A backdoor attack against quantum neural networks with limited information  

作　　者：黄晨猗 张仕斌 Chen-Yi Huang;Shi-Bin Zhang(College of Cyberspace Security,Chengdu University of Information Technology,Chengdu 610225,China;Advanced Cryptography and System Security Key Laboratory of Sichuan Province,Chengdu 610225,China)

机构地区：[1]College of Cyberspace Security,Chengdu University of Information Technology,Chengdu 610225,China [2]Advanced Cryptography and System Security Key Laboratory of Sichuan Province,Chengdu 610225,China

出　　处：《Chinese Physics B》2023年第10期219-228,共10页中国物理B（英文版）

基　　金：supported by the National Natural Science Foundation of China(Grant No.62076042);the National Key Research and Development Plan of China,Key Project of Cyberspace Security Governance(Grant No.2022YFB3103103);the Key Research and Development Project of Sichuan Province(Grant Nos.2022YFS0571,2021YFSY0012,2021YFG0332,and 2020YFG0307)。

摘　　要：Backdoor attacks are emerging security threats to deep neural networks.In these attacks,adversaries manipulate the network by constructing training samples embedded with backdoor triggers.The backdoored model performs as expected on clean test samples but consistently misclassifies samples containing the backdoor trigger as a specific target label.While quantum neural networks(QNNs)have shown promise in surpassing their classical counterparts in certain machine learning tasks,they are also susceptible to backdoor attacks.However,current attacks on QNNs are constrained by the adversary's understanding of the model structure and specific encoding methods.Given the diversity of encoding methods and model structures in QNNs,the effectiveness of such backdoor attacks remains uncertain.In this paper,we propose an algorithm that leverages dataset-based optimization to initiate backdoor attacks.A malicious adversary can embed backdoor triggers into a QNN model by poisoning only a small portion of the data.The victim QNN maintains high accuracy on clean test samples without the trigger but outputs the target label set by the adversary when predicting samples with the trigger.Furthermore,our proposed attack cannot be easily resisted by existing backdoor detection methods.

关 键 词：backdoor attack quantum artificial intelligence security quantum neural network variational quantum circuit 

分 类 号：TP183[自动化与计算机技术—控制理论与控制工程] O413[自动化与计算机技术—控制科学与工程]