Defending Quantum Classifiers against Adversarial Perturbations through Quantum Autoencoders

TL;DR

This paper introduces a quantum autoencoder-based defense mechanism that purifies adversarial samples in quantum classifiers, improving robustness without adversarial training.

Contribution

It proposes a novel, training-free quantum autoencoder approach for defending against adversarial attacks in quantum machine learning.

Findings

Defense significantly improves prediction accuracy under attack, up to 68%.

Quantum autoencoder effectively purifies adversarial perturbations.

Confidence metric helps identify unpurifiable adversarial samples.

Abstract

Machine learning models can learn from data samples to carry out various tasks efficiently. When data samples are adversarially manipulated, such as by insertion of carefully crafted noise, it can cause the model to make mistakes. Quantum machine learning models are also vulnerable to such adversarial attacks, especially in image classification using variational quantum classifiers. While there are promising defenses against these adversarial perturbations, such as training with adversarial samples, they face practical limitations. For example, they are not applicable in scenarios where training with adversarial samples is either not possible or can overfit the models on one type of attack. In this paper, we propose an adversarial training-free defense framework that utilizes a quantum autoencoder to purify the adversarial samples through reconstruction. Moreover, our defense framework provides a confidence metric to identify potentially adversarial samples that cannot be purified the quantum autoencoder. Extensive evaluation demonstrates that our defense framework can significantly outperform state-of-the-art in prediction accuracy (up to 68%) under adversarial attacks.