Visual Attack and Defense on Text
This addresses a security vulnerability in text-based neural systems for applications like spam filtering, though it appears incremental as it builds on existing adversarial attack/defense methods.
The paper tackles the problem of visual text attacks where characters are modified to visually similar ones to fool neural classifiers, showing that such attacks are readable by humans but greatly mislead classifiers. The authors propose a vision-based model with adversarial training for defense, achieving results that maintain normal text understanding while highlighting the sophistication and diversity of these attacks.
Modifying characters of a piece of text to their visual similar ones often ap-pear in spam in order to fool inspection systems and other conditions, which we regard as a kind of adversarial attack to neural models. We pro-pose a way of generating such visual text attack and show that the attacked text are readable by humans but mislead a neural classifier greatly. We ap-ply a vision-based model and adversarial training to defense the attack without losing the ability to understand normal text. Our results also show that visual attack is extremely sophisticated and diverse, more work needs to be done to solve this.