Adversarial Robustness in Two-Stage Learning-to-Defer: Algorithms and Guarantees

TL;DR

This paper studies adversarial attacks on two-stage Learning-to-Defer systems, introduces new attack strategies, and proposes SARD, a robust learning algorithm with theoretical guarantees that enhances security without sacrificing performance.

Contribution

It is the first to analyze adversarial robustness in two-stage L2D, proposing novel attack methods and a provably robust learning algorithm applicable across multiple settings.

Findings

SARD significantly improves robustness against adversarial attacks.

SARD maintains strong performance on clean data.

Theoretical guarantees hold across various learning tasks.

Abstract

Two-stage Learning-to-Defer (L2D) enables optimal task delegation by assigning each input to either a fixed main model or one of several offline experts, supporting reliable decision-making in complex, multi-agent environments. However, existing L2D frameworks assume clean inputs and are vulnerable to adversarial perturbations that can manipulate query allocation--causing costly misrouting or expert overload. We present the first comprehensive study of adversarial robustness in two-stage L2D systems. We introduce two novel attack strategie--untargeted and targeted--which respectively disrupt optimal allocations or force queries to specific agents. To defend against such threats, we propose SARD, a convex learning algorithm built on a family of surrogate losses that are provably Bayes-consistent and $(\mathcal{R}, \mathcal{G})$-consistent. These guarantees hold across classification, regression, and multi-task settings. Empirical results demonstrate that SARD significantly improves robustness under adversarial attacks while maintaining strong clean performance, marking a critical step toward secure and trustworthy L2D deployment.