defense 2026

QShield: Securing Neural Networks Against Adversarial Attacks using Quantum Circuits

Navid Azimi , Aditya Prakash , Yao Wang , Li Xiong

0 citations


Published on arXiv

2604.10933

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

Hybrid models with entanglement patterns maintain high accuracy while substantially reducing attack success rates and significantly increasing computational cost for adversarial example generation

QShield

Novel technique introduced


Deep neural networks remain highly vulnerable to adversarial perturbations, limiting their reliability in security- and safety-critical applications. To address this challenge, we introduce QShield, a modular hybrid quantum-classical neural network (HQCNN) architecture designed to enhance the adversarial robustness of classical deep learning models. QShield integrates a conventional convolutional neural network (CNN) backbone for feature extraction with a quantum processing module that encodes the extracted features into quantum states, applies structured entanglement operations under realistic noise models, and outputs a hybrid prediction through a dynamically weighted fusion mechanism implemented via a lightweight multilayer perceptron (MLP). We systematically evaluate both classical and hybrid quantum-classical models on the MNIST, OrganAMNIST, and CIFAR-10 datasets, using a comprehensive set of robustness, efficiency, and computational performance metrics. Our results demonstrate that classical models are highly vulnerable to adversarial attacks, whereas the proposed hybrid models with entanglement patterns maintain high predictive accuracy while substantially reducing attack success rates across a wide range of adversarial attacks. Furthermore, the proposed hybrid architecture significantly increases the computational cost required to generate adversarial examples, thereby introducing an additional layer of defense. These findings indicate that the proposed modular hybrid architecture achieves a practical balance between predictive accuracy and adversarial robustness, positioning it as a promising approach for secure and reliable machine learning in sensitive and safety-critical applications.


Key Contributions

  • Modular hybrid quantum-classical architecture (QShield) integrating parameterized quantum circuits with CNN backbone for adversarial robustness
  • Adaptive fusion mechanism via lightweight MLP that dynamically weights quantum and classical predictions per sample
  • Structured entanglement patterns (linear, star, fully connected) in quantum circuits under realistic noise models to enhance feature expressiveness and robustness
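The following is an added, self-contained sketch of the pipeline the abstract and contributions describe (CNN features encoded into qubits, a structured entanglement pattern, a noisy readout, and a per-sample fusion gate). It is not QShield's code: the gate set (RY angle encoding plus CNOT entanglers), the stochastic Pauli noise, the sigmoid gate standing in for the fusion MLP, and every parameter value are this example's assumptions. It is a pure-Python statevector toy, so it runs offline on a handful of qubits.

```python
"""Toy hybrid module: features -> RY angle encoding -> entanglement pattern
(linear / star / full) -> optional Pauli noise -> <Z> readout -> fusion gate.
Illustrative statevector simulation, not the paper's implementation."""
import math
import random
from itertools import combinations


def zero_state(n):
    """|0...0> on n qubits as a list of 2**n complex amplitudes."""
    state = [0j] * (1 << n)
    state[0] = 1 + 0j
    return state


def _bit(n, q):
    return 1 << (n - 1 - q)  # qubit 0 is the most significant bit


def apply_ry(state, n, q, theta):
    """RY(theta) on qubit q: angle-encodes one feature into one qubit."""
    c, s = math.cos(theta / 2), math.sin(theta / 2)
    bit, out = _bit(n, q), state[:]
    for i in range(len(state)):
        if not i & bit:
            a, b = state[i], state[i | bit]
            out[i], out[i | bit] = c * a - s * b, s * a + c * b
    return out


def apply_x(state, n, q):
    bit, out = _bit(n, q), state[:]
    for i in range(len(state)):
        if not i & bit:
            out[i], out[i | bit] = state[i | bit], state[i]
    return out


def apply_z(state, n, q):
    bit = _bit(n, q)
    return [-a if i & bit else a for i, a in enumerate(state)]


def apply_cnot(state, n, ctrl, tgt):
    """Flip tgt wherever ctrl is |1>; the entangler used for every pattern."""
    cb, tb, out = _bit(n, ctrl), _bit(n, tgt), state[:]
    for i in range(len(state)):
        if (i & cb) and not (i & tb):
            out[i], out[i | tb] = state[i | tb], state[i]
    return out


def entanglement_pairs(pattern, n):
    """(control, target) pairs for the three patterns the paper names."""
    if pattern == "linear":
        return [(i, i + 1) for i in range(n - 1)]
    if pattern == "star":
        return [(0, i) for i in range(1, n)]
    if pattern == "full":
        return list(combinations(range(n), 2))
    raise ValueError(f"unknown pattern {pattern!r}")


def z_expectation(state, n, q):
    bit = _bit(n, q)
    return sum((-1.0 if i & bit else 1.0) * abs(a) ** 2 for i, a in enumerate(state))


def quantum_module(features, pattern, noise_p=0.0, rng=None):
    """One feature vector (radians, one per qubit) -> list of <Z> per qubit.
    With noise_p > 0 a random X or Z error follows each gate with that
    probability (assumed toy noise, not the paper's noise model)."""
    n = len(features)
    rng = rng or random.Random(0)
    state = zero_state(n)

    def noisy(s, q):
        if noise_p and rng.random() < noise_p:
            s = rng.choice([apply_x, apply_z])(s, n, q)
        return s

    for q, theta in enumerate(features):
        state = noisy(apply_ry(state, n, q, theta), q)
    for ctrl, tgt in entanglement_pairs(pattern, n):
        state = noisy(apply_cnot(state, n, ctrl, tgt), tgt)
    return [z_expectation(state, n, q) for q in range(n)]


def fuse(classical_logit, quantum_readout, gate_w, gate_b=0.0):
    """Per-sample convex fusion. A sigmoid gate over the quantum readout
    (placeholder for the paper's lightweight MLP; gate_w/gate_b are made-up
    parameters) decides how much weight the quantum branch gets."""
    z = sum(w * r for w, r in zip(gate_w, quantum_readout)) + gate_b
    alpha = 1.0 / (1.0 + math.exp(-z))
    quantum_logit = sum(quantum_readout) / len(quantum_readout)
    return alpha * quantum_logit + (1.0 - alpha) * classical_logit, alpha


if __name__ == "__main__":
    feats = [0.0, math.pi, 0.0, 0.0]  # constructed feature vector: qubit 1 set
    for p in ("linear", "star", "full"):
        print(p, [round(v, 3) for v in quantum_module(feats, p)])
    print(fuse(2.0, quantum_module(feats, "star", noise_p=0.1), [0.5] * 4))
```

Running the example with only qubit 1 excited shows why the pattern matters: the linear chain propagates the flip to every later qubit, the star leaves it isolated (qubit 0 is the only control), and the fully connected pattern cancels the flip on the last qubit. The readout therefore carries a different, pattern-specific function of the features, which is the expressiveness the contributions list refers to.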

🛡️ Threat Analysis

Input Manipulation Attack

The paper directly addresses adversarial examples and evasion attacks at inference time (digital perturbations of the input image, not physical or training-time attacks). QShield is evaluated against multiple gradient-based adversarial attacks (FGSM, PGD, C&W, etc.) and reports reduced attack success rates compared with the classical baselines, together with a higher computational cost for generating each adversarial example. The defense aims to counter input manipulation through the quantum processing module and the adaptive fusion of quantum and classical predictions. As with any defense whose benefit is partly a higher attacker cost rather than a proven bound on the perturbation, practitioners should confirm the gains hold under adaptive attacks that account for the full hybrid model before relying on them.
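As an added example (not QShield's code or evaluation), the two simplest attacks named above, FGSM and PGD, are implemented below against a small logistic-regression classifier whose input gradient has a closed form, so no autodiff library is needed. The weights, the four inputs in [0,1]^3, and the epsilon values are constructed for illustration; the success-rate and gradient-call counters are the two quantities the paper's metrics revolve around.

```python
"""FGSM and PGD (L-inf) against a tiny logistic-regression model.
Added illustration with constructed weights and data, not the paper's code."""
import math


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def sign(v):
    return (v > 0) - (v < 0)


class LogReg:
    """p(y=1|x) = sigmoid(w.x + b); the attacker needs only d loss / d x."""

    def __init__(self, w, b):
        self.w, self.b = w, b

    def prob(self, x):
        return sigmoid(sum(wi * xi for wi, xi in zip(self.w, x)) + self.b)

    def predict(self, x):
        return 1 if self.prob(x) >= 0.5 else 0

    def input_grad(self, x, y):
        # gradient of binary cross-entropy w.r.t. the input: (p - y) * w
        p = self.prob(x)
        return [(p - y) * wi for wi in self.w]


def clip_box(x_adv, x, eps):
    """Project onto the L-inf ball of radius eps around x, then onto [0,1]."""
    return [min(max(xa, xo - eps, 0.0), xo + eps, 1.0) for xa, xo in zip(x_adv, x)]


def fgsm(model, x, y, eps):
    """Single step of size eps along sign(grad); returns (x_adv, gradient_calls)."""
    g = model.input_grad(x, y)
    return clip_box([xi + eps * sign(gi) for xi, gi in zip(x, g)], x, eps), 1


def pgd(model, x, y, eps, alpha, steps):
    """Iterated FGSM with step alpha and projection after every step."""
    x_adv = x[:]
    for _ in range(steps):
        g = model.input_grad(x_adv, y)
        x_adv = clip_box([xa + alpha * sign(ga) for xa, ga in zip(x_adv, g)], x, eps)
    return x_adv, steps


def attack_success_rate(model, data, attack, **kw):
    """Share of originally correct inputs whose label the attack flips, and the
    total gradient evaluations spent (the attacker's computational cost)."""
    flipped, correct, calls = 0, 0, 0
    for x, y in data:
        if model.predict(x) != y:
            continue  # already misclassified: not counted as an attack success
        correct += 1
        x_adv, c = attack(model, x, y, **kw)
        calls += c
        flipped += model.predict(x_adv) != y
    return (flipped / correct if correct else 0.0), calls


MODEL = LogReg(w=[2.0, -1.5, 0.5], b=-0.3)              # constructed weights
DATA = [([0.8, 0.2, 0.5], 1), ([0.1, 0.9, 0.3], 0),     # constructed inputs, all
        ([0.7, 0.1, 0.9], 1), ([0.3, 0.7, 0.2], 0)]     # correctly classified

if __name__ == "__main__":
    for eps in (0.1, 0.3, 0.4):
        asr, calls = attack_success_rate(MODEL, DATA, fgsm, eps=eps)
        print(f"FGSM eps={eps}: success rate {asr:.2f}, gradient calls {calls}")
    asr, calls = attack_success_rate(MODEL, DATA, pgd, eps=0.4, alpha=0.1, steps=10)
    print(f"PGD  eps=0.4: success rate {asr:.2f}, gradient calls {calls}")
```

The success rate rises with the perturbation budget (0 of 4 at eps=0.1, 1 of 4 at eps=0.3, 4 of 4 at eps=0.4 on this data), and PGD spends `steps` gradient evaluations per input where FGSM spends one. Against a model whose forward pass includes a simulated or real quantum circuit, each of those evaluations is far more expensive, which is the "computational cost" effect the key finding describes.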


Details

Domains
vision
Model Types
cnn
Threat Tags
inference_time, digital
Datasets
MNIST, OrganAMNIST, CIFAR-10
Applications
image classification