HALO: Robust Out-of-Distribution Detection via Joint Optimisation

TL;DR

HALO is a new robust out-of-distribution detection method that improves performance and resistance to adversarial attacks by extending the TRADES framework with a novel objective and additional loss terms.

Contribution

The paper introduces HALO, a robust OOD detection approach that surpasses existing methods by balancing clean and adversarial robustness through a novel joint optimization framework.

Findings

HALO achieves state-of-the-art AUROC scores across multiple datasets.

HALO demonstrates strong resistance to transferred adversarial attacks.

HALO offers tunable performance and compatibility with existing frameworks.

Abstract

Effective out-of-distribution (OOD) detection is crucial for the safe deployment of machine learning models in real-world scenarios. However, recent work has shown that OOD detection methods are vulnerable to adversarial attacks, potentially leading to critical failures in high-stakes applications. This discovery has motivated work on robust OOD detection methods that are capable of maintaining performance under various attack settings. Prior approaches have made progress on this problem but face a number of limitations: often only exhibiting robustness to attacks on OOD data or failing to maintain strong clean performance. In this work, we adapt an existing robust classification framework, TRADES, extending it to the problem of robust OOD detection and discovering a novel objective function. Recognising the critical importance of a strong clean/robust trade-off for OOD detection, we introduce an additional loss term which boosts classification and detection performance. Our approach, called HALO (Helper-based AdversariaL OOD detection), surpasses existing methods and achieves state-of-the-art performance across a number of datasets and attack settings. Extensive experiments demonstrate an average AUROC improvement of 3.15 in clean settings and 7.07 under adversarial attacks when compared to the next best method. Furthermore, HALO exhibits resistance to transferred attacks, offers tuneable performance through hyperparameter selection, and is compatible with existing OOD detection frameworks out-of-the-box, leaving open the possibility of future performance gains. Code is available at: https://github.com/hugo0076/HALO