of deep-learning systems can seem like magic to the average person, but there is nothing magical about them: all neural networks work on the same principle. Training consumes a large amount of data in which each item is accurately labeled, for example a collection of pictures of cats and dogs.
After training, the neural network is shown a new image and asked to judge whether it is a cat or a dog. From there, the developers of these models moved on to a more complex scenario: they used an algorithm trained on many photos of cats to generate an image of a pet that never actually existed. Such experiments have been carried out not only with images but also with text, video, and even audio.
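As a rough illustration of the supervised training just described, here is a minimal sketch in PyTorch; the dataset path, folder layout, and choice of model are placeholders for illustration, not details from the paper.

```python
# A minimal sketch of the supervised training loop described above.
# The dataset layout ("data/cats_vs_dogs/{cat,dog}/*.jpg") and the choice of
# model are illustrative placeholders.
import torch
import torch.nn as nn
from torch.utils.data import DataLoader
from torchvision import datasets, transforms, models

transform = transforms.Compose([transforms.Resize((224, 224)), transforms.ToTensor()])
train_set = datasets.ImageFolder("data/cats_vs_dogs", transform=transform)
loader = DataLoader(train_set, batch_size=32, shuffle=True)

model = models.resnet18(num_classes=2)                  # two classes: cat, dog
optimizer = torch.optim.Adam(model.parameters(), lr=1e-4)
loss_fn = nn.CrossEntropyLoss()

for epoch in range(5):
    for images, labels in loader:                       # labelled examples drive training
        optimizer.zero_grad()
        loss = loss_fn(model(images), labels)
        loss.backward()
        optimizer.step()

# After training, the network can judge an image it has never seen:
# prediction = model(new_image.unsqueeze(0)).argmax(dim=1)   # 0 = cat, 1 = dog
```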
The starting point for any neural network is the training data set: neural networks cannot create new objects from nothing. To produce a picture of a cat, the algorithm must first study thousands of real photographs or drawings of cats.
Considerable effort goes into keeping training data confidential:
In their work, the researchers focus on diffusion-style machine-learning models, which distort the training data (images of people, cars, houses, and so on) by adding noise; the neural network is then trained to restore these images to their original state.
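In very simplified form, that training objective looks something like the sketch below; the tiny convolutional "denoiser", the single fixed noise level, and the loss are assumptions standing in for what real diffusion models do with many noise steps and much larger networks.

```python
# A highly simplified sketch of the "add noise, then learn to remove it" idea;
# real diffusion models use many noise levels and much larger architectures.
import torch
import torch.nn as nn

denoiser = nn.Sequential(                        # toy stand-in for a U-Net
    nn.Conv2d(3, 64, 3, padding=1), nn.ReLU(),
    nn.Conv2d(64, 3, 3, padding=1),
)
optimizer = torch.optim.Adam(denoiser.parameters(), lr=1e-4)

def training_step(clean_images: torch.Tensor) -> float:
    """clean_images: a batch of training photos, shape (B, 3, H, W)."""
    noise = torch.randn_like(clean_images)
    noisy = clean_images + 0.5 * noise           # distort the training data with noise
    restored = denoiser(noisy)                   # the network tries to restore the original
    loss = nn.functional.mse_loss(restored, clean_images)
    optimizer.zero_grad()
    loss.backward()
    optimizer.step()
    return loss.item()
```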
This approach produces images of acceptable quality, but a potential disadvantage compared with, for example, generative adversarial networks is that it is more prone to data leakage. Raw data can be extracted from it in at least three ways:
- Specific queries can force the neural network to output a particular source image rather than something new synthesized from thousands of training images.
- The original image can be reconstructed even if only part of it is available.
- It is relatively easy to determine whether a particular image was included in the training data (a simple check of this kind is sketched below).
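A hedged sketch of that last idea: generate several images for a prompt associated with the candidate picture and see whether any of them is almost pixel-identical to it. The `generate` callable, the number of samples, and the distance threshold are assumptions for illustration, not the exact procedure from the paper.

```python
# Sketch of a membership check: if the model can regurgitate an image that is
# nearly identical to the candidate, the candidate was very likely in the
# training set. `generate`, n_samples, and threshold are illustrative assumptions.
import numpy as np

def l2_distance(a: np.ndarray, b: np.ndarray) -> float:
    return float(np.sqrt(((a.astype(float) - b.astype(float)) ** 2).mean()))

def looks_memorized(candidate: np.ndarray, prompt: str, generate,
                    n_samples: int = 16, threshold: float = 10.0) -> bool:
    """Generate several samples for the prompt; a very small distance to the
    candidate image suggests the candidate was memorized during training."""
    distances = [l2_distance(candidate, generate(prompt)) for _ in range(n_samples)]
    return min(distances) < threshold
```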
Neural networks are, in a sense, lazy: if the training set contains multiple copies of the same image, they do not create a new image but instead reproduce something from the training set. If an image is repeated more than a hundred times in the training set, there is a good chance it will leak in near-original form.
However, the researchers also demonstrate ways to recover training images that appear only once in the original set, although this is far less effective: of the 500 images they tested, the algorithm recovered only three.
Who stole from whom?
In January 2023, three artists sued an AI-based image-generation platform for using their images, posted online, to train its models without respecting copyright.
A neural network can indeed replicate a particular artist's style and thereby profit from it. The paper notes that in some cases, for various reasons, algorithms can go as far as outright plagiarism, producing drawings, photographs, and other images that are nearly identical to the work of real people.
The researchers therefore make recommendations for improving the privacy of the original training set (a rough sketch of the first and last points follows the list):
- Eliminate duplicates in the training set.
- Reprocess training images, for example by adding noise or changing brightness. This makes data leakage less likely.
- Test the trained algorithm with specially chosen training images and verify that it does not inadvertently reproduce them.
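A rough sketch of how the first and last recommendations might look in practice. The byte-level hash only catches exact duplicates (real pipelines would use perceptual hashes or embedding similarity), and `generate` and `distance` stand in for whatever model interface and similarity measure are actually available.

```python
# Sketch: deduplicate a training folder and check that a planted test image
# is not reproduced after training. All names and thresholds are illustrative.
import hashlib
from pathlib import Path

def deduplicate(image_dir: str) -> list[Path]:
    """Keep one file per unique content hash (exact duplicates only)."""
    seen, unique = set(), []
    for path in sorted(Path(image_dir).glob("*.jpg")):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if digest not in seen:
            seen.add(digest)
            unique.append(path)
    return unique

def canary_reproduced(canary, prompt, generate, distance, threshold: float = 10.0) -> bool:
    """After training, prompt the model for a planted 'canary' training image and
    flag the model if its output is suspiciously close to that image."""
    return distance(canary, generate(prompt)) < threshold
```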
What next?
Generative-art platforms have certainly sparked an interesting debate recently, one in which a balance needs to be struck between artists and technology developers. On the one hand, copyright must be respected; on the other, is art created by artificial intelligence really so different from human art?
But let's talk about security. The paper presents a specific set of facts about only one machine-learning model, yet if we extend the concept to all similar algorithms, an interesting picture emerges. It is not hard to imagine a scenario in which a mobile operator's smart assistant hands over sensitive corporate information in response to a user query, or in which a crafted prompt tricks a public neural network into generating a copy of someone's passport. The researchers stress, however, that such problems remain theoretical for now.
But other practical problems already exist: ChatGPT is now being used to write real malicious code.
GitHub Copilot helps programmers write code and was trained on a vast amount of open-source software, yet the tool does not always respect the copyright or privacy of the authors whose code ended up in that enormous training set.
As neural networks continue to evolve, so will the attacks against them, and the consequences of those attacks are not yet clear.