Counterfeit Answers: Adversarial Forgery against OCR-Free Document Visual Question Answering

TL;DR

The paper formalizes a white-box threat model for OCR-free DocVQA and develops gradient-based, end-to-end adversarial perturbations that can forge document content to induce targeted or incorrect answers in state-of-the-art systems (Pix2Struct and Donut). It demonstrates high attack success with minimal collateral impact on other QA pairs on the PFL-DocVQA dataset, using full-document and patch perturbations and a differentiable preprocessing pipeline. Quantitative and qualitative results reveal substantial vulnerabilities in end-to-end document understanding and motivate robust defenses and more realistic threat modeling. The work highlights practical security risks in automated document processing pipelines and suggests concrete directions for defense and evaluation protocols.

Abstract

Document Visual Question Answering (DocVQA) enables end-to-end reasoning grounded on information present in a document input. While recent models have shown impressive capabilities, they remain vulnerable to adversarial attacks. In this work, we introduce a novel attack scenario that aims to forge document content in a visually imperceptible yet semantically targeted manner, allowing an adversary to induce specific or generally incorrect answers from a DocVQA model. We develop specialized attack algorithms that can produce adversarially forged documents tailored to different attackers' goals, ranging from targeted misinformation to systematic model failure scenarios. We demonstrate the effectiveness of our approach against two end-to-end state-of-the-art models: Pix2Struct, a vision-language transformer that jointly processes image and text through sequence-to-sequence modeling, and Donut, a transformer-based model that directly extracts text and answers questions from document images. Our findings highlight critical vulnerabilities in current DocVQA systems and call for the development of more robust defenses.

Figures (6)

• Figure 1: Example DocVQA task on a synthetic invoice. The model must read and reason over structured document text. In normal operation the model correctly answers questions on the unaltered document (left). By applying a simple adversarial patch perturbation (right), an adversary can force the model to answer a preselected (incorrect) response; for instance, the perturbed document shows $0.00, potentially causing monetary loss.
• Figure 2: End-to-end attack. The non-differentiable preprocessing (top), which breaks the computational graph before $\boldsymbol{\mathbf{\delta}}$, and our end-to-end differentiable attack (bottom), obtained by reverse engineering the preprocessing $\phi$.
• Figure 3: Attack Visualization. The document altered with a patch in the lower right corner, with $\epsilon=96$.
• Figure 4: Targeted attack results. All metrics are reported for Pix2Struct and Donut across a different number of optimized QA pairs ($B$). Top panels show the ASR and the CDMG, while the bottom panels show the ANLS scores.
• Figure 5: Denial of Answer (DoA) results. All metrics are reported for Pix2Struct and Donut across a different number of optimized QA pairs ($B$). Top panels show the ASR and the CDMG, while the bottom panels show the ANLS scores.