Your Out-of-Distribution Detection Method is Not Robust!

Authors: Mohammad Azizmalayeri, Arshia Soltani Moakhar, Arman Zarei, Reihaneh Zohrabi, Mohammad Manzuri, Mohammad Hossein Rohban

NeurIPS 2022

Reproducibility Variable | Result | LLM Response
Research Type | Experimental | In this work, we re-examine these defenses against an end-to-end PGD attack on in/out data with larger perturbation sizes, e.g. up to commonly used ϵ = 8/255 for the CIFAR-10 dataset. Surprisingly, almost all of these defenses perform worse than a random detection under the adversarial setting. Next, we aim to provide a robust OOD detection method. [...] Using ATD with CIFAR-10 and CIFAR-100 as the in-distribution data, we could significantly outperform all previous methods in the robust AUROC while maintaining high standard AUROC and classification accuracy. The code repository is available at https://github.com/rohban-lab/ATD. In this section, we perform extensive experiments to evaluate existing OOD detection methods, including the standard and adversarially trained ones, and our ATD method against an end-to-end PGD attack. To this end, we first give details about the setting of the experiments. Next, we compare all the methods, which shows that ATD significantly outperforms the other methods. Toward the end, we conduct some additional experiments to investigate some aspects of our solution. Table 1: OOD detection AUROC under attack with ϵ = 8/255 for various methods trained with CIFAR-10 or CIFAR-100 as the closed set. A clean evaluation is one where no attack is made on the data, whereas an in/out evaluation means that the corresponding data is attacked.
Researcher Affiliation | Academia | Department of Computer Engineering, Sharif University of Technology {m.azizmalayeri, arshia.soltani, arman.zarei, zohrabi, manzuri, rohban}@sharif.edu
Pseudocode | No | The paper does not contain any pseudocode or algorithm blocks.
Open Source Code | Yes | The code repository is available at https://github.com/rohban-lab/ATD.
Open Datasets | Yes | In-distribution Datasets: CIFAR-10 and CIFAR-100 [49] are used as the in-distribution datasets. [...] Out-of-distribution Datasets: Following the setting in earlier works [23, 37], we use eight different datasets that are disjoint from the in-distribution sets, including MNIST [50], Tiny ImageNet [51], Places365 [52], LSUN [53], iSUN [54], Birds [55], Flowers [56], and COIL-100 [57] as the OOD test sets. The results are averaged over these datasets to perform a comprehensive evaluation on different OOD datasets. Also, the SVHN [58] dataset is used as the OOD validation set to select the best discriminator during the training, and Food-101 [59] is used as the open training set.
Dataset Splits | Yes | Also, the SVHN [58] dataset is used as the OOD validation set to select the best discriminator during the training, and Food-101 [59] is used as the open training set.
Hardware Specification | Yes | We have used a single RTX 2060 Super GPU.
Software Dependencies | No | The paper mentions specific software/model names like "DCGAN" and "Adam optimizer" but does not provide specific version numbers for these or any other libraries or frameworks, which are necessary for reproducible software dependencies.
Experiment Setup | Yes | ATD Hyperparameters: A simple DCGAN [60] is used for the generator and discriminator architecture in the ATD. Furthermore, ATD is trained for 20 epochs with α = 0.5 using Adam [61] optimizer with learning rate of 1e-4. Details of the ATD method are available in section 3.1. [...] All the defenses are trained with ϵ = 8/255 to have the best results against attack with this perturbation budget. [...] All the models are evaluated against an end-to-end PGD attack with ϵ = 8/255. For the baseline methods, we only use a 10-step attack, but ATD is evaluated with 100 steps to ensure its robustness. [...] Also, the attack is performed with a single random restart and the random initialization in the range (−ϵ, ϵ). Moreover, the attack step size is selected as α = 2.5 ϵ