Lex Fridman Podcast - #19 - Ian Goodfellow: Generative Adversarial Networks (GANs)

The following is a conversation with Ian Goodfellow.

He’s the author of the popular textbook on deep learning

simply titled Deep Learning.

He coined the term of Generative Adversarial Networks,

otherwise known as GANs,

and with his 2014 paper is responsible

for launching the incredible growth

of research and innovation in this subfield

of deep learning.

He got his BS and MS at Stanford,

his PhD at University of Montreal

with Yoshua Bengio and Aaron Kerrville.

He held several research positions

including at OpenAI, Google Brain,

and now at Apple as the Director of Machine Learning.

This recording happened while Ian was still at Google Brain,

but we don’t talk about anything specific to Google

or any other organization.

This conversation is part

of the Artificial Intelligence Podcast.

If you enjoy it, subscribe on YouTube, iTunes,

or simply connect with me on Twitter at Lex Friedman,

spelled F R I D.

And now here’s my conversation with Ian Goodfellow.

You open your popular deep learning book

with a Russian doll type diagram

that shows deep learning is a subset

of representation learning,

which in turn is a subset of machine learning

and finally a subset of AI.

So this kind of implies that there may be limits

to deep learning in the context of AI.

So what do you think is the current limits of deep learning

and are those limits something

that we can overcome with time?

Yeah, I think one of the biggest limitations

of deep learning is that right now it requires

really a lot of data, especially labeled data.

There are some unsupervised

and semi supervised learning algorithms

that can reduce the amount of labeled data you need,

but they still require a lot of unlabeled data,

reinforcement learning algorithms.

They don’t need labels,

but they need really a lot of experiences.

As human beings, we don’t learn to play Pong

by failing at Pong 2 million times.

So just getting the generalization ability better

is one of the most important bottlenecks

in the capability of the technology today.

And then I guess I’d also say deep learning

is like a component of a bigger system.

So far, nobody is really proposing to have

only what you’d call deep learning

as the entire ingredient of intelligence.

You use deep learning as sub modules of other systems,

like AlphaGo has a deep learning model

that estimates the value function.

Most reinforcement learning algorithms

have a deep learning module

that estimates which action to take next,

but you might have other components.

So you’re basically building a function estimator.

Do you think it’s possible,

you said nobody’s kind of been thinking about this so far,

but do you think neural networks could be made to reason

in the way symbolic systems did in the 80s and 90s

to do more, create more like programs

as opposed to functions?

Yeah, I think we already see that a little bit.

I already kind of think of neural nets

as a kind of program.

I think of deep learning as basically learning programs

that have more than one step.

So if you draw a flow chart

or if you draw a TensorFlow graph

describing your machine learning model,

I think of the depth of that graph

as describing the number of steps that run in sequence.

And then the width of that graph

is the number of steps that run in parallel.

Now it’s been long enough

that we’ve had deep learning working

that it’s a little bit silly

to even discuss shallow learning anymore.

But back when I first got involved in AI,

when we used machine learning,

we were usually learning things like support vector machines.

You could have a lot of input features to the model

and you could multiply each feature by a different weight.

All those multiplications were done

in parallel to each other.

There wasn’t a lot done in series.

I think what we got with deep learning

was really the ability to have steps of a program

that run in sequence.

And I think that we’ve actually started to see

that what’s important with deep learning

is more the fact that we have a multi step program

rather than the fact that we’ve learned a representation.

If you look at things like resonance, for example,

they take one particular kind of representation

and they update it several times.

Back when deep learning first really took off

in the academic world in 2006,

when Jeff Hinton showed that you could train

deep belief networks,

everybody who was interested in the idea

thought of it as each layer

learns a different level of abstraction.

That the first layer trained on images

learns something like edges

and the second layer learns corners.

And eventually you get these kind of grandmother cell units

that recognize specific objects.

Today I think most people think of it more

as a computer program where as you add more layers

you can do more updates before you output your final number.

But I don’t think anybody believes that

layer 150 of the ResNet is a grandmother cell

and layer 100 is contours or something like that.

Okay, so you’re not thinking of it

as a singular representation that keeps building.

You think of it as a program,

sort of almost like a state.

Representation is a state of understanding.

Yeah, I think of it as a program

that makes several updates

and arrives at better and better understandings,

but it’s not replacing the representation at each step.

It’s refining it.

And in some sense, that’s a little bit like reasoning.

It’s not reasoning in the form of deduction,

but it’s reasoning in the form of taking a thought

and refining it and refining it carefully

until it’s good enough to use.

So do you think, and I hope you don’t mind,

we’ll jump philosophical every once in a while.

Do you think of cognition, human cognition,

or even consciousness as simply a result

of this kind of sequential representation learning?

Do you think that can emerge?

Cognition, yes, I think so.

Consciousness, it’s really hard to even define

what we mean by that.

I guess there’s, consciousness is often defined

as things like having self awareness,

and that’s relatively easy to turn into something actionable

for a computer scientist to reason about.

People also define consciousness

in terms of having qualitative states of experience,

like qualia, and there’s all these philosophical problems,

like could you imagine a zombie

who does all the same information processing as a human,

but doesn’t really have the qualitative experiences

that we have?

That sort of thing, I have no idea how to formalize

or turn it into a scientific question.

I don’t know how you could run an experiment

to tell whether a person is a zombie or not.

And similarly, I don’t know how you could run

an experiment to tell whether an advanced AI system

had become conscious in the sense of qualia or not.

But in the more practical sense,

like almost like self attention,

you think consciousness and cognition can,

in an impressive way, emerge from current types

of architectures that we think of as learning.

Or if you think of consciousness

in terms of self awareness and just making plans

based on the fact that the agent itself exists in the world,

reinforcement learning algorithms

are already more or less forced

to model the agent’s effect on the environment.

So that more limited version of consciousness

is already something that we get limited versions of

with reinforcement learning algorithms

if they’re trained well.

But you say limited, so the big question really

is how you jump from limited to human level, right?

And whether it’s possible,

even just building common sense reasoning

seems to be exceptionally difficult.

So if we scale things up,

if we get much better on supervised learning,

if we get better at labeling,

if we get bigger data sets, more compute,

do you think we’ll start to see really impressive things

that go from limited to something,

echoes of human level cognition?

I think so, yeah.

I’m optimistic about what can happen

just with more computation and more data.

I do think it’ll be important

to get the right kind of data.

Today, most of the machine learning systems we train

are mostly trained on one type of data for each model.

But the human brain, we get all of our different senses

and we have many different experiences

like riding a bike, driving a car,

talking to people, reading.

I think when we get that kind of integrated data set,

working with a machine learning model

that can actually close the loop and interact,

we may find that algorithms not so different

from what we have today learn really interesting things

when you scale them up a lot

and train them on a large amount of multimodal data.

So multimodal is really interesting,

but within, like you’re working adversarial examples.

So selecting within modal, within one mode of data,

selecting better at what are the difficult cases

from which you’re most useful to learn from.

Oh yeah, like could we get a whole lot of mileage

out of designing a model that’s resistant

to adversarial examples or something like that?

Right, that’s the question.

My thinking on that has evolved a lot

over the last few years.

When I first started to really invest

in studying adversarial examples,

I was thinking of it mostly as adversarial examples

reveal a big problem with machine learning

and we would like to close the gap

between how machine learning models respond

to adversarial examples and how humans respond.

After studying the problem more,

I still think that adversarial examples are important.

I think of them now more of as a security liability

than as an issue that necessarily shows

there’s something uniquely wrong

with machine learning as opposed to humans.

Also, do you see them as a tool

to improve the performance of the system?

Not on the security side, but literally just accuracy.

I do see them as a kind of tool on that side,

but maybe not quite as much as I used to think.

We’ve started to find that there’s a trade off

between accuracy on adversarial examples

and accuracy on clean examples.

Back in 2014, when I did the first

adversarily trained classifier that showed resistance

to some kinds of adversarial examples,

it also got better at the clean data on MNIST.

And that’s something we’ve replicated several times

on MNIST, that when we train

against weak adversarial examples,

MNIST classifiers get more accurate.

So far that hasn’t really held up on other data sets

and hasn’t held up when we train

against stronger adversaries.

It seems like when you confront

a really strong adversary,

you tend to have to give something up.


But it’s such a compelling idea

because it feels like that’s how us humans learn

is through the difficult cases.

We try to think of what would we screw up

and then we make sure we fix that.

It’s also in a lot of branches of engineering,

you do a worst case analysis

and make sure that your system will work in the worst case.

And then that guarantees that it’ll work

in all of the messy average cases that happen

when you go out into a really randomized world.

Yeah, with driving with autonomous vehicles,

there seems to be a desire to just look for,

think adversarially,

try to figure out how to mess up the system.

And if you can be robust to all those difficult cases,

then you can, it’s a hand wavy empirical way

to show your system is safe.

Today, most adversarial example research

isn’t really focused on a particular use case,

but there are a lot of different use cases

where you’d like to make sure that the adversary

can’t interfere with the operation of your system.

Like in finance,

if you have an algorithm making trades for you,

people go to a lot of an effort

to obfuscate their algorithm.

That’s both to protect their IP

because you don’t want to research

and develop a profitable trading algorithm

then have somebody else capture the gains.

But it’s at least partly

because you don’t want people to make adversarial examples

that fool your algorithm into making bad trades.

Or I guess one area that’s been popular

in the academic literature is speech recognition.

If you use speech recognition to hear an audio wave form

and then turn that into a command

that a phone executes for you,

you don’t want a malicious adversary

to be able to produce audio

that gets interpreted as malicious commands,

especially if a human in the room doesn’t realize

that something like that is happening.

And speech recognition,

has there been much success

in being able to create adversarial examples

that fool the system?

Yeah, actually.

I guess the first work that I’m aware of

is a paper called Hidden Voice Commands

that came out in 2016, I believe.

And they were able to show that they could make sounds

that are not understandable by a human

but are recognized as the target phrase

that the attacker wants the phone to recognize it as.

Since then, things have gotten a little bit better

on the attacker’s side

when worse on the defender’s side.

It’s become possible to make sounds

that sound like normal speech

but are actually interpreted as a different sentence

than the human hears.

The level of perceptibility

of the adversarial perturbation is still kind of high.

When you listen to the recording,

it sounds like there’s some noise in the background,

just like rustling sounds.

But those rustling sounds

are actually the adversarial perturbation

that makes the phone hear a completely different sentence.

Yeah, that’s so fascinating.

Peter Norvig mentioned

that you’re writing the deep learning chapter

for the fourth edition

of the Artificial Intelligence, A Modern Approach book.

So how do you even begin summarizing

the field of deep learning in a chapter?

Well, in my case, I waited like a year

before I actually wrote anything.

Even having written a full length textbook before,

it’s still pretty intimidating

to try to start writing just one chapter

that covers everything.

One thing that helped me make that plan

was actually the experience

of having written the full book before

and then watching how the field changed

after the book came out.

I’ve realized there’s a lot of topics

that were maybe extraneous in the first book

and just seeing what stood the test

of a few years of being published

and what seems a little bit less important

to have included now helped me pare down the topics

I wanted to cover for the book.

It’s also really nice now

that the field is kind of stabilized

to the point where some core ideas from the 1980s

are still used today.

When I first started studying machine learning,

almost everything from the 1980s had been rejected

and now some of it has come back.

So that stuff that’s really stood the test of time

is what I focused on putting into the book.

There’s also, I guess, two different philosophies

about how you might write a book.

One philosophy is you try to write a reference

that covers everything.

The other philosophy is you try to provide

a high level summary that gives people the language

to understand a field

and tells them what the most important concepts are.

The first deep learning book that I wrote

with Joshua and Aaron was somewhere

between the two philosophies,

that it’s trying to be both a reference

and an introductory guide.

Writing this chapter for Russell Norvig’s book,

I was able to focus more on just a concise introduction

of the key concepts and the language

you need to read about them more.

In a lot of cases, I actually just wrote paragraphs

that said, here’s a rapidly evolving area

that you should pay attention to.

It’s pointless to try to tell you what the latest

and best version of a learn to learn model is.

I can point you to a paper that’s recent right now,

but there isn’t a whole lot of a reason to delve

into exactly what’s going on

with the latest learning to learn approach

or the latest module produced

by a learning to learn algorithm.

You should know that learning to learn is a thing

and that it may very well be the source of the latest

and greatest convolutional net or recurrent net module

that you would want to use in your latest project.

But there isn’t a lot of point in trying to summarize

exactly which architecture and which learning approach

got to which level of performance.

So you maybe focus more on the basics of the methodology.

So from back propagation to feed forward

to recurrent neural networks, convolutional,

that kind of thing?

Yeah, yeah.

So if I were to ask you, I remember I took algorithms

and data structures algorithms course.

I remember the professor asked, what is an algorithm?

And yelled at everybody in a good way

that nobody was answering it correctly.

Everybody knew what the algorithm, it was graduate course.

Everybody knew what an algorithm was,

but they weren’t able to answer it well.

So let me ask you in that same spirit,

what is deep learning?

I would say deep learning is any kind of machine learning

that involves learning parameters of more than one

consecutive step.

So that, I mean, shallow learning is things

where you learn a lot of operations that happen in parallel.

You might have a system that makes multiple steps.

Like you might have hand designed feature extractors,

but really only one step is learned.

Deep learning is anything where you have multiple operations

in sequence, and that includes the things

that are really popular today,

like convolutional networks and recurrent networks.

But it also includes some of the things that have died out

like Bolton machines,

where we weren’t using back propagation.

Today, I hear a lot of people define deep learning

as gradient descent applied

to these differentiable functions.

And I think that’s a legitimate usage of the term.

It’s just different from the way that I use the term myself.

So what’s an example of deep learning

that is not gradient descent and differentiable functions?

In your, I mean, not specifically perhaps,

but more even looking into the future,

what’s your thought about that space of approaches?

Yeah, so I tend to think of machine learning algorithms

as decomposed into really three different pieces.

There’s the model, which can be something like a neural net

or a Bolton machine or a recurrent model.

And that basically just describes how do you take data

and how do you take parameters?

And what function do you use to make a prediction

given the data and the parameters?

Another piece of the learning algorithm

is the optimization algorithm.

Or not every algorithm can be really described

in terms of optimization,

but what’s the algorithm for updating the parameters

or updating whatever the state of the network is?

And then the last part is the data set,

like how do you actually represent the world

as it comes into your machine learning system?

So I think of deep learning as telling us something about

what does the model look like?

And basically to qualify as deep,

I say that it just has to have multiple layers.

That can be multiple steps

in a feed forward differentiable computation.

That can be multiple layers in a graphical model.

There’s a lot of ways that you could satisfy me

that something has multiple steps

that are each parameterized separately.

I think of gradient descent

as being all about that other piece,

the how do you actually update the parameters piece?

So you could imagine having a deep model

like a convolutional net

and training it with something like evolution

or a genetic algorithm.

And I would say that still qualifies as deep learning.

And then in terms of models

that aren’t necessarily differentiable,

I guess Bolton machines are probably

the main example of something

where you can’t really take a derivative

and use that for the learning process.

But you can still argue that the model

has many steps of processing that it applies

when you run inference in the model.

So it’s the steps of processing that’s key.

So Jeff Hinton suggests that we need to throw away

back propagation and start all over.

What do you think about that?

What could an alternative direction

of training neural networks look like?

I don’t know that back propagation

is gonna go away entirely.

Most of the time when we decide

that a machine learning algorithm

isn’t on the critical path to research for improving AI,

the algorithm doesn’t die.

It just becomes used for some specialized set of things.

A lot of algorithms like logistic regression

don’t seem that exciting to AI researchers

who are working on things like speech recognition

or autonomous cars today.

But there’s still a lot of use for logistic regression

and things like analyzing really noisy data

in medicine and finance

or making really rapid predictions

in really time limited contexts.

So I think back propagation and gradient descent

are around to stay, but they may not end up being

everything that we need to get to real human level

or super human AI.

Are you optimistic about us discovering

back propagation has been around for a few decades?

So are you optimistic about us as a community

being able to discover something better?

Yeah, I am.

I think we likely will find something that works better.

You could imagine things like having stacks of models

where some of the lower level models

predict parameters of the higher level models.

And so at the top level,

you’re not learning in terms of literally

calculating gradients,

but just predicting how different values will perform.

You can kind of see that already in some areas

like Bayesian optimization,

where you have a Gaussian process

that predicts how well different parameter values

will perform.

We already use those kinds of algorithms

for things like hyper parameter optimization.

And in general, we know a lot of things other than back prop

that work really well for specific problems.

The main thing we haven’t found is

a way of taking one of these other

non back prop based algorithms

and having it really advanced the state of the art

on an AI level problem.


But I wouldn’t be surprised if eventually

we find that some of these algorithms

that even the ones that already exist,

not even necessarily new one,

we might find some way of customizing

one of these algorithms to do something really interesting

at the level of cognition or the level of,

I think one system that we really don’t have working

quite right yet is like short term memory.

We have things like LSTMs,

they’re called long short term memory.

They still don’t do quite what a human does

with short term memory.

Like gradient descent to learn a specific fact

has to do multiple steps on that fact.

Like if I tell you the meeting today is at 3 p.m.,

I don’t need to say over and over again,

it’s at 3 p.m., it’s at 3 p.m., it’s at 3 p.m.,

it’s at 3 p.m.

for you to do a gradient step on each one.

You just hear it once and you remember it.

There’s been some work on things like self attention

and attention like mechanisms,

like the neural Turing machine

that can write to memory cells

and update themselves with facts like that right away.

But I don’t think we’ve really nailed it yet.

And that’s one area where I’d imagine

that new optimization algorithms

or different ways of applying

existing optimization algorithms

could give us a way of just lightning fast

updating the state of a machine learning system

to contain a specific fact like that

without needing to have it presented

over and over and over again.

So some of the success of symbolic systems in the 80s

is they were able to assemble these kinds of facts better.

But there’s a lot of expert input required

and it’s very limited in that sense.

Do you ever look back to that

as something that we’ll have to return to eventually?

Sort of dust off the book from the shelf

and think about how we build knowledge,

representation, knowledge base.

Like will we have to use graph searches?

Graph searches, right.

And like first order logic and entailment

and things like that.

That kind of thing, yeah, exactly.

In my particular line of work,

which has mostly been machine learning security

and also generative modeling,

I haven’t usually found myself moving in that direction.

For generative models, I could see a little bit of,

it could be useful if you had something

like a differentiable knowledge base

or some other kind of knowledge base

where it’s possible for some of our

fuzzier machine learning algorithms

to interact with a knowledge base.

I mean, your network is kind of like that.

It’s a differentiable knowledge base of sorts.



If we had a really easy way of giving feedback

to machine learning models,

that would clearly help a lot with generative models.

And so you could imagine one way of getting there

would be get a lot better at natural language processing.

But another way of getting there would be

take some kind of knowledge base

and figure out a way for it to actually

interact with a neural network.

Being able to have a chat with a neural network.


So like one thing in generative models we see a lot today

is you’ll get things like faces that are not symmetrical,

like people that have two eyes that are different colors.

I mean, there are people with eyes

that are different colors in real life,

but not nearly as many of them as you tend to see

in the machine learning generated data.

So if you had either a knowledge base

that could contain the fact,

people’s faces are generally approximately symmetric

and eye color is especially likely

to be the same on both sides.

Being able to just inject that hint

into the machine learning model

without it having to discover that itself

after studying a lot of data

would be a really useful feature.

I could see a lot of ways of getting there

without bringing back some of the 1980s technology,

but I also see some ways that you could imagine

extending the 1980s technology to play nice with neural nets

and have it help get there.


So you talked about the story of you coming up

with the idea of GANs at a bar with some friends.

You were arguing that this, you know, GANs would work,

generative adversarial networks,

and the others didn’t think so.

Then you went home at midnight, coded it up, and it worked.

So if I was a friend of yours at the bar,

I would also have doubts.

It’s a really nice idea,

but I’m very skeptical that it would work.

What was the basis of their skepticism?

What was the basis of your intuition why it should work?

I don’t want to be someone who goes around

promoting alcohol for the purposes of science,

but in this case,

I do actually think that drinking helped a little bit.

When your inhibitions are lowered,

you’re more willing to try out things

that you wouldn’t try out otherwise.

So I have noticed in general

that I’m less prone to shooting down some of my own ideas

when I have had a little bit to drink.

I think if I had had that idea at lunchtime,

I probably would have thought,

it’s hard enough to train one neural net,

you can’t train a second neural net

in the inner loop of the outer neural net.

That was basically my friend’s objection,

was that trying to train two neural nets at the same time

would be too hard.

So it was more about the training process,

unless, so my skepticism would be,

you know, I’m sure you could train it,

but the thing it would converge to

would not be able to generate anything reasonable,

any kind of reasonable realism.

Yeah, so part of what all of us were thinking about

when we had this conversation was deep Bolton machines,

which a lot of us in the lab, including me,

were a big fan of deep Bolton machines at the time.

They involved two separate processes

running at the same time.

One of them is called the positive phase,

where you load data into the model

and tell the model to make the data more likely.

The other one is called the negative phase,

where you draw samples from the model

and tell the model to make those samples less likely.

In a deep Bolton machine,

it’s not trivial to generate a sample.

You have to actually run an iterative process

that gets better and better samples

coming closer and closer to the distribution

the model represents.

So during the training process,

you’re always running these two systems at the same time,

one that’s updating the parameters of the model

and another one that’s trying to generate samples

from the model.

And they worked really well in things like MNIST,

but a lot of us in the lab, including me,

had tried to get deep Bolton machines

to scale past MNIST to things like generating color photos,

and we just couldn’t get the two processes

to stay synchronized.

So when I had the idea for GANs,

a lot of people thought that the discriminator

would have more or less the same problem

as the negative phase in the Bolton machine,

that trying to train the discriminator in the inner loop,

you just couldn’t get it to keep up

with the generator in the outer loop,

and that would prevent it from converging

to anything useful.

Yeah, I share that intuition.


But turns out to not be the case.

A lot of the time with machine learning algorithms,

it’s really hard to predict ahead of time

how well they’ll actually perform.

You have to just run the experiment and see what happens.

And I would say I still today don’t have

like one factor I can put my finger on and say,

this is why GANs worked for photo generation

and deep Bolton machines don’t.

There are a lot of theory papers

showing that under some theoretical settings,

the GAN algorithm does actually converge,

but those settings are restricted enough

that they don’t necessarily explain the whole picture

in terms of all the results that we see in practice.

So taking a step back,

can you, in the same way as we talked about deep learning,

can you tell me what generative adversarial networks are?

Yeah, so generative adversarial networks

are a particular kind of generative model.

A generative model is a machine learning model

that can train on some set of data.

Like, so you have a collection of photos of cats

and you want to generate more photos of cats,

or you want to estimate a probability distribution over cats.

So you can ask how likely it is

that some new image is a photo of a cat.

GANs are one way of doing this.

Some generative models are good at creating new data.

Other generative models are good at estimating

that density function and telling you how likely

particular pieces of data are to come

from the same distribution as the training data.

GANs are more focused on generating samples

rather than estimating the density function.

There are some kinds of GANs like FlowGAN that can do both,

but mostly GANs are about generating samples,

generating new photos of cats that look realistic.

And they do that completely from scratch.

It’s analogous to human imagination.

When a GAN creates a new image of a cat,

it’s using a neural network to produce a cat

that has not existed before.

It isn’t doing something like compositing photos together.

You’re not literally taking the eye off of one cat

and the ear off of another cat.

It’s more of this digestive process

where the neural net trains in a lot of data

and comes up with some representation

of the probability distribution

and generates entirely new cats.

There are a lot of different ways

of building a generative model.

What’s specific to GANs is that we have a two player game

in the game theoretic sense.

And as the players in this game compete,

one of them becomes able to generate realistic data.

The first player is called the generator.

It produces output data such as just images, for example.

And at the start of the learning process,

it’ll just produce completely random images.

The other player is called the discriminator.

The discriminator takes images as input

and guesses whether they’re real or fake.

You train it both on real data,

so photos that come from your training set,

actual photos of cats,

and you train it to say that those are real.

You also train it on images

that come from the generator network

and you train it to say that those are fake.

As the two players compete in this game,

the discriminator tries to become better

at recognizing whether images are real or fake.

And the generator becomes better

at fooling the discriminator into thinking

that its outputs are real.

And you can analyze this through the language of game theory

and find that there’s a Nash equilibrium

where the generator has captured

the correct probability distribution.

So in the cat example,

it makes perfectly realistic cat photos.

And the discriminator is unable to do better

than random guessing

because all the samples coming from both the data

and the generator look equally likely

to have come from either source.

So do you ever sit back

and does it just blow your mind that this thing works?

So from very,

so it’s able to estimate that density function

enough to generate realistic images.

I mean, does it, yeah.

Do you ever sit back and think how does this even,

why, this is quite incredible,

especially where GANs have gone in terms of realism.

Yeah, and not just to flatter my own work,

but generative models,

all of them have this property that

if they really did what we ask them to do,

they would do nothing but memorize the training data.

Right, exactly.

Models that are based on maximizing the likelihood,

the way that you obtain the maximum likelihood

for a specific training set

is you assign all of your probability mass

to the training examples and nowhere else.

For GANs, the game is played using a training set.

So the way that you become unbeatable in the game

is you literally memorize training examples.

One of my former interns wrote a paper,

his name is Vaishnav Nagarajan,

and he showed that it’s actually hard for the generator

to memorize the training data,

hard in a statistical learning theory sense,

that you can actually create reasons

for why it would require quite a lot of learning steps

and a lot of observations of different latent variables

before you could memorize the training data.

That still doesn’t really explain why

when you produce samples that are new,

why do you get compelling images

rather than just garbage

that’s different from the training set.

And I don’t think we really have a good answer for that,

especially if you think about

how many possible images are out there

and how few images the generative model sees

during training.

It seems just unreasonable

that generative models create new images as well as they do,

especially considering that we’re basically

training them to memorize rather than generalize.

I think part of the answer is

there’s a paper called Deep Image Prior

where they show that you can take a convolutional net

and you don’t even need to learn

the parameters of it at all,

you just use the model architecture.

And it’s already useful for things like inpainting images.

I think that shows us

that the convolutional network architecture

captures something really important

about the structure of images.

And we don’t need to actually use the learning

to capture all the information

coming out of the convolutional net.

That would imply that it would be much harder

to make generative models in other domains.

So far, we’re able to make reasonable speech models

and things like that.

But to be honest, we haven’t actually explored

a whole lot of different data sets all that much.

We don’t, for example, see a lot of deep learning models

of like biology data sets

where you have lots of microarrays measuring

the amount of different enzymes and things like that.

So we may find that some of the progress

that we’ve seen for images and speech

turns out to really rely heavily on the model architecture.

And we were able to do what we did for vision

by trying to reverse engineer the human visual system.

And maybe it’ll turn out that we can’t just use

that same trick for arbitrary kinds of data.

Right, so there’s aspect to the human vision system,

the hardware of it, that makes it without learning,

without cognition, just makes it really effective

at detecting the patterns we see in the visual world.


Yeah, that’s really interesting.

What, in a big, quick overview,

in your view, what types of GANs are there

and what other generative models besides GANs are there?

Yeah, so it’s maybe a little bit easier to start

with what kinds of generative models are there

other than GANs.

So most generative models are likelihood based

where to train them, you have a model that tells you

how much probability it assigns to a particular example

and you just maximize the probability assigned

to all the training examples.

It turns out that it’s hard to design a model

that can create really complicated images

or really complicated audio waveforms

and still have it be possible to estimate

the likelihood function from a computational point of view.

Most interesting models that you would just write down

intuitively, it turns out that it’s almost impossible

to calculate the amount of probability they assign

to a particular point.

So there’s a few different schools of generative models

in the likelihood family.

One approach is to very carefully design the model

so that it is computationally tractable

to measure the density it assigns to a particular point.

So there are things like autoregressive models,

like PixelCNN, those basically break down

the probability distribution into a product

over every single feature.

So for an image, you estimate the probability

of each pixel given all of the pixels that came before it.

There’s tricks where if you want to measure

the density function, you can actually calculate

the density for all these pixels more or less in parallel.

Generating the image still tends to require you

to go one pixel at a time, and that can be very slow.

But there are, again, tricks for doing this

in a hierarchical pattern where you can keep

the runtime under control.

Are the quality of the images it generates,

putting runtime aside, pretty good?

They’re reasonable, yeah.

I would say a lot of the best results

are from GANs these days, but it can be hard to tell

how much of that is based on who’s studying

which type of algorithm, if that makes sense.

The amount of effort invested in a particular.

Yeah, or like the kind of expertise.

So a lot of people who’ve traditionally been excited

about graphics or art and things like that

have gotten interested in GANs.

And to some extent, it’s hard to tell

are GANs doing better because they have a lot

of graphics and art experts behind them,

or are GANs doing better because they’re more

computationally efficient, or are GANs doing better

because they prioritize the realism of samples

over the accuracy of the density function.

I think all of those are potentially valid explanations,

and it’s hard to tell.

So can you give a brief history of GANs from 2014?

Were you paper 13?

Yeah, so a few highlights.

In the first paper, we just showed

that GANs basically work.

If you look back at the samples we had now,

they look terrible.

On the CIFAR 10 data set,

you can’t even recognize objects in them.

Your paper, sorry, you used CIFAR 10?

We used MNIST, which is little handwritten digits.

We used the Toronto Face database,

which is small grayscale photos of faces.

We did have recognizable faces.

My colleague Bing Xu put together

the first GAN face model for that paper.

We also had the CIFAR 10 data set,

which is things like very small 32 by 32 pixels

of cars and cats and dogs.

For that, we didn’t get recognizable objects,

but all the deep learning people back then

were really used to looking at these failed samples

and kind of reading them like tea leaves.

And people who are used to reading the tea leaves

recognize that our tea leaves at least look different.

Maybe not necessarily better,

but there was something unusual about them.

And that got a lot of us excited.

One of the next really big steps was LAPGAN

by Emily Denton and Sumit Chintala at Facebook AI Research,

where they actually got really good high resolution photos

working with GANs for the first time.

They had a complicated system

where they generated the image starting at low res

and then scaling up to high res,

but they were able to get it to work.

And then in 2015, I believe later that same year,

Alec Radford and Sumit Chintala and Luke Metz

published the DCGAN paper,

which it stands for deep convolutional GAN.

It’s kind of a non unique name

because these days basically all GANs

and even some before that were deep and convolutional,

but they just kind of picked a name

for a really great recipe

where they were able to actually using only one model

instead of a multi step process,

actually generate realistic images of faces

and things like that.

That was sort of like the beginning

of the Cambrian explosion of GANs.

Like once you had animals that had a backbone,

you suddenly got lots of different versions of fish

and four legged animals and things like that.

So DCGAN became kind of the backbone

for many different models that came out.

It’s used as a baseline even still.

Yeah, yeah.

And so from there,

I would say some interesting things we’ve seen

are there’s a lot you can say

about how just the quality

of standard image generation GANs has increased,

but what’s also maybe more interesting

on an intellectual level

is how the things you can use GANs for has also changed.

One thing is that you can use them to learn classifiers

without having to have class labels

for every example in your training set.

So that’s called semi supervised learning.

My colleague at OpenAI, Tim Solomons,

who’s at Brain now,

wrote a paper called Improve Techniques for Training GANs.

I’m a coauthor on this paper,

but I can’t claim any credit for this particular part.

One thing he showed in the paper

is that you can take the GAN discriminator

and use it as a classifier that actually tells you,

this image is a cat, this image is a dog,

this image is a car, this image is a truck, and so on.

Not just to say whether the image is real or fake,

but if it is real to say specifically

what kind of object it is.

And he found that you can train these classifiers

with far fewer labeled examples

than traditional classifiers.

So if you supervise based on also

not just your discrimination ability,

but your ability to classify,

you’re going to do much,

you’re going to converge much faster

to being effective at being a discriminator.


So for example, for the MNIST dataset,

you want to look at an image of a handwritten digit

and say whether it’s a zero, a one, or a two, and so on.

To get down to less than 1% accuracy

required around 60,000 examples

until maybe about 2014 or so.

In 2016 with this semi supervised GAN project,

Tim was able to get below 1% error

using only 100 labeled examples.

So that was about a 600X decrease

in the amount of labels that he needed.

He’s still using more images than that,

but he doesn’t need to have each of them labeled

as this one’s a one, this one’s a two,

this one’s a zero, and so on.

Then to be able to,

for GANs to be able to generate recognizable objects,

so objects from a particular class,

you still need labeled data

because you need to know what it means

to be a particular class cat, dog.

How do you think we can move away from that?

Yeah, some researchers at Brain Zurich

actually just released a really great paper

on semi supervised GANs

where their goal isn’t to classify,

it’s to make recognizable objects

despite not having a lot of labeled data.

They were working off of DeepMind’s BigGAN project

and they showed that they can match the performance

of BigGAN using only 10%, I believe,

of the labels.

BigGAN was trained on the ImageNet data set,

which is about 1.2 million images

and had all of them labeled.

This latest project from Brain Zurich

shows that they’re able to get away

with only having about 10% of the images labeled.

And they do that essentially using a clustering algorithm

where the discriminator learns

to assign the objects to groups

and then this understanding that objects can be grouped

into similar types helps it to form more realistic ideas

of what should be appearing in the image

because it knows that every image it creates

has to come from one of these archetypal groups

rather than just being some arbitrary image.

If you train a GAN with no class labels,

you tend to get things that look sort of like grass

or water or brick or dirt,

but without necessarily a lot going on in them.

And I think that’s partly because

if you look at a large ImageNet image,

the object doesn’t necessarily occupy the whole image.

And so you learn to create realistic sets of pixels,

but you don’t necessarily learn

that the object is the star of the show

and you want it to be in every image you make.

Yeah, I’ve heard you talk about the horse,

the zebra cycle GAN mapping

and how it turns out, again, thought provoking

that horses are usually on grass

and zebras are usually on drier terrain.

So when you’re doing that kind of generation,

you’re going to end up generating greener horses

or whatever, so those are connected together.

It’s not just, you’re not able to segment,

be able to generate in a segment away.

So are there other types of games you come across

in your mind that neural networks can play

with each other to be able to solve problems?

Yeah, the one that I spend most of my time on

is in security.

You can model most interactions as a game

where there’s attackers trying to break your system

and you’re the defender trying to build a resilient system.

There’s also domain adversarial learning,

which is an approach to domain adaptation

that looks really a lot like GANs.

The authors had the idea before the GAN paper came out,

their paper came out a little bit later

and they’re very nice and cited the GAN paper,

but I know that they actually had the idea

before it came out.

Domain adaptation is when you want to train

a machine learning model in one setting called a domain

and then deploy it in another domain later.

And you would like it to perform well in the new domain,

even though the new domain is different

from how it was trained.

So for example, you might want to train

on a really clean image data set like ImageNet,

but then deploy on users phones

where the user is taking pictures in the dark

and pictures while moving quickly

and just pictures that aren’t really centered

or composed all that well.

When you take a normal machine learning model,

it often degrades really badly

when you move to the new domain

because it looks so different

from what the model was trained on.

Domain adaptation algorithms try to smooth out that gap

and the domain adversarial approach

is based on training a feature extractor

where the features have the same statistics

regardless of which domain you extracted them on.

So in the domain adversarial game,

you have one player that’s a feature extractor

and another player that’s a domain recognizer.

The domain recognizer wants to look at the output

of the feature extractor

and guess which of the two domains the features came from.

So it’s a lot like the real versus fake discriminator

in GANs and then the feature extractor,

you can think of as loosely analogous

to the generator in GANs,

except what it’s trying to do here

is both fool the domain recognizer

into not knowing which domain the data came from

and also extract features that are good for classification.

So at the end of the day,

in the cases where it works out,

you can actually get features

that work about the same in both domains.

Sometimes this has a drawback

where in order to make things work the same in both domains,

it just gets worse at the first one.

But there are a lot of cases

where it actually works out well on both.

So do you think of GANs being useful

in the context of data augmentation?

Yeah, one thing you could hope for with GANs

is you could imagine I’ve got a limited training set

and I’d like to make more training data

to train something else like a classifier.

You could train the GAN on the training set

and then create more data

and then maybe the classifier

would perform better on the test set

after training on this bigger GAN generated data set.

So that’s the simplest version

of something you might hope would work.

I’ve never heard of that particular approach working,

but I think there’s some closely related things

that I think could work in the future

and some that actually already have worked.

So if we think a little bit about what we’d be hoping for

if we use the GAN to make more training data,

we’re hoping that the GAN will generalize to new examples

better than the classifier would have generalized

if it was trained on the same data.

And I don’t know of any reason to believe

that the GAN would generalize better

than the classifier would,

but what we might hope for

is that the GAN could generalize differently

from a specific classifier.

So one thing I think is worth trying

that I haven’t personally tried but someone could try is

what if you trained a whole lot of different

generative models on the same training set,

create samples from all of them

and then train a classifier on that?

Because each of the generative models

might generalize in a slightly different way.

They might capture many different axes of variation

that one individual model wouldn’t

and then the classifier can capture all of those ideas

by training in all of their data.

So it’d be a little bit like making

an ensemble of classifiers.

And I think that…

Ensemble of GANs in a way.

I think that could generalize better.

The other thing that GANs are really good for

is not necessarily generating new data

that’s exactly like what you already have,

but by generating new data that has different properties

from the data you already had.

One thing that you can do is you can create

differentially private data.

So suppose that you have something like medical records

and you don’t want to train a classifier

on the medical records and then publish the classifier

because someone might be able to reverse engineer

some of the medical records you trained on.

There’s a paper from Casey Green’s lab

that shows how you can train a GAN

using differential privacy.

And then the samples from the GAN

still have the same differential privacy guarantees

as the parameters of the GAN.

So you can make fake patient data

for other researchers to use.

And they can do almost anything they want with that data

because it doesn’t come from real people.

And the differential privacy mechanism

gives you clear guarantees

on how much the original people’s data has been protected.

That’s really interesting, actually.

I haven’t heard you talk about that before.

In terms of fairness, I’ve seen from AAAI,

your talk, how can adversarial machine learning

help models be more fair with respect to sensitive variables?

Yeah, so there’s a paper from Amos Starkey’s lab

about how to learn machine learning models

that are incapable of using specific variables.

So say, for example, you wanted to make predictions

that are not affected by gender.

It isn’t enough to just leave gender

out of the input to the model.

You can often infer gender

from a lot of other characteristics.

Like say that you have the person’s name,

but you’re not told their gender.

Well, if their name is Ian, they’re kind of obviously a man.

So what you’d like to do is make a machine learning model

that can still take in a lot of different attributes

and make a really accurate informed prediction,

but be confident that it isn’t reverse engineering gender

or another sensitive variable internally.

You can do that using something very similar

to the domain adversarial approach,

where you have one player that’s a feature extractor

and another player that’s a feature analyzer.

And you want to make sure that the feature analyzer

is not able to guess the value of the sensitive variable

that you’re trying to keep private.

Right, that’s, yeah, I love this approach.

So yeah, with the feature,

you’re not able to infer the sensitive variables.

Brilliant, that’s quite brilliant and simple actually.

Another way I think that GANs in particular

could be used for fairness

would be to make something like a CycleGAN,

where you can take data from one domain

and convert it into another.

We’ve seen CycleGAN turning horses into zebras.

We’ve seen other unsupervised GANs made by Mingyu Liu

doing things like turning day photos into night photos.

I think for fairness,

you could imagine taking records for people in one group

and transforming them into analogous people in another group

and testing to see if they’re treated equitably

across those two groups.

There’s a lot of things that’d be hard to get right

to make sure that the conversion process itself is fair.

And I don’t think it’s anywhere near

something that we could actually use yet,

but if you could design that conversion process

very carefully, it might give you a way of doing audits

where you say, what if we took people from this group,

converted them into equivalent people in another group,

does the system actually treat them how it ought to?

That’s also really interesting.

You know, in popular press and in general,

in our imagination, you think,

well, GANs are able to generate data

and you start to think about deep fakes

or being able to sort of maliciously generate data

that fakes the identity of other people.

Is this something of a concern to you?

Is this something, if you look 10, 20 years into the future,

is that something that pops up in your work,

in the work of the community

that’s working on generating models?

I’m a lot less concerned about 20 years from now

than the next few years.

I think there’ll be a kind of bumpy cultural transition

as people encounter this idea

that there can be very realistic videos

and audio that aren’t real.

I think 20 years from now,

people will mostly understand

that you shouldn’t believe something is real

just because you saw a video of it.

People will expect to see

that it’s been cryptographically signed

or have some other mechanism to make them believe

that the content is real.

There’s already people working on this.

Like there’s a startup called Truepick

that provides a lot of mechanisms

for authenticating that an image is real.

They’re maybe not quite up to having a state actor

try to evade their verification techniques,

but it’s something that people are already working on

and I think we’ll get right eventually.

So you think authentication will eventually win out.

So being able to authenticate that this is real

and this is not.


As opposed to GANs just getting better and better

or generative models being able to get better and better

to where the nature of what is real is normal.

I don’t think we’ll ever be able

to look at the pixels of a photo

and tell you for sure that it’s real or not real.

And I think it would actually be somewhat dangerous

to rely on that approach too much.

If you make a really good fake detector

and then someone’s able to fool your fake detector

and your fake detector says this image is not fake,

then it’s even more credible

than if you’ve never made a fake detector

in the first place.

What I do think we’ll get to is systems

that we can kind of use behind the scenes

to make estimates of what’s going on

and maybe not like use them in court

for a definitive analysis.

I also think we will likely get better authentication systems

where, imagine that every phone cryptographically signs

everything that comes out of it.

You wouldn’t be able to conclusively tell

that an image was real,

but you would be able to tell somebody

who knew the appropriate private key for this phone

was actually able to sign this image

and upload it to this server at this timestamp.

Okay, so you could imagine maybe you make phones

that have the private keys hardware embedded in them.

If like a state security agency

really wants to infiltrate the company,

they could probably plant a private key of their choice

or break open the chip and learn the private key

or something like that.

But it would make it a lot harder

for an adversary with fewer resources to fake things.

For most of us it would be okay.

So you mentioned the beer and the bar and the new ideas.

You were able to implement this

or come up with this new idea pretty quickly

and implement it pretty quickly.

Do you think there’s still many such groundbreaking ideas

in deep learning that could be developed so quickly?

Yeah, I do think that there are a lot of ideas

that can be developed really quickly.

GANs were probably a little bit of an outlier

on the whole like one hour timescale.

But just in terms of like low resource ideas

where you do something really different

on the algorithm scale and get a big payback.

I think it’s not as likely that you’ll see that

in terms of things like core machine learning technologies

like a better classifier

or a better reinforcement learning algorithm

or a better generative model.

If I had the GAN idea today,

it would be a lot harder to prove that it was useful

than it was back in 2014

because I would need to get it running

on something like ImageNet or Celeb A at high resolution.

You know, those take a while to train.

You couldn’t train it in an hour

and know that it was something really new and exciting.

Back in 2014, training on MNIST was enough.

But there are other areas of machine learning

where I think a new idea

could actually be developed really quickly

with low resources.

What’s your intuition about what areas

of machine learning are ripe for this?

Yeah, so I think fairness and interpretability

are areas where we just really don’t have any idea

how anything should be done yet.

Like for interpretability,

I don’t think we even have the right definitions.

And even just defining a really useful concept,

you don’t even need to run any experiments,

could have a huge impact on the field.

We’ve seen that, for example, in differential privacy

that Cynthia Dwork and her collaborators

made this technical definition of privacy

where before a lot of things were really mushy.

And then with that definition,

you could actually design randomized algorithms

for accessing databases and guarantee

that they preserved individual people’s privacy

in like a mathematical quantitative sense.

Right now, we all talk a lot about

how interpretable different machine learning algorithms are,

but it’s really just people’s opinion.

And everybody probably has a different idea

of what interpretability means in their head.

If we could define some concept related to interpretability

that’s actually measurable,

that would be a huge leap forward

even without a new algorithm that increases that quantity.

And also once we had the definition of differential privacy,

it was fast to get the algorithms that guaranteed it.

So you could imagine once we have definitions

of good concepts and interpretability,

we might be able to provide the algorithms

that have the interpretability guarantees quickly too.

So what do you think it takes to build a system

with human level intelligence

as we quickly venture into the philosophical?

So artificial general intelligence, what do you think it takes?

I think that it definitely takes better environments

than we currently have for training agents

that we want them to have

a really wide diversity of experiences.

I also think it’s gonna take really a lot of computation.

It’s hard to imagine exactly how much.

So you’re optimistic about simulation,

simulating a variety of environments as the path forward?

I think it’s a necessary ingredient.

Yeah, I don’t think that we’re going to get

to artificial general intelligence

by training on fixed data sets

or by thinking really hard about the problem.

I think that the agent really needs to interact

and have a variety of experiences within the same lifespan.

And today we have many different models

that can each do one thing.

And we tend to train them on one data set

or one RL environment.

Sometimes there are actually papers

about getting one set of parameters to perform well

in many different RL environments.

But we don’t really have anything like an agent

that goes seamlessly from one type of experience to another

and really integrates all the different things

that it does over the course of its life.

When we do see multi agent environments,

they tend to be,

or so many multi environment agents,

they tend to be similar environments.

Like all of them are playing like an action based video game.

We don’t really have an agent that goes from

playing a video game to like reading the Wall Street Journal

to predicting how effective a molecule will be as a drug

or something like that.

What do you think is a good test for intelligence

in your view?

There’s been a lot of benchmarks started with the,

with Alan Turing,

natural conversation being a good benchmark for intelligence.

What would Ian Goodfellow sit back

and be really damn impressed

if a system was able to accomplish?

Something that doesn’t take a lot of glue

from human engineers.

So imagine that instead of having to

go to the CIFAR website and download CIFAR 10

and then write a Python script to parse it and all that,

you could just point an agent at the CIFAR 10 problem

and it downloads and extracts the data

and trains a model and starts giving you predictions.

I feel like something that doesn’t need to have

every step of the pipeline assembled for it,

definitely understands what it’s doing.

Is AutoML moving into that direction

or are you thinking way even bigger?

AutoML has mostly been moving toward,

once we’ve built all the glue,

can the machine learning system

design the architecture really well?

And so I’m more of saying like,

if something knows how to pre process the data

so that it successfully accomplishes the task,

then it would be very hard to argue

that it doesn’t truly understand the task

in some fundamental sense.

And I don’t necessarily know that that’s like

the philosophical definition of intelligence,

but that’s something that would be really cool to build

that would be really useful and would impress me

and would convince me that we’ve made a step forward

in real AI.

So you give it like the URL for Wikipedia

and then next day expect it to be able to solve CIFAR 10.

Or like you type in a paragraph

explaining what you want it to do

and it figures out what web searches it should run

and downloads all the necessary ingredients.

So you have a very clear, calm way of speaking,

no ums, easy to edit.

I’ve seen comments for both you and I

have been identified as both potentially being robots.

If you have to prove to the world that you are indeed human,

how would you do it?

I can understand thinking that I’m a robot.

It’s the flip side of the Turing test, I think.

Yeah, yeah, the prove your human test.

Intellectually, so you have to…

Is there something that’s truly unique in your mind?

Does it go back to just natural language again?

Just being able to talk the way out of it.

Proving that I’m not a robot with today’s technology.

Yeah, that’s pretty straightforward.

Like my conversation today hasn’t veered off

into talking about the stock market or something

because of my training data.

But I guess more generally trying to prove

that something is real from the content alone

is incredibly hard.

That’s one of the main things I’ve gotten

out of my GAN research,

that you can simulate almost anything.

And so you have to really step back to a separate channel

to prove that something is real.

So like, I guess I should have had myself

stamped on a blockchain when I was born or something,

but I didn’t do that.

So according to my own research methodology,

there’s just no way to know at this point.

So what, last question, problem stands out for you

that you’re really excited about challenging

in the near future?

So I think resistance to adversarial examples,

figuring out how to make machine learning secure

against an adversary who wants to interfere

and control it, that is one of the most important things

researchers today could solve.

In all domains, image, language, driving, and everything.

I guess I’m most concerned about domains

we haven’t really encountered yet.

Like imagine 20 years from now,

when we’re using advanced AIs to do things

we haven’t even thought of yet.

Like if you ask people,

what are the important problems in security of phones

in like 2002?

I don’t think we would have anticipated

that we’re using them for nearly as many things

as we’re using them for today.

I think it’s gonna be like that with AI

that you can kind of try to speculate

about where it’s going,

but really the business opportunities

that end up taking off would be hard

to predict ahead of time.

What you can predict ahead of time

is that almost anything you can do with machine learning,

you would like to make sure

that people can’t get it to do what they want

rather than what you want,

just by showing it a funny QR code

or a funny input pattern.

And you think that the set of methodology to do that

can be bigger than any one domain?

I think so, yeah.

Yeah, like one methodology that I think is,

not a specific methodology,

but like a category of solutions

that I’m excited about today is making dynamic models

that change every time they make a prediction.

So right now we tend to train models

and then after they’re trained, we freeze them

and we just use the same rule

to classify everything that comes in from then on.

That’s really a sitting duck from a security point of view.

If you always output the same answer for the same input,

then people can just run inputs through

until they find a mistake that benefits them.

And then they use the same mistake

over and over and over again.

I think having a model that updates its predictions

so that it’s harder to predict what you’re gonna get

will make it harder for an adversary

to really take control of the system

and make it do what they want it to do.

Yeah, models that maintain a bit of a sense of mystery

about them, because they always keep changing.

Ian, thanks so much for talking today, it was awesome.

Thank you for coming in, it’s great to see you.

comments powered by Disqus