Chinese Physics B ›› 2023, Vol. 32 ›› Issue (10): 100306-100306. doi: 10.1088/1674-1056/acd8ab

A backdoor attack against quantum neural networks with limited information

Chen-Yi Huang(黄晨猗)1,2 and Shi-Bin Zhang(张仕斌)1,2,†   

  1. College of Cyberspace Security, Chengdu University of Information Technology, Chengdu 610225, China;
  2. Advanced Cryptography and System Security Key Laboratory of Sichuan Province, Chengdu 610225, China
  • Received: 2023-02-14 Revised: 2023-05-17 Accepted: 2023-05-25 Online: 2023-09-21 Published: 2023-10-09
  • Contact: Shi-Bin Zhang E-mail: cuitzsb@cuit.edu.cn
  • Supported by:
    This work was supported by the National Natural Science Foundation of China (Grant No. 62076042), the National Key Research and Development Plan of China, Key Project of Cyberspace Security Governance (Grant No. 2022YFB3103103), the Key Research and Development Project of Sichuan Province (Grant Nos. 2022YFS0571, 2021YFSY0012, 2021YFG0332, and 2020YFG0307).

Abstract: Backdoor attacks are emerging security threats to deep neural networks. In these attacks, adversaries manipulate the network by constructing training samples embedded with backdoor triggers. The backdoored model performs as expected on clean test samples but consistently misclassifies samples containing the backdoor trigger as a specific target label. While quantum neural networks (QNNs) have shown promise in surpassing their classical counterparts in certain machine learning tasks, they are also susceptible to backdoor attacks. However, current attacks on QNNs are constrained by the adversary's understanding of the model structure and specific encoding methods. Given the diversity of encoding methods and model structures in QNNs, the effectiveness of such backdoor attacks remains uncertain. In this paper, we propose an algorithm that leverages dataset-based optimization to initiate backdoor attacks. A malicious adversary can embed backdoor triggers into a QNN model by poisoning only a small portion of the data. The victim QNN maintains high accuracy on clean test samples without the trigger but outputs the target label set by the adversary when predicting samples with the trigger. Furthermore, our proposed attack cannot be easily resisted by existing backdoor detection methods.

Key words: backdoor attack, quantum artificial intelligence security, quantum neural network, variational quantum circuit

CLC Number:

  • 03.67.-a (Quantum information)
  • 03.67.Lx (Quantum computation architectures and implementations)
  • 03.67.Ac (Quantum algorithms, protocols, and simulations)