With the growing interest in Quantum Machine Learning (QML) and the increasing availability of quantum computers through cloud providers, addressing the potential security risks associated with QML has become an urgent priority. One key concern in the QML domain is the threat of data poisoning attacks in the current quantum cloud setting. Adversarial access to training data could severely compromise the integrity and availability of QML models. Classical data poisoning techniques require significant knowledge and training to generate poisoned data, and they lack noise resilience, making them ineffective against QML models in the Noisy Intermediate-Scale Quantum (NISQ) era. In this work, we first propose a simple yet effective technique to measure intra-class encoder state similarity (ESS) by analyzing the outputs of encoding circuits. Leveraging this approach, we introduce a quantum indiscriminate data poisoning attack, QUID. Through extensive experiments conducted in both noiseless and noisy environments (e.g., IBM_Brisbane's noise), across various architectures and datasets, QUID achieves up to $92\%$ accuracy degradation in model performance compared to baseline models and up to $75\%$ accuracy degradation compared to random label-flipping. We also tested QUID against state-of-the-art classical defenses, with accuracy degradation still exceeding $50\%$, demonstrating its effectiveness. This work represents the first attempt to reevaluate data poisoning attacks in the context of QML.