Quantum Adversarial Learning for Kernel Methods

TL;DR

This work shows that quantum-kernel classifiers based on QSVMs are susceptible to evasion attacks produced by small input perturbations, paralleling vulnerabilities seen in classical and quantum neural approaches. It develops adversarial training via data augmentation to enhance robustness and demonstrates both simulation and a proof-of-principle hardware experiment on IBM Quantum hardware, including a compact and a large quantum embedding. The results indicate that adversarial training substantially improves resilience against evasion and can partly mitigate hardware noise, while kernel concentration in expressive embeddings remains a challenge. The study provides practical guidance for building more robust quantum kernel methods, highlights the role of kernel alignment in shaping generalization, and points to future work on embedding choice and direct links between robustness and generalization.

Abstract

We show that hybrid quantum classifiers based on quantum kernel methods and support vector machines are vulnerable against adversarial attacks, namely small engineered perturbations of the input data can deceive the classifier into predicting the wrong result. Nonetheless, we also show that simple defence strategies based on data augmentation with a few crafted perturbations can make the classifier robust against new attacks. Our results find applications in security-critical learning problems and in mitigating the effect of some forms of quantum noise, since the attacker can also be understood as part of the surrounding environment.

Figures (7)

• Figure 1: (top) Three dimensional representation of the the decision function $f$ (blue) for a two-dimensional input $x$ and an extra axis $z$, together with the tangent plane near $x_i^0$ (orange). (bottom) The intersection of the above surfaces with the $z=0$ plane (in black in the top figure), together with two steps of the iteration described by Eqs. \ref{['eq: gradient iteration']} and \ref{['eq:adaptive']}. The blue line is the decision hypersurface $f(x)=0$, while the orange lines are the approximations of the hypersurface at iterations $t=0$ and $t=1$, using hyperplanes -- that for $t=0$ is a projection of the orage hyperplane from the top figure.
• Figure 2: Some samples from the training and test dataset.
• Figure 3: Compact feature map for compressed input data, reduced via PCA transformation. The embedding circuit consists of 80 angle encoding gates, loading the classical vector $(x[0],\dots, x[{79}])$ into the quantum register, and 20 parametric gates, with parameters $(\theta[0],\dots, \theta[{19}])$. Note that the parametric gates can be combined with the encoding gates to reduce the circuit depth, and further merged via the Euler angle decomposition.
• Figure 4: Kernel-target alignment of both large (top figure) and compact (bottom figure) feature maps. The Cross-entropy loss was employed for the min-max optimization.
• Figure 5: Kernel matrices of the training dataset, after the kernel alignment procedure, using either the large (left figure) or the compact (right figure) feature maps.