Transcript
GMoOCKkcd_w • How to Detect Deepfakes: The Science of Recognizing AI Generated Content
We have systems now to detect AI text,
AI audio, AI images, AI video. What is
the give us the nuts and bolts of how
you detect these fakes?
>> So, what you have to understand about um
generative AI deepfakes is that it is
fundamentally learning how to generate
images, audio, and video by looking at
patterns in billions and billions of
images, audio, and video.
>> Okay?
>> But it doesn't know what a lens is. It
doesn't know what the physics of the
world is. It doesn't know about
geometry. It doesn't know about the
physical world. It's not recreating this
thing that we you and I are in right
now.
>> Right.
>> Um take any image outdoors. Sunny day
here in uh in Virginia, go outdoors and
because the sun is shining, you will see
shadows all over the place.
>> Yeah.
>> And those shadows have to follow a very
specific law of physics which is that
there's a single dominant light source,
the sun
>> and it is giving rise to all those
shadows. So we have geometric techniques
that can say given a point on a shadow
and the part of the object that is
casting it tell me where the light is
consistent with that
>> and we can do that not once not twice
not three times but as many times for
shadows that we find
>> for every shadow in the
>> every shadow. And if we find that they
are not converging on a single light
source the sun then we have a physically
implausible scene.
>> Yeah.
>> It seems like that would be easy for AI
to figure out. You would think, but
here's why I can't. Because what I
described to you is a three-dimensional
process that's happening in the
three-dimensional world, but the AI
lives in 2D.
>> It lives in a two-dimensional world. And
reasoning about the three-dimensional
world is not something it does. Now, it
can sort of fake it pretty well. The way
artists fake it,
>> right? Lots of things in paintings are
not physically plausible, but our visual
system doesn't really care. We're
looking at a pretty picture.
>> So, that's one of my favorite
techniques. Um, here's another one that
I love. Um, go outside and well, you
shouldn't do actually do this, but stand
on the railroad tracks. I don't actually
advise doing that. I did this the other
day with one of my students. I'm like,
what are you doing standing on the
railroad tracks? I wanted to take a
picture of railroad tracks. And the
reason I wanted to take a picture of
railroad tracks is that when you're
standing on the railroad tracks, those
railroad tracks of course are parallel
in the physical world and they are
remain parallel
>> as long as the track continues going.
But if you take a picture of it, those
uh train tracks will converge to what's
called the vanishing point. This is a
notion that Renaissance painters have
understood for hundreds of years. And
why is that? It's because when you
photograph something, um, the size on
the image sensor is inversely
proportional to how far it is from me.
So, as the train tracks recede, it looks
like they're converging. Right? This is
called projective geometry, a vanishing
point. It's a very specific geometry.
And this is true of the parallel lines
on the top and bottom of a window, on
the sides of a building, on a sidewalk,
anything that you have a flat surface
like this table that we're at, right?
>> Take a photo of this of this table and
the all these parallel lines will
converge to a vanishing point,
>> right?
>> So, we can make those measurements in an
image and when we find deviations of
that,
>> something is physically implausible.
Your the image is violating geometry.
>> Okay?
>> All right. Let me move to a sort of
different side of it. This is actually
one of my favorite techniques is when
you go to your favorite AI system and
you ask it to make an image, um it will
create all the pixels, but then it has
to bundle it up into a JPEG image or a
PNG image or some format,
>> right?
>> And it actually does that in a very
specific way. And so here's an analogy.
When I buy something from an online
retailer, there's the product I get, but
that product is also packaged in a box.
Yes.
>> And different retailers have different
ways of doing it. Apple has a very
specific way of doing beautiful
packaging, right? Other retailers, you
know, just shove it in a box and send it
off.
>> So, the packaging when I create an image
on OpenAI or on Anthropic or on
Midjourney, all these different
generators, they package it up
differently.
>> Um, and it's different than the way my
phone packages up the pixels and it's
different than the way Photoshop
packages up the pixels. So when we get
an image or an audio or video for that
matter, we can look at the underlying
package and saying is this a packaging
that is consistent with OpenAI or
Anthropic or a camera or whatever it is.
And so
>> so it doesn't have package emulators.
>> Yeah, it does not. It doesn't know about
because it doesn't care. Why would you
care about it? I'm the only person in
the world who probably cares about this.
You certainly don't care how it's
packaged because what do you do? You
open the package, you throw it away, and
you got your product, the image, right?
So we can look at the packaging. Um,
there's a whole another set of
techniques um that so everything I've
described is sort of after the fact
right you wait for the content to land
on your desk and you start doing these
analyses right there's a whole another
set of techniques that are what are
called active techniques so Google
recently announced that every single
piece of content that comes from their
generators image audio video will have
what's called an imperceptible watermark
>> so think we don't use currency that much
anymore but take your $20 bill out of
your wallet and hold it up to the light
and you'll see all kinds of watermarks
that prevent or make it very difficult
to counterfeit.
>> Yeah.
>> So what Google has done is they have
inserted an invisible watermark into
images, audio and video at the point of
creation that says we made this.
>> Yeah.
>> And then when I get that piece of
content, I have a specialized piece of
software because we over at Get Real
have a relationship with Google that
says
>> is there a watermark in there? It's it's
a signal and you can't see it.
>> Right? And the adversary can't see it,
but I can see it. So that's really cool.
And by the way, if this
decides we're going to watermark every
single piece of content that is natural,
I've got a signal that is built in,
right?
>> So, we've got lots of different
techniques from things that we rely on
third parties like the Googles of the
world to measurements that we can make
in an image, a video, or an audio. I'll
give you one of my favorite audio ones,
by the way.
>> So, if you're listening to this, you
won't be able to see us, but if you're
watching this on YouTube, you will know
we're in a really nice studio. Yeah. And
there are soft walls around us and we
have really nice microphones and so the
amount of reverberation
>> that you hear is quite minimal. We're
this audio is going to sound really good
because you guys are pros here, right?
But the amount of reverberation is
dependent on the physical geometry
around us, how hard those surfaces are
and that should be fairly consistent
over an audio,
>> right? But what you see with AI
generation is you see inconsistencies
in the microphone and the reverberation
because it doesn't it's not physically
recording these things.
>> So even in a single
>> recording you'll see modulations that
are quote unquote unnatural. Yeah. So
what a lot of what we do is look for
patterns you expect to see that mimic
the physical world. Okay. now and then I
talked about the active techniques the
watermarking and then there's a whole
another set of techniques that I'm going
to talk about a little but not a lot and
you'll understand in a minute why not so
the other side of of what we do is we
try to understand the tools that our
adversary uses so if you're using an
OpenAI or Anthropic or some open source
code we actually go into the well we
can't do this for OpenAI but for
anything that's open source
>> um so there's there are so-called um uh
um face swap deepfakes where you can
take somebody's face eyebrow to chin
cheek to cheek and replace it with
another face. And these are all open
source libraries. We can dig into the
code
>> and we can see okay, what are they
doing? All right, the first thing
they're doing is this and then they do
this and then they do this and then they
do this and then we'll say ah that
second step should introduce a very
specific artifact.
>> Um so I'll give you one example but not
more than one. So one of the things that
a lot of these swap faces do is they put
a a a square bounding box around the
face.
>> They pull the face off. They synthesize
a new face and then they put it back.
>> But when they put it back, it's with a
bounding box and they do it very well.
>> Yeah.
>> You can't see it, but we know how to go
into the to the video and discover that
bounding box that was there.
>> Wow.
>> All right. So, that's an example where
we reverse engineering because we
understand how the adversaries made
something. Now, we have lots of other
ones which I don't want to tell you
about.
>> Yes. I understand why. You can see now
cuz it's adversarial.
>> Exactly. Right. Right. Right. Man, it it
sounds very systematic. I I have a a
decent understanding now if I want to
make a lab to do this some techniques to
do it. But you know the average person
out there isn't a scientist. How can
people how can I how can my mother
identify real from the fake in the world
of AI?
>> Yeah. Yeah. They can't. This is the
reality of where we are right now. And
this is important to understand because
I don't want you to walk away from this
podcast thinking, "Okay, I understand a
little bit now. Now, when I'm scrolling
through, you know, X or Bluesky or
Facebook or Instagram, I'm going to be
able to tell." You won't.
>> You won't be able to tell. And even if I
could tell you something today that was
reliable, six weeks from now, it will
not be reliable and you'll have a false
sense of security.
>> Right?
>> So, I get this question a lot. And the
thing you have to understand is this is
a hard job.
>> It is really hard to do this. And it's
constantly changing. And the average
person doom scrolling on social media
cannot do this reliably. You can't do it
reliably. I can barely do it reliably
and this is what I do for a living.