Several years of research have shown that machine-learning systems are
vulnerable to adversarial examples, both in theory and in practice. Until now,
such attacks have primarily targeted visual models, exploiting the gap between
human and machine perception. Although text-based models have also been
attacked with adversarial examples, such attacks struggled to preserve semantic
meaning and indistinguishability. In this paper, we explore a large class of
adversarial examples that can be used to attack text-based models in a
black-box setting without making any human-perceptible visual modification to
inputs. We use encoding-specific perturbations that are imperceptible to the
human eye to manipulate the outputs of a wide range of Natural Language
Processing (NLP) systems from neural machine-translation pipelines to web
search engines. We find that with a single imperceptible encoding injection --
representing one invisible character, homoglyph, reordering, or deletion -- an
attacker can significantly reduce the performance of vulnerable models, and
with three injections most models can be functionally broken. Our attacks work
against currently-deployed commercial systems, including those produced by
Microsoft and Google, in addition to open source models published by Facebook,
IBM, and HuggingFace. This novel series of attacks presents a significant
threat to many language processing systems: an attacker can affect systems in a
targeted manner without any assumptions about the underlying model. We conclude
that text-based NLP systems require careful input sanitization, just like
conventional applications, and that given such systems are now being deployed
rapidly at scale, the urgent attention of architects and operators is required.

本研究探索了一种新的文本诱骗攻击方式，使用对人眼不可见的编码特定干扰，攻击了广泛应用于神经机器翻译和网络搜索引擎等自然语言处理系统的文本模型，破坏了系统的性能，提出了输入净化的需求。

不可察觉的自然语言处理攻击

Bad Characters: Imperceptible NLP Attacks

We propose Februus; a new idea to neutralize highly potent and insidious
Trojan attacks on Deep Neural Network (DNN) systems at run-time. In Trojan
attacks, an adversary activates a backdoor crafted in a deep neural network
model using a secret trigger, a Trojan, applied to any input to alter the
model's decision to a target prediction---a target determined by and only known
to the attacker. Februus sanitizes the incoming input by surgically removing
the potential trigger artifacts and restoring the input for the classification
task. Februus enables effective Trojan mitigation by sanitizing inputs with no
loss of performance for sanitized inputs, Trojaned or benign. Our extensive
evaluations on multiple infected models based on four popular datasets across
three contrasting vision applications and trigger types demonstrate the high
efficacy of Februus. We dramatically reduced attack success rates from 100% to
near 0% for all cases (achieving 0% on multiple cases) and evaluated the
generalizability of Februus to defend against complex adaptive attacks;
notably, we realized the first defense against the advanced partial Trojan
attack. To the best of our knowledge, Februus is the first backdoor defense
method for operation at run-time capable of sanitizing Trojaned inputs without
requiring anomaly detection methods, model retraining or costly labeled data.

Februus 为一种新方法，能够在运行时中立化高度潜在和难以发现的网络 Trojan 攻击，通过对输入进行手术式的去除和重构，Februus 实现了对不符合标准的输入的有效中和，并能够在不需要异常检测方法、模型重新训练或昂贵的标签数据的情况下，操作运行时 Trojaned 输入的处理。