CopyQNN: Quantum Neural Network Extraction Attack under Varying Quantum Noise

TL;DR

This paper tackles the vulnerability of quantum neural networks (QNNs) deployed as QNN-as-a-Service to model-extraction attacks in the presence of varying NISQ noise. It introduces CopyQNN, a noise-aware extraction framework that first cleans noisy query labels through variance-based data filtering (Remember Ratio) and Mixup, then uses quantum-domain contrastive learning to pre-train a transferable encoder and train a compact quantum classifier on the cleaned data. The approach leverages multi-round querying to capture noise dynamics and combines a BarloW Twins–style contrastive objective with transfer learning to achieve high substitute-model accuracy with far fewer queries than prior methods. Experimental results on IBM Qiskit-enabled hardware show CopyQNN outperforms QuantumLeak by about 8.73% on average and reduces required queries by 90x, with only modest hardware overhead, highlighting both the feasibility of noise-aware attacks and the importance of data cleaning in real-world settings.

Abstract

Quantum Neural Networks (QNNs) have shown significant value across domains, with well-trained QNNs representing critical intellectual property often deployed via cloud-based QNN-as-a-Service (QNNaaS) platforms. Recent work has examined QNN model extraction attacks using classical and emerging quantum strategies. These attacks involve adversaries querying QNNaaS platforms to obtain labeled data for training local substitute QNNs that replicate the functionality of cloud-based models. However, existing approaches have largely overlooked the impact of varying quantum noise inherent in noisy intermediate-scale quantum (NISQ) computers, limiting their effectiveness in real-world settings. To address this limitation, we propose the CopyQNN framework, which employs a three-step data cleaning method to eliminate noisy data based on its noise sensitivity. This is followed by the integration of contrastive and transfer learning within the quantum domain, enabling efficient training of substitute QNNs using a limited but cleaned set of queried data. Experimental results on NISQ computers demonstrate that a practical implementation of CopyQNN significantly outperforms state-of-the-art QNN extraction attacks, achieving an average performance improvement of 8.73% across all tasks while reducing the number of required queries by 90x, with only a modest increase in hardware overhead.

Figures (7)

• Figure 1: The QNN-as-a-service on a NISQ server.
• Figure 2: Preliminary results indicate: (a) fluctuations in inference accuracy when running the victim QNN at different times during the day; (b) ineffectiveness of existing model extraction attacks.
• Figure 3: Multi-round query, noise characterization, and data cleaning.
• Figure 4: Variance of queried labels over 5 rounds across different tasks.
• Figure 5: CopyQNN overview: (a) the overall architecture and training of QClassifier; (b) the training process for transferable QEnc; (c) the NISQ implementation of the VQC circuit.