Fooling OCR Systems with Adversarial Text Images
The paper tackles the vulnerability of state-of-the-art deep learning-based optical character recognition (OCR) systems to adversarial images, showing that minor modifications to printed text images can cause the OCR to output a different text in which words are replaced by their semantic opposites, completely altering the meaning.
This exposes a security risk for NLP applications relying on OCR preprocessing, potentially leading to misinterpretations in critical domains.
We demonstrate that state-of-the-art optical character recognition (OCR) based on deep learning is vulnerable to adversarial images. Minor modifications to images of printed text, which do not change the meaning of the text to a human reader, cause the OCR system to "recognize" a different text where certain words chosen by the adversary are replaced by their semantic opposites. This completely changes the meaning of the output produced by the OCR system and by the NLP applications that use OCR for preprocessing their inputs.