Towards Universal Certified Robustness with Multi-Norm Training

📅 2024-10-03
🏛️ arXiv.org
📈 Citations: 0
Influential: 0

🤖 AI Summary
Existing robust training methods exhibit imbalanced defense capabilities against diverse perturbations—including ℓ∞ and ℓ2 norm-bounded adversarial attacks, geometric transformations, and patch-based corruptions—and lack unified, provably robust guarantees across threat models. This work introduces CURE, the first training framework enabling multi-norm joint certified robustness. Our approach comprises three key contributions: (1) a novel theoretical framework for unified certification across multiple norms; (2) a bound alignment mechanism that bridges natural training and certified training objectives; and (3) an integrated strategy combining multi-norm random smoothing, joint ℓ∞/ℓ2 certification, and pretraining-finetuning. Evaluated on MNIST, CIFAR-10, and TinyImageNet, CURE improves “union robustness” by 32.0%, 25.8%, and 10.6%, respectively. Moreover, it generalizes to unseen geometric and patch perturbations, boosting robustness by 6.8% and 16.0%, respectively.


📝 Abstract
Existing certified training methods can only train models to be robust against a certain perturbation type (e.g. $l_\infty$ or $l_2$). However, an $l_\infty$ certifiably robust model may not be certifiably robust against $l_2$ perturbation (and vice versa) and also has low robustness against other perturbations (e.g. geometric and patch transformation). By constructing a theoretical framework to analyze and mitigate the tradeoff, we propose the first multi-norm certified training framework CURE, consisting of several multi-norm certified training methods, to attain better union robustness when training from scratch or fine-tuning a pre-trained certified model. Inspired by our theoretical findings, we devise bound alignment and connect natural training with certified training for better union robustness. Compared with SOTA-certified training, CURE improves union robustness to $32.0\%$ on MNIST, $25.8\%$ on CIFAR-10, and $10.6\%$ on TinyImagenet across different epsilon values. It leads to better generalization on a diverse set of challenging unseen geometric and patch perturbations to $6.8\%$ and $16.0\%$ on CIFAR-10. Overall, our contributions pave a path towards universal certified robustness.
Problem

Research questions and friction points this paper is trying to address.

Robustness
Adversarial Attacks
Training Framework
Innovation

Methods, ideas, or system contributions that make the work stand out.

CURE Framework
Robustness Enhancement
Versatile Training Methods