Sharpness-Aware Geometric Defense for Robust Out-Of-Distribution Detection

1. It should provide a detailed analysis of the computational complexity involved in computing the OOD score. Additionally, it is important to examine how the number of in-distribution (ID) training samples affects the performance of the OOD score, as this can influence the scalability and generalizability of the approach.

2. Choosing an appropriate threshold $\lambda$ for the OOD score can be challenging in real-world applications. The paper should include a clear, practical procedure for determining this threshold to ensure consistent performance across diverse datasets and scenarios.

3. To thoroughly validate the robustness of the proposed defense, it should incorporate adaptive attacks specifically designed to exploit the OOD scoring mechanism. Following the recommendations in [1], it should evaluate the effectiveness of the defense against these adaptive attacks to demonstrate its resilience under targeted adversarial conditions.

[1] Tramer, Florian, et al. "On adaptive attacks to adversarial example defenses." Advances in neural information processing systems 33 (2020): 1633-1645.

Should adversarial examples be classified as in-distribution samples rather than outliers?

It is clear that by adding adversarial perturbation, the distribution shifted, why it still should be in-distribution?

About the scenario

What are some real-world applications where out-of-distribution detection must handle potentially adversarially attacked images?

About the Contribution

The contribution of this work should be carefully justified. Most of the subsection in section 3 are existing methods. In the introduction section, the authors claim that the smoother regularizer introduced in 3.3 is the key contribution, but I do not agree that this intuition based smoothing regularizer is enough to let this paper be accept.

Given the limited practical relevance of the scenario and modest contributions, I recommend rejection.

1. My first concern is the reasonability of the research setting. The paper presents a method to classify adversarial examples as in-distribution (ID) samples in the context of out-of-distribution (OOD) detection. However, I find the rationale for this setting questionable for two main reasons:

• Adversarial examples, by design, deviate significantly from the natural data distribution, even if they remain close in image space. Treating them as OOD samples aligns with standard OOD detection objectives, as these samples no longer represent the semantic consistency of ID data.
• Detecting adversarial examples as OOD is practically advantageous, as it helps prevent their influence on model predictions. For most applications, identifying adversarial samples as OOD is a more effective way to mitigate potential risks, while treating them as ID can increase vulnerability to attacks.

2. The novelty of the methodology is limited. The proposed method appears to be a fusion of the MMEL approach [1] and the RSAM technique [4], denoted as MPG and RSAM, respectively, within the present paper.
3. The motivations of the introduction for the three components in the approach are not clear. Why do you use MGP, RSAM and Jitter-based perturbation?
4. The content of Figure 2 appears to have been adapted from Figure 1 in the referenced paper [1].
5. The significance of the sharp loss landscape seems to be self-evident, as it has been extensively explored in the existing literature [2, 3]. Regrettably, I fail to discern any novel contribution from the current paper in this regard.

[1] Learning Multi-Manifold Embedding for Out-Of-Distribution Detection

[2] Sharpness-Aware Minimization for Efficiently Improving Generalization

[3] Detecting Adversarial Samples through Sharpness of Loss Landscape

[4] Riemannian SAM: Sharpness-Aware Minimization on Riemannian Manifolds