Cloud hosting of quantum machine learning (QML) models exposes them to a range of vulnerabilities, the most significant of which is the model stealing attack. In this study, we assess the efficacy of such attacks in the realm of quantum computing. We conducted comprehensive experiments on various datasets with multiple QML model architectures. Our findings revealed that model stealing attacks can produce clone models achieving up to $0.9\times$ and $0.99\times$ clone test accuracy when trained using Top-$1$ and Top-$k$ labels, respectively ($k$ = number of classes). To defend against these attacks, we leverage the unique properties of current noisy hardware to perturb the victim model's outputs and thereby hinder the attacker's training process. In particular, we propose: 1) hardware variation-induced perturbation (HVIP) and 2) hardware and architecture variation-induced perturbation (HAVIP). Although noise and architectural variability can provide up to $\sim16\%$ output obfuscation, our comprehensive analysis revealed that models cloned under noisy conditions tend to be resilient, suffering little to no performance degradation from such obfuscations. Despite the limited success of our defense techniques, this outcome has led to an important discovery: QML models trained on noisy hardware are naturally resistant to perturbation- or obfuscation-based defenses and attacks.