Adv-BERT: BERT is not robust on misspellings! Generating nature adversarial samples on BERT
This work addresses the problem of model robustness for NLP practitioners by showing BERT's vulnerability to realistic typos, which is incremental as it builds on existing adversarial example research.
The paper investigated BERT's robustness to natural adversarial examples like typos, finding that typos in informative words cause the most damage, with mistyping being the most harmful factor, and that humans and machines focus differently on these attacks.
There is an increasing amount of literature that claims the brittleness of deep neural networks in dealing with adversarial examples that are created maliciously. It is unclear, however, how the models will perform in realistic scenarios where \textit{natural rather than malicious} adversarial instances often exist. This work systematically explores the robustness of BERT, the state-of-the-art Transformer-style model in NLP, in dealing with noisy data, particularly mistakes in typing the keyboard, that occur inadvertently. Intensive experiments on sentiment analysis and question answering benchmarks indicate that: (i) Typos in various words of a sentence do not influence equally. The typos in informative words make severer damages; (ii) Mistype is the most damaging factor, compared with inserting, deleting, etc.; (iii) Humans and machines have different focuses on recognizing adversarial attacks.