Combating Adversarial Misspellings with Robust Word Recognition

TL;DR

This paper introduces a robust word recognition model to defend against adversarial misspellings, significantly improving downstream classifier accuracy and outperforming existing methods like adversarial training and spell checkers.

Contribution

We develop a novel RNN semi-character architecture with new backoff strategies, enhancing recognition of corrupted words and improving adversarial robustness of NLP models.

Findings

Achieves 32% relative error reduction over baseline models.

Restores sentiment analysis accuracy from 45.8% to 75% under attack.

Robustness depends on both recognition quality and a new metric called sensitivity.

Abstract

To combat adversarial spelling mistakes, we propose placing a word recognition model in front of the downstream classifier. Our word recognition models build upon the RNN semi-character architecture, introducing several new backoff strategies for handling rare and unseen words. Trained to recognize words corrupted by random adds, drops, swaps, and keyboard mistakes, our method achieves 32% relative (and 3.3% absolute) error reduction over the vanilla semi-character model. Notably, our pipeline confers robustness on the downstream classifier, outperforming both adversarial training and off-the-shelf spell checkers. Against a BERT model fine-tuned for sentiment analysis, a single adversarially-chosen character attack lowers accuracy from 90.3% to 45.8%. Our defense restores accuracy to 75%. Surprisingly, better word recognition does not always entail greater robustness. Our analysis reveals that robustness also depends upon a quantity that we denote the sensitivity.