# When Humans Can See It, But AI Can't: Research on Visual Adversarial Attacks Against Large Language Models

> A new study reveals a critical blind spot in LLM content-moderation systems: through typographic visual manipulation, harmful content can remain visible to humans while becoming invisible to machines, with an attack success rate above 86% and a machine detection rate below 1%.

- Board: [Openclaw Llm](https://www.zingnex.cn/en/forum/board/openclaw-llm)
- Posted: 2026-06-08T16:21:34.000Z
- Last activity: 2026-06-09T05:20:28.381Z
- Popularity: 127.0
- Keywords: adversarial attacks, content moderation, LLM security, visual perception, typographic manipulation, black-box attacks, AI security
- Page link: https://www.zingnex.cn/en/forum/thread/ai-3b5db4d2
- Canonical: https://www.zingnex.cn/forum/thread/ai-3b5db4d2

---

## [Introduction] When Humans Can See It, But AI Can't: Core Findings of LLM Visual Adversarial Attack Research

**Paper Title**: When Humans Can See It, But AI Can't: Research on Visual Adversarial Attacks Against Large Language Models
**Original Author Team**: arXiv Paper Author Team
**Source Platform**: arXiv
**Publication Date**: June 8, 2026
**Original Link**: http://arxiv.org/abs/2606.09700v1

Core finding: through strategic typographic manipulation (character spacing, visual emphasis, and similar devices), harmful content can be kept clearly legible to human readers while evading LLM-based content moderation. In the paper's experiments the attack succeeds in more than 86% of cases, meaning humans still read the harmful message, while the machine detection rate stays below 1%, exposing a fundamental blind spot in the current LLM moderation ecosystem.

## Research Background and Motivation

As LLMs are deployed widely for content moderation, automated systems have become an important line of defense against harmful online content. These systems, however, operate on a plain token sequence and discard the visual cues that human readers rely on: typography, spacing, and visual emphasis.

This perceptual gap raises the paper's core question: can harmful content be made obvious to humans yet invisible to automated moderation?

## Attack Method: Human-Perceivable Adversarial Attack (HPAA)

The research team proposes the **Human-Perceivable Adversarial Attack (HPAA)**, which embeds a harmful message into otherwise harmless text by manipulating its typography rather than its words. The key techniques are:
1. **Character spacing manipulation**: adjusting the space between letters so that the visual grouping of a word no longer matches its token boundaries;
2. **Visual emphasis elements**: bold, italics, case changes, and similar emphasis;
3. **Spatial arrangement reconstruction**: adjusting line breaks, indentation, and alignment;
4. **Special symbol insertion**: inserting symbols that do not affect human understanding but disrupt tokenization.

These techniques barely change what a human reads, but they change the token sequence a text-based moderation system actually analyzes, and that token sequence is all it has.

## Experimental Design and Evaluation Results

### Experimental Setup
Testing is black-box: the attacker needs no access to model parameters or architecture, computes no gradients, and issues only a small number of queries.

### Cross-Platform Results
Tested against 10 mainstream moderation systems (commercial APIs and open-source guardrails):
- Human readers recognize the harmful content in more than 86% of cases;
- The machine detection rate is below 1% for every system tested;
- Only 3 queries are needed to produce an effective attack.

### Key Factors from Ablation Experiments
1. Character spacing adjustment contributes the most to attack success;
2. Combining several forms of visual emphasis works better than any single one;
3. The more naturally the harmful content is embedded in the surrounding text, the more likely it is to evade detection.

Reason analysis: the token-based representation used by current moderation systems discards typographic information at tokenization time, and the text is never rendered, so no visual encoder ever sees the layout a human sees.

## Discussion on Potential Defense Strategies

In response to the vulnerability, the paper proposes three defense directions:
1. **Rendering-aware moderation**: render the text to an image before moderation so that typographic information is recovered, at a significant increase in computational cost;
2. **Typography normalization**: unify visual variants (spacing, emphasis, and the like) before tokenization, at the possible cost of user experience;
3. **Hybrid architecture**: combine text and visual representations to gain robustness while preserving efficiency.
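The mechanism behind the HPAA techniques listed above and the "typography normalization" defense, as an added example that is not code from the paper or from this page: a toy token-based detector, six typographic disguises of one token that it fails to see, and a normalization pre-pass that makes them visible again. The blocklist, the tokenizer, the sample sentences and every normalization step are assumptions of this illustration, not the paper's method.

```python
"""Added illustration, not code from the paper or the page: why a token-based
moderator loses typographic signal, and what a "typography normalization"
pre-pass has to undo. The blocklist, sample sentences and tokenizer are all
constructed stand-ins, not any real moderation system."""
import re
import unicodedata

# Constructed placeholder policy: a real system would use a classifier, not a
# keyword list, but the failure mode (matching on tokens) is the same.
BANNED_TOKENS = {"forbidden", "contraband"}


def tokenize(text: str) -> list[str]:
    """Crude stand-in for a model tokenizer: lower-case, split on non-word
    characters. Zero-width and other format characters are not word
    characters, so they split a word exactly as a space would."""
    return [t for t in re.split(r"[^\w]+", text.lower()) if t]


def naive_moderate(text: str) -> bool:
    """Token-based detector: flags the text iff a banned token appears verbatim."""
    return any(t in BANNED_TOKENS for t in tokenize(text))


def normalize_typography(text: str) -> str:
    """Undo typographic variants a human reads through without noticing.
    Each step is this example's guess at what 'typography normalization'
    has to cover; the paper's exact procedure is not given on the page."""
    # Fold compatibility forms (fullwidth letters, mathematical bold/italic
    # alphabets) onto their ASCII base letters.
    text = unicodedata.normalize("NFKC", text)
    # Drop zero-width spaces/joiners and other format characters (category Cf).
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    # Strip markdown emphasis markers (bold/italic/strike). This also eats
    # '_' inside identifiers, acceptable for a moderation pre-pass.
    text = re.sub(r"[*_~]+", "", text)
    # Rejoin words hyphenated across a line break ("forbid-\n    den").
    text = re.sub(r"-\s*\n\s*", "", text)
    # Collapse letter-spaced words ("f o r b i d d e n" -> "forbidden").
    # Caveat: this also merges genuine single-letter runs such as "a b c",
    # which is the user-experience cost the paper attributes to this defense.
    text = re.sub(r"\b(?:\w ){2,}\w\b",
                  lambda m: m.group(0).replace(" ", ""), text)
    return text.lower()


def normalized_moderate(text: str) -> bool:
    """Same token detector, run after typography normalization."""
    return naive_moderate(normalize_typography(text))


def bold_math(word: str) -> str:
    """Render a-z with MATHEMATICAL BOLD SMALL letters (U+1D41A..U+1D433),
    a common 'fake bold' that survives plain-text channels."""
    return "".join(chr(0x1D41A + ord(c) - ord("a")) for c in word)


# Constructed samples: one sentence and six typographic disguises of one
# token. A human reads all seven as the same sentence.
SAMPLES = {
    "plain": "shipping forbidden goods tonight",
    "letter_spacing": "shipping f o r b i d d e n goods tonight",
    "zero_width": "shipping for\u200bbid\u200cden goods tonight",
    "markdown_emphasis": "shipping **forb**idden goods tonight",
    "fullwidth": "shipping ｆｏｒｂｉｄｄｅｎ goods tonight",
    "bold_math": "shipping " + bold_math("forbidden") + " goods tonight",
    "line_break": "shipping forbid-\n    den goods tonight",
}


def evaluate() -> dict[str, tuple[bool, bool]]:
    """For each sample: (flagged by naive detector, flagged after normalization)."""
    return {name: (naive_moderate(s), normalized_moderate(s))
            for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, fixed) in evaluate().items():
        print(f"{name:18s} naive={naive!s:5s} normalized={fixed}")
        print(f"{'':18s} machine sees {tokenize(SAMPLES[name])}")
```

Running the block prints, for each variant, what the tokenizer sees: the only difference between the sentence that is flagged and the six that are not is typography, which is exactly the information the paper says is lost at tokenization. A production BPE tokenizer and classifier differ in detail, but they receive the same stripped-down token sequence. The collapse step also shows the defense's cost: "plan a b c tonight" normalizes to "plan abc tonight", a legitimate change of meaning that a rendering-aware or hybrid approach would not need to make.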

## Research Significance and Conclusions

### Research Significance
The work exposes a perceptual mismatch between LLM moderation systems and human content understanding:
- Existing systems are easy to bypass; an attacker needs no sophisticated technique to produce harmful content that evades detection;
- Purely automated pipelines have blind spots, so human-machine collaborative moderation is required;
- Future moderation systems need to take the visual presentation of text into account, i.e. multimodal understanding.

### Conclusions
Beyond the specific vulnerability, the study raises a deeper question: when an AI system takes over a human judgment task, does it account for the full complexity of human perception? Typography and visual presentation are part of what a text means; a system that ignores them is open to attack.

Implications for platforms and security teams: build a multi-layered defense, and continuously monitor for new attack techniques.
