Style Attack Disguise: When Fonts Become a Camouflage for Adversarial Intent
Yangshijie Zhang, Xinda Wang, Jialin Liu, Wenqiang Wang, Zhicong Ma, Xingxing Jia

TL;DR
This paper introduces Style Attack Disguise (SAD), a novel style-based adversarial attack exploiting font and emoji styles to deceive NLP models while remaining human-readable, highlighting vulnerabilities in current NLP systems.
Contribution
The paper presents SAD, a new style-based attack method that effectively fools NLP models using stylistic fonts and emojis, revealing security gaps in existing systems.
Findings
SAD achieves high attack success rates across multiple NLP tasks.
SAD demonstrates potential threats to multimodal AI applications.
Experiments validate SAD's effectiveness on various models and services.
Abstract
With social media growth, users employ stylistic fonts and font-like emoji to express individuality, creating visually appealing text that remains human-readable. However, these fonts introduce hidden vulnerabilities in NLP models: while humans easily read stylistic text, models process these characters as distinct tokens, causing interference. We identify this human-model perception gap and propose a style-based attack, Style Attack Disguise (SAD). We design two sizes: light for query efficiency and strong for superior attack performance. Experiments on sentiment classification and machine translation across traditional models, LLMs, and commercial services demonstrate SAD's strong attack performance. We also show SAD's potential threats to multimodal tasks including text-to-image and text-to-speech generation.
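A defensive illustration of the perception gap the abstract describes, added here and not taken from the paper: fold styled characters back to plain text before the input reaches a model, and count how many were folded as a detection signal. It assumes the styled fonts are Unicode compatibility characters (mathematical alphanumerics, fullwidth forms) and that the font-like emoji include regional indicator symbols; the page does not list the exact character sets SAD uses, and `normalize_styled`, `fold_char` and `restyle` are hypothetical names.

```python
import unicodedata

# Regional indicator symbols (U+1F1E6..U+1F1FF) look like boxed letters but
# have no compatibility decomposition, so NFKC alone leaves them untouched.
RI_FIRST, RI_LAST = 0x1F1E6, 0x1F1FF

def fold_char(ch):
    """Map one styled character to its plain form (or return it unchanged)."""
    cp = ord(ch)
    if RI_FIRST <= cp <= RI_LAST:
        return chr(ord("A") + cp - RI_FIRST)
    return unicodedata.normalize("NFKC", ch)

def normalize_styled(text):
    """Return (folded_text, styled_count, styled_ratio) for a model input."""
    out, styled, visible = [], 0, 0
    for ch in text:
        folded = fold_char(ch)
        if not ch.isspace():
            visible += 1
        # Count only characters that collapse to plain ASCII letters/digits,
        # so ordinary accented or non-Latin text is not flagged.
        if folded != ch and folded.isascii() and folded.isalnum():
            styled += 1
        out.append(folded)
    # Re-normalize the joined string so combining sequences compose properly.
    folded_text = unicodedata.normalize("NFKC", "".join(out))
    ratio = styled / visible if visible else 0.0
    return folded_text, styled, ratio

def restyle(word, base):
    """Build a constructed sample: shift a-z onto a styled alphabet at base."""
    return "".join(chr(base + ord(c) - ord("a")) for c in word)

if __name__ == "__main__":
    # Constructed inputs: mathematical bold (U+1D41A), fullwidth (U+FF41),
    # and regional indicators (U+1F1E6), each starting at the letter "a".
    samples = [
        "this movie is " + restyle("terrible", 0x1D41A),
        restyle("free", 0xFF41) + " prize",
        restyle("bad", 0x1F1E6) + " service",
        "plain text, café",
    ]
    for s in samples:
        folded, count, ratio = normalize_styled(s)
        print(f"{folded!r} styled={count} ratio={ratio:.2f}")
```

Styled alphabets without a compatibility mapping (other than the regional indicators handled explicitly) pass through unchanged, so a non-zero styled ratio is better treated as a signal to log and review than as proof the input is now clean.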
Taxonomy
Topics: Hate Speech and Cyberbullying Detection · Adversarial Robustness in Machine Learning · Spam and Phishing Detection
