Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

RODEO: Robust Outlier Detection via Exposing Adaptive Out-of-Distribution Samples

Hossein Mirzaei, Mohammad Jafari, Hamid Reza Dehbashi, Ali Ansari, Sepehr Ghobadi, Masoud Hadi, Arshia Soltani Moakhar, Mohammad Azizmalayeri, Mahdieh Soleymani Baghshah, Mohammad Hossein Rohban

TL;DR

RODEO tackles the lack of adversarial exposure in outlier detection by generating adaptive, near-distribution outliers via a CLIP-guided diffusion pipeline conditioned on inlier data and their labels. This data-centric adaptive exposure, paired with adversarial training, yields substantial robustness gains across ND, OSR, and OOD benchmarks under strong attacks, while maintaining reasonable clean performance. The work provides theoretical rationale for the need of near-distribution, diverse OE and demonstrates empirical superiority over fixed OE baselines and embedding-space approaches. Its practical impact lies in enabling more reliable open-world detection systems capable of withstanding adversarial manipulation of inputs.

Abstract

In recent years, there have been significant improvements in various forms of image outlier detection. However, outlier detection performance under adversarial settings lags far behind that in standard settings. This is due to the lack of effective exposure to adversarial scenarios during training, especially on unseen outliers, leading to detection models failing to learn robust features. To bridge this gap, we introduce RODEO, a data-centric approach that generates effective outliers for robust outlier detection. More specifically, we show that incorporating outlier exposure (OE) and adversarial training can be an effective strategy for this purpose, as long as the exposed training outliers meet certain characteristics, including diversity, and both conceptual differentiability and analogy to the inlier samples. We leverage a text-to-image model to achieve this goal. We demonstrate both quantitatively and qualitatively that our adaptive OE method effectively generates ``diverse'' and ``near-distribution'' outliers, leveraging information from both text and image domains. Moreover, our experimental results show that utilizing our synthesized outliers significantly enhances the performance of the outlier detector, particularly in adversarial settings.

RODEO: Robust Outlier Detection via Exposing Adaptive Out-of-Distribution Samples

TL;DR

RODEO tackles the lack of adversarial exposure in outlier detection by generating adaptive, near-distribution outliers via a CLIP-guided diffusion pipeline conditioned on inlier data and their labels. This data-centric adaptive exposure, paired with adversarial training, yields substantial robustness gains across ND, OSR, and OOD benchmarks under strong attacks, while maintaining reasonable clean performance. The work provides theoretical rationale for the need of near-distribution, diverse OE and demonstrates empirical superiority over fixed OE baselines and embedding-space approaches. Its practical impact lies in enabling more reliable open-world detection systems capable of withstanding adversarial manipulation of inputs.

Abstract

In recent years, there have been significant improvements in various forms of image outlier detection. However, outlier detection performance under adversarial settings lags far behind that in standard settings. This is due to the lack of effective exposure to adversarial scenarios during training, especially on unseen outliers, leading to detection models failing to learn robust features. To bridge this gap, we introduce RODEO, a data-centric approach that generates effective outliers for robust outlier detection. More specifically, we show that incorporating outlier exposure (OE) and adversarial training can be an effective strategy for this purpose, as long as the exposed training outliers meet certain characteristics, including diversity, and both conceptual differentiability and analogy to the inlier samples. We leverage a text-to-image model to achieve this goal. We demonstrate both quantitatively and qualitatively that our adaptive OE method effectively generates ``diverse'' and ``near-distribution'' outliers, leveraging information from both text and image domains. Moreover, our experimental results show that utilizing our synthesized outliers significantly enhances the performance of the outlier detector, particularly in adversarial settings.

Paper Structure

This paper contains 34 sections, 2 theorems, 22 equations, 14 figures, 9 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Theoretical Insights
  4. Method
  5. Generation Step
  6. Training & Test Step
  7. Experimental Results
  8. Ablation Study
  9. Conclusion
  10. Limitations
  11. Evaluation Metrics & Datasets & Implementation Details
  12. Algorithm
  13. ND, OSR and outlier Detection
  14. Detailed Baselines
  15. Details About Evaluation and Generation
  16. ...and 19 more sections

Key Result

Theorem 3.1

Let $\sigma = 1$, and assume that $\| a^\prime \| \geq \| a \|$, reflecting that the OE is far from the distribution. Let $\theta$ be the angle between $a$ and $a^\prime$. Under the setup mentioned in Sec. sec3, for fixed $\theta$ and $a$, and small $\epsilon$, the optimal Bayes' adversarial error u with $c := \| a^\prime \| - \| a \| \cos(\theta)$, and $\Phi(.)$ being the standard normal cumulati

Figures (14)

  • Figure 1: ALOE and ATD are robust outlier detection methods that utilize the Tiny ImageNet dataset as OE. In this experiment, while keeping all other aspects of the original methods constant, we replaced Tiny ImageNet with SVHN, MNIST, and Gaussian noise and repeated the experiments for both ALOE and ATD. This replacement led to a notable decline in detection performance for ALOE and ATD on the CIFAR10 vs. CIFAR100 task, particularly under adversarial attack conditions. We attribute this performance drop to the fact that the SVHN, MNIST, and Gaussian Noise distributions are more distant from CIFAR10 (the inlier distribution in this task) compared to Tiny ImageNet.
  • Figure 2: Our proposed adversarially robust outlier detection method is initiated with a Near-Outlier Label Extraction, which finds words analogous to a given input label. These words, combined with inlier training image data, are employed in the Adaptive Generation stage to create Near-Outllier data. This stage is followed by Adversarial Training using both inliers and generated OE data, utilizing the cross-entropy loss function. During Testing, the model processes the input and computes the OOD score as the softmax of the OOD class. (The data filtering steps are not shown in this figure)
  • Figure 3: An overview of outlier data from different OE techniques. FITYMI considers image domain information exclusively. Dream-OOD utilizes both text and image domains, but initiating generation from the embedding space makes this method highly biased toward its prior knowledge of the generative backbone, Stable Diffusion. In contrast, RODEO shifts data from inlier to outlier while operating in pixel space. To provide further intuition about the importance of diversity and the distance of the OE from the in-distribution, we compute features for inliers and generated outlier data via a pretrained ViT model dosovitskiy2020image, and apply t-SNE van2008visualizing to visualize the data in 2D. We then find decision boundaries of the data with SVM cortes1995support and present them on the right side of each generated OE example. Our OE samples are both near-distribution and diverse.
  • Figure 4: The figure illustrates a text-guided diffusion process. A yellow dot, representing an inlier data point within the green inlier distribution, is progressively transformed towards the red outlier distribution, driven by CLIP guidance. This showcases the model's ability to guide the transformation from inlier to outlier data via textual instructions.
  • Figure 5: Comparative analysis of computational time for data generation and adversarial training across various datasets in one-class anomaly detection setting. The time is measured in minutes and is split into two components: data generation (golden segment) and the subsequent adversarial training phase (purple segment). The datasets range from standard image benchmarks like CIFAR-10 and MNIST to specialized medical and anomaly detection datasets such as MVTecAD, BrainMRI, and Covid-19.
  • ...and 9 more figures

Theorems & Definitions (5)

  • Theorem 3.1
  • proof
  • Definition 3.2
  • Theorem 3.3
  • proof