Certified Causal Defense with Generalizable Robustness
Yiran Qiao, Yu Yin, Chen Chen, Jing Ma

TL;DR
This paper introduces GLEAN, a certified defense framework that leverages causal inference to improve robustness against adversarial attacks and generalize across different data domains with distribution shifts.
Contribution
GLEAN integrates causal factor learning with certified defense, enabling robustness to adversarial attacks and better generalization across diverse data distributions.
Findings
Outperforms existing methods in certified robustness across multiple domains.
Effectively disentangles causal and spurious features to enhance defense.
Demonstrates robustness against adversarial attacks on latent causal factors.
Abstract
While machine learning models have proven effective across various scenarios, it is widely acknowledged that many models are vulnerable to adversarial attacks. Recently, there have emerged numerous efforts in adversarial defense. Among them, certified defense is well known for its theoretical guarantees against arbitrary adversarial perturbations on input within a certain range (e.g., ball). However, most existing works in this line struggle to generalize their certified robustness in other data domains with distribution shifts. This issue is rooted in the difficulty of eliminating the negative impact of spurious correlations on robustness in different domains. To address this problem, in this work, we propose a novel certified defense framework GLEAN, which incorporates a causal perspective into the generalization problem in certified defense. More specifically, our framework…
Taxonomy
Topics: Free Will and Agency · Computability, Logic, AI Algorithms · Epistemology, Ethics, and Metaphysics
