Visual Attack and Defense on Text
Shengjun Liu, Ningkang Jiang, Yuanbin Wu

TL;DR
This paper explores visual adversarial attacks on text, demonstrating how slight visual modifications can fool neural classifiers while remaining human-readable, and proposes a vision-based defense method.
Contribution
It introduces a novel visual attack method on text and a defense strategy using adversarial training with vision-based models.
Findings
Visual attacks significantly mislead neural classifiers
Proposed defense reduces attack success rate
Visual attack methods are highly diverse and sophisticated
Abstract
Modifying characters in a piece of text to visually similar ones is a common technique in spam, used to fool inspection systems and similar filters; we regard it as a kind of adversarial attack on neural models. We propose a way of generating such visual text attacks and show that the attacked text remains readable by humans but greatly misleads a neural classifier. We apply a vision-based model and adversarial training to defend against the attack without losing the ability to understand normal text. Our results also show that visual attacks are extremely sophisticated and diverse, and more work needs to be done to address them.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Digital Media Forensic Detection · Anomaly Detection Techniques and Applications
