Deciphering the Definition of Adversarial Robustness for post-hoc OOD Detectors

TL;DR

This paper evaluates the adversarial robustness of 16 post-hoc out-of-distribution detectors against evasion attacks, highlighting the need for standardized adversarial testing and proposing a roadmap for improving their defenses.

Contribution

It provides a comprehensive analysis of the adversarial robustness of existing OOD detectors and introduces a structured roadmap for enhancing their security against adversarial attacks.

Findings

16 detectors tested against various evasion attacks

Lack of uniform parameters hampers performance evaluation

Proposes a multi-level roadmap for adversarial defense

Abstract

Detecting out-of-distribution (OOD) inputs is critical for safely deploying deep learning models in real-world scenarios. In recent years, many OOD detectors have been developed, and even the benchmarking has been standardized, i.e. OpenOOD. The number of post-hoc detectors is growing fast. They are showing an option to protect a pre-trained classifier against natural distribution shifts and claim to be ready for real-world scenarios. However, its effectiveness in dealing with adversarial examples (AdEx) has been neglected in most studies. In cases where an OOD detector includes AdEx in its experiments, the lack of uniform parameters for AdEx makes it difficult to accurately evaluate the performance of the OOD detector. This paper investigates the adversarial robustness of 16 post-hoc detectors against various evasion attacks. It also discusses a roadmap for adversarial defense in OOD detectors that would help adversarial robustness. We believe that level 1 (AdEx on a unified dataset) should be added to any OOD detector to see the limitations. The last level in the roadmap (defense against adaptive attacks) we added for integrity from an adversarial machine learning (AML) point of view, which we do not believe is the ultimate goal for OOD detectors.