zzwjames / DPGBA


Out-of-Distribution (OOD) Adversarial Training Problem #1

Open 1234238 opened 2 months ago

1234238 commented 2 months ago

Dear Zhang,

I am currently reviewing the source code related to your work on Out-of-Distribution (OOD) adversarial training and have encountered some questions regarding your method for evading OOD detection. Specifically, I have concerns about the role of the term `loss_outter += loss_dis * self.args.weight_ood` in the loss function of the trigger generator. This term corresponds to the DPGBA\D component described in your paper.

In your paper, it is indicated that DPGBA\D achieves very low attack success rates in OOD detection. However, when I followed your experimental setup and commented out this specific loss term, I observed that the attack success rate did not decrease as expected. In fact, it seems to have increased slightly.

Additionally, I tried lowering the threshold, for example, by removing 15% of the anomalous edges using `threshold = np.percentile(rec_score_ori.detach().cpu().numpy(), 97)`. However, this adjustment did not seem to have any effect.

Could you please provide clarification on how the omission of this loss term might impact the effectiveness of the attack and whether there are any additional factors or settings I should consider in my experiments?

Thank you for your assistance. I look forward to your response.

Best regards

zzwjames commented 2 months ago

Hi,

Thanks for your interest in our work.

Could you please let me know which dataset you are using? The parameter 'rec_epochs' also influences the outlier detection method's ability. It can result in either over-learning or under-learning, both of which can lead to the scenario you mentioned.

Best,