FAWA: Fast Adversarial Watermark Attack on Optical Character Recognition (OCR) Systems

TL;DR

FAWA introduces a natural-looking, watermark-based adversarial attack on OCR systems that achieves perfect success rates with fewer perturbations and iterations, enhancing attack stealth and efficiency.

Contribution

This paper presents FAWA, a novel watermark-based adversarial attack method for OCR that is natural, efficient, and adaptable to various languages and OCR enhancements.

Findings

Achieves 100% attack success rate with fewer perturbations.

Produces natural-looking adversarial images indistinguishable to humans.

Reduces average iterations by 78% compared to existing methods.

Abstract

Deep neural networks (DNNs) significantly improved the accuracy of optical character recognition (OCR) and inspired many important applications. Unfortunately, OCRs also inherit the vulnerabilities of DNNs under adversarial examples. Different from colorful vanilla images, text images usually have clear backgrounds. Adversarial examples generated by most existing adversarial attacks are unnatural and pollute the background severely. To address this issue, we propose the Fast Adversarial Watermark Attack (FAWA) against sequence-based OCR models in the white-box manner. By disguising the perturbations as watermarks, we can make the resulting adversarial images appear natural to human eyes and achieve a perfect attack success rate. FAWA works with either gradient-based or optimization-based perturbation generation. In both letter-level and word-level attacks, our experiments show that in addition to natural appearance, FAWA achieves a 100% attack success rate with 60% less perturbations and 78% fewer iterations on average. In addition, we further extend FAWA to support full-color watermarks, other languages, and even the OCR accuracy-enhancing mechanism.