Backdoor Attacks against Hybrid Classical-Quantum Neural Networks
Ji Guo, Wenbo Jiang, Rui Zhang, Wenshu Fan, Jiachen Li, Guoming Lu
TL;DR
This work investigates the security of Hybrid Classical-Quantum Neural Networks (HQNNs) by introducing a formal backdoor framework and deriving theoretical bounds on generalization and trigger perturbations. It presents the Qcolor backdoor, a color-space trigger optimized via NSGA-II, and demonstrates high attack effectiveness with minimal poisoning while maintaining stealth. Empirical results show HQNNs are more robust than CNNs against traditional backdoor triggers, and Qcolor achieves strong ASR with high SSIM across multiple datasets, even under state-of-the-art defenses. The findings highlight both the resilience of HQNNs to conventional backdoors and the potential for color-space triggers to circumvent defenses, underscoring the need for HQNN-specific defense methods.
Abstract
Hybrid Quantum Neural Networks (HQNNs) represent a promising advancement in Quantum Machine Learning (QML), yet their security has been rarely explored. In this paper, we present the first systematic study of backdoor attacks on HQNNs. We begin by proposing an attack framework and providing a theoretical analysis of the generalization bounds and minimum perturbation requirements for backdoor attacks on HQNNs. Next, we employ two classic backdoor attack methods on HQNNs and Convolutional Neural Networks (CNNs) to further investigate the robustness of HQNNs. Our experimental results demonstrate that HQNNs are more robust than CNNs, requiring more significant image modifications for successful attacks. Additionally, we introduce the Qcolor backdoor, which utilizes color shifts as triggers and employs the Non-dominated Sorting Genetic Algorithm II (NSGA-II) to optimize hyperparameters. Through extensive experiments, we demonstrate the effectiveness, stealthiness, and robustness of the Qcolor backdoor.