🤖 AI Summary
Variational autoencoders (VAEs) lack provable robustness guarantees under adversarial attacks in safety-critical applications.

Method: We propose CIVET, the first end-to-end certifiably robust training framework for VAEs. Its core insight is that a VAE’s worst-case reconstruction performance is fully governed by the reconstruction error bound over a critical support set in latent space. Leveraging this, CIVET integrates variational inference, Lagrangian duality optimization, and support-set sensitivity analysis with randomized smoothing and gradient regularization.

Contribution/Results: Evaluated across multiple wireless communication and computer vision datasets, CIVET significantly outperforms state-of-the-art methods. It achieves ≥92% provably guaranteed reconstruction confidence under diverse perturbation magnitudes—the first such result—while maintaining high reconstruction fidelity and strong probabilistic robustness.
📝 Abstract
Variational Autoencoders (VAEs) have become increasingly popular and are now deployed in safety-critical applications. In such applications, we want to give certified probabilistic guarantees on performance under adversarial attacks. We propose a novel method, CIVET, for certified training of VAEs. CIVET depends on the key insight that we can bound worst-case VAE error by bounding the error on carefully chosen support sets at the latent layer. We show this point mathematically and present a novel training algorithm utilizing this insight. In an extensive evaluation across different datasets (in both the wireless and vision application areas), architectures, and perturbation magnitudes, we show that our method outperforms SOTA methods, achieving good standard performance with strong robustness guarantees.
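The support-set idea from the abstract, as an added sketch that is not code from the CIVET paper: it bounds a toy decoder's error over a latent box with interval arithmetic and lower-bounds the encoder's probability mass inside that box. The axis-aligned box, the interval arithmetic, the decoder weights and the encoder output ranges are all assumptions constructed for illustration.

```python
import math

def affine_bounds(lo, hi, W, b):
    """Interval bounds of W z + b over the box lo <= z <= hi."""
    out_lo, out_hi = [], []
    for row, bias in zip(W, b):
        out_lo.append(bias + sum(w * (a if w >= 0 else c) for w, a, c in zip(row, lo, hi)))
        out_hi.append(bias + sum(w * (c if w >= 0 else a) for w, a, c in zip(row, lo, hi)))
    return out_lo, out_hi

def decoder_error_bound(lo, hi, layers, x):
    """Sound upper bound on max over z in the box of ||decoder(z) - x||_inf."""
    for i, (W, b) in enumerate(layers):
        lo, hi = affine_bounds(lo, hi, W, b)
        if i < len(layers) - 1:  # ReLU on hidden layers only
            lo, hi = [max(0.0, v) for v in lo], [max(0.0, v) for v in hi]
    return max(max(abs(l - t), abs(h - t)) for l, h, t in zip(lo, hi, x))

def phi(t):
    """Standard normal CDF."""
    return 0.5 * (1.0 + math.erf(t / math.sqrt(2.0)))

def box_mass_lower_bound(lo, hi, mu_lo, mu_hi, sigma_hi):
    """Lower bound on P(z in box), z ~ N(mu, diag(sigma^2)), valid for every
    mu in [mu_lo, mu_hi] and sigma <= sigma_hi (means must lie inside the box)."""
    p = 1.0
    for a, c, m0, m1, s in zip(lo, hi, mu_lo, mu_hi, sigma_hi):
        if not (a <= m0 <= m1 <= c):
            raise ValueError("mean range must lie inside the support box")
        # Mass is unimodal in mu and decreasing in sigma, so the worst case
        # is at an endpoint of the mean range with the largest sigma.
        p *= min(phi((c - m) / s) - phi((a - m) / s) for m in (m0, m1))
    return p

# Constructed toy decoder (2 latent dims -> 2 ReLU units -> 1 output) and target.
LAYERS = [([[1.0, -1.0], [0.5, 0.5]], [0.0, -0.5]), ([[1.0, 2.0]], [0.1])]
X = [1.0]
# Constructed encoder output ranges over all perturbed inputs (assumed given,
# e.g. from bound propagation through the encoder).
MU_LO, MU_HI, SIGMA_HI = [-0.2, -0.2], [0.2, 0.2], [0.5, 0.5]

def certificate(radius):
    """Return (error bound on the box, probability the latent sample is in it)."""
    lo, hi = [-radius] * 2, [radius] * 2
    return (decoder_error_bound(lo, hi, LAYERS, X),
            box_mass_lower_bound(lo, hi, MU_LO, MU_HI, SIGMA_HI))

if __name__ == "__main__":
    for r in (0.5, 1.0):
        err, conf = certificate(r)
        print(f"box radius {r}: error <= {err:.3f} with probability >= {conf:.3f}")
```

Enlarging the box raises the guaranteed confidence but loosens the error bound, which is the trade-off that choosing the support set has to balance.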