Optical Character Recognition (OCR) is a widely used tool for extracting text from scanned documents. Today, the state of the art is achieved with deep neural networks. However, this performance comes at the price of system vulnerability. For instance, in backdoor attacks, attackers compromise the training phase by inserting a backdoor into the victim's model; the backdoor is activated at test time by specific patterns while the overall model performance remains intact. This work proposes a backdoor attack on OCR that causes the injection of non-readable characters from malicious input images. This simple but effective attack exposes a weakness of state-of-the-art OCR: the extracted text looks correct to human eyes but is simultaneously unusable for the NLP application that uses OCR as a preprocessing step. Experimental results show that the attacked models successfully output non-readable characters for around 90% of the poisoned instances without harming their performance on the remaining instances.
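As an added defender-side example (not code from the paper), the check below audits OCR output for characters that are invisible or non-printing to a human reader yet survive into downstream NLP tokens. The Unicode categories treated as "non-readable" and the sample pages are constructed assumptions of this example, not values from the paper.

```python
import unicodedata

# Assumption of this example: these Unicode general categories are treated as
# "non-readable" (control, format, unassigned, private-use, line/paragraph separators).
NON_READABLE_CATEGORIES = {"Cc", "Cf", "Cn", "Co", "Zl", "Zp"}
# Ordinary whitespace that OCR legitimately emits and NLP tooling handles.
ALLOWED_CONTROLS = {"\n", "\r", "\t"}

# Constructed OCR outputs: one clean page and one carrying injected characters
# (zero-width space U+200B, category Cf; BEL U+0007, category Cc).
CLEAN_PAGE = "Invoice total: 1,250.00 EUR"
POISONED_PAGE = "Invoice\u200b total: 1,250.00\u200b EUR\u0007"
SAMPLE_PAGES = {"page-1": CLEAN_PAGE, "page-2": POISONED_PAGE}


def find_non_readable(text):
    """Return (index, codepoint, category) for every non-readable character."""
    hits = []
    for i, ch in enumerate(text):
        if ch in ALLOWED_CONTROLS:
            continue
        cat = unicodedata.category(ch)
        if cat in NON_READABLE_CATEGORIES:
            hits.append((i, f"U+{ord(ch):04X}", cat))
    return hits


def strip_non_readable(text):
    """Recover what a human reader sees: the text with non-readable characters removed."""
    return "".join(ch for ch in text
                   if ch in ALLOWED_CONTROLS
                   or unicodedata.category(ch) not in NON_READABLE_CATEGORIES)


def broken_tokens(text):
    """Whitespace tokens that still carry non-readable characters, i.e. what an
    NLP pipeline would receive instead of the word a human reads."""
    return [tok for tok in text.split() if find_non_readable(tok)]


def audit_ocr_batch(pages, threshold=0.0):
    """Per-page report; a page is suspicious if its non-readable ratio exceeds threshold."""
    report = []
    for page_id, text in pages.items():
        hits = find_non_readable(text)
        ratio = len(hits) / len(text) if text else 0.0
        report.append({"page": page_id, "hits": len(hits),
                       "ratio": ratio, "suspicious": ratio > threshold})
    return report
```

Because the visible text of a poisoned page equals the clean page, comparing `strip_non_readable` output against the raw output is a cheap integrity check to place between OCR and any NLP consumer.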