对量子神经网络的黑盒后门攻击

IF 5.6 2区物理与天体物理 Q1 PHYSICS, MULTIDISCIPLINARY

Quantum Science and Technology Pub Date : 2025-06-09 DOI:10.1088/2058-9565/addf74

Jiayu Zhao, Lili Yan, Dong Tan, Yan Chang and Shibin Zhang

{"title":"对量子神经网络的黑盒后门攻击","authors":"Jiayu Zhao, Lili Yan, Dong Tan, Yan Chang and Shibin Zhang","doi":"10.1088/2058-9565/addf74","DOIUrl":null,"url":null,"abstract":"Quantum neural networks (QNNs), as a novel model that combines the advantages of quantum computing and classical neural networks, are similarly vulnerable to backdoor attacks like classical neural networks. Current research on backdoor attacks against QNNs is limited by model structure or poisoning rate, resulting in poor attack performance in black-box scenarios. This paper proposes a black-box attack method that uses a quantum-classical hybrid generative model to generate transferable backdoor triggers for QNNs with unknown structures. The method generates universal adversarial perturbations as triggers based on generative models, and designs a QNN pool by utilizing the idea of ensemble models. It combines the min–max framework and non-target Kullback–Leibler divergence technique to improve the transferability of triggers to achieve a black-box attack. Experiments demonstrate that with a poisoning rate of only 5%, the attack success rate exceeds 98% for three different structured QNNs, proving the effectiveness of this backdoor attack. In addition, we also prove that the existing detection methods such as strip and spectral signatures are unable to defend against the backdoor attack proposed in this paper.","PeriodicalId":20821,"journal":{"name":"Quantum Science and Technology","volume":"20 1","pages":""},"PeriodicalIF":5.6000,"publicationDate":"2025-06-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"A black-box backdoor attack against quantum neural networks\",\"authors\":\"Jiayu Zhao, Lili Yan, Dong Tan, Yan Chang and Shibin Zhang\",\"doi\":\"10.1088/2058-9565/addf74\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Quantum neural networks (QNNs), as a novel model that combines the advantages of quantum computing and classical neural networks, are similarly vulnerable to backdoor attacks like classical neural networks. Current research on backdoor attacks against QNNs is limited by model structure or poisoning rate, resulting in poor attack performance in black-box scenarios. This paper proposes a black-box attack method that uses a quantum-classical hybrid generative model to generate transferable backdoor triggers for QNNs with unknown structures. The method generates universal adversarial perturbations as triggers based on generative models, and designs a QNN pool by utilizing the idea of ensemble models. It combines the min–max framework and non-target Kullback–Leibler divergence technique to improve the transferability of triggers to achieve a black-box attack. Experiments demonstrate that with a poisoning rate of only 5%, the attack success rate exceeds 98% for three different structured QNNs, proving the effectiveness of this backdoor attack. In addition, we also prove that the existing detection methods such as strip and spectral signatures are unable to defend against the backdoor attack proposed in this paper.\",\"PeriodicalId\":20821,\"journal\":{\"name\":\"Quantum Science and Technology\",\"volume\":\"20 1\",\"pages\":\"\"},\"PeriodicalIF\":5.6000,\"publicationDate\":\"2025-06-09\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Quantum Science and Technology\",\"FirstCategoryId\":\"101\",\"ListUrlMain\":\"https://doi.org/10.1088/2058-9565/addf74\",\"RegionNum\":2,\"RegionCategory\":\"物理与天体物理\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"PHYSICS, MULTIDISCIPLINARY\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Quantum Science and Technology","FirstCategoryId":"101","ListUrlMain":"https://doi.org/10.1088/2058-9565/addf74","RegionNum":2,"RegionCategory":"物理与天体物理","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"PHYSICS, MULTIDISCIPLINARY","Score":null,"Total":0}

引用次数: 0

摘要

量子神经网络（QNNs）作为一种结合了量子计算和经典神经网络优点的新型模型，与经典神经网络一样容易受到后门攻击。目前针对qnn的后门攻击研究受到模型结构或中毒率的限制，导致黑盒场景下的攻击性能较差。针对结构未知的量子神经网络，提出了一种利用量子经典混合生成模型生成可转移后门触发器的黑盒攻击方法。该方法基于生成模型生成通用的对抗扰动作为触发器，并利用集成模型的思想设计一个QNN池。结合最小-最大框架和非目标Kullback-Leibler散度技术，提高了触发器的可转移性，实现了黑盒攻击。实验表明，在投毒率仅为5%的情况下，三种不同结构的qnn的攻击成功率超过98%，证明了该后门攻击的有效性。此外，我们还证明了现有的检测方法，如条带和频谱签名，无法防御本文提出的后门攻击。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

A black-box backdoor attack against quantum neural networks

Quantum neural networks (QNNs), as a novel model that combines the advantages of quantum computing and classical neural networks, are similarly vulnerable to backdoor attacks like classical neural networks. Current research on backdoor attacks against QNNs is limited by model structure or poisoning rate, resulting in poor attack performance in black-box scenarios. This paper proposes a black-box attack method that uses a quantum-classical hybrid generative model to generate transferable backdoor triggers for QNNs with unknown structures. The method generates universal adversarial perturbations as triggers based on generative models, and designs a QNN pool by utilizing the idea of ensemble models. It combines the min–max framework and non-target Kullback–Leibler divergence technique to improve the transferability of triggers to achieve a black-box attack. Experiments demonstrate that with a poisoning rate of only 5%, the attack success rate exceeds 98% for three different structured QNNs, proving the effectiveness of this backdoor attack. In addition, we also prove that the existing detection methods such as strip and spectral signatures are unable to defend against the backdoor attack proposed in this paper.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Quantum Science and Technology Materials Science-Materials Science (miscellaneous)

CiteScore

11.20

自引率

3.00%

发文量

133

期刊介绍： Driven by advances in technology and experimental capability, the last decade has seen the emergence of quantum technology: a new praxis for controlling the quantum world. It is now possible to engineer complex, multi-component systems that merge the once distinct fields of quantum optics and condensed matter physics. Quantum Science and Technology is a new multidisciplinary, electronic-only journal, devoted to publishing research of the highest quality and impact covering theoretical and experimental advances in the fundamental science and application of all quantum-enabled technologies.