On the Ability of LLMs to Handle Character-Level Perturbations: How Well and How?
Anyuan Zhuo 1, Xuefei Ning 2, Ningyuan Li 2, Jingyi Zhu 1, Yu Wang 2, Pinyan Lu 1
Published on arXiv: 2510.14365
Prompt Injection
OWASP LLM Top 10 — LLM01
Key Finding
Despite heavy Unicode character injection that fragments tokenization and drastically reduces signal-to-noise ratio, many contemporary LLMs maintain notable performance, undermining UCC-Inj as an effective anti-cheating defense.
Novel technique introduced: UCC-Inj
This work investigates the resilience of contemporary LLMs against frequent and structured character-level perturbations, specifically through the insertion of noisy characters after each input character. We introduce UCC-Inj, a practical method that inserts invisible Unicode control characters into text to discourage LLM misuse in scenarios such as online exam systems. Surprisingly, despite strong obfuscation that fragments tokenization and significantly reduces the signal-to-noise ratio, many LLMs still maintain notable performance. Through comprehensive evaluation across model-, problem-, and noise-related configurations, we examine the extent and mechanisms of this robustness, exploring both the handling of character-level tokenization and the implicit versus explicit denoising hypotheses for character-level noise. We hope our findings on the low-level robustness of LLMs will shed light on the risks of their misuse and on the reliability of deploying LLMs across diverse applications.
Key Contributions
- Introduces UCC-Inj, a practical Unicode control character injection method that inserts invisible characters after each input character to discourage LLM misuse in exam systems
- Provides comprehensive evaluation of LLM robustness to character-level perturbations across model, problem, and noise configurations, revealing that many LLMs maintain notable performance despite severe tokenization fragmentation
- Analyzes the mechanisms behind LLM robustness to character-level noise, exploring implicit vs. explicit denoising hypotheses and tokenization handling
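The per-character insertion described above, sketched as an added example (not the paper's code) together with the measurement an exam platform or an LLM input pipeline would use to audit it. The noise alphabet, function names and the 0.2 threshold are assumptions; the page does not list the characters the authors used.

```python
import random
import unicodedata

# Assumed noise alphabet: four zero-width code points, all in Unicode
# general category Cf (format). The page does not name the real set.
NOISE_CHARS = ["\u200b", "\u200c", "\u200d", "\u2060"]

def ucc_inject(text, per_char=1, seed=0):
    """Insert `per_char` invisible characters after each input character."""
    rng = random.Random(seed)  # seeded so the output is reproducible
    out = []
    for ch in text:
        out.append(ch)
        out.extend(rng.choice(NOISE_CHARS) for _ in range(per_char))
    return "".join(out)

def is_invisible(ch):
    """True for format characters (Cf), which render with zero width."""
    return unicodedata.category(ch) == "Cf"

def signal_fraction(text):
    """Share of code points that carry visible content (1.0 = no noise)."""
    if not text:
        return 1.0
    return sum(1 for ch in text if not is_invisible(ch)) / len(text)

def strip_invisible(text):
    """Recover the rendered text; confirms the injection is lossless."""
    return "".join(ch for ch in text if not is_invisible(ch))

def audit(text, threshold=0.2):
    """Flag text whose share of invisible characters exceeds `threshold`."""
    noise = 1.0 - signal_fraction(text)
    return {"length": len(text), "noise_fraction": noise,
            "flagged": noise > threshold}

if __name__ == "__main__":
    question = "What is 2 + 2?"  # constructed sample exam prompt
    protected = ucc_inject(question, per_char=3)
    print(len(question), len(protected), audit(protected))
```

With three noise characters per input character, only a quarter of the code points carry content, yet the rendered string is unchanged, which is the low signal-to-noise condition the evaluation puts models under.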