Chin. Phys. B, 2023, Vol. 32(10): 100306    DOI: 10.1088/1674-1056/acd8ab
GENERAL

A backdoor attack against quantum neural networks with limited information

Chen-Yi Huang(黄晨猗)1,2 and Shi-Bin Zhang(张仕斌)1,2,†
1 College of Cyberspace Security, Chengdu University of Information Technology, Chengdu 610225, China;
2 Advanced Cryptography and System Security Key Laboratory of Sichuan Province, Chengdu 610225, China
Abstract  Backdoor attacks are emerging security threats to deep neural networks. In these attacks, adversaries manipulate the network by constructing training samples embedded with backdoor triggers. The backdoored model performs as expected on clean test samples but consistently misclassifies samples containing the backdoor trigger as a specific target label. While quantum neural networks (QNNs) have shown promise in surpassing their classical counterparts in certain machine learning tasks, they are also susceptible to backdoor attacks. However, current attacks on QNNs are constrained by the adversary's understanding of the model structure and specific encoding methods. Given the diversity of encoding methods and model structures in QNNs, the effectiveness of such backdoor attacks remains uncertain. In this paper, we propose an algorithm that leverages dataset-based optimization to initiate backdoor attacks. A malicious adversary can embed backdoor triggers into a QNN model by poisoning only a small portion of the data. The victim QNN maintains high accuracy on clean test samples without the trigger but outputs the target label set by the adversary when predicting samples with the trigger. Furthermore, our proposed attack cannot be easily resisted by existing backdoor detection methods.
Keywords: backdoor attack, quantum artificial intelligence security, quantum neural network, variational quantum circuit
Received: 14 February 2023; Revised: 17 May 2023; Accepted manuscript online: 25 May 2023
PACS: 03.67.-a (Quantum information); 03.67.Lx (Quantum computation architectures and implementations); 03.67.Ac (Quantum algorithms, protocols, and simulations)
Fund: This work was supported by the National Natural Science Foundation of China (Grant No. 62076042), the National Key Research and Development Plan of China, Key Project of Cyberspace Security Governance (Grant No. 2022YFB3103103), the Key Research and Development Project of Sichuan Province (Grant Nos. 2022YFS0571, 2021YFSY0012, 2021YFG0332, and 2020YFG0307).
Corresponding Author: Shi-Bin Zhang, E-mail: cuitzsb@cuit.edu.cn

Cite this article: 

Chen-Yi Huang(黄晨猗) and Shi-Bin Zhang(张仕斌) A backdoor attack against quantum neural networks with limited information 2023 Chin. Phys. B 32 100306
