A backdoor attack against quantum neural networks with limited information

doi:10.1088/1674-1056/acd8ab

中国物理B ›› 2023, Vol. 32 ›› Issue (10): 100306-100306.doi: 10.1088/1674-1056/acd8ab

A backdoor attack against quantum neural networks with limited information

Chen-Yi Huang(黄晨猗)^1,2 and Shi-Bin Zhang(张仕斌)^1,2,†

1 College of Cyberspace Security, Chengdu University of Information Technology, Chengdu 610225, China;
2 Advanced Cryptography and System Security Key Laboratory of Sichuan Province, Chengdu 610225, China

收稿日期:2023-02-14 修回日期:2023-05-17 接受日期:2023-05-25 出版日期:2023-09-21 发布日期:2023-10-09
通讯作者: Shi-Bin Zhang E-mail:cuitzsb@cuit.edu.cn
基金资助:
This work was supported by the National Natural Science Foundation of China (Grant No. 62076042), the National Key Research and Development Plan of China, Key Project of Cyberspace Security Governance (Grant No. 2022YFB3103103), the Key Research and Development Project of Sichuan Province (Grant Nos. 2022YFS0571, 2021YFSY0012, 2021YFG0332, and 2020YFG0307).

A backdoor attack against quantum neural networks with limited information

Chen-Yi Huang(黄晨猗)^1,2 and Shi-Bin Zhang(张仕斌)^1,2,†

1 College of Cyberspace Security, Chengdu University of Information Technology, Chengdu 610225, China;
2 Advanced Cryptography and System Security Key Laboratory of Sichuan Province, Chengdu 610225, China

Received:2023-02-14 Revised:2023-05-17 Accepted:2023-05-25 Online:2023-09-21 Published:2023-10-09
Contact: Shi-Bin Zhang E-mail:cuitzsb@cuit.edu.cn
Supported by:
This work was supported by the National Natural Science Foundation of China (Grant No. 62076042), the National Key Research and Development Plan of China, Key Project of Cyberspace Security Governance (Grant No. 2022YFB3103103), the Key Research and Development Project of Sichuan Province (Grant Nos. 2022YFS0571, 2021YFSY0012, 2021YFG0332, and 2020YFG0307).

摘要/Abstract

摘要： Backdoor attacks are emerging security threats to deep neural networks. In these attacks, adversaries manipulate the network by constructing training samples embedded with backdoor triggers. The backdoored model performs as expected on clean test samples but consistently misclassifies samples containing the backdoor trigger as a specific target label. While quantum neural networks (QNNs) have shown promise in surpassing their classical counterparts in certain machine learning tasks, they are also susceptible to backdoor attacks. However, current attacks on QNNs are constrained by the adversary's understanding of the model structure and specific encoding methods. Given the diversity of encoding methods and model structures in QNNs, the effectiveness of such backdoor attacks remains uncertain. In this paper, we propose an algorithm that leverages dataset-based optimization to initiate backdoor attacks. A malicious adversary can embed backdoor triggers into a QNN model by poisoning only a small portion of the data. The victim QNN maintains high accuracy on clean test samples without the trigger but outputs the target label set by the adversary when predicting samples with the trigger. Furthermore, our proposed attack cannot be easily resisted by existing backdoor detection methods.

关键词: backdoor attack, quantum artificial intelligence security, quantum neural network, variational quantum circuit

Abstract: Backdoor attacks are emerging security threats to deep neural networks. In these attacks, adversaries manipulate the network by constructing training samples embedded with backdoor triggers. The backdoored model performs as expected on clean test samples but consistently misclassifies samples containing the backdoor trigger as a specific target label. While quantum neural networks (QNNs) have shown promise in surpassing their classical counterparts in certain machine learning tasks, they are also susceptible to backdoor attacks. However, current attacks on QNNs are constrained by the adversary's understanding of the model structure and specific encoding methods. Given the diversity of encoding methods and model structures in QNNs, the effectiveness of such backdoor attacks remains uncertain. In this paper, we propose an algorithm that leverages dataset-based optimization to initiate backdoor attacks. A malicious adversary can embed backdoor triggers into a QNN model by poisoning only a small portion of the data. The victim QNN maintains high accuracy on clean test samples without the trigger but outputs the target label set by the adversary when predicting samples with the trigger. Furthermore, our proposed attack cannot be easily resisted by existing backdoor detection methods.

Key words: backdoor attack, quantum artificial intelligence security, quantum neural network, variational quantum circuit

中图分类号: (Quantum information)

03.67.-a

03.67.Lx (Quantum computation architectures and implementations) 03.67.Ac (Quantum algorithms, protocols, and simulations)

Chen-Yi Huang(黄晨猗) and Shi-Bin Zhang(张仕斌). A backdoor attack against quantum neural networks with limited information[J]. 中国物理B, 2023, 32(10): 100306-100306.

Chen-Yi Huang(黄晨猗) and Shi-Bin Zhang(张仕斌). A backdoor attack against quantum neural networks with limited information[J]. Chin. Phys. B, 2023, 32(10): 100306-100306.

参考文献

[1] Krizhevsky A, Sutskever I and Hinton G 2017 Commun. ACM 60 84
[2] Graves A, Mohamed A R and Hinton G 2013 2013 IEEE International Conference on Acoustics, Speech and Signal Processing, May 26-30, 2013, Vancouver, BC, Canada, p. 6645
[3] Dunjko V and Briegel H J 2018 Rep. Prog. Phys. 81 074001
[4] Li W and Deng D L 2022 Sci. China Phys. Mech. Astron. 65 220301
[5] Preskill J 2018 Quantum 2 79
[6] Cerezo M, Arrasmith A, Babbush R, Benjamin S C, Endo S, Fujii K, McClean J R, Mitarai K, Cincio L and Coles P J 2021 Natl. Rev. Phys. 3 625
[7] Schuld M, Bocharov A, Svore K M and Wiebe N 2020 Phys. Rev. A 101 032308
[8] Grant E, Benedetti M, Cao S, Hallam A, Lockhart J, Stojevic V, Green A G and Severini S 2018 npj Quantum Inf. 4 65
[9] Dallaire-Demers P L and Killoran N 2018 Phys. Rev. A 98 012324
[10] Zoufal C, Lucchi A and Woerner S 2019 npj Quantum Inf. 5 103
[11] Morales M E, Tlyachev T and Biamonte J 2018 Phys. Rev. A 98 062333
[12] Lu S, Duan L M and Deng D L 2020 Phys. Rev. Res. 2 033212
[13] Gong W and Deng D L 2022 Natl. Sci. Rev. 9 130
[14] Liu N and Wittek P 2020 Phys. Rev. A 101 062331
[15] Liao H, Convy I, Huggins W J and Whaley K B 2021 Phys. Rev. A 103 042427
[16] Ren W, Li W, Xu S, et al. 2022 Nat. Comput. Sci. 2 711
[17] Weber M, Liu N, Li B, Zhang C and Zhao Z 2021 npj Quantum Inf. 7 76
[18] Guan J, Fang W and Ying M 2020 arXiv:2008.07230 [quant-ph]
[19] Du Y, Hsieh M H, Liu T, Tao D and Liu N 2021 Phys. Rev. Res. 3 023153
[20] Szegedy C, Zaremba W, Sutskever I, Bruna J, Erhan D, Goodfellow I and Fergus R 2013 arXiv:1312.6199 [cs.CV]
[21] Goodfellow I J, Shlens J and Szegedy C 2014 arXiv:1412.6572 [stat.ML]
[22] Muñoz-González L, Biggio Battista, Demontis A, Paudice A, Wongrassamee V, Lupu E C and Roli F 2017 Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, Dallas, Texas, USA, p. 27
[23] Shafahi A, Huang W R, Najibi M, Suciu O, Studer C, Dumitras T and Goldstein T 2018 Advances in Neural Information Processing Systems, December 2018, Montreal, Canada, p. 139
[24] Gu T, Dolan-Gavitt B and Garg S 2017 arXiv:1708.06733 [cs.CR]
[25] Chen S Y C and Yoo S 2021 Entropy 23 460
[26] Turner A, Tsipras D and Madry A 2019 arXiv:1912.02771 [stat.ML]
[27] Chu C, Jiang L, Swany M and Chen F 2023 arXiv:2302.08090 [quant-ph]
[28] Zhao S, Ma X, Bailey J, Chen J and Jiang Y G 2020 Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, June 2020, Seattle, United States, p. 14443
[29] Zhang Q, Ding Y F, Tian Y Q, Guo J M, Yuan M and Jiang Y 2021 Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis, July 2021, New York, NY, USA, p. 127
[30] Tran B, Li J and Madry A 2018 Advances in Neural Information Processing Systems, Montreal, Quebec, Canada, p. 8011
[31] Chen B, Carvalho W, Baracaldo N, Ludwig H, Edwards B, Lee T, Molloy L and Srivastava B 2018 arXiv:1811.03728 [cs.LG]
[32] Farhi E and Neven H 2018 arXiv:1802.06002 [quant-ph]
[33] LaRose R and Coyle B 2020 Phys. Rev. A 102 032420
[34] Hornik K, Stinchcombe M and White H 1989 Neural Netw. 2 359
[35] Moosavi-Dezfooli S M, Fawzi A, Fawzi O and Frossard P 2017 Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, July 2017, Hawaii, USA, p. 86
[36] Makarov V, Bourgoin J P, Chaiwongkhot P, Gagné M, Jennewein T, Kaiser S, Kashyap R, Legré M, Minshull C and Sajeed S 2016 Phys. Rev. A 94 030302
[37] Weng C H, Lee Y and Wu S H 2020 Advances in Neural Information Processing Systems, 2020, p. 11973
[38] Liu Y, Lee W C, Tao G, Ma S, Aafer Y and Zhang X 2019 Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, November 11-15, 2019, London, United Kingdom, p. 1265
[39] Rakin A S, He Z and Fan D 2020 Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, June 2020, Seattle, United States, p. 13198
[40] Liu Y, Chen X, Liu C and Song D 2016 arXiv:1611.02770 [cs.LG]
[41] Zhang H, Cisse M, Dauphin Y N and Lopez-Paz D 2017 arXiv:1710.09412 [cs.LG]
[42] Zadeh LA 1965 Inf. Control 8 338
[43] LeCun Y 1998 THE MNIST DATABASE of handwritten digits
[44] Madry A, Makelov A, Schmidt L, Tsipras D and Vladu A 2019 arXiv:1706.06083 [stat.ML]
[45] Mitarai K, Negoro M, Kitagawa M and Fujii K 2018 Phys. Rev. A 98 032309
[46] Cong I, Choi S and Lukin M D 2019 Nat. Phys. 15 1273
[47] Kingma D P and Ba J 2014 arXiv:1412.6980 [cs.LG]
[48] Schuld M, Bergholm V, Gogolin C, Izaac J and Killoran N 2019 Phys. Rev. A 99 032331
[49] Bergholm V, Izaac J, Schuld M, et al. 2018 arXiv:1811.04968 [quant-ph]
[50] Abadi M 2016 Proceedings of the 21st ACM SIGPLAN International Conference on Functional Programming, September 2016, Nara, Japan, p. 1

A backdoor attack against quantum neural networks with limited information

A backdoor attack against quantum neural networks with limited information

RichHTML

PDF (PC)

赞

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 1

Metrics

本文评价

推荐阅读 0