RESQ: A Unified Framework for REliability- and Security Enhancement of Quantized Deep Neural Networks

This work proposes a unified three-stage framework that produces a quantized DNN with balanced fault and attack robustness. The first stage improves attack resilience via fine-tuning that desensitizes feature representations to small input perturbati…

Authors: Ali Soltan Mohammadi, Samira Nazari, Ali Azarpeyv

RESQ: A Unified Framework for REliability- and Security Enhancement of Quantized Deep Neural Networks
© 2026 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

This paper is accepted at the IEEE Latin-American Test Symposium (LATS) 2026.

Ali Soltan Mohammadi¹, Samira Nazari¹, Ali Azarpeyvand¹, Mahdi Taheri²,³, Milos Krstic⁴, Michael Hübner², Christian Herglotz², and Tara Ghasempouri³

¹ University of Zanjan, Zanjan, Iran
² Brandenburg Technical University, Cottbus, Germany
³ Tallinn University of Technology, Tallinn, Estonia
⁴ Leibniz Institute for High Performance Microelectronics, Frankfurt Oder, Germany

Abstract—This work proposes a unified three-stage framework that produces a quantized DNN with balanced fault and attack robustness. The first stage improves attack resilience via fine-tuning that desensitizes feature representations to small input perturbations. The second stage reinforces fault resilience through fault-aware fine-tuning under simulated bit-flip faults. Finally, a lightweight post-training adjustment integrates quantization to enhance efficiency and further mitigate fault sensitivity without degrading attack resilience. Experiments on ResNet18, VGG16, EfficientNet, and Swin-Tiny in CIFAR-10, CIFAR-100, and GTSRB show consistent gains of up to 10.35% in attack resilience and 12.47% in fault resilience, while maintaining competitive accuracy in quantized networks.
The results also highlight an asymmetric interaction in which improvements in fault resilience generally increase resilience to adversarial attacks, whereas enhanced adversarial resilience does not necessarily lead to higher fault resilience.

Index Terms—Deep Neural Networks, Adversarial Attacks, Fault Tolerance, Dependability.

I. INTRODUCTION

Deploying DNNs on edge platforms for safety-critical applications introduces new concerns related to reliability and security. Despite their high inference accuracy, DNNs are vulnerable to two primary threats: (1) adversarial attacks, where imperceptible input perturbations can mislead models into incorrect predictions [1], and (2) hardware-induced faults, such as Single Event Upsets (SEUs) that can cause bit flips in memory, which can arise from cosmic radiation [2]. These vulnerabilities threaten prediction integrity, particularly in safety-critical contexts like autonomous vehicles, industrial robotics, and defense navigation systems, where adversarial manipulation of sensor readings or bit-flip faults can lead to hazardous actions and misclassifications.

At the same time, Quantized Deep Neural Networks (QNNs) have emerged as a compelling solution for resource-constrained edge environments [3]. By representing weights and activations with low-precision formats, quantization reduces memory and energy consumption. However, reducing precision also introduces numerical instabilities, such as larger relative changes in weight values after small perturbations, increased sensitivity to bit flips in the most significant bits, and abrupt shifts caused by quantization-level boundaries. These effects make QNNs more vulnerable to both adversarial perturbations and hardware-induced faults [4]. Hence, the interplay between quantization, fault resilience, and attack resilience becomes critical for dependable deployment.
Substantial efforts focus on improving the reliability of DNNs under hardware-induced faults. Prior studies highlight that traditional resilience techniques fail to address the unique dataflow and error-propagation patterns of DNNs [2]. Reliability-aware retraining approaches and sensitivity-guided fine-tuning methods show improved tolerance to weight and activation bit-flips. Other studies explore selective protection or fault-aware quantization [5], as well as hybrid mitigation strategies that adjust model parameters to reduce vulnerability under soft errors [2]. These representative efforts collectively underscore the growing need for reliability-aware design and deployment in safety-critical environments.

Parallel to fault resilience, extensive efforts have been devoted to mitigating adversarial vulnerabilities [6] in DNNs. In this context, adversarial threats primarily refer to test-time evasion attacks, where small, imperceptible perturbations are added to the input data to mislead the model. A large body of work [7] analyzes attack strategies such as the Fast Gradient Sign Method (FGSM) [8] and the Momentum Iterative Method (MIM) [9], as well as corresponding defense mechanisms including adversarial training, gradient masking, and input denoising. Recent advancements in Vision Transformers (ViTs) have improved visual recognition in traffic sign detection for autonomous driving, yet their vulnerability in adversarial environments necessitates a comprehensive review of their weaknesses and robustness enhancement methods, complemented by a detailed tabular comparison [10].

Despite these advancements, most existing studies treat faults and attacks as isolated challenges, overlooking their potential interactions and combined effects. This separation leaves open important questions about how techniques designed to address one vulnerability might affect the other.
Our findings indicate that adversarial fine-tuning can reduce fault tolerance and that fault-aware training does not always preserve adversarial robustness. This observation motivates the need for a unified framework that addresses both forms of resilience while maintaining computational efficiency.

To address this challenge, this paper proposes a unified three-stage framework that sequentially improves both fault and attack resilience, culminating in a quantized, dual-resilient DNN suitable for edge deployment. The key contributions of this paper are summarized as follows:

• Dual-Resilience Analysis: A systematic investigation of the interdependence between fault resilience and attack resilience in DNNs, revealing their asymmetric trade-off characteristics.
• Unified Sequential Framework: A unified resilience-enhancement pipeline that simultaneously strengthens resilience against adversarial perturbations applied to the input and improves tolerance to bit-flip faults in memory, delivering balanced protection across both threat domains.
• Quantized Resilient DNN Output: The framework produces a quantized model that maintains high accuracy while exhibiting enhanced resilience to both hardware faults and adversarial attacks.
• Cross-Architecture Evaluation: Validation on ResNet18, VGG16, EfficientNet, and Swin-Tiny across CIFAR-10 and GTSRB datasets demonstrates the generality of the proposed method across both CNNs and ViTs.

The remainder of this paper is organized as follows. Section II presents the proposed three-stage methodology for enhancing fault and attack resilience. Section III discusses the experimental setup, evaluation metrics, and key results across multiple DNN architectures and datasets. Finally, Section IV concludes the paper.

II. PROPOSED METHODOLOGY

This section introduces RESQ, a unified framework designed to achieve fault- and attack-resilient DNNs.
RESQ integrates complementary resilience-enhancement stages that strengthen the model against adversarial perturbations and memory bit-flip faults. The framework combines adversarial attack resilience, improved using Bit Plane Feature Consistency (BPFC) [11], with fault resilience achieved through fault-aware fine-tuning and post-training protection based on FORTUNE [5]. Unlike prior works that address these vulnerabilities independently, RESQ sequentially couples resilience-enhancing steps to achieve balanced protection without degrading model accuracy. The final output is a quantized DNN that remains resilient against both adversarial input manipulations and hardware-induced faults.

A. Overview

RESQ consists of one preparation stage followed by three resilience-oriented stages (Figure 1). Stage 0 trains a strong baseline model, and Stages 1–3 progressively enhance adversarial resilience, fault tolerance, and memory-level reliability.

[Figure 1: pipeline diagram. Inputs: Pretrained DNN, Dataset. Stage 0: Clean Training with Mixup (Generate Mixup Samples, Fine-tune the model) yields the Clean Pretrained Model. Stage 1: Adversarial Resilience (Implement BPFC-based tuning, Find Critical Layers) yields the BPFC-trained Model. Stage 2: Fault Aware Fine-Tuning (Freeze critical layers, Inject faults during fine-tuning) yields the Fault-Aware Model. Stage 3: Memory Protection (Quantize Model, Implement FORTUNE) yields the Final Resilient DNN.]

Fig. 1: Overview of the RESQ framework. The pipeline sequentially enhances DNN resilience and produces a final model robust to both input perturbations and hardware faults.

1) Stage 0 — Clean Training with Mixup: A clean pretrained model is obtained using mixup augmentation to improve generalization and stabilize later resilience training.
2) Stage 1 — Adversarial Resilience: The network learns to suppress sensitivity to LSB perturbations using BPFC, reducing vulnerability to adversarial attacks that operate on visually imperceptible bit changes.
3) Stage 2 — Fault-Aware Fine-Tuning: Layers most critical for adversarial robustness are frozen, while the remaining layers are fine-tuned under simulated bit-flip faults to improve tolerance to hardware errors.
4) Stage 3 — Memory Protection: The model is quantized using an adaptive bit-width search, and MSBs are protected via triple modular redundancy for reliable deployment.

Throughout this section, $\Theta$ denotes trainable parameters and $f_\theta$ the corresponding model.

B. Stage 0: Clean Training with Mixup

Before adversarial and fault-resilience training stages are applied, an initial clean training phase is conducted to establish a strong baseline model (Algorithm 1, Lines 1–5). During this stage, the network is trained on the clean dataset using data augmentation strategies designed to improve generalization. In particular, the mixup technique is employed, where pairs of training samples $(x_i, y_i)$ and $(x_j, y_j)$ are linearly interpolated to form augmented examples:

$$\tilde{x} = \lambda x_i + (1 - \lambda) x_j, \qquad \tilde{y} = \lambda y_i + (1 - \lambda) y_j,$$

where $\lambda \sim \mathrm{Beta}(\alpha, \alpha)$. The parameter $\alpha$ denotes the mixup hyperparameter that controls the strength of interpolation, while the Beta distribution determines how strongly pairs of samples are blended. Model parameters $\Theta$ are updated using the cross-entropy loss with the predefined learning rate $\eta$.

This augmentation strategy encourages the model to learn smoother decision boundaries and reduces overfitting by exposing it to a broader space of input variations. In this stage, validation is performed to monitor convergence and guide hyperparameter choices such as the learning rate, regularization strength, and batch composition.
Standard validation metrics (e.g., accuracy or validation loss) ensure that the resulting pretrained model exhibits strong generalization before resilience-oriented stages are applied. The output of Stage 0, denoted $\Theta_{\mathrm{clean}}$, serves as the initialization for the subsequent BPFC-based adversarial resilience stage.

Algorithm 1: Integrated Pipeline for Attack- and Fault-Resilient DNN Deployment
Input: Dataset $D$, learning rate $\eta$, mixup parameter $\alpha$, LSB removal factor $k$, fault injection rate $BER$, quantization range $[m, n]$, accuracy threshold $a$, reliability threshold $r$
Output: Final resilient DNN $f_{\theta^*}$

// Stage 0: Clean Training
1: for each minibatch $B$ do
2:   Generate mixup samples $(\tilde{x}, \tilde{y})$
3:   Update $\Theta \leftarrow \Theta - \eta \nabla_\Theta \mathrm{CE}(f_\theta(\tilde{x}), \tilde{y})$
4: end for
5: Obtain $\Theta_{\mathrm{clean}}$
// Stage 1: Adversarial Resilience
6: for each minibatch $B$ do
7:   for each $(x_i, y_i)$ do
8:     $x_i^{pre} = x_i + \mathcal{U}(-2^{k-2}, 2^{k-2})$
9:     $x_i^q = x_i^{pre} - (x_i^{pre} \bmod 2^k)$
10:     Compute BPFC loss
11:   end for
12:   Update $\theta$
13: end for
14: Obtain $\Theta_{\mathrm{BPFC}}$
// Stage 2: Fault-Aware Fine-Tuning
15: Identify critical layers $L_c$ via gradient EMA analysis
16: Freeze parameters of $L_c$
17: for each minibatch $B$ do
18:   Inject bit-flip faults in unfrozen layers at rate $BER$
19:   Update only non-critical layers
20: end for
21: Obtain $\Theta_{\mathrm{FA}}$
// Stage 3: Memory Protection
22: Initialize bit width $b = (m + n)/2$
23: while not converged do
24:   Quantize weights (affine mapping)
25:   Evaluate accuracy and reliability
26:   if accuracy $\geq a$ and reliability $\geq r$ then
27:     Apply MSB triple modular redundancy
28:     break
29:   else
30:     Adjust $b$ via binary search
31:   end if
32: end while
33: return $f_{\theta^*}$

C. Stage 1: Adversarial Resilience

Adversarial perturbations typically exploit imperceptible variations in the Least Significant Bits (LSBs) of input images. Modifying only LSBs keeps the perturbations visually undetectable to humans, whereas altering higher-significance bits would introduce visible artifacts.
To reduce the model's sensitivity to such small but adversarially crafted changes, the BPFC approach [11] encourages the network to rely on more stable, high-magnitude information present in higher bit planes.

In this stage, the model is trained to maintain feature consistency between each original input $x_i$ and a quantized version $x_i^q$ obtained after removing $k$ LSBs (Algorithm 1, Lines 6–14). Before bit-plane removal, a small amount of uniform noise is added,

$$x_i^{pre} = x_i + \mathcal{U}(-2^{k-2}, 2^{k-2}),$$

to prevent degenerate solutions and encourage resilience across local neighborhoods of the input space. The quantized variant is then computed as

$$x_i^q = x_i^{pre} - (x_i^{pre} \bmod 2^k),$$

which eliminates the lowest $k$ bits of each pixel. To enforce invariance between $x_i$ and $x_i^q$, training minimizes the BPFC loss:

$$L_{BPFC} = \mathrm{CE}(f_\theta(x_i), y_i) + \lambda \lVert g(x_i) - g(x_i^q) \rVert_2^2,$$

where $\lambda$ controls the strength of the feature-consistency regularization, $g(\cdot)$ denotes the pre-softmax activations, and CE is the cross-entropy loss. This regularizer reduces the model's local Lipschitz constant, leading to smoother decision boundaries and substantially improved resistance to adversarial perturbations. The updated parameters are obtained using the learning rate $\eta$, and the resulting model $\Theta_{\mathrm{BPFC}}$ serves as the initialization for the subsequent fault-resilience stage.

D. Stage 2: Fault-Aware Fine-Tuning

Adversarial and fault-resilience objectives can interfere with each other when trained simultaneously. In particular, injecting weight perturbations during fault-aware training may degrade the feature invariances learned during BPFC. To prevent this conflict, Stage 2 employs a selective layer-freezing strategy that protects the most influential layers—those essential for adversarial robustness—while allowing controlled adaptation in less sensitive parts of the network.
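The Stage 1 pre-processing and loss from Section II-C can be sketched as follows. This is an added example, not code from the paper or from the BPFC authors; the toy linear scorer standing in for $g(\cdot)$, the sample pixel values and all function names are assumptions made for illustration.

```python
import math
import random


def bpfc_quantize(pixels, k, rng=None):
    """x_q = x_pre - (x_pre mod 2^k), with x_pre = x + U(-2^(k-2), 2^(k-2)).

    Passing rng=None skips the noise so the pure bit-plane removal is visible.
    """
    step = 2 ** k
    half = 2 ** (k - 2)
    out = []
    for x in pixels:
        noise = rng.uniform(-half, half) if rng is not None else 0.0
        x_pre = x + noise
        # For a positive modulus Python's % is non-negative, so this floors
        # x_pre to the next lower multiple of 2^k (drops the k lowest bits).
        out.append(x_pre - (x_pre % step))
    return out


def logits(weights, bias, x):
    """g(x): pre-softmax activations of a toy linear model (assumption)."""
    return [sum(w * v for w, v in zip(row, x)) + b
            for row, b in zip(weights, bias)]


def cross_entropy(z, label):
    """CE of softmax(z) against an integer label, computed stably."""
    m = max(z)
    log_sum = m + math.log(sum(math.exp(v - m) for v in z))
    return log_sum - z[label]


def bpfc_loss(weights, bias, x, label, k, lam, rng):
    """Returns (L_BPFC, consistency) with consistency = ||g(x) - g(x_q)||_2^2."""
    x_q = bpfc_quantize(x, k, rng)
    g_x = logits(weights, bias, x)
    g_q = logits(weights, bias, x_q)
    consistency = sum((a - b) ** 2 for a, b in zip(g_x, g_q))
    return cross_entropy(g_x, label) + lam * consistency, consistency


# Constructed 8-bit pixel values; the second list differs from the first
# only in the 4 least significant bits of each pixel.
X = [200, 37, 90, 143]
X_LSB_PERTURBED = [207, 33, 95, 128]
# Constructed weights and bias for a 2-class toy model.
W = [[0.010, -0.020, 0.015, 0.005], [-0.005, 0.010, -0.010, 0.020]]
B = [0.1, -0.1]

if __name__ == "__main__":
    print("x_q (no noise):", bpfc_quantize(X, 4))
    print("perturbed x_q :", bpfc_quantize(X_LSB_PERTURBED, 4))
    loss, cons = bpfc_loss(W, B, X, 1, 4, 0.5, random.Random(7))
    print("L_BPFC = %.4f, consistency = %.6f" % (loss, cons))
```

Without the noise term, both pixel lists collapse to the same $x^q$, which is why the consistency term pushes $g(\cdot)$ to ignore the $k$ low bit planes; because the toy $g$ is linear, the penalty grows with the square of the weight scale.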
1) Identification of Critical Layers: Critical layers are identified using a sensitivity analysis performed on the BPFC-trained model $\theta_{\mathrm{BPFC}}$ (Algorithm 1, Line 15). During the final iterations of Stage 1, the gradient norms of each layer are monitored to estimate their relative importance. Layers whose parameters consistently exhibit large gradients contribute more strongly to the loss landscape and are therefore considered essential for maintaining adversarial resilience.

To obtain stable estimates, an Exponential Moving Average (EMA) of gradient norms is maintained for each layer. For a layer $l$, the EMA at iteration $t$ is computed as:

$$\mathrm{EMA}_l^{(t)} = \beta \lVert \nabla_{\theta_l} L^{(t)} \rVert_2 + (1 - \beta)\, \mathrm{EMA}_l^{(t-1)},$$

where $\beta \in (0, 1)$ is a smoothing factor (distinct from the mixup parameter used in Stage 0), and $\lVert \nabla_{\theta_l} L^{(t)} \rVert_2$ is the $\ell_2$-norm of the gradient of the loss with respect to layer $l$ at iteration $t$. A threshold is applied to these importance scores to classify layers as critical. Layers whose normalized EMA scores exceed this threshold form the set of protected layers $L_c$.

2) Fault-Aware Fine-Tuning: After identifying the critical layers, their parameters are frozen during Stage 2 (Algorithm 1, Line 16). Freezing means that the weights of these layers are excluded from gradient updates: they remain fixed throughout fault-aware fine-tuning. This preserves the BPFC-induced invariances that are crucial for adversarial robustness.

For all unfrozen (non-critical) layers, random bit-flip faults are injected during forward passes at a predefined Bit Error Rate (BER) (Algorithm 1, Lines 17–21). The BER determines the expected fraction of bits in the weight representation that are flipped. For a weight $w_i$, the injected fault is modeled as

$$\hat{w}_i = w_i \oplus B(BER),$$

where $B(BER)$ is a Bernoulli-distributed random bit mask with parameter $BER$, and $\oplus$ denotes a bitwise XOR operation.
Training optimizes a composite loss that encourages both correct classification and robustness to weight faults:

$$L_{\mathrm{fault}} = L_{\mathrm{CE}}(f(W, x), y) + \lambda\, \mathbb{E}_{\hat{W}}\left[ \lVert f(W, x) - f(\hat{W}, x) \rVert_2^2 \right],$$

where $f(W, x)$ is the network output under nominal weights (i.e., the clean, fault-free parameters), and $f(\hat{W}, x)$ is the output under fault-injected weights. The expectation operator $\mathbb{E}_{\hat{W}}[\cdot]$ denotes averaging over multiple random fault realizations. The second term penalizes deviations caused by bit flips, encouraging the non-critical layers to absorb fault resilience without disturbing the preserved adversarially robust layers.

E. Stage 3: Memory Protection

The final stage applies a modified version of FORTUNE [5] to quantize and harden the model weights for reliable deployment. The algorithm performs a search over the quantization bit width $b$ (Algorithm 1, Lines 22–33), which is initialized using the midpoint of the user-defined quantization range $[m, n]$. For each candidate bit width, the weights are quantized using an affine linear mapping:

$$q_i = \mathrm{round}\left( \frac{x_i - x_{\min}}{s} \right), \qquad s = \frac{x_{\max} - x_{\min}}{2^b - 1},$$

where $s$ is the quantization scale. This mapping produces an unsigned integer representation in which all weights are non-negative, effectively eliminating the sign bit and improving resilience to bit-flip faults.

To enhance robustness further, the most significant bits (MSBs) of the quantized weights are protected using a triple modular redundancy (TMR) mechanism. For each weight element $i$, the protected MSB is replicated three times, forming copies $\{b_{i1}, b_{i2}, b_{i3}\}$. During inference, the MSB is reconstructed via majority voting:

$$\tilde{b}_i = \mathrm{mode}(b_{i1}, b_{i2}, b_{i3}) = \begin{cases} 1, & \text{if } b_{i1} + b_{i2} + b_{i3} \geq 2, \\ 0, & \text{otherwise.} \end{cases}$$

Here $\mathrm{mode}(\cdot)$ denotes majority voting, and the number of protected bits $n_{\mathrm{MSB}}$ is a configurable parameter that allows trading memory overhead for reliability.
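The Stage 2 fault model $\hat{w}_i = w_i \oplus B(BER)$ and the Stage 3 affine quantization with MSB majority voting can be exercised together on one weight vector, as in the added example below. It is not the paper's or FORTUNE's code; the Gaussian sample weights, the choice of a single protected MSB, storing the two extra replicas in the same fault-prone memory, and all function names are assumptions.

```python
import random


def quantize(weights, b):
    """Affine mapping to unsigned b-bit codes: q = round((x - x_min) / s)."""
    x_min, x_max = min(weights), max(weights)
    if x_max == x_min:
        raise ValueError("constant tensor: the scale s would be zero")
    s = (x_max - x_min) / (2 ** b - 1)
    return [round((x - x_min) / s) for x in weights], s, x_min


def dequantize(codes, s, x_min):
    return [q * s + x_min for q in codes]


def bernoulli_mask(n_bits, ber, rng):
    """B(BER): each of n_bits is set independently with probability ber."""
    mask = 0
    for i in range(n_bits):
        if rng.random() < ber:
            mask |= 1 << i
    return mask


def majority(b1, b2, b3):
    """mode(b1, b2, b3): 1 if at least two replicas are 1, else 0."""
    return 1 if b1 + b2 + b3 >= 2 else 0


def simulate(weights, b=8, ber=0.01, seed=0):
    """Flip stored bits at rate ber; compare plain codes with MSB-TMR codes."""
    rng = random.Random(seed)
    codes, s, x_min = quantize(weights, b)
    msb = b - 1
    plain, protected = [], []
    plain_bad = tmr_bad = 0
    for q in codes:
        # Stored word: b code bits plus 2 extra MSB replicas, all exposed.
        mask = bernoulli_mask(b + 2, ber, rng)
        faulty = q ^ (mask & ((1 << b) - 1))      # w_hat = w XOR B(BER)
        true_msb = (q >> msb) & 1
        r1 = (faulty >> msb) & 1                  # replica inside the code
        r2 = true_msb ^ ((mask >> b) & 1)         # first extra replica
        r3 = true_msb ^ ((mask >> (b + 1)) & 1)   # second extra replica
        voted = majority(r1, r2, r3)
        plain.append(faulty)
        protected.append((faulty & ~(1 << msb)) | (voted << msb))
        plain_bad += r1 != true_msb
        tmr_bad += voted != true_msb
    reference = dequantize(codes, s, x_min)

    def mean_abs_err(faulty_codes):
        got = dequantize(faulty_codes, s, x_min)
        return sum(abs(g - r) for g, r in zip(got, reference)) / len(reference)

    return {
        "plain_msb_errors": plain_bad,
        "tmr_msb_errors": tmr_bad,
        "plain_mean_abs_err": mean_abs_err(plain),
        "tmr_mean_abs_err": mean_abs_err(protected),
    }


# Constructed sample weights (assumption): 5000 draws from N(0, 0.05^2).
_rng = random.Random(1)
WEIGHTS = [_rng.gauss(0.0, 0.05) for _ in range(5000)]

if __name__ == "__main__":
    for name, value in simulate(WEIGHTS).items():
        print(name, value)
```

Both variants see the same fault mask on the code bits, so the gap in mean error comes only from the voted MSB; a wrong MSB shifts a weight by about half the quantization range, which is why it is the bit worth replicating.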
The algorithm evaluates, for each bit width, both model accuracy and fault tolerance under simulated bit-flip errors. Two thresholds are used for this search: (i) an accuracy requirement $a$ and (ii) a reliability requirement $r$ (Algorithm 1, Lines 26–28). If both criteria are satisfied, TMR protection is applied and the search terminates; otherwise, the bit width $b$ is adjusted via binary search. The term "not converged" refers to the iterative search over $b$ until a configuration meeting both thresholds is found.

Through this combination of quantization, sign-bit elimination, and MSB redundancy, the final model $f_{\theta^*}$ achieves strong tolerance against memory faults while preserving the adversarial robustness and clean accuracy obtained in earlier stages.

III. EXPERIMENTAL RESULTS AND DISCUSSION

A. Experimental Setup

Four representative neural network architectures are employed to validate the generality of the proposed approach: ResNet-18, VGG-11, EfficientNet-B0, and Swin-Tiny. ResNet-18 incorporates residual connections to mitigate vanishing gradient issues; VGG-11 adopts a uniform convolutional structure with 3 × 3 filters; EfficientNet-B0 leverages compound scaling for optimized depth-width-resolution balance; and Swin-Tiny represents a hierarchical Vision Transformer model with shifted window self-attention. These architectures collectively enable comprehensive evaluation across both CNN- and ViT-based designs. All experiments are conducted on a computing system equipped with an NVIDIA GeForce GTX 1050 Ti GPU.

Three benchmark datasets are utilized for evaluation: CIFAR-10, CIFAR-100, and the German Traffic Sign Recognition Benchmark (GTSRB). The CIFAR-10 dataset comprises 60,000 color images of size 32 × 32 distributed across 10 classes, whereas CIFAR-100 extends this benchmark to 100 fine-grained classes.
The GTSRB dataset, containing over 50,000 images from 43 traffic sign categories, is selected to assess the framework's applicability to safety-critical perception tasks, such as those encountered in autonomous driving.

Table I summarizes the baseline accuracies of the original pretrained models and the improvements obtained at each stage of the proposed unified framework—namely, (i) adversarial fine-tuning (BPFC stage), (ii) fault-aware fine-tuning (FA stage), and (iii) quantization with FORTUNE-based reliability enhancement (Q-FA stage). The results demonstrate that the proposed pipeline maintains competitive clean accuracy while progressively enhancing both attack and fault resilience.

TABLE I: Baseline and Stage-Wise Accuracy (%) of RESQ across Architectures and Datasets

| Model | Dataset | Baseline | BPFC Stage | FA Stage | Q-FA Stage |
|---|---|---|---|---|---|
| ResNet-18 | CIFAR-10 | 92.82 | 92.13 | 91.34 | 91.69 |
| VGG-11 | CIFAR-10 | 90.44 | 90.05 | 89.26 | 89.83 |
| EfficientNet-B0 | GTSRB | 99.89 | 99.73 | 99.05 | 96.40 |
| Swin-Tiny | CIFAR-100 | 85.30 | 81.39 | 78.20 | 73.12 |

B. Layer-Wise Criticality Analysis

Figure 2 presents the results of the critical layer identification procedure. Due to space limitations, only the ResNet model is shown as a representative example. The figure illustrates that the most critical layers—identified via EMA of gradient norms—are predominantly located in the early residual blocks. These initial blocks form the core feature-extraction pathway and play a major role in preserving the adversarial invariances learned during BPFC.

Because of their elevated criticality scores, these early-stage layers are frozen during the fault-aware fine-tuning phase. This ensures that their adversarially resilient representations remain intact, while fault resilience is learned primarily in the non-critical layers. Consequently, the model adapts to bit-flip faults without disrupting the sensitive, robustness-preserving components of the network.
[Figure 2: plot of Score per Layer. Layers shown: layer1.0.bn1, layer1.0.bn2, bn1, conv1, layer1.1.bn1, layer1.1.bn2, layer2.0.bn1, layer2.0.bn2, layer2.0.downsample.1, layer2.1.bn1.]

Fig. 2: Top ten critical layers for ResNet-18 via EMA-based gradient norms.

Following the layer-wise criticality analysis, Figure 3 further illustrates how each training stage affects model resilience, shown here for ResNet-18 as a representative example. The figure contains two subplots comparing the baseline, BPFC-trained, and fault-aware trained (FA) models.

Figure 3(a) reports accuracy under injected bit-flip faults. The BPFC model exhibits the lowest fault tolerance, reflecting the trade-off where enhancing adversarial resilience increases sensitivity to weight perturbations. Fault-aware fine-tuning mitigates this effect: although the FA model does not fully recover the baseline's fault resilience, it significantly improves over BPFC.

Figure 3(b) evaluates resilience against FGSM attacks across multiple $\epsilon$ values. Here, BPFC already provides substantial resilience gains compared to the baseline, and the FA model further strengthens this adversarial resilience. This outcome highlights the Asymmetric Resilience Observation: while BPFC improves attack resilience at the cost of fault tolerance, fault-aware training simultaneously enhances both dimensions by protecting critical layers and adapting the remaining ones to faults. Overall, the combined results demonstrate that RESQ progressively balances and strengthens both fault and attack resilience across stages.

[Figure 3: two panels plotting Accuracy (%) for the Baseline, BPFC and FA models: (a) Fault Resilience, against BER; (b) Attack Resilience, against Epsilon.]

Fig. 3: Impact of training stages on resilience of ResNet-18

C. Evaluation on Adversarial Resilience

The final quantized fault- and attack-resilient models (Q-FA models) are compared against corresponding quantized original baselines under multiple adversarial settings, including FGSM, IFGSM, PGD, BIM, and MIM attacks.

Due to differences in model architectures and their intrinsic resilience to adversarial perturbations, different perturbation magnitudes $\epsilon$ are used for evaluation: $\epsilon = 0.1$ for VGG11 and ResNet18, $\epsilon = 0.001$ for EfficientNet, and $\epsilon = 0.0005$ for Swin-Tiny. Larger $\epsilon$ values are suitable for less resilient models like VGG11 and ResNet18, while more robust architectures such as EfficientNet and Swin-Tiny require smaller perturbations to effectively evaluate adversarial resilience. Table II summarizes the adversarial resilience of all models under the respective perturbation settings.

TABLE II: Adversarial Resilience of Models with Different Perturbation Magnitudes

| Model | Clean | FGSM | IFGSM | PGD | BIM | MIM | $\epsilon$ |
|---|---|---|---|---|---|---|---|
| VGG11 | 89.83 | 36.92 | 10.22 | 12.28 | 10.90 | 16.33 | 0.1 |
| Q-FA-VGG11 | 90.02 | 50.94 | 24.52 | 27.57 | 25.57 | 30.77 | 0.1 |
| ResNet18 | 91.69 | 41.95 | 10.52 | 12.68 | 11.06 | 17.43 | 0.1 |
| Q-FA-ResNet18 | 92.82 | 52.30 | 30.45 | 31.01 | 30.86 | 34.80 | 0.1 |
| EfficientNet | 96.40 | 58.39 | 51.47 | 46.57 | 51.65 | 54.44 | 0.001 |
| Q-FA-EfficientNet | 97.80 | 86.35 | 84.97 | 83.55 | 85.01 | 85.57 | 0.001 |
| Swin-Tiny | 72.07 | 33.80 | 30.65 | 28.03 | 30.42 | 32.02 | 0.0005 |
| Q-FA-SwinTiny | 73.74 | 35.29 | 31.05 | 27.52 | 31.07 | 32.97 | 0.0005 |

The results show that the Q-FA models consistently improve adversarial resilience compared to the corresponding baseline models. For the less resilient architectures, VGG11 and ResNet18, which are evaluated with a larger perturbation $\epsilon = 0.1$, the improvements are substantial across all attack types, particularly FGSM, IFGSM, and MIM attacks. EfficientNet, evaluated with a smaller perturbation $\epsilon = 0.001$ due to its higher intrinsic resilience, also benefits greatly from Q-FA quantization, achieving significant accuracy gains under all attacks.
Swin-Tiny, evaluated with the smallest perturbation $\epsilon = 0.0005$, shows moderate improvements, particularly for PGD and MIM attacks, although the gains are less pronounced compared to the other architectures. These results demonstrate that the proposed Q-FA approach effectively enhances adversarial resilience while accounting for differences in architecture sensitivity and inherent robustness.

D. Evaluation on Fault Resilience

To evaluate fault tolerance, random bit-flip injections are applied to model weights at varying BERs, and the resulting classification accuracy quantifies model reliability.

Different BER ranges are selected based on the structural characteristics and inherent resilience of each architecture. Models such as VGG11 and EfficientNet exhibit lower natural tolerance to bit errors; therefore, smaller BER ranges are used to clearly capture their degradation patterns. In contrast, ResNet18 and Swin-Tiny are more resilient to weight perturbations, so higher BER ranges are required to meaningfully expose their resilience behavior. These architecture-specific BER settings ensure that differences in fault tolerance are clearly observable and comparable across models. Table III summarizes the reliability scores for all models under the respective BER settings.

TABLE III: Fault Resilience of Models under Varying BERs

| Model | BER 1 | BER 2 | BER 3 |
|---|---|---|---|
| Q-FA-VGG11 | 91.21 | 49.97 | 13.95 |
| VGG11 | 89.83 | 49.22 | 10.01 |
| Q-FA-ResNet18 | 91.52 | 90.58 | 74.71 |
| ResNet18 | 79.05 | 18.92 | 9.99 |
| Q-FA-EfficientNet | 96.15 | 95.57 | 93.68 |
| EfficientNet | 89.14 | 87.31 | 86.17 |
| Q-FA-SwinTiny | 72.62 | 68.56 | 62.46 |
| SwinTiny | 71.90 | 65.90 | 44.50 |

The results show that the Q-FA models consistently improve fault resilience across all evaluated BERs. For VGG11, which is evaluated at low BERs, the Q-FA variant maintains slightly higher accuracy than the baseline under all bit-flip rates, indicating enhanced reliability.
ResNet18, evaluated at higher BERs, shows substantial improvements with Q-FA, especially at the highest BER of 0.01, where the accuracy increases from 9.99% to 74.71%. EfficientNet exhibits strong fault tolerance even at higher BERs, and the Q-FA model further enhances this resilience. Swin-Tiny, which is moderately resilient, shows notable improvements under the highest BERs, particularly improving reliability from 44.50% to 62.46% at BER = 0.005.

These results confirm that the proposed fault- and attack-resilient quantization strategy effectively strengthens fault tolerance while accounting for architecture-specific sensitivity to bit errors. Following fault-aware fine-tuning, fault resilience is restored compared to pre-BPFC levels, and the subsequent FORTUNE quantization stage further enhances reliability by promoting redundancy in critical bits.

IV. CONCLUSION

This work proposes a unified three-stage framework that produces a quantized DNN with balanced fault and attack robustness. Experiments on ResNet18, VGG16, EfficientNet, and Swin-Tiny in CIFAR-10, CIFAR-100, and GTSRB show consistent gains of up to 10.35% in attack resilience and 12.47% in fault resilience, without sacrificing clean and fault-free accuracy. Results also highlight a key asymmetric behavior that adversarial tuning slightly reduces fault resilience, while fault-aware fine-tuning restores and often enhances both resilience dimensions.

V. ACKNOWLEDGMENTS

This work was supported in part by the Estonian Research Council grant PUT PRG1467 "CRASHLESS", EU Grant Project 101160182 "TAICHIP", by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) – Project-ID "458578717", and by the Federal Ministry of Research, Technology and Space of Germany (BMFTR) for supporting Edge-Cloud AI for DIstributed Sensing and COmputing (AI-DISCO) project (Project-ID "16ME1127").

REFERENCES

[1] S. Y. Khamaiseh, D. Bagagem, A. Al-Alaj, M. Mancino, and H. W. Alomari, "Adversarial deep learning: A survey on adversarial attacks and defense mechanisms on image classification," IEEE Access, vol. 10, pp. 102 266–102 291, 2022.
[2] S. Mittal, "A survey on modeling and improving reliability of dnn algorithms and accelerators," Journal of Systems Architecture, vol. 104, p. 101689, 2020.
[3] B. Rokh, A. Azarpeyvand, and A. Khanteymoori, "A comprehensive survey on model quantization for deep neural networks in image classification," ACM Transactions on Intelligent Systems and Technology, vol. 14, no. 6, pp. 1–50, 2023.
[4] V. Sze, Y.-H. Chen, T.-J. Yang, and J. S. Emer, "Efficient processing of deep neural networks: A tutorial and survey," Proceedings of the IEEE, vol. 105, no. 12, pp. 2295–2329, 2017.
[5] S. Nazari, M. Taheri, A. Azarpeyvand, M. Afsharchi, T. Ghasempouri, C. Herglotz, M. Daneshtalab, and M. Jenihhin, "Fortune: A negative memory overhead hardware-agnostic fault tolerance technique in dnns," in 2024 IEEE 33rd Asian Test Symposium (ATS). IEEE, 2024, pp. 1–6.
[6] M. Rahman, P. Roy, S. Frizell, and L. Qian, "Evaluating pretrained deep learning models for image classification against individual and ensemble adversarial attacks," IEEE Access, 2025.
[7] C. Eleftheriadis, A. Symeonidis, and P. Katsaros, "Adversarial robustness improvement for deep neural networks," Machine Vision and Applications, vol. 35, no. 3, p. 35, 2024.
[8] W. Villegas-Ch, A. Jaramillo-Alcázar, and S. Luján-Mora, "Evaluating the robustness of deep learning models against adversarial attacks: An analysis with fgsm, pgd and cw," Big Data and Cognitive Computing, vol. 8, no. 1, p. 8, 2024.
[9] Y. Li, B. Xie, S. Guo, Y. Yang, and B. Xiao, "A survey of robustness and safety of 2d and 3d deep learning models against adversarial attacks," ACM Computing Surveys, vol. 56, no. 6, pp. 1–37, 2024.
[10] O. Fawole and D. Rawat, "Recent advances in vision transformer robustness against adversarial attacks in traffic sign detection and recognition: A survey," ACM Computing Surveys, vol. 57, no. 10, pp. 1–33, 2025.
[11] S. Addepalli, V. BS, A. Baburaj, G. Sriramanan, and R. V. Babu, "Towards achieving adversarial robustness by enforcing feature consistency across bit planes," in Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2020, pp. 1020–1029.
