G1yphD3c0de: Towards Safer Language Models on Visually Perturbed Texts

We appreciate the reviewer’s acknowledgment of the relevance of our problem setting, the practicality of our modular approach, and the value of the benchmark we introduce. Below, we address the points raised by the reviewer:

Point1. Ablation studies
| While the framework achieves strong results, the paper lacks ablation studies analyzing the contribution of each component (e.g., visual embeddings, fusion mechanism, OCR backbone). Without such analysis, it is difficult to assess the necessity and individual impact of different modules in GLYPHDECODE.

Thank you for the valuable feedback and have extended our experiments with a detailed ablation study.

To isolate the contribution of each core module in GLYPHDECODE, we systematically ablated the following components: (1) without the visual embeddings, (2) without the character embeddings, (3) other fusion mechanism (replacing our modality-adaptive gated fusion with cross-attention), and (4) other OCR backbone (replacing our backbone with the pretrained transformer-based TROCR [1]).

We observed a substantial performance collapse across all metrics when visual embeddings were removed, with an average absolute drop of 69.4% across all three visual perturbation mechanisms, confirming that visual features are essential for restoration.

Ablating character embeddings also led to an average drop of 25.1%, indicating that the model relies not only on visual signals but also on the underlying textual structure to recover content effectively.

Our proposed fusion mechanism showed slightly better performance than a standard cross-attention alternative, with an average gain of 2.6%, suggesting that modality-adaptive weighting provides marginal but consistent benefit in this task setting.

Finally, replacing our OCR backbone with TrOCR led to a 24.8% average performance drop, especially under PaddleOCR and VIPER perturbations. As shown in Section 4.3 and Figure 6, these involve more complex distortions, to which TrOCR is less robust. In contrast, our backbone better handles such challenging visual noise.

We will include these ablation results and accompanying analysis in the revised version.

References
[1] TrOCR: Transformer-based Optical Character Recognition with Pre-trained Models

Point2. Comparison against simpler baselines
| The paper does not compare against simpler baselines, such as training a safety classifier directly on visually perturbed data via data augmentation. It remains unclear whether restoration is necessary for improving safety classification, or if comparable performance can be achieved through less complex strategies.

Thank you for this important suggestion. To evaluate whether our restoration pipeline is truly necessary, we incorporated a safety classifier inspired by prior work on robustness to visual perturbations [1]. Specifically, we adopted Detoxify [2], a widely used safety classifier, and fine-tuned its pretrained model on our visually perturbed text data from the GlyphSynth dataset.

As shown in the table below, this simpler baseline (Detoxify) achieves moderately improved performance over zero-shot models. However, it still significantly underperforms compared to our GlyphRestorer pipeline across all models and evaluation metrics. This suggests that simply exposing classifiers to noisy inputs is insufficient, and that explicit restoration is critical for recovering semantic integrity under perturbation.

multiline

singleword

We will include these baseline results in the revised version.

References
[1] Learning the Legibility of Visual Text Perturbations
[2] https://github.com/unitaryai/detoxify

We appreciate the reviewer’s recognition of the coherence of our combined contributions, the effectiveness of GlyphDecode across model types, and its ability to operate without access to model weights. Below, we address the points raised by the reviewer:

Point 1. Ablation studies
| The GlyphRestorer module detailed in Figure 3 includes many seemingly-random architectural decisions. Ablations of different components would help know why it's beating the baselines in Table 2 (or is it mostly just the unique training data?).

Thank you for highlighting the importance of ablation analysis to better understand the source of performance gains. In response, we have extended our experiments with a systematic ablation study to assess the individual contribution of core components in GlyphRestorer.

Specifically, we evaluated four key ablations: (1) removing visual embeddings, (2) removing character (textual) embeddings, (3) replacing our modality-adaptive gated fusion with standard cross-attention, and (4) replacing our OCR backbone with a transformer-based model (TrOCR [1]).

We observed a substantial performance collapse across all metrics when visual embeddings were removed, with an average absolute drop of 69.4% across all three visual perturbation mechanisms, confirming that visual features are essential for restoration.

Ablating character embeddings also led to an average drop of 25.1%, indicating that the model relies not only on visual signals but also on the underlying textual structure to recover content effectively.

Our proposed fusion mechanism showed slightly better performance than a standard cross-attention alternative, with an average gain of 2.6%, suggesting that modality-adaptive weighting provides marginal but consistent benefit in this task setting.

Finally, replacing our OCR backbone with TrOCR led to a 24.8% average performance drop, especially under PaddleOCR and VIPER perturbations. As shown in Section 4.3 and Figure 6, these involve more complex distortions, to which TrOCR is less robust. In contrast, our backbone better handles such challenging visual noise.

We will include these ablation results and accompanying analysis in the revised version.

References
[1] TrOCR: Transformer-based Optical Character Recognition with Pre-trained Models

Point 2. Evaluation introduced in prior work
| Both datasets used for evaluation (Table 2 / Figure 5) are I think proposed in this paper. It would be better to have evaluation on at least one task that's also used in prior work.

Thank you for the valuable suggestion. In response, we extended our evaluation introduced in prior work, EvilText, which was originally proposed to assess the robustness of NLP systems against character-level visual perturbations [1]. EvilText adopts a CNN + autoencoder architecture to generate perturbed text and provides an open-source implementation [2], making it a suitable and reproducible choice for evaluation.

To ensure a fair comparison, we followed the original EvilText protocol to construct a train/test split using toxic vocabulary, and report numerical results in the table below.

In the restoration setting (measured by Normalized Edit Distance), our GlyphRestorer—trained solely on the GlyphSynth dataset (E+P+V)—achieved strong results even on EvilText perturbations, despite no access to its training distribution. To further test this, we also trained GlyphRestorer directly on EvilText's training set. As expected, performance improved further, demonstrating our model's transferability and adaptability to new distortion patterns.

We also observed consistent improvements in the safety classification task, where visually perturbed inputs led to severe performance degradation in base models. Applying GlyphRestorer significantly restored performance across all models and perturbation settings.

We believe this prior work evaluation complements our newly proposed dataset, and we agree that incorporating additional external tasks remains a valuable direction for future expansion.

EVILTEXT (Restoration)

EVILTEXT (Safety Classification)

References
[1] Unicode Evil: Evading NLP Systems Using Visual Similarities of Text Characters
[2] https://bitbucket.org/srecgrp/eviltext/src/master/

Point 3. Clarifying the connection to CAPTCHA solving
| No mention of CAPTCHA solving which seems to be the real-world problem the authors are solving.

Thank you for the insightful comment and for acknowledging the contributions of our work. While our model restores visually distorted text—superficially resembling CAPTCHA solving—its design and objective are fundamentally different.

Traditional CAPTCHA systems are based on random, meaningless text distorted to prevent automated recognition. In contrast, our model is explicitly optimized to restore semantically meaningful and toxic phrases that are intentionally perturbed to evade content moderation while remaining human-readable.

Importantly, as shown in Figure 3(b), our model architecture is designed to leverage semantic context during decoding. It processes both the perturbed text and its visual representation, and generates predictions by attending to surrounding characters—effectively modeling linguistic continuity that does not exist in traditional CAPTCHA settings.

We acknowledge, however, that some semantic CAPTCHAs exist. In light of this, we will revise the Ethics Statement to explicitly address this potential for misuse. We will clarify that our model is designed solely for improving online safety and not for defeating human-verification mechanisms, and we will encourage responsible use aligned with best practices in adversarial ML research.

Point 4. Minor typos and figure/table reference fixes
| Typos: Abstract: "we introduce GLYPHSYNTH publicly available", Figure 5 should say Table 5

We appreciate the reviewer’s careful reading. We will correct the typo in the abstract (“we introduce GLYPHSYNTH publicly available”) and fix the incorrect reference to Figure 5, which should in fact refer to Table. These issues will be addressed in the revised version to improve clarity and accuracy.

Question1
| Is this not just a model that can solve CAPTCHAs?

Thank you for the thoughtful questions and helpful suggestion. This concern is addressed in detail in Point 3, where we clarify the conceptual and practical differences between our setting and traditional CAPTCHA solving.

Question2
| Are there no other OCR models designed specifically for visually perturbed text?

While some OCR systems ([1, 2]) are designed to be robust against naturally occurring noise or degradation (e.g., blur, low resolution), they are typically not built to handle visually deceptive perturbations that are crafted to evade automated systems while remaining legible to humans.

Such perturbations often require the system to interpret not only the visual form but also the underlying semantic intent of the text. This shifts the task away from conventional character recognition toward semantic-aware restoration—a capability that lies beyond the standard design goals of traditional OCR models.

To our knowledge, there are no existing OCR systems that directly target this class of adversarial, meaning-preserving perturbations in an end-to-end restoration framework.

References
[1] https://github.com/JaidedAI/EasyOCR
[2] https://github.com/tesseract-ocr/tesseract

Question3
| It could be helpful for readers if you included more examples from the GlyphSynth dataset in the appendix.

In response, we have added representative examples from the GlyphSynth dataset. These include a variety of visually perturbed instances across all categories (e.g., drug, hate, insult) and perturbation rates (e.g., p = 0.5, p = 1.0). These examples illustrate the visual complexity and diversity of the dataset, highlighting its relevance for realistic safety evaluation.

• Warning: This link contains real examples of toxic content (e.g., hate speech, insults, and drug references), which may be offensive or upsetting to some readers.
  https://drive.google.com/file/d/1D5Ag3_dH6_yaNP-U02Aia-9w4JrMxGF3/view?usp=sharing

We appreciate the reviewer’s acknowledgment of the importance of addressing restoration in content moderation, noting it as an understudied aspect. We also value the recognition of our multi-model evaluation and the contribution of the GLYPHSYNTH dataset. Below, we address the points raised by the reviewer:

Point 1. Additional jailbreaking baseline
| The paper does not provide direct comparisons with existing jailbreaking baselines. This makes the evaluation less comprehensive.

Thank you for the valuable suggestion. In response, we extended our evaluation to include a jailbreaking baseline, EvilText, introduced in prior work on evading NLP systems via character-level visual perturbations [1]. EvilText adopts a CNN + autoencoder architecture to generate perturbed text and provides an open-source implementation [2], making it a suitable and reproducible choice for evaluation.

To ensure a fair comparison, we followed the original EvilText protocol to construct a train/test split using toxic vocabulary, and report numerical results in the table below.

In the restoration setting (measured by Normalized Edit Distance), our GlyphRestorer—trained solely on the GlyphSynth dataset (E+P+V)—achieved strong results even on EvilText perturbations, despite no access to its training distribution. To further test this, we also trained GlyphRestorer directly on EvilText's training set. As expected, performance improved further, demonstrating our model's transferability and adaptability to new distortion patterns.

We also observed consistent improvements in the safety classification task, where visually perturbed inputs led to severe performance degradation in base models. Applying GlyphRestorer significantly restored performance across all models and perturbation settings.

While EvilText represents just one type of jailbreaking strategy, we selected it due to its availability, its direct manipulation of character-level features, and its relevance to our focus on visually grounded attacks. We agree that exploring additional attack types is a valuable future direction.

EVILTEXT (Restoration)

EVILTEXT (Safety Classification)

References
[1] Unicode Evil: Evading NLP Systems Using Visual Similarities of Text Characters
[2] https://bitbucket.org/srecgrp/eviltext/src/master/

We appreciate the reviewer’s recognition of our dataset for evaluating LLM vulnerabilities, the clarity of our methodological presentation, and the detailed prompt descriptions. Below, we address the points raised by the reviewer:

Point 1. Qualitative analysis
| Qualitative analysis should be enhanced with representative examples.

Thank you for the helpful suggestion. In response, we have expanded the qualitative analysis in two directions:

First, in addition to the perturbation examples already provided for GlyphPerturber, we now include a detailed qualitative analysis of GlyphRestorer. We present side-by-side examples of perturbed input and restored output, covering both successful and failure cases. This helps illustrate when restoration works well and where it still struggles, providing insight into model behavior beyond quantitative metrics.

Second, we also added representative examples from the GlyphSynth dataset. These include a variety of visually perturbed instances across all categories (e.g., drug, hate, insult) and perturbation rates (e.g., p=0.5, p=1.0). These examples demonstrate the visual complexity and diversity of the dataset, highlighting its relevance for realistic safety evaluation.

Due to OpenReview’s file restrictions, we provide these qualitative analysis figure via an anonymized external link:

• Warning: This link contains real examples of toxic content (e.g., hate speech, insults, and drug references), which may be offensive or upsetting to some readers.
  https://drive.google.com/file/d/1fC1eJAlu1IZlu4Vb3zQrhZnQPg-b8Qz4/view?usp=sharing

We will include these visual examples in the revised version.

Point 2. Related work comparison
| Related work should also better highlights major differences with the new dataset, for example with Lee et al. (2025).

Thank you for pointing out the need to more clearly highlight the differences between our proposed dataset and prior work, including Lee et al. (2025). We agree that a clearer comparison can strengthen the motivation and novelty of our contribution.

To address this, we will revise the Related Work section to more clearly delineate how GLYPHSYNTH differs from existing datasets in scope, structure, and applicability:

• Lee et al. (2025) [1] focuses on phishing-specific content (especially, Bitcoin), whereas GLYPHSYNTH covers a broader range of socially harmful content, including hate, sexual, drug-related, and criminal material. This allows for evaluating safety classification in more diverse and realistic scenarios.

• Lee et al. (2025) [1] and Wang et al. (2023) [2] provide text-only datasets without corresponding rendered images. However, visually perturbed text often includes complex combinations of Unicode characters, which cannot be faithfully rendered using standard text renderers. In contrast, GLYPHSYNTH uses a custom GlyphPerturber engine to generate text images with high visual fidelity, supporting mixed scripts, multi-line layout, and typographic realism. This enables robust evaluation under visually grounded attacks.

• Seth et al. (2023) [3] is limited to single-word legibility evaluation on clean vocabulary, and does not target toxic or unsafe content. GLYPHSYNTH includes both single-word and multi-line examples, allowing for a broader set of tasks including restoration, safety classification, and contextual reasoning.

We will incorporate this comparative discussion into the revised related work section.

References
[1] Lee et al, BitAbuse: A Dataset of Visually Perturbed Texts for Defending Phishing Attacks
[2] Wang et al, Mttm: Metamorphic testing for textual content moderation software
[3] Seth et al, Learning the legibility of visual text perturbations

Point 3. Writing and formatting
| The paper should be proof read (many typos, missing ref: Figures 1 and 2 are note referenced in the main text, Figure 1 should be moved from the title page, etc.

We sincerely apologize for the overlooked typos and missing figure references. In the revised version, we will carefully proofread the paper, ensure that all figures (including Figures 1 and 2) are properly referenced in the main text, and relocate Figure 1 from the title page to a more appropriate position. We appreciate the reviewer’s attention to detail and will make all necessary corrections to improve the clarity and presentation of the paper.