I totally get why the artist chooses to deep-fry their art with the AI-poison-patterns but like, fuck. I wish we lived in a world without AI... her legs look like they're bruised... It's fucked up that this is what an artist has to do to avoid their art being crunched into the machine without their consent.
They don't have to do it because it doesn't work. There are so many ways for trainers to filter out adversarial noise (upscaling then downscaling, blur/deblur, img2img using the noisy image as reference), and that's all assuming they're not training for a model that already knows how to ignore the noise. Adversarial noise is as effective against trainers as a note saying "pretty please no training".
I mean, that's an interesting definition of "doesn't work". It inflicts costs on the adversary; every technique you mentioned, blur, upscale-downscale or img-to-img, adversarial training for the transformer itself to ignore the noise--all of them come with costs. Monetary costs, time costs, costs in terms of lower learning efficiency per parameter because the model has to encode resilience to adversarial noise. That's all costs; disproportionate costs, even, in particular the added cost in training time and parameter size to harden models against adversarial patterns. That's hugely asymmetric, a really incredible amount of effect to inflict for relatively little effort. Of course, now we're in a situation where the old noise isn't good enough, doesn't have any effect, so the noise here is worse, more annoying, larger to resist down-scaling, louder to resist img-to-img... there are diminishing returns. And, yes, it doesn't "work" in the sense of preventing theft altogether. But, it does "work" in the sense of inflicting costs. Shot exchange. If a terrorist throws 100 drones each costing 10k at a US military base, and they shoot down every single one with a Patriot missile costing 5 million bucks a pop, the terrorist still won that engagement despite not scoring a single hit. It's about an exchange of costs. In an adversarial situation like this one, the artists are expending resources, the trainers are also expending resources. Of course there's a huge gulf in available resources between them, and I'm not suggesting that the costs inflicted on trainers by adversarial noise come even close to the kind of ratio I just spit-balled there with the drones and the missiles. Indeed at some point, once they've hardened their models against noise, the ongoing costs to the trainers (which is just the cost of running a slightly larger model that can encode that noise resistance) are maybe marginal. Maybe the shot-exchange problem no longer favours the artists.
Maybe it never did to begin with (although--I do really doubt that. Training a model to resist noise in this way requires either fully re-architecting and re-training it, unless there are some new advancements in the field, since I was last up to date with the research, which, I will admit, it has been several years since I was working with this stuff in the lab. Hell, we used CNNs. Those were the good old days. But, at the time, the state of the art was GANs; so, I feel at least a little confident speaking about them... and they are horrible finicky bastards prone to eating all your work and failing in very particular ways; if they are using adversarial training to harden the transformers against noise, I can only assume the process is similarly painful). But, point is, it's not clear cut like you make it out to be--it all depends on what the artist wants to actually accomplish by deep-frying their shit. Like, yeah, if they want to fully prevent their art from being trained on, it doesn't work. But if they are satisfied with just inflicting some level of cost, any level of cost and annoyance, on the guys training on their art, then it does work, to some extent.
Brother, no one in this chain of events defines success as "someone has to spend a few extra seconds making an image dataset-ready". Tools like Nightshade and Glaze are advertised as preventing models from training on the image. Artists who use these tools do so with the intent of preventing their works from being used as training data. Success here means "the image is never used as training data, period" and under that definition, adversarial noise is proving to be as "successful" as a watermark saying "no training please and thank you".