Research on Black-box Attack Algorithm by Targeting ID Card Text Recognition

Cited by: 0

Authors
Xu C.-K. [1,2]
Feng W.-D. [1,2]
Zhang C.-J. [1,2]
Zheng X.-L. [3,4,5]
Zhang H. [6]
Wang F.-Y. [3,4,5]
Affiliations
[1] The Institute of Information Science, School of Computer and Information Technology, Beijing Jiaotong University, Beijing
[2] Beijing Key Laboratory of Advanced Information Science and Network Technology, Beijing
[3] State Key Laboratory of Multimodal Artificial Intelligence Systems, Institute of Automation, Chinese Academy of Sciences, Beijing
[4] State Key Laboratory for Management and Control of Complex Systems, Institute of Automation, Chinese Academy of Sciences, Beijing
[5] School of Artificial Intelligence, University of Chinese Academy of Sciences, Beijing
[6] School of Transportation Science and Engineering, Beihang University, Beijing
Funding
National Natural Science Foundation of China
Keywords
Adversarial examples; binarization mask; black-box attack; ID card text recognition; physical world;
DOI
10.16383/j.aas.c230344
CLC classification
X9 [Safety science]
Discipline code
0837
Abstract
ID card authentication pipelines commonly run text recognition models over ID card images to extract, recognize and verify the printed fields, which creates a significant risk of privacy leakage. Moreover, most existing adversarial attack algorithms against text recognition models consider only simple backgrounds (such as printed text) and white-box settings, so they perform poorly in the physical world and do not carry over to complex backgrounds, complex data or black-box settings. To alleviate these problems, this paper proposes a black-box attack algorithm against ID card text recognition models that accounts for the more complex image background, the stricter black-box setting and the attack's effect in the physical world. Building on a transfer-based black-box attack, the proposed algorithm introduces a binarization mask and spatial transformations, which improve the visual quality of the adversarial examples and their robustness in the physical world while preserving the attack success rate. By exploring the performance upper bound of the transfer-based black-box attack under different norm constraints and the influence of its key hyper-parameters, the proposed algorithm achieves a 100% attack success rate against the Baidu ID card recognition model. The ID card dataset will be made publicly available in the future. © 2024 Science Press. All rights reserved.
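The abstract names three ingredients (a transfer-based attack from a white-box surrogate, a binarization mask that confines the perturbation to the text strokes, and spatial transformations that make the result survive physical-world distortion) without showing how they fit together. The following toy illustration is an added example and is not the paper's code, models or data. Everything in it is an assumption standing in for the real setting: a nearest-template classifier under squared L2 distance plays the attacker's white-box surrogate, a nearest-template classifier under L1 distance plays the black-box target (only its labels are observed, never its internals), 5x5 constructed glyphs play the ID card text, a grey-level threshold of 0.5 is the binarization, integer translations are the spatial transformation (an expectation-over-transformation, EOT, gradient), and projected gradient descent under an L_inf ball (with an L2 projection available) is the norm-constrained optimizer. The names `masked_transfer_attack`, `robustness_rate` and `run_demo` are this example's own.

```python
import numpy as np

# --- Constructed toy setup (not the paper's models or data) ------------------
# 5x5 grey-scale "glyphs": 1.0 is white paper, 0.0 is ink. Class 0 is a full
# vertical stroke, class 1 a shorter one; the attack turns a clean class-0
# glyph into one that BOTH models read as class 1.
def make_templates():
    t0 = np.ones((5, 5))
    t0[:, 2] = 0.0
    t1 = np.ones((5, 5))
    t1[0:3, 2] = 0.0
    return [t0, t1]

TEMPLATES = make_templates()

# Integer translations: the EOT transform set during the attack and also the
# "physical" distortions the adversarial example is evaluated under afterwards.
EOT_SHIFTS = [(dy, dx) for dy in (-1, 0, 1) for dx in (-1, 0, 1)]


def surrogate_logits(img):
    """White-box surrogate the attacker owns: negative squared L2 distance to each template."""
    return np.array([-np.sum((img - t) ** 2) for t in TEMPLATES])


def surrogate_grad(img, true_label):
    """Gradient of the untargeted margin loss (strongest wrong logit minus true logit)."""
    logits = surrogate_logits(img)
    logits[true_label] = -np.inf
    other = int(np.argmax(logits))
    # d(-||img - t||^2)/d img = -2 (img - t), so the margin gradient is 2 (t_other - t_true).
    return 2.0 * (TEMPLATES[other] - TEMPLATES[true_label])


def blackbox_predict(img):
    """Black-box target: labels only. Nearest template under L1, a rule the attacker never sees."""
    return int(np.argmin([np.sum(np.abs(img - t)) for t in TEMPLATES]))


def binarization_mask(img, threshold=0.5):
    """1 on stroke (ink) pixels, 0 on background: the perturbation is confined to the strokes."""
    return (img < threshold).astype(float)


def shift(img, dy, dx):
    return np.roll(np.roll(img, dy, axis=0), dx, axis=1)


def project(delta, eps, norm):
    """Project the perturbation back into the L_inf or L2 ball of radius eps."""
    if norm == "linf":
        return np.clip(delta, -eps, eps)
    if norm == "l2":
        n = np.linalg.norm(delta)
        return delta if n <= eps else delta * (eps / n)
    raise ValueError(f"unsupported norm {norm!r}")


def masked_transfer_attack(img, true_label, eps=0.6, alpha=0.1, steps=20,
                           norm="linf", shifts=EOT_SHIFTS):
    """PGD on the surrogate, gradient averaged over spatial transforms (EOT), masked to strokes."""
    mask = binarization_mask(img)
    delta = np.zeros_like(img)
    for _ in range(steps):
        grad = np.zeros_like(img)
        for dy, dx in shifts:
            g = surrogate_grad(shift(img + delta, dy, dx), true_label)
            grad += shift(g, -dy, -dx)          # undo the transform to land on the un-shifted image
        grad /= len(shifts)
        if norm == "linf":
            step = alpha * np.sign(grad)
        else:
            step = alpha * grad / (np.linalg.norm(grad) + 1e-12)
        delta = project((delta + step) * mask, eps, norm)
        delta = np.clip(img + delta, 0.0, 1.0) - img   # stay inside the valid pixel range
    return img + delta, delta, mask


def robustness_rate(img_adv, true_label, shifts=EOT_SHIFTS):
    """Fraction of transforms under which the black-box model still returns a wrong label."""
    return float(np.mean([blackbox_predict(shift(img_adv, dy, dx)) != true_label
                          for dy, dx in shifts]))


def run_demo():
    clean = TEMPLATES[0].copy()
    with_eot, delta, mask = masked_transfer_attack(clean, 0)
    no_eot, _, _ = masked_transfer_attack(clean, 0, shifts=[(0, 0)])  # same attack, no EOT
    return {
        "clean_label": blackbox_predict(clean),
        "surrogate_fooled": int(np.argmax(surrogate_logits(with_eot))) != 0,
        "blackbox_fooled": blackbox_predict(with_eot) != 0,        # transfer to the black box
        "outside_mask_changed": float(np.abs(delta * (1 - mask)).max()),
        "linf": float(np.abs(delta).max()),
        "robust_with_eot": robustness_rate(with_eot, 0),
        "robust_without_eot": robustness_rate(no_eot, 0),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The two numbers to compare are `robust_with_eot` and `robust_without_eot`: the adversarial example crafted without the transformation set still transfers to the black box on the un-shifted image, but it is read correctly again under some translations, whereas the EOT-averaged one fools the black box under every translation in the set. `outside_mask_changed` staying at zero is the binarization-mask property: background pixels are never touched, which is what keeps the perturbation visually unobtrusive on a busy ID card background. The norm constraint is checked through `linf`, and switching `norm="l2"` exercises the other projection the abstract refers to.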
Pages
103-120 (17 pages)