Quantum Machine Learning (QML) systems inherit vulnerabilities from classical machine learning while introducing new attack surfaces rooted in the physical and algorithmic layers of quantum computing. Despite a growing body of research on individual attack vectors - ranging from adversarial poisoning and evasion to circuit-level backdoors, side-channel leakage, and model extraction - these threats are often analyzed in isolation, with unrealistic assumptions about attacker capabilities and system environments. This fragmentation hampers the development of effective, holistic defense strategies.
In this work, we argue that QML security requires more structured modeling of the attack surface, capturing not only individual techniques but also their relationships, prerequisites, and potential impact across the QML pipeline. We propose
adapting kill chain models, widely used in classical IT and cybersecurity, to the quantum machine learning context. Such models allow for structured reasoning about attacker objectives, capabilities, and possible multi-stage attack paths - spanning reconnaissance, initial access, manipulation, persistence, and exfiltration.
Based on extensive literature analysis, we present a detailed taxonomy of QML attack vectors mapped to corresponding stages in a quantum-aware kill chain framework that is inspired by the MITRE ATLAS for classical machine learning. We highlight interdependencies between physical-level threats (like side-channel leakage and crosstalk faults), data and algorithm manipulation (such as poisoning or circuit backdoors), and privacy attacks (including model extraction and training data inference). This work provides a foundation for more realistic threat modeling and proactive security-in-depth design in the emerging field of quantum machine learning.
Introduction
As quantum computers become increasingly powerful, there is great interest in finding applications that offer some sort of advantage over classical computers. One promising field is quantum machine learning (QML), which promises many advantages over conventional methods, attributed to an exponentially larger feature space, parameter efficiency, sample complexity, or even robustness. However, new technologies can also pose risks. It is therefore important to examine the security aspects from the outset and to evaluate how QML methods can be used safely. Questions of how classical development principles (e.g., security by design) can be transferred to quantum computers are therefore of particular interest.
In IT security, it is an established practice to first gain an overview of the available attack surface based on defined protection goals (for example the classical CIA triad: confidentiality, integrity, availability) and assets worth protecting (data, models, reputation), and then to evaluate the associated attacks so that structured defense mechanisms can be developed. The transition to quantum machine learning results in largely the same protection goals and assets, but the attack surface is significantly larger.
One aspect that is often neglected in current literature on adversarial QML, but is an established process in classic IT security, is threat modeling. A threat model that explains typical threat scenarios and assesses the potential impact according to the attacker’s capabilities and resources should be part of any analysis of security aspects of QML. This is the very basis for assessing whether a system is vulnerable and enables better selection and prioritization of defensive measures.
We make the following key contributions:
- We present the first kill chain model tailored to QML, adapting established IT security methodologies to the unique properties of QML pipelines.
- We provide a process model, inspired by classical kill chain models for IT security and ML, that maps known QML attacks to tactics, techniques, impacted components, and required attacker capabilities.
- With this work, we also publish an interactive web application that can be used to explore published adversarial techniques and defenses more conveniently.
- Our model highlights the complex interdependencies between physical quantum hardware vulnerabilities, algorithmic manipulation, and privacy attacks.
- We propose initial mitigation strategies and identify open research challenges for securing QML systems against multi-stage, realistic threat scenarios.
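As an added illustration of the kind of process model described above (this is not code from the paper or from its web application), the following Python sketch encodes a small quantum-aware kill chain: the five stage names come from the text, the technique names are the attack classes the abstract mentions plus one hypothetical initial-access technique, and the assignment of each technique to a stage, its prerequisite attacker capabilities, the capabilities it grants and the protection goals it impacts are my assumptions for illustration, not the paper's taxonomy. Given a starting set of attacker capabilities, it enumerates every feasible multi-stage attack path and the protection goals such a path would touch, which is the kind of structured reasoning a threat model is meant to support.

```python
"""Toy quantum-aware kill chain model (added illustration; the technique-to-stage
mapping, prerequisites and impacts below are assumptions, not the paper's taxonomy)."""
from dataclasses import dataclass

# Stage names as used in the text.
STAGES = ("reconnaissance", "initial_access", "manipulation", "persistence", "exfiltration")


@dataclass(frozen=True)
class Technique:
    name: str
    stage: str
    requires: frozenset   # attacker capabilities needed before this technique is feasible
    impacts: frozenset    # protection goals (CIA) the technique affects
    grants: frozenset = frozenset()  # capabilities the attacker gains on success


# Constructed catalogue. Names come from the abstract except 'cloud_account_takeover',
# a hypothetical placeholder for the initial-access stage, which the abstract names
# but does not populate.
TECHNIQUES = (
    Technique("side_channel_leakage", "reconnaissance",
              requires=frozenset({"co_tenant_hardware"}),
              impacts=frozenset({"confidentiality"}),
              grants=frozenset({"circuit_structure_knowledge"})),
    Technique("cloud_account_takeover", "initial_access",
              requires=frozenset({"leaked_credentials"}),
              impacts=frozenset({"confidentiality"}),
              grants=frozenset({"query_access", "training_data_write"})),
    Technique("training_data_poisoning", "manipulation",
              requires=frozenset({"training_data_write"}),
              impacts=frozenset({"integrity"})),
    Technique("crosstalk_fault_injection", "manipulation",
              requires=frozenset({"co_tenant_hardware"}),
              impacts=frozenset({"integrity", "availability"})),
    Technique("circuit_backdoor", "persistence",
              requires=frozenset({"circuit_write_access"}),
              impacts=frozenset({"integrity"})),
    Technique("model_extraction", "exfiltration",
              requires=frozenset({"query_access"}),
              impacts=frozenset({"confidentiality"})),
    Technique("training_data_inference", "exfiltration",
              requires=frozenset({"query_access"}),
              impacts=frozenset({"confidentiality"})),
)


def attack_paths(techniques, capabilities):
    """Enumerate feasible paths through the kill chain.

    A path picks at most one technique per stage, in stage order (stages may be
    skipped). A technique is feasible only if its prerequisites are covered by the
    attacker's initial capabilities plus everything earlier techniques in the same
    path granted. Returns a list of tuples of technique names (non-empty paths only).
    """
    by_stage = {s: [t for t in techniques if t.stage == s] for s in STAGES}
    paths = []

    def walk(stage_idx, caps, path):
        if stage_idx == len(STAGES):
            if path:
                paths.append(tuple(path))
            return
        walk(stage_idx + 1, caps, path)  # option 1: skip this stage
        for t in by_stage[STAGES[stage_idx]]:  # option 2: use one feasible technique
            if t.requires <= caps:
                walk(stage_idx + 1, caps | t.grants, path + [t.name])

    walk(0, frozenset(capabilities), [])
    return paths


def impact_of(path, techniques):
    """Union of protection goals touched by the techniques in a path."""
    by_name = {t.name: t for t in techniques}
    goals = set()
    for name in path:
        goals |= by_name[name].impacts
    return goals


if __name__ == "__main__":
    # Example: an attacker that only shares physical hardware with the victim.
    for p in attack_paths(TECHNIQUES, {"co_tenant_hardware"}):
        print(" -> ".join(p), "| impacts:", sorted(impact_of(p, TECHNIQUES)))
```

Because prerequisites are checked against capabilities accumulated along the path, the enumeration shows which later-stage techniques become reachable only through an earlier one (here, the exfiltration techniques are unreachable from leaked credentials alone unless the initial-access step succeeds first), which is exactly the interdependency a defender uses to prioritise controls at the earliest stage that cuts the most paths.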
[…]
You can download the full article above.
The article was written in collaboration with authors from the Fraunhofer-Institut für Angewandte und Integrierte Sicherheit (AISEC), Alpine Quantum Technologies (AQT) and the Bundesamt für Sicherheit in der Informationstechnik (BSI).
Written by

Dr Daniel Herr, Quantum Machine Learning Expert
d-fine

Cedric Brügman, Quantum Machine Learning Expert
d-fine

Dr Daniel Ohl de Mello, Quantum Machine Learning Expert
d-fine