Invisible Threats: Backdoor Attack in OCR Systems
- URL: http://arxiv.org/abs/2310.08259v1
- Date: Thu, 12 Oct 2023 12:05:51 GMT
- Title: Invisible Threats: Backdoor Attack in OCR Systems
- Authors: Mauro Conti, Nicola Farronato, Stefanos Koffas, Luca Pajola, Stjepan Picek
- Abstract summary: This work proposes a backdoor attack for OCR resulting in the injection of non-readable characters from malicious input images.
This simple but effective attack exposes the state-of-the-art OCR weakness, making the extracted text correct to human eyes but simultaneously unusable for the NLP application.
- Score: 26.471281625129226
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Optical Character Recognition (OCR) is a widely used tool to extract text
from scanned documents. Today, the state-of-the-art is achieved by exploiting
deep neural networks. However, the cost of this performance is paid at the
price of system vulnerability. For instance, in backdoor attacks, attackers
compromise the training phase by inserting a backdoor in the victim's model
that will be activated at testing time by specific patterns while leaving the
overall model performance intact. This work proposes a backdoor attack for OCR
resulting in the injection of non-readable characters from malicious input
images. This simple but effective attack exposes the state-of-the-art OCR
weakness, making the extracted text correct to human eyes but simultaneously
unusable for the NLP application that uses OCR as a preprocessing step.
Experimental results show that the attacked models successfully output
non-readable characters for around 90% of the poisoned instances without
harming their performance for the remaining instances.
Related papers
- Assimilation Matters: Model-level Backdoor Detection in Vision-Language Pretrained Models [71.44858461725893]
Given a model fine-tuned by an untrusted third party, determining whether the model has been injected with a backdoor is a critical and challenging problem.
Existing detection methods usually rely on prior knowledge of training dataset, backdoor triggers and targets.
We introduce Assimilation Matters in DETection (AMDET), a novel model-level detection framework that operates without any such prior knowledge.
arXiv Detail & Related papers (2025-11-29T06:20:00Z)
- Towards Invisible Backdoor Attack on Text-to-Image Diffusion Model [70.03122709795122]
Backdoor attacks targeting text-to-image diffusion models have advanced rapidly.
Current backdoor samples often exhibit two key abnormalities compared to benign samples.
We propose a novel Invisible Backdoor Attack (IBA) to enhance the stealthiness of backdoor samples.
arXiv Detail & Related papers (2025-03-22T10:41:46Z)
- Poisoned Forgery Face: Towards Backdoor Attacks on Face Forgery Detection [62.595450266262645]
This paper introduces a novel and previously unrecognized threat in face forgery detection scenarios caused by backdoor attack.
By embedding backdoors into models, attackers can deceive detectors into producing erroneous predictions for forged faces.
We propose the Poisoned Forgery Face framework, which enables clean-label backdoor attacks on face forgery detectors.
arXiv Detail & Related papers (2024-02-18T06:31:05Z)
- When Vision Fails: Text Attacks Against ViT and OCR [37.010684530076205]
Text-based machine learning models are vulnerable to an emerging class of Unicode-based adversarial examples.
In theory, OCR models will ignore any malicious Unicode characters and will extract the visually correct input to be fed to the model.
We show that these visual defenses fail to prevent this type of attack.
arXiv Detail & Related papers (2023-06-12T11:26:08Z)
- Backdoor Attack with Sparse and Invisible Trigger [57.41876708712008]
Deep neural networks (DNNs) are vulnerable to backdoor attacks.
Backdoor attack is an emerging yet threatening training-phase threat.
We propose a sparse and invisible backdoor attack (SIBA).
arXiv Detail & Related papers (2023-05-11T10:05:57Z)
- SATBA: An Invisible Backdoor Attack Based On Spatial Attention [7.405457329942725]
Backdoor attacks involve the training of Deep Neural Network (DNN) on datasets that contain hidden trigger patterns.
Most existing backdoor attacks suffer from two significant drawbacks: their trigger patterns are visible and easy to detect by backdoor defense or even human inspection.
We propose a novel backdoor attack named SATBA that overcomes these limitations using spatial attention and a U-net based model.
arXiv Detail & Related papers (2023-02-25T10:57:41Z)
- Untargeted Backdoor Attack against Object Detection [69.63097724439886]
We design a poison-only backdoor attack in an untargeted manner, based on task characteristics.
We show that, once the backdoor is embedded into the target model by our attack, it can trick the model to lose detection of any object stamped with our trigger patterns.
arXiv Detail & Related papers (2022-11-02T17:05:45Z)
- BATT: Backdoor Attack with Transformation-based Triggers [72.61840273364311]
Deep neural networks (DNNs) are vulnerable to backdoor attacks.
Backdoor adversaries inject hidden backdoors that can be activated by adversary-specified trigger patterns.
One recent research revealed that most of the existing attacks failed in the real physical world.
arXiv Detail & Related papers (2022-11-02T16:03:43Z)
- Turn the Combination Lock: Learnable Textual Backdoor Attacks via Word Substitution [57.51117978504175]
Recent studies show that neural natural language processing (NLP) models are vulnerable to backdoor attacks.
Injected with backdoors, models perform normally on benign examples but produce attacker-specified predictions when the backdoor is activated.
We present invisible backdoors that are activated by a learnable combination of word substitution.
arXiv Detail & Related papers (2021-06-11T13:03:17Z)
- Hidden Killer: Invisible Textual Backdoor Attacks with Syntactic Trigger [48.59965356276387]
We propose to use syntactic structure as the trigger in textual backdoor attacks.
We conduct extensive experiments to demonstrate that the trigger-based attack method can achieve comparable attack performance.
These results also reveal the significant insidiousness and harmfulness of textual backdoor attacks.
arXiv Detail & Related papers (2021-05-26T08:54:19Z)
- Attacking Optical Character Recognition (OCR) Systems with Adversarial Watermarks [22.751944254451875]
We propose a watermark attack method to produce natural distortion that is in the disguise of watermarks and evades human eyes' detection.
Experimental results show that watermark attacks can yield a set of natural adversarial examples attached with watermarks and attain similar attack performance to the state-of-the-art methods in different attack scenarios.
arXiv Detail & Related papers (2020-02-08T05:53:21Z)
This list is automatically generated from the titles and abstracts of the papers in this site.