Cloud hosting of quantum machine learning (QML) models exposes them to a
range of vulnerabilities, the most significant of which is the model stealing
attack. In this study, we assess the efficacy of such attacks in the realm of
quantum computing. We conducted comprehensive experiments on various datasets
with multiple QML model architectures. Our findings revealed that model
stealing attacks can produce clone models achieving up to $0.9\times$ and
$0.99\times$ clone test accuracy when trained using Top-$1$ and Top-$k$ labels,
respectively ($k:$ num\_classes). To defend against these attacks, we leverage
the unique properties of current noisy hardware and perturb the victim model
outputs and hinder the attacker's training process. In particular, we propose:
1) hardware variation-induced perturbation (HVIP) and 2) hardware and
architecture variation-induced perturbation (HAVIP). Although noise and
architectural variability can provide up to $\sim16\%$ output obfuscation, our
comprehensive analysis revealed that models cloned under noisy conditions tend
to be resilient, suffering little to no performance degradation due to such
obfuscations. Despite limited success with our defense techniques, this outcome
has led to an important discovery: QML models trained on noisy hardwares are
naturally resistant to perturbation or obfuscation-based defenses or attacks.

云端托管的量子机器学习（QML）模型面临许多漏洞，其中最重要的是模型窃取攻击。本研究评估了这些攻击在量子计算领域的效果，利用多个 QML 模型体系结构在不同数据集上进行了全面的实验。实验结果显示，使用 Top-1 和 Top-k（k: num_classes）标签进行训练的模型窃取攻击可以产生克隆模型，其克隆测试准确率分别达到原模型的 0.9 倍和 0.99 倍。为了防御这些攻击，我们利用当前嘈杂硬件的独特属性扰乱了受害模型的输出，阻碍了攻击者的训练过程。具体来说，我们提出了两种方法：1）硬件变化诱发的扰动（HVIP）和 2）硬件和模型结构变化诱发的扰动（HAVIP）。虽然噪声和架构的可变性可以提供约 16% 的输出混淆，但我们的综合分析表明，在噪声条件下克隆的模型往往是弹性的，由于这种混淆几乎不会导致性能下降。尽管我们的防御技术取得了有限的成功，但这种结果导致了一项重要发现：在噪声硬件上训练的 QML 模型对扰动或混淆性的防御或攻击具有天然的抵抗力。

评估量子神经网络中的模型窃取攻击和防御机制的有效性

Evaluating Efficacy of Model Stealing Attacks and Defenses on Quantum  Neural Networks

Recent research demonstrates that GNNs are vulnerable to the model stealing
attack, a nefarious endeavor geared towards duplicating the target model via
query permissions. However, they mainly focus on node classification tasks,
neglecting the potential threats entailed within the domain of graph
classification tasks. Furthermore, their practicality is questionable due to
unreasonable assumptions, specifically concerning the large data requirements
and extensive model knowledge. To this end, we advocate following strict
settings with limited real data and hard-label awareness to generate synthetic
data, thereby facilitating the stealing of the target model. Specifically,
following important data generation principles, we introduce three model
stealing attacks to adapt to different actual scenarios: MSA-AU is inspired by
active learning and emphasizes the uncertainty to enhance query value of
generated samples; MSA-AD introduces diversity based on Mixup augmentation
strategy to alleviate the query inefficiency issue caused by over-similar
samples generated by MSA-AU; MSA-AUD combines the above two strategies to
seamlessly integrate the authenticity, uncertainty, and diversity of the
generated samples. Finally, extensive experiments consistently demonstrate the
superiority of the proposed methods in terms of concealment, query efficiency,
and stealing performance.

最近的研究表明，GNN 对于模型盗取攻击是脆弱的，而这种攻击是通过查询许可来复制目标模型的阴险行为。然而，这些研究主要关注节点分类任务，忽视了在图分类任务领域所带来的潜在威胁。此外，它们的可行性令人质疑，因为涉及了大量的数据需求和广泛的模型知识。为此，我们倡导遵循严格的设置，通过有限的真实数据和硬标签意识来生成合成数据，从而便于盗取目标模型。具体地，我们遵循重要的数据生成原则，引入了三种模型盗取攻击方法，以适应不同的实际场景：MSA-AU 受主动学习的启发，强调不确定性以增强生成样本的查询价值；MSA-AD 基于 Mixup 增强策略引入多样性，以减轻 MSA-AU 生成的过于相似样本所导致的查询效率问题；MSA-AUD 结合了上述两种策略，无缝地整合了生成样本的真实性、不确定性和多样性。最后，广泛的实验证明了所提方法在隐藏性、查询效率和盗取性能方面的优越性。

模型窃取攻击对图分类的真实性、不确定性和多样性

Model Stealing Attack against Graph Classification with Authenticity,  Uncertainty and Diversity

Security has always been a critical issue in machine learning (ML)
applications. Due to the high cost of model training -- such as collecting
relevant samples, labeling data, and consuming computing power --
model-stealing attack is one of the most fundamental but vitally important
issues. When it comes to quantum computing, such a quantum machine learning
(QML) model-stealing attack also exists and it is even more severe because the
traditional encryption method can hardly be directly applied to quantum
computation. On the other hand, due to the limited quantum computing resources,
the monetary cost of training QML model can be even higher than classical ones
in the near term. Therefore, a well-tuned QML model developed by a company can
be delegated to a quantum cloud provider as a service to be used by ordinary
users. In this case, the QML model will be leaked if the cloud provider is
under attack. To address such a problem, we propose a novel framework, namely
QuMoS, to preserve model security. Instead of applying encryption algorithms,
we propose to distribute the QML model to multiple physically isolated quantum
cloud providers. As such, even if the adversary in one provider can obtain a
partial model, the information of the full model is maintained in the QML
service company. Although promising, we observed an arbitrary model design
under distributed settings cannot provide model security. We further developed
a reinforcement learning-based security engine, which can automatically
optimize the model design under the distributed setting, such that a good
trade-off between model performance and security can be made. Experimental
results on four datasets show that the model design proposed by QuMoS can
achieve a close accuracy to the model designed with neural architecture search
under centralized settings while providing the highest security than the
baselines.

该研究提出了一种名为 QuMoS 的框架，该框架通过在多个云提供商之间分发 QML 模型而不是应用加密算法来保护模型安全，并且使用强化学习算法自动优化在分布式环境下的模型设计，从而在提供高安全性的同时实现高精度。