Code for reproducing the experimental results in "CNN-Cert: An Efficient Framework for Certifying Robustness of Convolutional Neural Networks", published at AAAI 2019
Apache License 2.0
What's New


Please refer to this post for an overview of recent robustness evaluation algorithms and our contributions. We provide a video summary of this work here.


About CNN-Cert

CNN-Cert is a general and efficient framework for certifying the robustness of convolutional neural networks (CNN).

Cite our work:

Akhilan Boopathy, Tsui-Wei Weng, Pin-Yu Chen, Sijia Liu and Luca Daniel, "CNN-Cert: An Efficient Framework for Certifying Robustness of Convolutional Neural Networks", AAAI 2019.

  author = "Akhilan Boopathy AND Tsui-Wei Weng AND Pin-Yu Chen AND Sijia Liu AND Luca Daniel",
  title = "CNN-Cert: An Efficient Framework for Certifying Robustness of Convolutional Neural Networks",
  booktitle = "AAAI",
  year = "2019",
  month = "Jan"

Related Work


  1. The code is tested with python3 and TensorFlow v1.10 and v1.12 (TensorFlow v1.8 is not compatible). The following packages are required.

    conda create --name cnncert python=3.6
    source activate cnncert
    conda install pillow numpy scipy pandas h5py tensorflow numba posix_ipc matplotlib
  2. Please also install Gurobi, its associated python library gurobipy and its license in order to run LP/Dual-LP methods.

    conda config --add channels
    conda install gurobi
  1. Clone this repository:

    git clone
    cd CNN-Cert
  1. Download the pre-trained CNN models used in the paper.

  2. Convert the pre-trained CNN models to MLP models (in order to compare with Fast-Lin)


    Converted model results are saved into log_cnn2mlp_timestamp.txt.

  3. Ready to run CNN-Cert and reproduce the experiments and Tables 3-13 in our paper.


    The default value of the parameter table in the main function of is set to 6, which reproduces Table 6 in the paper. In addition, includes an interface to the main CNN-Cert evaluation functions. Comparison scripts to run other methods including Fast-Lin, LP, CLEVER and attack methods are also included.

Robustness certificates and runtimes are saved to log_pymain_{timestamp}.txt. Example log format for Table 6 (partial):

Table 6 result
model name = models/mnist_resnet_2, numimage = 10, norm = i, targettype = random
avg robustness = 0.01832
avg run time = 1.54 sec
CNN-Cert-Ada, ReLU activation
model name = models/mnist_resnet_2, numimage = 10, norm = i, targettype = random
avg robustness = 0.01971
avg run time = 1.56 sec
CNN-Cert-Ada, Sigmoid activation
model name = models/mnist_resnet_2, numimage = 10, norm = i, targettype = random
avg robustness = 0.00597
avg run time = 1.60 sec
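
To compare certified bounds across methods without reading the log by hand, the format above can be parsed into records. This is an added example, not part of the repository; the function name `parse_log` and the record keys are assumptions, and the sample text is constructed from the excerpt above, whose first block has no method label line.

```python
import re

# Constructed sample: the partial Table 6 excerpt shown above, embedded so the example runs offline.
SAMPLE_LOG = """\
Table 6 result
model name = models/mnist_resnet_2, numimage = 10, norm = i, targettype = random
avg robustness = 0.01832
avg run time = 1.54 sec
CNN-Cert-Ada, ReLU activation
model name = models/mnist_resnet_2, numimage = 10, norm = i, targettype = random
avg robustness = 0.01971
avg run time = 1.56 sec
CNN-Cert-Ada, Sigmoid activation
model name = models/mnist_resnet_2, numimage = 10, norm = i, targettype = random
avg robustness = 0.00597
avg run time = 1.60 sec
"""

MODEL_RE = re.compile(r"^model name = (?P<model>[^,]+), numimage = (?P<n>\d+), "
                      r"norm = (?P<norm>\w+), targettype = (?P<target>\w+)$")
ROBUST_RE = re.compile(r"^avg robustness = ([0-9.eE+-]+)$")
TIME_RE = re.compile(r"^avg run time = ([0-9.eE+-]+) sec$")

def parse_log(text):
    """Return one dict per result block; 'method' is None when no label line precedes it."""
    records, label, current = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or re.match(r"^Table \d+ result$", line):
            continue  # blank lines and the table header carry no per-block data
        m = MODEL_RE.match(line)
        if m:
            current = {"method": label, "model": m["model"], "numimage": int(m["n"]),
                       "norm": m["norm"], "targettype": m["target"]}
            label = None
        elif current is not None and (r := ROBUST_RE.match(line)):
            current["avg_robustness"] = float(r.group(1))
        elif current is not None and (t := TIME_RE.match(line)):
            current["avg_runtime_sec"] = float(t.group(1))
            records.append(current)  # the run-time line closes a block
            current = None
        else:
            label = line  # any other line is taken as the method label of the next block
    return records
```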

How to Run

We have provided an interfacing file to compute certified bounds. This file contains a function run_cnn that computes CNN-Cert bounds and runtime averaged over a given number of samples.

Usage: run_cnn(file_name, n_samples, norm, core, activation, cifar)

The main CNN-Cert functions are included in and is for CNNs with just convolution and pooling layers, while can be used for more general CNNs such as Resnets. The main Fast-Lin files are, which implements ordinary Fast-Lin, and, which implements a sparse matrix version of Fast-Lin. Please note that Fast-Lin and CNN-Cert may yield slightly different bounds on the same network due to implementation differences. CNN-Cert uses 15 steps of binary search to find a certified bound while Fast-Lin may use fewer than 15 steps.
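
The effect of the binary-search step count on the reported bound can be seen on a toy case. This is an added sketch, not the repository's code: the linear two-class margin, the search bracket [0, 1] and all names below are assumptions chosen so that the exact l-infinity robustness is known in closed form.

```python
# Toy stand-in for a certifier (assumed model, not from the repo):
# margin g(x) = W.x + B, classified correctly while g(x) > 0.
W = [0.5, -1.5, 2.0]
B = 0.1
X0 = [1.0, 0.2, 0.4]

def margin_lower_bound(eps):
    """Worst-case margin over the l-infinity ball of radius eps around X0.

    For a linear model this bound is exact: the adversary moves every
    coordinate by eps against the sign of its weight, costing eps * ||W||_1.
    """
    nominal = sum(w * x for w, x in zip(W, X0)) + B
    return nominal - eps * sum(abs(w) for w in W)

def certified_bound(steps, lo=0.0, hi=1.0):
    """Binary search for the largest eps whose worst-case margin stays positive.

    Only `lo` is returned, and `lo` only ever moves to a radius that passed
    the check, so the result is a sound (never over-stated) certificate.
    """
    for _ in range(steps):
        mid = (lo + hi) / 2
        if margin_lower_bound(mid) > 0:
            lo = mid   # mid is certified; try a larger radius
        else:
            hi = mid   # mid is not certified; shrink the bracket
    return lo

# Closed-form robustness of the toy model: nominal margin / ||W||_1.
EXACT = (sum(w * x for w, x in zip(W, X0)) + B) / sum(abs(w) for w in W)

if __name__ == "__main__":
    for steps in (8, 15):
        print(steps, "steps ->", certified_bound(steps), "exact:", EXACT)
```

With the same bracket, fewer steps return a smaller but still valid radius, so two tools that certify the same network can report slightly different bounds.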

Training your own models and evaluating CNN-Cert and other methods

  1. We provide pre-trained models here. The pre-trained models use the following naming convention:

Pure CNN Models:

{dataset}_cnn_{number of layers}layer_{filter size}_{kernel size}[_{non ReLU activation}]
Example: mnist_cnn_4layer_10_3
Example: cifar_cnn_5layer_5_3_tanh

General CNN Models:

{dataset}_cnn_{number of layers}layer[_{non ReLU activation}]
Example: mnist_cnn_7layer
Example: mnist_cnn_7layer_tanh

Fully connected Models:

{dataset}_{number of layers}layer_fc_{layer size}
Example: mnist_2layer_fc_20

Resnet Models:

{dataset}_resnet_{number of residual blocks}[_{non ReLU activation}]
Example: mnist_resnet_3
Example: mnist_resnet_4_tanh

LeNet Models:

{dataset}_cnn_lenet[_nopool][_{non ReLU activation}]
Example: mnist_cnn_lenet_tanh
Example: mnist_cnn_lenet_nopool
  1. The pre-trained models are used as an example to evaluate CNN-Cert and are not particularly optimized for test accuracy. We encourage users to also train their own models and apply CNN-Cert. We provide the following example scripts:,,,

Models will be stored in the models folder. All models are trained and stored with Keras. To train your own model, call the training function in the appropriate file. For example, to train a 4-layer CNN on MNIST for 10 epochs with 5 filters per layer and 3x3 filters, run:

from train_cnn import train
from setup_mnist import MNIST
train(MNIST(), file_name='models/mnist_cnn_4layer_5_3', filters=[5,5,5], kernels = [3,3,3], num_epochs=10)
  1. In order to run Fast-Lin and LP methods, convert the network to MLP using the convert function in

    convert('models/mnist_cnn_4layer_5_3', 'models/mnist_cnn_as_mlp_4layer_5_3', cifar=False)
  2. Evaluate the saved model models/mnist_cnn_4layer_5_3 and compare with the methods reported in the paper: CNN-Cert, Fast-Lin, LP, Global Lipschitz, CLEVER, and CW/EAD attack (interface found in

Additional Examples

For example, to compute the average l-infinity CNN-Cert bound over 100 images on a MNIST pure convolutional ReLU network with filename my_mnist_network, run the following in python:

from pymain import run_cnn
bound, time = run_cnn('my_mnist_network', 100, 'i')

To find the Fast-Lin bounds on this network, first convert the network to MLP:

from cnn_to_mlp import convert
convert('my_mnist_network', 'my_mlp_mnist_network')

This will print the size of the MLP weight matrices. Use this to determine the number of nodes in each hidden layer of the MLP network. Suppose there are 3 hidden layers (4 layers total excluding the input) with 50 nodes each.

To run Fast-Lin, call the Fast-Lin interfacing function in

from pymain import run
bound, time = run(50, 4, 'i', 'my_mlp_mnist_network')

To compute the average l-2 CNN-Cert bound over 10 images on a CIFAR sigmoid Resnet with filename my_cifar_resnet, run the following in python:

from pymain import run_cnn
bound, time = run_cnn('my_cifar_resnet', 10, '2', core = False, activation = 'sigmoid', cifar = True)

Experimental Results

Results of running CNN-Cert are shown for some example networks with different perturbation norms. CNN-Cert is compared to other certified bounds in both bounds and runtimes. As illustrated, for the example networks CNN-Cert performs similarly to or better than the compared methods with faster runtime.

[Figures: Bounds Results; Runtime Results]