
Inverting facial recognition models - whatrocks
https://blog.floydhub.com/inverting-facial-recognition-models/
======
citnaj
Very cool project. And 11th grade!?! Wow....I definitely wasn't doing anything
like this at that age.

Something that came to mind as a potential way to get clearer and more
realistic results is to add GAN loss. You can reference this as an example
(shows pretraining on L2/mse and after with GAN):

[https://github.com/fastai/course-v3/blob/master/nbs/dl1/less...](https://github.com/fastai/course-v3/blob/master/nbs/dl1/lesson7-superres-gan.ipynb)

I'm not 100% sure if it'd work but it seems like a potentially cool followup
project.

~~~
whatrocks
Me either in 11th grade. I was definitely just playing Ocarina of Time for the
millionth time, looking at sketchy forums that claimed you could find the
Triforce somehow.

~~~
citnaj
OMG dude that's such an accurate description of my life at that time.

------
cathalh
Really interesting article. What's fascinating is the way embeddings can be
used for many NLP tasks (translation, word embeddings like word2vec) but can
also be applied to image tasks like this.

For image tasks I read that adding more layers to the model helps find more
complicated features of the images, i.e. the first layer identifies edges, the
next layer finer outlines, and so on. Would adding more layers to this model
mean you need fewer epochs to make it accurate, or is there a trade-off there?

~~~
irhshafkat
If there is more information in the embedding than the baseline Generator is
extracting, then adding convolutions between the transpose convolution blocks
will certainly give the model more parameters it could use to learn that.

Since the question is about training speed, though: in general, larger models
require more data, which in turn takes more time to train, so you'd actually
increase both your data requirements and your training time.

------
robbiemitchell
Great project. It reminds me of a recent interview where someone talked about
the future of anti-virus being about detecting fake images and videos.

1. I'm curious about biometric security systems generally (e.g., fingerprint
scanners). Are there biometric indicators that are actually secure, or can
everything that's scanned be copied and leaked?

2. Is Irhum really a jr. in high school?? Wow.

~~~
irhshafkat
1. While it's certainly hard to describe all security systems in general, a
rule of thumb is that any system performing similarity matching is going to be
considerably more involved than one performing an exact match.

If you want an exact match, as in storing passwords, all you need is to store
a hash and throw the original away (there are certainly more nuances to this,
like salting, but that's the rough idea). When a user enters a password, run
it through a hash function and see if the hashes match.

This isn't the case for similarity matching, which most face recognition
systems use. You need to store the actual embedding, not a hash of it, because
two face embeddings of even the same person are unlikely to ever be exactly
the same, just "close". If you hash two nearby inputs, any standard hash
function will map them to completely unrelated outputs, destroying the notion
of distance you'd need to compute the similarity between the stored embedding
and the query embedding.

This extends to any method whose internal representations are designed to
function based on similarity matches; you need to store the original.
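A toy sketch of the distinction, with made-up embedding values just to
illustrate: cosine similarity on two nearby vectors stays near 1, while
hashing the same two vectors yields completely unrelated digests.

```python
import hashlib
import math

def cosine_similarity(a, b):
    """Similarity in embedding space survives small perturbations."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(x * x for x in b))
    return dot / norm

# Two "face embeddings" of the same person: close, but not identical.
emb_stored = [0.21, 0.80, 0.55]
emb_query = [0.20, 0.81, 0.54]

sim = cosine_similarity(emb_stored, emb_query)
print(sim)  # very close to 1.0: the match can be detected

# Hashing the same two nearby vectors gives unrelated digests,
# so no similarity comparison is possible on the hashes.
h_stored = hashlib.sha256(str(emb_stored).encode()).hexdigest()
h_query = hashlib.sha256(str(emb_query).encode()).hexdigest()
print(h_stored == h_query)  # False
```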

2. Last time I checked, yeah :)

------
nateburke
I wonder if average human artistic ability would be considered on par with the
outputs of this model.

I.e., could an average American adult with reasonable People-magazine-based
knowledge paint these celebrities as well, with nothing but their names as
input? Is it even the same task?

------
ReDeiPirati
Hi Irhum, I really enjoyed this article. I would love to read more about the
security implications and best practices to adopt when deploying an ML/DL
model API.

~~~
irhshafkat
A good practice: unless necessary (or intentional), your API shouldn't send
back raw outputs from your model. I.e., if you're running a classifier, return
only the top-5 predictions; if you're running face recognition, send back
names directly.

All deep learning model outputs are by design differentiable, and anyone with
access to the full output of your model can potentially reverse engineer it
using model distillation.

If you're running a cloud service, it's pretty easy: just make sure your API
sends back processed outputs.

If it's on device, things become a bit more involved, but ideally the
embeddings should be stored as encrypted files (not as directly loadable
matrices), readable only by a small part of your overall program, which
performs the similarity match and sends back just the name of the person to
the rest of the program. Your program as a whole should not have access to the
embeddings.

------
twillmas
How does Apple improve their bionic processor / FaceID if the embeddings never
leave the Secure Enclave? Do they simply have to test this themselves at their
offices?

------
irhshafkat
Author here, would love to answer any questions you might have about the
article/methods used/deep learning in general

~~~
narenst
I really enjoyed the article - great clarity and made a complex topic easy to
understand.

I was pleasantly surprised that you are in 11th grade! What other projects are
you working on?

~~~
irhshafkat
Thanks, glad to hear you enjoyed the article!

I'm currently working on applications in road safety, and have also recently
taken up an interest in learning about interpretability and fairness in
machine learning models (for instance, I really loved this paper:
[https://arxiv.org/abs/1711.11279](https://arxiv.org/abs/1711.11279) and am
working on making an easily accessible implementation of it).

Another thing that caught my attention is how deep learning is being used to
build new developer tools, such as models that read code and automatically
generate comments.

There's just so much ground to cover, simply because deep learning is such a
versatile, universally applicable method.

