[akhundelar]

As far as my understanding goes, you can apply a distance measure on the (neural)hashes of the input image and the reference image. A proximity threshold will determine if it's a variant of the original image or not. So, it should probably be pretty good at defeating basic evasion.

It is not like a cryptographic hash, where altering a single bit will completely change the output.

[toxik]

I think you're overestimating the capabilities of neural networks here, and especially ones that we know the exact weights for. It is fairly trivial to generate invisible noise that makes an input image get an entirely different hash.

[akhundelar]

> It is fairly trivial to generate invisible noise that makes an input image get an entirely different hash.

What I had in mind when referring to 'basic evasion' was 'cropping or rotating', as per your original comment.

All that being said, I admit that generating adversarial examples for models with known weights is not a difficult task.

[heavyset_go]

Perceptual hashing systems that do derivative image lookups don't rely on exact hash comparisons, but fuzzy hash comparisons using a distance metric like the Hamming distance to find similar images.

If two hashes are off by a bit or two, chances are that the two images are derived from the same, or similar, source image.

[toxik]

I can restate what I said again for you: I can generate noise that makes the Hamming distance or whatever metric you prefer arbitrarily large without changing the contents noticeably.