When Humans Can See It, But AI Can't: Research on Visual Adversarial Attacks Against Large Language Models

A new study reveals a fatal blind spot in LLM content moderation systems—through typographic visual manipulation, harmful content can be visible to humans but invisible to machines, with an attack success rate exceeding 86% and a detection rate below 1%.

Tags: adversarial attacks, content moderation, LLM security, visual perception, typographic manipulation, black-box attacks, AI security

Published: 2026-06-09 00:21 | Recent activity: 2026-06-09 13:20 | Estimated read: 7 min

Section 01

[Introduction] When Humans Can See It, But AI Can't: Core Findings of LLM Visual Adversarial Attack Research

Paper Title: When Humans Can See It, But AI Can't: Research on Visual Adversarial Attacks Against Large Language Models
Original Author Team: arXiv Paper Author Team
Source Platform: arXiv
Publication Date: June 8, 2026
Original Link: http://arxiv.org/abs/2606.09700v1

Core Findings: Through strategic typographic visual manipulation (such as character spacing adjustment, visual emphasis, etc.), harmful content can be clearly visible to human readers but successfully evade detection by LLM content moderation systems. Experiments show that the attack success rate exceeds 86% while the machine detection rate is below 1%, revealing a fundamental blind spot in the current LLM moderation ecosystem.


Section 02

Research Background and Motivation

With the widespread application of LLMs in content moderation, automated systems have become an important line of defense against harmful online content. However, such systems rely purely on text-token analysis and completely ignore the visual cues that humans depend on when reading, such as typography, spacing, and visual emphasis.

This perceptual difference raises a core question: Is there a way to make harmful content obvious to humans but completely invisible to automated moderation systems?


Section 03

Attack Method: Human-Perceivable Adversarial Attack (HPAA)

The research team proposes the Human-Perceivable Adversarial Attack (HPAA), whose core is to embed harmful expressions into harmless text through typographic manipulation. Key techniques include:

  1. Character spacing manipulation: Adjusting the space between letters to change visual grouping;
  2. Visual emphasis elements: Using bold, italic, case changes, etc.;
  3. Spatial arrangement reconstruction: Adjusting line breaks, indentation, and alignment;
  4. Special symbol insertion: Inserting symbols that do not affect human understanding but interfere with tokenization.

These techniques have minimal impact on human reading but can significantly disrupt token-based automated systems.


Section 04

Experimental Design and Evaluation Results

Experimental Setup

Testing was carried out in a black-box setting: no access to the model's internal parameters or architecture, no gradients, and only a small number of queries.

Cross-Platform Results

Tested on 10 mainstream moderation systems (commercial APIs + open-source guardrails):

  • Human recognition rate exceeds 86%;
  • Machine detection rate is below 1% for all;
  • Only 3 queries are needed to generate an effective attack.

Key Factors from Ablation Experiments

  1. Character spacing adjustment is the most important factor for attack success;
  2. The combination of multiple visual emphasis methods is better than a single method;
  3. The more naturally harmful content is embedded, the higher the probability of evading detection.

Reason analysis: the token-based representation used by current moderation systems discards typographic information, and no visual encoder is applied to the rendered text.


Section 05

Discussion on Potential Defense Strategies

In response to the vulnerability, the paper proposes potential defense directions:

  1. Rendering-aware moderation: Render text into images before moderation to recover typographic information, but with a significant increase in computational cost;
  2. Typography normalization: Unify visual variants (such as spacing, emphasis) before tokenization, but this may affect user experience;
  3. Hybrid architecture: Combine text and visual representations to enhance robustness while maintaining efficiency.
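As an added illustration of the second defense direction (typography normalization), the following Python is not code from the paper; it normalizes only the copy of the text that is sent to the moderation check, leaving the displayed text untouched, which sidesteps the user-experience cost the paper notes. The blocklist term "blocked term" and the four sample inputs are constructed placeholders, each disguised with one of the tricks listed in Section 03 (letter spacing, emphasis via mathematical-bold letters, inserted symbols, zero-width characters). The naive substring check stands in for any token-only matcher and misses all four; the normalized check catches all four.

```python
"""Typography normalization in front of a text-only moderation check.

Added illustration (not code from the paper). The blocklist term
"blocked term" and the sample inputs are constructed placeholders.
"""
import re
import unicodedata

# Characters that are invisible when rendered but split a word into separate tokens.
ZERO_WIDTH = set("\u200b\u200c\u200d\u2060\ufeff\u00ad")


def normalize_typography(text: str) -> str:
    """Return a moderation-only view of `text` with typographic variation removed.

    The displayed text is left as the user wrote it; only the copy fed to the
    moderation model is normalized.
    """
    # 1. NFKC folds compatibility variants: mathematical bold/italic letters,
    #    fullwidth forms and ligatures become ordinary letters.
    text = unicodedata.normalize("NFKC", text)
    # 2. Drop zero-width characters and combining marks (Unicode category M*).
    text = "".join(
        ch for ch in text
        if ch not in ZERO_WIDTH and not unicodedata.category(ch).startswith("M")
    )
    # 3. Case changes are a visual-emphasis trick; compare casefolded text.
    text = text.casefold()
    # 4. Punctuation wedged between word characters ("b.l.o.c.k", "b-l-o-c-k")
    #    is treated like a space so that step 5 can collapse it.
    text = re.sub(r"(?<=\w)[^\w\s]+(?=\w)", " ", text)
    # 5. Two or more spaces, or a newline, mark a real word boundary; inside a
    #    chunk, runs of single characters are rejoined ("b l o c k" -> "block").
    words = []
    for chunk in re.split(r"\s{2,}|\n", text):
        run = []
        for tok in chunk.split():
            if len(tok) == 1 and tok.isalnum():
                run.append(tok)
                continue
            if run:
                words.append("".join(run))
                run = []
            words.append(tok)
        if run:
            words.append("".join(run))
    return " ".join(words)


def squash(text: str) -> str:
    """Alphanumeric-only view: the most aggressive spacing-insensitive form."""
    return re.sub(r"[^0-9a-z]", "", text)


def naive_hits(text: str, blocklist) -> list:
    """The token-only substring check that the paper shows is bypassable."""
    low = text.lower()
    return [t for t in blocklist if t in low]


def normalized_hits(text: str, blocklist) -> list:
    """Match on the normalized view and, as a fallback, on the squashed view."""
    norm = normalize_typography(text)
    sq = squash(norm)
    hits = []
    for term in blocklist:
        t_norm = normalize_typography(term)
        if t_norm in norm or squash(t_norm) in sq:
            hits.append(term)
    return hits


# Constructed samples: the placeholder phrase "blocked term" disguised with
# one typographic trick each.
SAMPLES = {
    "spacing":    "please read this: b l o c k e d  t e r m today",
    "emphasis":   "please read this: \U0001d41b\U0001d425\U0001d428\U0001d41c"
                  "\U0001d424\U0001d41e\U0001d41d \U0001d42d\U0001d41e"
                  "\U0001d42b\U0001d426 today",
    "symbols":    "please read this: B-L-O-C-K-E-D T.E.R.M today",
    "zero_width": "please read this: blo\u200bcked te\u200brm today",
}
BLOCKLIST = ["blocked term"]

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:10s} naive={naive_hits(sample, BLOCKLIST)!s:18s} "
              f"normalized={normalized_hits(sample, BLOCKLIST)}")
```

The squashed fallback exists because step 5 cannot tell "b-l-o-c-k-e-d t.e.r.m" apart from one long spaced word, so the symbols sample normalizes to "blockedterm"; matching on the alphanumeric-only view recovers it at the cost of some false positives, which is the usual trade-off for this class of normalization.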

Section 06

Research Significance and Conclusions

Research Significance

The work exposes the essential difference (a perceptual mismatch) between LLM moderation systems and human content understanding:

  • Existing systems are easy to bypass; attackers can generate harmful content that evades detection without complex techniques;
  • Purely automated solutions have blind spots and require human-machine collaborative moderation;
  • Future moderation systems need to integrate text visual presentation to achieve multimodal understanding.

Conclusions

This study not only reveals technical vulnerabilities but also raises a deeper question: When AI performs human judgment tasks, does it fully consider the complexity of human cognition? Typography and visual presentation are important parts of text meaning; systems that ignore this are vulnerable to attacks.

Implications for platforms and security teams: a multi-layered defense system is needed, together with continuous monitoring for new attack methods.