y0news

A Robust Out-of-Distribution Detection Framework via Synergistic Smoothing

arXiv – CS AI | Maria Stoica, Abdelrahman Hekal, Alessio Lomuscio
AI Summary

Researchers introduce ROSS, a robust out-of-distribution detection framework that combines median smoothing with instability quantification to defend machine learning systems against adversarial attacks. The method achieves state-of-the-art performance by leveraging the observation that OOD samples exhibit higher instability under perturbations, outperforming prior defenses by up to 40 AUROC points.

Analysis

Out-of-distribution detection represents a critical security layer for deployed machine learning systems, particularly in high-stakes applications where distinguishing between known and unknown data prevents system failures. The research community has long recognized that while modern OOD detectors perform well on clean data, they remain vulnerable to adversarial attacks designed to manipulate their confidence scores. This vulnerability gap undermines real-world deployment confidence.

The ROSS framework addresses this with a two-pronged approach. Rather than relying solely on baseline OOD scores, the method applies median smoothing (a robustness technique that introduces controlled noise) and reuses the resulting perturbations to measure local score instability. The key observation is that OOD samples exhibit greater instability under small perturbations than in-distribution samples, which provides an additional discrimination signal. This symmetric defense counters both score-minimizing attacks (which attempt to suppress OOD signals) and score-maximizing attacks (which amplify false positives).
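The two signals described above, as an added example that is not code from the ROSS paper or its authors. The toy two-class scorer, the Gaussian noise level, the interquartile range as the instability measure, and the additive combination weighted by `lam` are all assumptions made for illustration.

```python
import math
import random
import statistics

# Assumed toy model: a two-class linear classifier with weights W.
W = (2.0, -2.0)

def base_score(x):
    """Baseline OOD score: 1 - max softmax probability (higher = more OOD)."""
    z = abs(sum(w * xi for w, xi in zip(W, x)))
    return math.exp(-z) / (1.0 + math.exp(-z))

def noisy_scores(x, sigma=0.5, n=200, seed=0):
    """Score n Gaussian-perturbed copies of x (seeded for repeatability)."""
    rng = random.Random(seed)
    return [base_score([xi + rng.gauss(0.0, sigma) for xi in x])
            for _ in range(n)]

def robust_score(x, lam=1.0, **kw):
    """Return (median-smoothed score, instability, combined score).

    Instability is taken here as the interquartile range of the noisy
    scores; the additive combination is an assumption, not ROSS's formula.
    """
    s = noisy_scores(x, **kw)
    q1, _, q3 = statistics.quantiles(s, n=4)
    median = statistics.median(s)
    instability = q3 - q1
    return median, instability, median + lam * instability

# Constructed inputs: one deep inside a confident class region,
# one near the decision boundary standing in for an OOD sample.
IN_DIST = (1.5, -1.5)
OOD = (0.1, 0.0)

if __name__ == "__main__":
    for name, x in (("in-distribution", IN_DIST), ("OOD", OOD)):
        med, inst, total = robust_score(x)
        print(f"{name:16s} base={base_score(x):.4f} "
              f"median={med:.4f} instability={inst:.4f} combined={total:.4f}")
```

The same noisy copies feed both the median and the instability estimate, so the second signal costs no extra model evaluations.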

For the machine learning security community, this represents meaningful progress in adversarial robustness. The 40 AUROC point improvement over existing methods, combined with comprehensive validation across CIFAR-10, CIFAR-100, and ImageNet, suggests the approach generalizes effectively. The post-hoc nature of ROSS means practitioners can integrate it with existing OOD detectors without architectural modifications, lowering adoption friction. As autonomous systems and safety-critical ML applications expand, robust anomaly detection becomes increasingly valuable for liability and operational reliability.

Key Takeaways
  • ROSS introduces a post-hoc OOD detection method that combines median smoothing with instability measurement for robust adversarial defense
  • OOD samples demonstrate higher perturbation instability than in-distribution samples, providing an additional discriminative signal
  • The framework achieves symmetric robustness against both score-minimizing and score-maximizing adversarial attacks
  • Performance improvements of up to 40 AUROC points over prior methods across standard vision benchmarks establish new robustness baselines
  • Post-hoc design enables integration with existing OOD detectors without architectural modifications or retraining