Papers
Topics
Authors
Recent
Search
2000 character limit reached

DTW-Certified Robust Defense

Updated 5 July 2026
  • The paper introduces a certified defense framework that guarantees invariant anomaly decisions for all perturbed inputs within a specified DTW radius.
  • It employs Gaussian randomized smoothing with percentile scoring to obtain an ℓ2 certificate and then translates it to a DTW certificate via a Keogh lower bound.
  • Empirical results across benchmark datasets show that the method improves robustness and F1-score under strong DTW-based adversarial attacks.

Searching arXiv for the specified paper and closely related certification work. DTW-certified robust defense denotes a certified robustness framework for time-series anomaly detection in which robustness guarantees are stated in terms of Dynamic Time Warping (DTW) rather than only in an p\ell_p norm. In the formulation introduced by "Fortifying Time Series: DTW-Certified Robust Anomaly Detection" (Liu et al., 8 May 2026), the objective is to guarantee that, for all perturbed inputs within a DTW radius ε\varepsilon, the anomaly detector’s anomaly/benign decision remains unchanged with high probability. The framework is motivated by the mismatch between indexwise p\ell_p distances and the temporal alignment structure of time series, and it adapts randomized smoothing by first obtaining an 2\ell_2 certificate for a smoothed anomaly score and then converting that certificate into a DTW certificate through a lower-bound argument based on the Keogh lower bound. In methodological terms, it belongs to a broader line of research that extends randomized smoothing to non-additive metrics by introducing a metric-specific bridge to a normed certificate space, as also exemplified by Wasserstein smoothing in image classification (Levine et al., 2019).

1. Definition and problem setting

The setting is time-series anomaly detection on

X=RL×C,\mathcal{X}=\mathbb{R}^{L\times C},

where LL is sequence length and CC is the number of channels. The detector operates on windows of size TLT\le L and assigns a real-valued anomaly score f(x)Rf(x)\in\mathbb{R}. The binary decision rule is

d(x)={1,f(x)>γ, 0,f(x)γ,(1)d(x)= \begin{cases} 1, & f(x)>\gamma,\ 0, & f(x)\le \gamma, \end{cases} \tag{1}

where ε\varepsilon0 denotes anomaly and ε\varepsilon1 denotes benign (Liu et al., 8 May 2026).

The central robustness requirement is pointwise and worst-case: the detector should certify that no perturbation within a prescribed radius can flip the anomaly decision. In the threat model considered, the adversary is white-box, has full access to the detector, and has unlimited computation. Given an input ε\varepsilon2, the attacker seeks ε\varepsilon3 such that

ε\varepsilon4

subject to the budget

ε\varepsilon5

This covers both evasion attacks, which hide a true anomaly, and availability attacks, which cause a benign signal to be flagged as anomalous (Liu et al., 8 May 2026).

The motivation is explicitly safety-critical. The cited application domains include healthcare, finance, and infrastructure monitoring, where anomaly detectors may trigger alarms, initiate interventions, or prevent failures. Under that interpretation, robustness is not treated as an average-case performance attribute but as a requirement for provable trust under worst-case perturbations (Liu et al., 8 May 2026).

2. Why DTW is the relevant robustness metric

Standard ε\varepsilon6 threat models are treated as inadequate for time-series data because they compare signals index-by-index and therefore ignore temporal alignment. The paper states the conventional distance as

ε\varepsilon7

This geometry is poorly matched to temporal distortions such as small temporal shifts, local delay, stretching or compression, and rescaling in time, all of which can preserve semantic identity while producing a large ε\varepsilon8 discrepancy (Liu et al., 8 May 2026).

DTW is introduced as the more appropriate similarity and attack metric because it explicitly permits elastic temporal alignment. The DTW distance of norm order ε\varepsilon9 is defined as

p\ell_p0

where p\ell_p1 is an admissible alignment path and p\ell_p2 is the set of all such paths. The path satisfies matched ends, monotonicity and continuity, and the requirement that each time index appears at least once. In the main text, the construction uses p\ell_p3 (Liu et al., 8 May 2026).

Under this definition, DTW better captures phase shifts, temporal stretching, compression, and local misalignment. The paper therefore argues that previous certified defenses for time-series anomaly detection that simply import p\ell_p4 smoothing certify the wrong geometry. A model can be certified in an p\ell_p5 ball and still remain vulnerable to natural or adversarial temporal distortions. The explicit novelty claim is the introduction of the first certified defense for time-series anomaly detection under the DTW distance and, more specifically, the first theoretical framework that provides certified robustness in DTW distance for this problem (Liu et al., 8 May 2026).

A plausible implication is that the notion of robustness becomes application-aligned only when the attack metric respects temporal equivalence classes induced by alignment, rather than only raw samplewise deviations.

3. Smoothed anomaly scoring and the p\ell_p6 certificate

The defense pipeline begins with an arbitrary anomaly detector with score function p\ell_p7, then constructs a smoothed anomaly score function p\ell_p8 using Gaussian randomized smoothing, computes an p\ell_p9-type certified radius for the smoothed detector using percentile smoothing, and finally converts that 2\ell_20 certificate into a DTW certified radius (Liu et al., 8 May 2026).

Ordinary smoothing is described as insufficient because the anomaly score is a real-valued scalar and can be unbounded, high variance, and unstable under noise. The adopted alternative is percentile smoothing. With Gaussian noise

2\ell_21

the percentile-smoothed anomaly score is

2\ell_22

For 2\ell_23, this behaves as a median-like smoothing rule. The smoothed detector uses 2\ell_24 in place of 2\ell_25 and retains the threshold 2\ell_26 (Liu et al., 8 May 2026).

The paper gives the percentile smoothing certificate in 2\ell_27 form: 2\ell_28 where

2\ell_29

and X=RL×C,\mathcal{X}=\mathbb{R}^{L\times C},0 is the standard Gaussian CDF. This provides a sufficient condition ensuring that the smoothed score stays on the same side of the decision threshold throughout an X=RL×C,\mathcal{X}=\mathbb{R}^{L\times C},1 ball (Liu et al., 8 May 2026).

The certified X=RL×C,\mathcal{X}=\mathbb{R}^{L\times C},2 radius X=RL×C,\mathcal{X}=\mathbb{R}^{L\times C},3 depends on whether the smoothed score is above or below the threshold: X=RL×C,\mathcal{X}=\mathbb{R}^{L\times C},4 This is the radius within which the smoothed decision is unchanged (Liu et al., 8 May 2026).

Within the logic of certified defense, the role of smoothing is therefore modular: it supplies a norm-ball certificate around the test point, and the main theoretical task is to replace that norm geometry with the DTW geometry relevant to temporal distortions.

4. The Keogh lower bound and the bridge from X=RL×C,\mathcal{X}=\mathbb{R}^{L\times C},5 to DTW

The key technical step is the conversion of the X=RL×C,\mathcal{X}=\mathbb{R}^{L\times C},6 certificate into a DTW certificate through a lower-bound contradiction argument. For a warping window X=RL×C,\mathcal{X}=\mathbb{R}^{L\times C},7, the upper and lower envelopes are

X=RL×C,\mathcal{X}=\mathbb{R}^{L\times C},8

These envelopes characterize, at each time step and channel, the range of values that can align to X=RL×C,\mathcal{X}=\mathbb{R}^{L\times C},9 within the allowed warping window (Liu et al., 8 May 2026).

The Keogh lower bound is then defined as

LL0

If a point of LL1 stays inside the envelope of LL2, it contributes nothing to the lower bound; only envelope violations contribute. Since this is a lower bound on DTW, any sufficiently large value implies a large DTW distance (Liu et al., 8 May 2026).

The conceptual bridge is stated as Lemma 3.2. If a smoothed function LL3 satisfies

LL4

then it also satisfies

LL5

where LL6 is a strict lower bound of LL7 and

LL8

The proof mechanism is contradiction: if some point had LL9 while lying outside the safe CC0 ball, the strict lower bound would violate the definition of CC1 (Liu et al., 8 May 2026).

The main theorem instantiates this bridge with CC2. The decision condition is

CC3

Then robustness is guaranteed for all CC4 satisfying

CC5

where

CC6

with

CC7

Here CC8 is the total amount of Euclidean perturbation that can remain inside the envelope with zero Keogh penalty, while CC9 is the largest single-coordinate slack (Liu et al., 8 May 2026).

The two-case structure is significant. If TLT\le L0, the infimum DTW lower bound outside the TLT\le L1 ball is still TLT\le L2, so the DTW certificate degenerates to TLT\le L3. If TLT\le L4, any point outside the TLT\le L5 ball must protrude beyond the envelope and therefore induce positive Keogh cost, producing a positive DTW certificate. This suggests that certificate quality depends jointly on the smoothing-derived Euclidean radius and on the tightness of the envelope slack permitted by the chosen DTW window.

5. Certification semantics, evaluation protocol, and operationalization

The formal certified-defense definition is pointwise: the detector provides certified defense at input TLT\le L6 with DTW radius TLT\le L7 if there is no TLT\le L8 such that

TLT\le L9

and

f(x)Rf(x)\in\mathbb{R}0

with confidence at least f(x)Rf(x)\in\mathbb{R}1 (Liu et al., 8 May 2026).

The practical certification procedure is given as a seven-step pipeline. For a test input f(x)Rf(x)\in\mathbb{R}2, one samples Gaussian noise f(x)Rf(x)\in\mathbb{R}3, computes noisy scores

f(x)Rf(x)\in\mathbb{R}4

sorts the scores and estimates confidence bounds on the relevant percentiles using binomial tail bounds, derives the smoothed decision and the f(x)Rf(x)\in\mathbb{R}5 certificate radius f(x)Rf(x)\in\mathbb{R}6, constructs DTW envelopes f(x)Rf(x)\in\mathbb{R}7 for a chosen wrapping window f(x)Rf(x)\in\mathbb{R}8, computes the slack values f(x)Rf(x)\in\mathbb{R}9 and then d(x)={1,f(x)>γ, 0,f(x)γ,(1)d(x)= \begin{cases} 1, & f(x)>\gamma,\ 0, & f(x)\le \gamma, \end{cases} \tag{1}0 and d(x)={1,f(x)>γ, 0,f(x)γ,(1)d(x)= \begin{cases} 1, & f(x)>\gamma,\ 0, & f(x)\le \gamma, \end{cases} \tag{1}1, and finally outputs the DTW certified radius

d(x)={1,f(x)>γ, 0,f(x)γ,(1)d(x)= \begin{cases} 1, & f(x)>\gamma,\ 0, & f(x)\le \gamma, \end{cases} \tag{1}2

The method does not require retraining and can be applied to pre-trained anomaly detectors. At inference, the described pipeline is: inject Gaussian noise, optionally pass through a denoising stage, aggregate scores via percentile smoothing, and output the anomaly decision together with the DTW certificate (Liu et al., 8 May 2026).

The empirical study uses seven benchmark datasets, listed in the text as SMAP, MSL, SMD, NIPS-TS-SWAN, NIPS-TS-CREDITCARD, NIPS-TS-WATER, UCR-1, and UCR-2, with UCR split into two subsets. These include both univariate and multivariate anomaly detection tasks. The anomaly detection backbones are COUTA, TimesNet, and DeepSVDDTS. The primary baselines are the undefended base model, a traditional d(x)={1,f(x)>γ, 0,f(x)γ,(1)d(x)= \begin{cases} 1, & f(x)>\gamma,\ 0, & f(x)\le \gamma, \end{cases} \tag{1}3-norm certified defense based on standard randomized smoothing, and the proposed DTW-certified defense, all evaluated under DTW-based adversarial attacks (Liu et al., 8 May 2026).

Default hyperparameters are sequence length d(x)={1,f(x)>γ, 0,f(x)γ,(1)d(x)= \begin{cases} 1, & f(x)>\gamma,\ 0, & f(x)\le \gamma, \end{cases} \tag{1}4, DTW wrapping window d(x)={1,f(x)>γ, 0,f(x)γ,(1)d(x)= \begin{cases} 1, & f(x)>\gamma,\ 0, & f(x)\le \gamma, \end{cases} \tag{1}5, number of noisy samples d(x)={1,f(x)>γ, 0,f(x)γ,(1)d(x)= \begin{cases} 1, & f(x)>\gamma,\ 0, & f(x)\le \gamma, \end{cases} \tag{1}6, Gaussian noise level d(x)={1,f(x)>γ, 0,f(x)γ,(1)d(x)= \begin{cases} 1, & f(x)>\gamma,\ 0, & f(x)\le \gamma, \end{cases} \tag{1}7, percentile d(x)={1,f(x)>γ, 0,f(x)γ,(1)d(x)= \begin{cases} 1, & f(x)>\gamma,\ 0, & f(x)\le \gamma, \end{cases} \tag{1}8, and confidence parameter d(x)={1,f(x)>γ, 0,f(x)γ,(1)d(x)= \begin{cases} 1, & f(x)>\gamma,\ 0, & f(x)\le \gamma, \end{cases} \tag{1}9. The implementation is reported in PyTorch on Linux with Intel Xeon Gold 6326 CPUs and NVIDIA A100 80GB GPUs (Liu et al., 8 May 2026).

The evaluation includes both ordinary detection metrics and certification metrics. Detection performance is measured by point-adjusted F1-score and ROC AUC. Certified radii over test instances are summarized by mean radius, maximum radius, standard deviation, and certified proportion, defined as the fraction with non-zero certificate. The paper also extends certified accuracy to anomaly detection via certified confusion matrices: ε\varepsilon00

ε\varepsilon01

ε\varepsilon02

with

ε\varepsilon03

ε\varepsilon04

These are conservative worst-case metrics (Liu et al., 8 May 2026).

6. Empirical findings, trade-offs, and methodological context

The reported results indicate that the defense is broadly applicable across datasets and models, often with only small degradation and occasionally even improvement in clean detection performance. One example from Table 1 is NIPS-TS-WATER with DeepSVDDTS, where the method certifies ε\varepsilon05 of test inputs with mean DTW certified radius ε\varepsilon06, with no performance degradation in F1 or AUC. On many tasks, DeepSVDDTS attains the strongest robustness, which the authors state may be because it handles noisy inputs better. Robustness is weaker on datasets such as SMAP and NIPS-TS-SWAN, which the paper attributes to higher channel dimensionality, higher variance, and looser lower-bound estimation (Liu et al., 8 May 2026).

Under strong DTW-based adversarial attack, the main empirical comparison is between undefended models, ε\varepsilon07-certified models, and the DTW-certified defense at attack budget

ε\varepsilon08

This budget exceeds the average certified radius of roughly ε\varepsilon09 and is presented as a strong stress test. DTW attacks severely damage undefended models, with F1 drops of ε\varepsilon10 on SMD and ε\varepsilon11 on UCR-1. The ε\varepsilon12-certified defense improves robustness somewhat but remains inconsistent when attacks involve strong temporal distortions. The DTW-certified defense consistently outperforms both baselines: on MSL, F1 under attack improves from ε\varepsilon13 for the ε\varepsilon14-certified defense to ε\varepsilon15 for the DTW-certified defense, a gain of ε\varepsilon16 percentage points; on UCR-1, F1 improves from ε\varepsilon17 to ε\varepsilon18, a gain of ε\varepsilon19 percentage points (Liu et al., 8 May 2026).

The paper also reports dataset-level certified performance curves. Figure 1 shows certified F1 and certified accuracy versus DTW attack budget ε\varepsilon20 for COUTA on MSL and SMAP under both evasion and availability attacks. On SMAP, with suitable ε\varepsilon21 such as ε\varepsilon22, the defense maintains certified F1 of roughly ε\varepsilon23 under evasion attack at budget ε\varepsilon24 (Liu et al., 8 May 2026).

The principal trade-off concerns the smoothing noise level ε\varepsilon25. Increasing ε\varepsilon26 generally increases mean certified radius, maximum radius, and certified proportion, but too large a value hurts F1-score and ROC AUC. The examples singled out in the text are that moderate ε\varepsilon27 or ε\varepsilon28 can improve both robustness and sometimes generalization, whereas large ε\varepsilon29 often degrades clean detection. The paper characterizes this as the standard smoothing trade-off: more noise yields larger certificates but can blur the detector. It also notes that moderate smoothing can improve clean performance by stabilizing the decision boundary (Liu et al., 8 May 2026).

The limitations are explicit. Certification requires many noisy evaluations at test time, introducing inference overhead. The DTW certificate is conservative because it is derived through ε\varepsilon30 rather than exact DTW geometry; failure to certify beyond radius ε\varepsilon31 does not imply actual non-robustness beyond that radius. Longer sequences and higher-dimensional multivariate series can reduce certificate tightness, and the use of a Sakoe-Chiba warping window means the quality of the certificate depends on the chosen warping constraint. The scope of the current framework is limited to anomaly detection rather than classification or forecasting (Liu et al., 8 May 2026).

In a broader methodological context, the DTW construction follows the same general research pattern as Wasserstein smoothing: a non-additive metric is not certified directly in raw input space but through a metric-specific reduction that permits the reuse of randomized smoothing machinery. Wasserstein smoothing converts a transport-based perturbation model into an ε\varepsilon32-type perturbation model in flow space and then applies an existing ε\varepsilon33 randomized smoothing certificate (Levine et al., 2019). DTW-certified robust defense does not use a latent additive transformation space in the same way; instead, it converts an ε\varepsilon34 certificate into a DTW certificate through a strict lower-bound bridge. This suggests a broader taxonomy of certified defenses for non-additive metrics: one class reduces the metric to a norm in a transformation space, while another uses provable lower or upper bounds to transfer a norm-ball certificate into the target geometry.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (2)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to DTW-Certified Robust Defense.