{"id":"https://openalex.org/W4416851502","doi":"https://doi.org/10.1145/3733800.3763269","title":"When Vision Fails: Text Attacks Against ViT and OCR","display_name":"When Vision Fails: Text Attacks Against ViT and OCR","publication_year":2025,"publication_date":"2025-10-13","ids":{"openalex":"https://openalex.org/W4416851502","doi":"https://doi.org/10.1145/3733800.3763269"},"language":null,"primary_location":{"id":"doi:10.1145/3733800.3763269","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3733800.3763269","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3733800.3763269","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 Workshop on Large AI Systems and Models with Privacy and Security Analysis","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3733800.3763269","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Nicholas Boucher","orcid":"https://orcid.org/0000-0002-5674-3730"},"institutions":[{"id":"https://openalex.org/I241749","display_name":"University of Cambridge","ror":"https://ror.org/013meh722","country_code":"GB","type":"education","lineage":["https://openalex.org/I241749"]}],"countries":["GB"],"is_corresponding":true,"raw_author_name":"Nicholas Boucher","raw_affiliation_strings":["University of Cambridge, Cambridge, United Kingdom"],"raw_orcid":"https://orcid.org/0000-0002-5674-3730","affiliations":[{"raw_affiliation_string":"University of Cambridge, Cambridge, United Kingdom","institution_ids":["https://openalex.org/I241749"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5087740414","display_name":"Jenny Blessing","orcid":"https://orcid.org/0009-0007-7470-6435"},"institutions":[{"id":"https://openalex.org/I241749","display_name":"University of Cambridge","ror":"https://ror.org/013meh722","country_code":"GB","type":"education","lineage":["https://openalex.org/I241749"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Jenny Blessing","raw_affiliation_strings":["University of Cambridge, Cambridge, United Kingdom"],"raw_orcid":"https://orcid.org/0009-0007-7470-6435","affiliations":[{"raw_affiliation_string":"University of Cambridge, Cambridge, United Kingdom","institution_ids":["https://openalex.org/I241749"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5069844959","display_name":"Ilia Shumailov","orcid":"https://orcid.org/0000-0003-3100-0727"},"institutions":[{"id":"https://openalex.org/I40120149","display_name":"University of Oxford","ror":"https://ror.org/052gg0110","country_code":"GB","type":"education","lineage":["https://openalex.org/I40120149"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Ilia Shumailov","raw_affiliation_strings":["University of Oxford, Oxford, United Kingdom"],"raw_orcid":"https://orcid.org/0000-0003-3100-0727","affiliations":[{"raw_affiliation_string":"University of Oxford, Oxford, United Kingdom","institution_ids":["https://openalex.org/I40120149"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5046983053","display_name":"Ross Anderson","orcid":"https://orcid.org/0000-0001-8697-5682"},"institutions":[{"id":"https://openalex.org/I98677209","display_name":"University of Edinburgh","ror":"https://ror.org/01nrxwf90","country_code":"GB","type":"education","lineage":["https://openalex.org/I98677209"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Ross Anderson","raw_affiliation_strings":["University of Cambridge, Cambridge, United Kingdom and University of Edinburgh, Edinburgh, United Kingdom"],"raw_orcid":"https://orcid.org/0000-0001-8697-5682","affiliations":[{"raw_affiliation_string":"University of Cambridge, Cambridge, United Kingdom and University of Edinburgh, Edinburgh, United Kingdom","institution_ids":["https://openalex.org/I98677209"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5018809423","display_name":"Nicolas Papernot","orcid":"https://orcid.org/0000-0001-5078-7233"},"institutions":[{"id":"https://openalex.org/I185261750","display_name":"University of Toronto","ror":"https://ror.org/03dbr7087","country_code":"CA","type":"education","lineage":["https://openalex.org/I185261750"]},{"id":"https://openalex.org/I4210127509","display_name":"Vector Institute","ror":"https://ror.org/03kqdja62","country_code":"CA","type":"facility","lineage":["https://openalex.org/I4210127509"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Nicolas Papernot","raw_affiliation_strings":["University of Toronto, Toronto, Canada and Vector Institute, Toronto, Canada"],"raw_orcid":"https://orcid.org/0000-0001-5078-7233","affiliations":[{"raw_affiliation_string":"University of Toronto, Toronto, Canada and Vector Institute, Toronto, Canada","institution_ids":["https://openalex.org/I4210127509","https://openalex.org/I185261750"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":5,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I241749"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":{"value":0.1914393,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"19","last_page":"29"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.853600025177002,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.853600025177002,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.02630000002682209,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.016699999570846558,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/unicode","display_name":"Unicode","score":0.9214000105857849},{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.7475000023841858},{"id":"https://openalex.org/keywords/comprehension","display_name":"Comprehension","score":0.5253000259399414},{"id":"https://openalex.org/keywords/character","display_name":"Character (mathematics)","score":0.49790000915527344},{"id":"https://openalex.org/keywords/class","display_name":"Class (philosophy)","score":0.4284999966621399},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.423799991607666},{"id":"https://openalex.org/keywords/optical-character-recognition","display_name":"Optical character recognition","score":0.34060001373291016},{"id":"https://openalex.org/keywords/language-model","display_name":"Language model","score":0.31709998846054077}],"concepts":[{"id":"https://openalex.org/C500551929","wikidata":"https://www.wikidata.org/wiki/Q8819","display_name":"Unicode","level":2,"score":0.9214000105857849},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.7475000023841858},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.71670001745224},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.6158999800682068},{"id":"https://openalex.org/C511192102","wikidata":"https://www.wikidata.org/wiki/Q5156948","display_name":"Comprehension","level":2,"score":0.5253000259399414},{"id":"https://openalex.org/C204321447","wikidata":"https://www.wikidata.org/wiki/Q30642","display_name":"Natural language processing","level":1,"score":0.5087000131607056},{"id":"https://openalex.org/C2780861071","wikidata":"https://www.wikidata.org/wiki/Q1062934","display_name":"Character (mathematics)","level":2,"score":0.49790000915527344},{"id":"https://openalex.org/C2777212361","wikidata":"https://www.wikidata.org/wiki/Q5127848","display_name":"Class (philosophy)","level":2,"score":0.4284999966621399},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.423799991607666},{"id":"https://openalex.org/C546480517","wikidata":"https://www.wikidata.org/wiki/Q167555","display_name":"Optical character recognition","level":3,"score":0.34060001373291016},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.33340001106262207},{"id":"https://openalex.org/C137293760","wikidata":"https://www.wikidata.org/wiki/Q3621696","display_name":"Language model","level":2,"score":0.31709998846054077},{"id":"https://openalex.org/C36464697","wikidata":"https://www.wikidata.org/wiki/Q451553","display_name":"Visualization","level":2,"score":0.31380000710487366},{"id":"https://openalex.org/C774472","wikidata":"https://www.wikidata.org/wiki/Q6760393","display_name":"Margin (machine learning)","level":2,"score":0.2971000075340271},{"id":"https://openalex.org/C184337299","wikidata":"https://www.wikidata.org/wiki/Q1437428","display_name":"Semantics (computer science)","level":2,"score":0.2955000102519989},{"id":"https://openalex.org/C28490314","wikidata":"https://www.wikidata.org/wiki/Q189436","display_name":"Speech recognition","level":1,"score":0.2921000123023987},{"id":"https://openalex.org/C116834253","wikidata":"https://www.wikidata.org/wiki/Q2039217","display_name":"Identification (biology)","level":2,"score":0.2793999910354614},{"id":"https://openalex.org/C195324797","wikidata":"https://www.wikidata.org/wiki/Q33742","display_name":"Natural language","level":2,"score":0.26420000195503235},{"id":"https://openalex.org/C2781045450","wikidata":"https://www.wikidata.org/wiki/Q254569","display_name":"Backdoor","level":2,"score":0.2628999948501587},{"id":"https://openalex.org/C178253425","wikidata":"https://www.wikidata.org/wiki/Q162668","display_name":"Visual perception","level":3,"score":0.260699987411499},{"id":"https://openalex.org/C2776035688","wikidata":"https://www.wikidata.org/wiki/Q1606558","display_name":"Affect (linguistics)","level":2,"score":0.25130000710487366},{"id":"https://openalex.org/C108583219","wikidata":"https://www.wikidata.org/wiki/Q197536","display_name":"Deep learning","level":2,"score":0.25029999017715454}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3733800.3763269","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3733800.3763269","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3733800.3763269","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 Workshop on Large AI Systems and Models with Privacy and Security Analysis","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3733800.3763269","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3733800.3763269","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3733800.3763269","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 Workshop on Large AI Systems and Models with Privacy and Security Analysis","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4416851502.pdf","grobid_xml":"https://content.openalex.org/works/W4416851502.grobid-xml"},"referenced_works_count":16,"referenced_works":["https://openalex.org/W1595159159","https://openalex.org/W2113321599","https://openalex.org/W2250342921","https://openalex.org/W2582311786","https://openalex.org/W2933138175","https://openalex.org/W2962718684","https://openalex.org/W2962818281","https://openalex.org/W2963532001","https://openalex.org/W2963748441","https://openalex.org/W2963807318","https://openalex.org/W3001639638","https://openalex.org/W3103836116","https://openalex.org/W3154987757","https://openalex.org/W3176393001","https://openalex.org/W3212709629","https://openalex.org/W3213748123"],"related_works":[],"abstract_inverted_index":{"Text-based":[0],"machine":[1],"learning":[2],"models":[3,48,168,200],"are":[4,201],"vulnerable":[5,203],"to":[6,34,62,65,78,89,136,182,204],"an":[7],"emerging":[8],"class":[9],"of":[10,15,82,112,124,155,194,207],"Unicode-based":[11],"adversarial":[12,92,164,187],"examples":[13,93,165,188],"capable":[14],"tricking":[16],"a":[17,86,98,102,179],"model":[18],"into":[19],"misreading":[20],"text":[21,38,138,148,208],"with":[22],"potentially":[23,36],"disastrous":[24],"effects.":[25],"The":[26],"primary":[27],"existing":[28],"defense":[29],"against":[30,166],"these":[31,74,156],"attacks":[32,157],"is":[33,149],"preprocess":[35],"malicious":[37,52],"inputs":[39,139],"using":[40],"optical":[41],"character":[42],"recognition":[43],"(OCR).":[44],"In":[45,68],"theory,":[46],"OCR":[47,95,113],"will":[49,56],"ignore":[50],"any":[51],"Unicode":[53,122],"characters":[54,126,132],"and":[55,114,134,174],"extract":[57],"the":[58,66,110,121,131,147,153,159,185,195],"visually":[59],"correct":[60],"input":[61],"be":[63],"fed":[64],"model.":[67],"this":[69,80,205],"work,":[70],"we":[71,119],"show":[72],"that":[73,107,141,184,198],"visual":[75,91,116,143],"defenses":[76],"fail":[77],"prevent":[79],"type":[81,206],"attack.":[83,209],"We":[84,151,176],"use":[85,120],"genetic":[87],"algorithm":[88],"generate":[90],"(i.e.,":[94],"outputs)":[96],"in":[97,158],"black-box":[99],"setting,":[100],"demonstrating":[101],"highly":[103],"effective":[104],"novel":[105],"attack":[106],"substantially":[108],"reduces":[109],"accuracy":[111],"other":[115],"models.":[117],"Specifically,":[118],"functionality":[123],"combining":[125],"(e.g.,":[127],"\\(\\tilde{n}\\)":[128],"which":[129],"combines":[130],"n":[133],"\u223c)":[135],"manipulate":[137],"so":[140],"small":[142],"perturbations":[144],"appear":[145],"when":[146],"displayed.":[150],"demonstrate":[152],"effectiveness":[154],"real":[160],"world":[161],"by":[162,170],"creating":[163],"production":[167],"published":[169],"Meta,":[171],"Microsoft,":[172],"IBM,":[173],"Google.":[175],"additionally":[177],"conduct":[178],"user":[180],"study":[181],"establish":[183],"model-fooling":[186],"do":[189],"not":[190],"affect":[191],"human":[192],"comprehension":[193],"text,":[196],"showing":[197],"language":[199],"uniquely":[202]},"counts_by_year":[],"updated_date":"2026-03-13T14:20:09.374765","created_date":"2025-12-01T00:00:00"}