ML Security PapersFaRAccel: FPGA-Accelerated Defense Architecture for Efficient Bit-Flip Attack Resilience in Transformer Models
Najmeh Nazari 1, Banafsheh Saber Latibari 2, Elahe Hosseini 1, Fatemeh Movafagh 3, Chongzhou Fang 1, Hosein Mohammadi Makrani 1, Kevin Immanuel Gubbi 1, Abhijit Mahalanobis 2, Setareh Rafatirad 1, Hossein Sayadi 4, Houman Homayoun 1
Published on arXiv
2510.24985
Model Poisoning
OWASP ML Top 10 — ML10
Key Finding
FaRAccel achieves up to 15× speedup in FaR inference latency over software implementations while maintaining equivalent resilience against gradient-based Bit-Flip Attacks.
FaRAccel
Novel technique introduced
Forget and Rewire (FaR) methodology has demonstrated strong resilience against Bit-Flip Attacks (BFAs) on Transformer-based models by obfuscating critical parameters through dynamic rewiring of linear layers. However, the application of FaR introduces non-negligible performance and memory overheads, primarily due to the runtime modification of activation pathways and the lack of hardware-level optimization. To overcome these limitations, we propose FaRAccel, a novel hardware accelerator architecture implemented on FPGA, specifically designed to offload and optimize FaR operations. FaRAccel integrates reconfigurable logic for dynamic activation rerouting, and lightweight storage of rewiring configurations, enabling low-latency inference with minimal energy overhead. We evaluate FaRAccel across a suite of Transformer models and demonstrate substantial reductions in FaR inference latency and improvement in energy efficiency, while maintaining the robustness gains of the original FaR methodology. To the best of our knowledge, this is the first hardware-accelerated defense against BFAs in Transformers, effectively bridging the gap between algorithmic resilience and efficient deployment on real-world AI platforms.
Key Contributions
- FaRAccel: first FPGA-based hardware accelerator for executing Forget-and-Rewire (FaR) BFA defense operations on Transformer models
- Reconfigurable datapath supporting dynamic neuron rerouting, activation modulation, and parameter concealment without model retraining
- Up to 15× inference latency speedup over software-based FaR while preserving equivalent robustness against Bit-Flip Attacks
🛡️ Threat Analysis
Bit-Flip Attacks corrupt model weights/parameters at the hardware level (via DRAM vulnerabilities) to degrade or redirect model behavior — a form of model parameter corruption. FaRAccel accelerates the FaR defense, which obfuscates critical weight parameters through dynamic neuron rewiring to resist these targeted weight-manipulation attacks.