QSentry: Backdoor Detection for Quantum Neural Networks via Measurement Clustering

TL;DR

QSentry addresses backdoor threats in quantum neural networks by leveraging a measurement-clustering approach that analyzes quantum measurement statistics to detect anomalous inputs. It extracts measurement activations, transforms them into a discriminative space, and performs unsupervised clustering to isolate minority backdoor clusters without requiring trigger information. Empirical results on a MNIST-based binary task show strong detection performance, with F1 scores improving from 75.8% at 1% poisoning to 93.2% at 10% poisoning, outperforming several state-of-the-art defenses. The work demonstrates that quantum measurement distributions carry robust backdoor signatures and provides a practical, attack-agnostic defense framework, though it notes runtime and scalability considerations and the potential for adaptive triggers.

Abstract

Quantum neural networks (QNNs) are an important model for implementing quantum machine learning (QML), while they demonstrate a high degree of vulnerability to backdoor attacks similar to classical networks. To address this issue, a quantum backdoor attack detection framework called QSentry is proposed, in which a quantum Measurement Clustering method is introduced to detect backdoors by identifying statistical anomalies in measurement outputs. It is demonstrated that QSentry can effectively detect anomalous distributions induced by backdoor samples with extensive experiments. It achieves a 75.8% F1 score even under a 1% poisoning rate, and further improves to 85.7% and 93.2% as the poisoning rate increases to 5% and 10%, respectively. The integration of silhouette coefficients and relative cluster size enable QSentry to precisely isolate backdoor samples, yielding estimates that closely match actual poisoning ratios. Evaluations under various quantum attack scenarios demonstrate that QSentry delivers superior robustness and accuracy compared with three state-of-the-art detection methods. This work establishes a practical and effective framework for mitigating backdoor threats in QML.

Figures (10)

• Figure 1: The threat of backdoor attacks in the field of autonomous driving.
• Figure 2: Differences between QNN and classical DNN during the training process.
• Figure 3: An illustration of the quantum backdoor attack. The backdoor target is label 7, with the trigger pattern being the square in the upper left corner. When injecting the backdoor, some samples in the training set are modified to carry the trigger mark, and their labels are also altered to the target label. After training on the modified training set, the model will recognize samples bearing the trigger mark as the target label. Meanwhile, for any sample without the trigger mark, the model remains capable of correctly identifying its label.
• Figure 4: The activation of the quantum measurement layer is projected onto the first two principal components: This is the measurement activation of the images labeled 7 and 6.
• Figure 5: QSentry defense framework architecture. The system integrates poisoning training, forward measurement collection and measurement clustering.