QShield: Securing Neural Networks Against Adversarial Attacks using Quantum Circuits

TL;DR

QShield introduces a hybrid quantum-classical neural network architecture that enhances adversarial robustness and increases the computational effort needed for attacks, promising improved security for critical applications.

Contribution

The paper presents a novel modular hybrid quantum-classical neural network architecture that improves adversarial robustness of deep learning models.

Findings

Hybrid models maintain high accuracy under adversarial attacks.

Hybrid architecture significantly raises the computational cost for generating adversarial examples.

Classical models are more vulnerable to attacks compared to hybrid models.

Abstract

Deep neural networks remain highly vulnerable to adversarial perturbations, limiting their reliability in security- and safety-critical applications. To address this challenge, we introduce QShield, a modular hybrid quantum-classical neural network (HQCNN) architecture designed to enhance the adversarial robustness of classical deep learning models. QShield integrates a conventional convolutional neural network (CNN) backbone for feature extraction with a quantum processing module that encodes the extracted features into quantum states, applies structured entanglement operations under realistic noise models, and outputs a hybrid prediction through a dynamically weighted fusion mechanism implemented via a lightweight multilayer perceptron (MLP). We systematically evaluate both classical and hybrid quantum-classical models on the MNIST, OrganAMNIST, and CIFAR-10 datasets, using a comprehensive set of robustness, efficiency, and computational performance metrics. Our results demonstrate that classical models are highly vulnerable to adversarial attacks, whereas the proposed hybrid models with entanglement patterns maintain high predictive accuracy while substantially reducing attack success rates across a wide range of adversarial attacks. Furthermore, the proposed hybrid architecture significantly increased the computational cost required to generate adversarial examples, thereby introducing an additional layer of defense. These findings indicate that the proposed modular hybrid architecture achieves a practical balance between predictive accuracy and adversarial robustness, positioning it as a promising approach for secure and reliable machine learning in sensitive and safety-critical applications.