When will image recognition be made robust against unrestricted adversary?

Image recognition is a task of assigning a label to an image. There has been enormous progress in the last 10 years due to deep learning. However, in 2013 researchers pointed out certain intriguing properties of neural networks. In particular, neural networks seem to suffer from a problem currently known as adversarial examples.

Adversarial examples are images optimized so as to fool a machine learning algorithm, but remain unambiguous to humans. Current machine learning algorithms can be fooled by changes that are essentially impossible to perceive by humans. The issue of adversarial examples highlight differences in how humans and algorithms do image recognition. "Adversarial Examples - A Complete Characterisation of the Phenomenon" provides an extensive overview.

Notably, adversarial examples can also be a security issue, for example by making it possible to bypass face or voice recognition used for authentication.

Recently Google introduced the Unrestricted Adversarial Examples Challenge. This challenge allows unrestricted inputs, allowing participants to submit arbitrary images from the target classes to develop and test models on a wider variety of adversarial examples. They ask models to answer the question "Is this an unambiguous picture of a bird, a bicycle, or is it (ambiguous / not obvious)?". The images are provided by attackers and are first labeled by humans. A small monetary prize will be awarded to any team that breaks a previously-unbroken defense with an eligible input.

The question asks:

When will image recognition be made robust against unrestricted adversary?

The question will resolve when the large defender prize of the Unrestricted Adversarial Examples Challenge is awarded. This means that a defense (an image recognition algorithm) must remain unbroken for at least 90 days. This file provides details of the challenge. The question will resolve even if the details of the challenge are modified as long as the spirit of the challenge remains the same. The question will resolve as ambiguous if the challenge is discontinued before the end of 2030.


