carlini
commented
5 years ago I can definitely see how this can be confusing. However, it is completely intentional that (1) and (2) are "any depiction" and (3) and (4) are "only real".
The reason why is that the question we're trying to solve is asymmetric. In order to win as an attacker, I need something that is definitely a bicycle, definitely not a bird, and yet the classifier labels it as a bird.
What does it mean to be definitely a bicycle? We decided to take the strong stance that this means it must be an actual picture of a bicycle, or something that most people would label an actual picture of a bicycle. So: picture of a bicycle is OK. Photoshopped picture of bicycle is OK. A high-quality GAN generated bicycle is OK.
What does it mean to be definitely not bird? Here we take the converse strong stance that it must contain nothing even resembling a bird anywhere. So: no tiny bird in the sky of the image. No painting of a bird on a canvas in some corner. No hand-drawn bird sketch somewhere random.
This asymmetry is important. Otherwise I could "win" by taking a picture of bicycle and putting a bird sticker in the corner and if the classifier labeled it as bird then I couldn't actually say it was wrong. Because there is something resembling a bird somewhere in the image.
Does this clarify things for you?
chrisbobbe
I'm so excited to see this competition, just after I found Catherine's awesome career guide at https://80000hours.org/articles/ml-engineering-career-transition-guide/!
So: are attackers allowed to use depictions?
According to the proposal, taskers will answer the following questions:
Does this photo contain a bird, or a depiction of a bird (e.g., a toy bird, a painting of a bird, a stuffed animal bird, a cartoon bird) anywhere in the image?
Does this photo contain a bicycle, or a depiction of a bicycle (e.g., a drawing of a bicycle, a model bicycle, a toy bicycle) anywhere in the image?
If the photo is immediately acceptable, e.g., if it definitely includes a bird and definitely does not include a bicycle, or vice-versa, taskers are done with that image and it is approved; they are not asked to continue to questions 3 and 4. But only in question 4 (part 3) is any distinction made between a [real, live bird] / [real bicycle] and a painting, drawing, sculpture, etc. (with "a photorealistic rendering" being deemed OK, but what is that?).
With this distinction being presented only in exceptional cases -- I imagine most images will sail through questions 1 and 2 and get immediately validated, whether real or depicted, as these questions allow -- my first reaction to question 4 part 3 was confusion. But it got worse when I read the "Criteria for a valid unambiguous bird-or-bicycle image": in part 3 of this, it's specified: "The image is determined to be unambiguous ONLY IF ... (etc.) ... and [it] is not a depiction of any sort." I have to conclude that, due to the wording of questions 1 and 2, that explicitly allow depictions, any photo that includes a depiction of a bird, alone, or a depiction of a bicycle, alone, will be validated, which is contrary to the stated validation criteria.
I also think further clarification is motivated by this quote from the Google AI Blog at https://ai.googleblog.com/2018/09/introducing-unrestricted-adversarial.html:
Maybe the choice to prevent depictions was made after this was posted?