OCR systems are vulnerable to digital and physical adversarial attacks, while existing defenses suffer from strong model dependency, poor robustness, and degradation of clean-sample accuracy. To address these issues, this paper proposes a model-agnostic, topology-aware reconstruction framework. Its core innovation lies in the first integration of topological features into OCR security defense: a topology-preserving autoencoder is designed to enforce manifold consistency in latent space, enabling structure-preserving purification without gradient-based regularization. By synergistically combining manifold learning with an adversarial detection-reconstruction mechanism, the method achieves significant robustness improvements against diverse attacks—including FGSM, PGD, CW, EOT, BDPA, and FAWA—on benchmarks such as EMNIST and MNIST, while preserving original recognition accuracy on clean samples.

Adversarially perturbed images of text can cause sophisticated OCR systems to produce misleading or incorrect transcriptions from seemingly invisible changes to humans. Some of these perturbations even survive physical capture, posing security risks to high-stakes applications such as document processing, license plate recognition, and automated compliance systems. Existing defenses, such as adversarial training, input preprocessing, or post-recognition correction, are often model-specific, computationally expensive, and affect performance on unperturbed inputs while remaining vulnerable to unseen or adaptive attacks. To address these challenges, TopoReformer is introduced, a model-agnostic reformation pipeline that mitigates adversarial perturbations while preserving the structural integrity of text images. Topology studies properties of shapes and spaces that remain unchanged under continuous deformations, focusing on global structures such as connectivity, holes, and loops rather than exact distance. Leveraging these topological features, TopoReformer employs a topological autoencoder to enforce manifold-level consistency in latent space and improve robustness without explicit gradient regularization. The proposed method is benchmarked on EMNIST, MNIST, against standard adversarial attacks (FGSM, PGD, Carlini-Wagner), adaptive attacks (EOT, BDPA), and an OCR-specific watermark attack (FAWA).