Quantum Support Vector Regression for Robust Anomaly Detection

In 2019, Havlicek et al. [7] introduced a quantum Support Vector Machine (QSVM) for binary classification on a two-qubit NISQ device. Since then, QSVMs have been applied to many areas, including remote sensing image classification [8], mental health treatment prediction [9], and breast cancer prediction [10]. Kyriienko and Magnusson [11] extended this to unsupervised fraud detection with a simulated one-class QSVM, and Tscharke et al. [4] developed a QSVR for semisupervised AD in 2023. However, to the best of our knowledge, a QSVR for semisupervised AD has not yet been set up on hardware.

Research has also explored the influence of noise in QML models [12, 13, 14], focusing on noise robustness [15, 16] or beneficial use of noise [17, 18]. However, as far as we know, the influence of noise on a QSVR for semisupervised AD has not yet been evaluated.

Finally, the link between quantum noise and QAML was established by Du et al. [5] in 2021, who found that adding depolarization noise can increase adversarial robustness. Building on this, Huang and Zhang [6] improved the adversarial robustness of Quantum Neural Networks by adding noise layers in 2023. To date, there have been no published results involving adversarial attacks on semisupervised QML models for AD.

The goal of our work is to gain further insight into the potential of QSVR for semisupervised AD in the NISQ era, which we accomplish through these contributions:

1. 1.

   We investigate how the model performs on hardware and report that the QSVR achieves good classification performance on a 27-qubit IBM device, even outperforming a noiseless simulation on two out of ten real-world datasets.

2. 2.

   We show that the QSVR is largely robust to noise by training and evaluating over 500 noisy models. We further observe that amplitude damping and miscalibration have the most damaging effect on the model’s performance and that the artificial Toy dataset, constructed to be linearly separable, suffers the most from noise.

3. 3.

   Finally, we investigate the robustness of the QSVR against adversarial attacks and find it highly vulnerable, with performance on real-world datasets dropping by up to an order of magnitude for a weak attack strength of $\varepsilon=0.01$. Introducing noise into the QSVR does not clearly improve the model’s adversarial robustness.

A kernel is a positive, semidefinite function $\kappa:\mathcal{X}\times\mathcal{X}\to\mathbb{C}$ on the input set $\mathcal{X}$. It uses a distance measure $\kappa(\boldsymbol{x}_{i},\boldsymbol{x}_{j})$ between two input vectors $\boldsymbol{x}_{i},\boldsymbol{x}_{j}\in\mathcal{X}$ to create a model that captures the properties of a data distribution. A feature map $\phi:\mathcal{X}\to\mathcal{F}$ maps input vectors $\boldsymbol{x}$ to a Hilbert or feature space $\mathcal{F}$. They are of great importance in ML, as they map input data in a higher-dimensional space with a well-defined metric. The feature map can be a nonlinear function that changes the relative position of the data points. As a result, the dataset can become easier to classify in feature space, and even linearly separable. We associate feature maps with kernels by defining a kernel via

where $\braket{\cdot,\cdot}_{\mathcal{F}}$ is the inner product defined on $\mathcal{F}$.

With the exponentially large Hilbert space of QCs, the use of QKMs for ML is close at hand. A quantum feature map $\psi:\boldsymbol{x}\to\ket{\phi(\boldsymbol{x})}$ is implemented via a feature-embedding circuit $U(\boldsymbol{x})$, which acts on a ground state $\ket{0\dots 0}$ of a Hilbert space $\mathcal{F}$ as $\ket{\phi(\boldsymbol{x})}=U(\boldsymbol{x})\ket{0\dots 0}$. The distance measure in the quantum kernel is the absolute square of the inner product of the quantum states. On hardware, this can be realized by the inversion test, where a sample $\boldsymbol{x}_{i}$ is encoded in the unitary $U$, followed by the adjoint $U^{\dagger}$ encoding the second sample $\boldsymbol{x}_{j}$ and measuring the probability of the all-zero state. Thus, the quantum kernel is defined as

and returns the overlap or fidelity of the two states. A more in-depth description of quantum kernels can be found in [19, 20].

There exist many different encoding techniques for the circuit realizing the quantum feature map, but for this work, we will focus on angle encoding because of its advantageous complexity with respect to the number of gates $\mathcal{O}(k)$ for an input vector x of dimension $k$. Angle encoding is a special form of time-evolution encoding, where a scalar value $\boldsymbol{x}$ is encoded in the unitary evolution of a quantum system governed by a Hamiltonian $H$. The unitary of time-evolution encoding is given by

In the case of angle encoding, the Pauli matrices $\sigma_{a}$ with $a\in\{x,y,z\}$ are used in the Hamiltonian $H=\frac{1}{2}\sigma_{a}$.

Real quantum systems are never completely isolated from the environment; for example, an electron realizing a qubit will interact with other charged particles. Moreover, quantum computers are programmed by an external system and thus can never be a closed system [21, 22].

In the current NISQ-era, noise significantly limits the performance of quantum algorithms, primarily through coherent and incoherent noise. Coherent noise arises from systematic, reversible errors that lead to predictable but undesired evolution of the states, often caused by imperfect calibrations or imprecise control signals [23]. Coherent noise is an unitary evolution of the system, characterized by having only one operation element in the operator-sum representation introduced below [24, 25].

Incoherent noise, on the other hand, is characterized by random, stochastic processes caused by insufficient isolation of the system from its environment. These uncontrolled interactions between system and environment lead to deviations between the desired and the actual evolution and to a loss of coherence in the system [23, 22].

Quantum noise can be modeled by a quantum channel, where the term ”channel” is drawn from classical information theory [21]. In the operator-sum representation, a channel is described by the map $\mathcal{E}$ with operation elements (or Kraus operators) $\{E_{i}\}$ mapping the density operator $\rho=\ket{\psi}\bra{\psi}$ to another density operator $\mathcal{E}(\rho)$.

In the following, selected types of single-qubit noisy channels are described, and their operation elements $E_{i}$ are listed. For a more detailed explanation of the noisy quantum channels, we refer to [21, 26, 24].

1. 1.

   Amplitude Damping channel: describes the effect of energy loss, such as when an atom emits a photon. The channel acts on the quantum system $A$ and the environment $E$ as follows: if both $A$ and $E$ are in their ground state $\ket{0}$, nothing happens. If $A$ is in the excited state $\ket{1}_{A}$, a photon will be emitted with probability $p$, leading to the excitation of the environment and causing the transition $\ket{0}_{E}\to\ket{1}_{E}$, while $A$ drops to the ground state, i.e. $\ket{1}_{A}\to\ket{0}_{A}$. The evolution caused by the channel can be summarized as:

   	$\displaystyle|0\rangle_{A}\otimes|0\rangle_{E}\mapsto|0\rangle_{A}\otimes|0\rangle_{E}$
   	$\displaystyle|1\rangle_{A}\otimes|0\rangle_{E}\mapsto\sqrt{1-p}|1\rangle_{A}\otimes|0\rangle_{E}+\sqrt{p}|0\rangle_{A}\otimes|1\rangle_{E}$		(5)

   This is achieved by the operation elements:

   	$\displaystyle E_{0}$	$\displaystyle=\left[\begin{array}[]{rr}1&0\\ 0&\sqrt{1-p}\end{array}\right]$		(8)
   	$\displaystyle E_{1}$	$\displaystyle=\left[\begin{array}[]{rr}0&\sqrt{p}\\ 0&0\end{array}\right]$		(11)

2. 2.

   Bitflip channel: flips the state of a qubit from $\ket{0}$ to $\ket{1}$ and vice versa with probability $p$. The operators are:

   	$\displaystyle E_{0}=\sqrt{1-p}I=\sqrt{1-p}\left[\begin{array}[]{rr}1&0\\ 0&1\end{array}\right]$		(14)
   	$\displaystyle E_{1}=\sqrt{p}X=\sqrt{p}\left[\begin{array}[]{rr}0&1\\ 1&0\end{array}\right]$		(17)

3. 3.

   Depolarizing channel: the qubit remains intact with probability $1-p$, while an error occurs with probability $p$. If an error occurs, the state is replaced by a uniform ensemble of the three states $X\ket{\psi},Y\ket{\psi},Z\ket{\psi}$. This is a symmetric decoherence channel defined by operation elements:

   	$\displaystyle E_{0}$	$\displaystyle=\sqrt{1-p}I$	$\displaystyle=\sqrt{1-p}\left[\begin{array}[]{rr}1&0\\ 0&1\end{array}\right]$		(20)
   	$\displaystyle X\text{-Error: }E_{1}$	$\displaystyle=\sqrt{p/3}X$	$\displaystyle=\sqrt{p/3}\left[\begin{array}[]{rr}0&1\\ 1&0\end{array}\right]$		(23)
   	$\displaystyle Y\text{-Error: }E_{2}$	$\displaystyle=\sqrt{p/3}Y$	$\displaystyle=\sqrt{p/3}\left[\begin{array}[]{rr}0&-i\\ i&0\end{array}\right]$		(26)
   	$\displaystyle Z\text{-Error: }E_{3}$	$\displaystyle=\sqrt{p/3}Z$	$\displaystyle=\sqrt{p/3}\left[\begin{array}[]{rr}1&0\\ 0&-1\end{array}\right]$		(29)

4. 4.

   Miscalibration channel: a coherent noise channel applying an ”overrotation” $p$ to the $R_{a}$ rotation gate with $a\in\{x,y,z\}$. This can be caused by an imperfect calibration of the device [23]. Since the channel is unitary, it has only one operation element:

   $\displaystyle E_{0}=R_{a}(p).$

   (30)

5. 5.

   Phase Damping channel: the phase damping or dephasing channel models the effect of random environmental scattering on a qubit, such as photon interactions in a waveguide or atomic states perturbed by distant charges. This channel causes a partial loss of phase information without energy loss. It produces the same effect as the phase flip channel, with the phase damping $\lambda$ related to the phase flip probability $p$ by

   $\displaystyle p=\frac{1-\sqrt{1-\lambda}}{2}.$

   (31)

6. 6.

   Phaseflip channel: applies a phase of $-1$ to the $\ket{1}$-state with probability $p$ and leaves the $\ket{0}$-state unchanged. It has the operation elements:

   	$\displaystyle E_{0}=\sqrt{1-p}I=\sqrt{1-p}\left[\begin{array}[]{rr}1&0\\ 0&1\end{array}\right]$		(34)
   	$\displaystyle E_{1}=\sqrt{p}Z=\sqrt{p}\left[\begin{array}[]{rr}1&0\\ 0&-1\end{array}\right]$		(37)

   The channel has the following effect on the state’s density matrix $\rho$:

   $\displaystyle\mathcal{E}\left(\begin{array}[]{ll}\rho_{00}&\rho_{01}\\ \rho_{10}&\rho_{11}\end{array}\right)=\left(\begin{array}[]{cc}\rho_{00}&(1-2p)\rho_{01}\\ (1-2p)\rho_{10}&\rho_{11}\end{array}\right)$

   (42)

   From this, we can see that the phase flip channel destroys superposition by decaying the off-diagonal terms of the density matrix $\rho$ while the on-diagonal terms remain invariant.

QML models are typically trained using a hybrid quantum-classical approach. In this framework, the model parameters are optimized using a classical optimization algorithm, while the quantum part is limited to the evaluation of the loss, which is (partially) done by the quantum computer or simulator. This hybrid approach allows us to easily extend the concept of adversarial attacks from classical ML to QML, which has already been successfully demonstrated in [27].

An adversarial attack is a small, carefully crafted perturbation of the $k$-dimensional input $\boldsymbol{x}$ that causes the model to misclassify the input [28, 29]. An untargeted adversarial sample is created by maximizing the model’s loss $\mathcal{L}$ while keeping the perturbation $\delta$ small enough to be imperceptible to humans, e.g., by ensuring $\delta\in\Delta=\{\delta\in\mathbb{R}^{k}:\|\delta\|_{\infty}\leq\varepsilon\}$ for some small $\varepsilon$. In general, the ideal perturbation is given by

where $f$ is the model, $\theta^{*}$ are the model’s optimized parameters after training, and $y$ is the target.

One of the most widely used methods for generating adversarial samples is Projected Gradient Descent (PGD) [30]. PGD iteratively maximizes the model’s prediction error while ensuring that the perturbation remains within a predefined range. This approach has become a standard tool for evaluating the robustness of models to adversarial threats. The perturbed input is determined by

where $\boldsymbol{x}^{t}$ represents the perturbed data at step $t$, $\Pi_{\boldsymbol{x}+S}$ clips the perturbed data into the range of the normalized input set $S$, and $\alpha$ is the step size.

A straightforward strategy to increase the adversarial robustness is adversarial training, where adversarial samples are included in the training set.

The QSVR for semi-supervised AD is described in detail in [4] , and the kernel circuit is displayed in Fig. 1. The first data point $\boldsymbol{x}_{i}$ is encoded by the unitary $U$, followed by its inverse $U^{\dagger}$ encoding the second data point $\boldsymbol{x}_{j}$. The unitary $U$ consists of a layer of RZ gates and a layer of RX gates, followed by a layer of IsingZZ¹¹1https://docs.pennylane.ai/en/stable/code/api/pennylane.IsingZZ.html gates to create entanglement. Each of the single-qubit gates encodes one feature, while the parameter of the IsingZZ gate is a product of two features. The kernel entry $K_{ij}=K_{ji}$ is obtained by measuring the probability of the all-zero state after applying both unitaries.

In the hardware experiments, we used a training set of size 30 from the normal class and a test set of size 50 with equal class ratio, following [4].

The influence of noise on the QSVR for semisupervised AD was evaluated by applying six noise channels with different strengths to the quantum circuit that computes the kernel. The seven noise probabilities used in the experiments are $p\in\{0.01,0.05,0.1,0.2,0.3,0.4,0.5\}$ and the five noise channels are [bitflip, phaseflip, depolarizing, phase damping, amplitude damping]. This leads to a total of $7\cdot 5=35$ models per dataset. For the miscalibration channel, the noise probability $p$ is the overrotation in radians in 20 linear steps between 0 and $2\pi$. For the DoH dataset subject to adversarial attacks of strength $\varepsilon=0.1$, additional evaluations were performed in the region close to $p=\pi$. The noisy QSVR was simulated using PennyLane [33]. We used a training set of size 100 from the normal class and a test set of size 100 with a balanced class ratio.

We created 100 adversarial samples of the test set (50 from each class) using PGD with the parameters listed in Table II. The attacks targeted the noiseless models and were then applied to the noisy models. For adversarial training, we create adversarial samples of the training set and train the model using the adversarial training set of size 100.

Figure 2 compares model performance on eleven datasets using area under the ROC curve (AUC), a commonly used metric in AD that measures the trade-off between the true and false positive rates independent of a detection threshold. An AUC of 1.0 indicates perfect classification of the dataset, and a random classifier achieves an AUC of 0.5 on balanced binary datasets. The datasets include Credit Card Fraud (CC), Census, Forest Cover Type (CoverT), Domain Name System over HTTPS (DoH), EMNIST, Fashion MNIST (FMNIST), Network Intrusion (KDD), MNIST, Mammography (Mammo), URL, and our constructed dataset Toy. The models included in the study are qc-QSVR (ours), QSVR, QAE, CSVR, and CAE. The average performance of each model across all datasets is represented by a dotted line, while the bars indicate the models’ performance on individual datasets.

On average, our qc-QSVR exhibits an AUC decrease of 0.04 compared to the simulated QSVR. In 8 out of 11 datasets, the simulated model outperforms the qc-QSVR, with the performance gap explained by hardware noise. On the DoH datasets, both models perform identically, while on the CC and KDD datasets, the qc-QSVR surprisingly outperforms its simulated counterpart. On these two datasets, hardware-induced noise appears to enhance model performance, an effect we attribute to improved generalization. Specifically, the perturbations introduced by the noisy gates mimic the corruptions applied in denoising autoencoders, a technique shown to yield superior generalization compared to standard autoencoders [34]. Our results are consistent with those of other authors who observe that noise can improve the performance of QML models under certain circumstances [35, 36].

The hardware results show that noise in NISQ devices affects the performance of QSVR. Therefore, in this section, we examine the influence of six noise channels on the QSVR based on the performance on eleven datasets. Figure 3 shows the AUC of noisy simulations with the noise channels described in Section II-B as well as the influence of adversarial attacks of strength $\varepsilon=0.1$ on the noisy simulations. The model’s robustness against noise is now analyzed, and the adversarial robustness is investigated in Section IV-C. The QSVR is largely robust against depolarizing, phase damping, phaseflip , and bitflip noise, as the AUC for these noise types remains rather stable with increasing noise probability. A theoretical analysis of the robustness of quantum classifiers done by LaRose and Coyle [37] proves that single-qubit classifiers are robust against precisely these noise channels. Taking into account the findings of Schuld [1] that many short-term and fault-tolerant quantum models can be replaced by a general support vector machine whose kernel computes distances between data-encoding quantum states, we expect these results to transfer to our QSVR.

Amplitude damping has a large effect on the model’s behavior as the AUC decreases for all datasets except CoverT and URL at $p=0.1$ and $p=0.2$. At higher $p$, the AUC partially recovers, approaching 0.5. This shows that the QSVR is very sensitive to amplitude damping , and at high noise levels the model becomes a random classifier. These results are also supported by LaRose and Coyle’s [37] analysis, who found that quantum classifiers are generally not robust against amplitude damping noise.

The curves of the models subject to miscalibration noise show a periodicity of approximately $\pi$, with dips at about $k\pi$ for $k=0,1,2$, and plateaus in between. Small levels of miscalibration degrade the performance of the model, but when the noise level is above about $0.25\pi$ , the AUC reaches a plateau at a level similar to the one for zero noise until the curve dips again around $p=\pi$. We conclude that small degrees of miscalibration reduce model performance, and that this type of noise should be avoided in hardware.

AD is often used in security-critical areas such as credit card fraud detection or network intrusion detection. Therefore, ML models used for AD must be robust to adversarial attacks. For low-dimensional, tabular data sets, it is possible that a sample can be completely and effectively transformed into a sample of a different class at high attack strengths. In these cases, the effect on the AUC may be exaggerated and should be interpreted only as an upper bound on the performance drop.