A machine learning system includes encoder and decoder networks. The machine learning system is configured to obtain input data, which includes sensor data and a radius of an p norm ball of admissible perturbations. Input bounding data is generated based on the input data. First bounding data and second bounding data are generated by respectively propagating the input bounding data on first and second outputs of the encoder network. Third bounding data is generated in association with a latent variable based on the first bounding data and the second bounding data. Fourth bounding data is generated by propagating the third bounding data on an output of the decoder network. A robustness certificate is established with respect to the input data by generating a lower bound of an evidence lower bound based on the first, second, third, and fourth bounding data. The encoder and the decoder networks are updated based on the robustness certificate to provide robustness to the machine learning system with respect to defending against the admissible perturbations.