Existing out-of-distribution (OOD) detection methods suffer from poor discrimination between adversarial in-distribution (ID) samples and genuine OOD samples under adversarial attacks, leading to erroneous classifications. To address this, we propose Sharpness-aware Geometric Defense (SaGD), a unified framework integrating sharpness-aware optimization with geometric projection. SaGD smooths the adversarial loss landscape, enhances robust convergence of latent-space geometric structure, and incorporates Jitter perturbation to improve generalization against unseen attacks. Extensive experiments on CIFAR-100 and six diverse OOD benchmarks demonstrate that SaGD consistently outperforms state-of-the-art methods, achieving superior performance in both false positive rate at 95% true positive rate (FPR95) and area under the ROC curve (AUC). Notably, SaGD is the first approach to simultaneously enhance adversarial robustness and OOD detection accuracy, establishing a new benchmark for secure and reliable OOD identification.

Out-of-distribution (OOD) detection ensures safe and reliable model deployment. Contemporary OOD algorithms using geometry projection can detect OOD or adversarial samples from clean in-distribution (ID) samples. However, this setting regards adversarial ID samples as OOD, leading to incorrect OOD predictions. Existing efforts on OOD detection with ID and OOD data under attacks are minimal. In this paper, we develop a robust OOD detection method that distinguishes adversarial ID samples from OOD ones. The sharp loss landscape created by adversarial training hinders model convergence, impacting the latent embedding quality for OOD score calculation. Therefore, we introduce a {f Sharpness-aware Geometric Defense (SaGD)} framework to smooth out the rugged adversarial loss landscape in the projected latent geometry. Enhanced geometric embedding convergence enables accurate ID data characterization, benefiting OOD detection against adversarial attacks. We use Jitter-based perturbation in adversarial training to extend the defense ability against unseen attacks. Our SaGD framework significantly improves FPR and AUC over the state-of-the-art defense approaches in differentiating CIFAR-100 from six other OOD datasets under various attacks. We further examine the effects of perturbations at various adversarial training levels, revealing the relationship between the sharp loss landscape and adversarial OOD detection.