Adversarial Attack Defense Method for a Continuous-Variable Quantum Key Distribution System Based on Kernel Robust Manifold Non-Negative Matrix Factorization

Machine learning has been applied in continuous-variable quantum key distribution (CVQKD) systems to address the growing threat of quantum hacking attacks. However, the use of machine learning algorithms for detecting these attacks has uncovered a vulnerability to adversarial disturbances that can compromise security. By subtly perturbing the detection networks used in CVQKD, significant misclassifications can occur. To address this issue, we utilize an adversarial sample defense method based on non-negative matrix factorization (NMF), considering the nonlinearity and high-dimensional nature of CVQKD data. Specifically, we employ the Kernel Robust Manifold Non-negative Matrix Factorization (KRMNMF) algorithm to reconstruct input samples, reducing the impact of adversarial perturbations. Firstly, we extract attack features against CVQKD by considering the adversary known as Eve. Then, we design an Artificial Neural Network (ANN) detection model to identify these attacks. Next, we introduce adversarial perturbations into the data generated by Eve. Finally, we use the KRMNMF decomposition to extract features from CVQKD data and mitigate the influence of adversarial perturbations through reconstruction. Experimental results demonstrate that the application of KRMNMF can effectively defend against adversarial attacks to a certain extent. The accuracy of KRMNMF surpasses the commonly used Comdefend method by 32.2% and the JPEG method by 30.8%. Moreover, it exhibits an improvement of 20.8% compared to NMF and outperforms other NMF-related algorithms in terms of classification accuracy. Moreover, it can complement other defense strategies, thus enhancing the overall defensive capabilities of CVQKD systems.


Introduction
Driven by advancements in quantum secure communication technology, Quantum Key Distribution (QKD) has experienced widespread application and development [1]. QKD enables secure communication between two remote parties, Alice and Bob, in an untrusted execution environment by transmitting quantum states that are resistant to eavesdropping from Eve [2]. Leveraging the principles of quantum mechanics, QKD provides information-theoretic security to the legitimate communication parties [3]. However, achieving unconditional security depends on flawless device operation within a perfect model. In reality, deviations between theoretical and actual QKD implementations create opportunities for Eve to intercept information from the legitimate parties. Attacks such as wavelength attacks [4], local oscillator (LO) strength attacks [5], calibration attacks [6], and saturation attacks [7] have been observed in protocols like Gaussian-modulated coherent state (GMCS) Continuous Variable Quantum Key Distribution (CVQKD). Traditional defense strategies involve real-time monitoring modules or measurement devices, that the nonlinear and non-stationary characteristics of CVQKD signal data and addresses these issues by incorporating KRMNMF and leveraging manifold learning theory to capture the geometric structure of the feature space. This algorithm exhibits strong feature extraction capabilities compared to traditional methods. By reconstructing the samples using this algorithm, the influence of adversarial perturbations is minimized, leading to accurate classification by the CVQKD neural network model and effective adversarial defense. By employing our strategy, CVQKD network models can effectively defend against adversarial samples in real-time across various physical scenarios. Consequently, implementers of our approach can assert with confidence that they have enhanced overall security against potential attacks from adversarial samples. 
This paper is organized as follows: In Section 2, we first summarize the principle of the CVQKD system and then demonstrate the impact of adversarial attacks on CVQKD attack detection networks. In Section 3, we introduce the proposed KRMNMF algorithm. In Section 4, we provide a detailed description of the defense framework and the experimental setup to demonstrate the effectiveness of our method. Finally, a brief conclusion is given in Section 5.

Principle and System Description of CVQKD
The security of Quantum Key Distribution (QKD) protocols relies on Heisenberg's uncertainty principle and the quantum no-cloning theorem, allowing the exchange of unconditionally secure keys for communication [2]. In QKD, Alice and Bob are the two communicating parties, utilizing quantum information carriers such as single photons or photon beams [4]. However, the presence of an eavesdropper, referred to as Eve, introduces interference. This interference is detected by Alice and Bob, who abort the communication to ensure information security. While discrete-variable QKD relies on single photons to encode information, continuous-variable QKD (CVQKD) utilizes continuous quantum variables of the electromagnetic field, such as the quadratures of optical field modes, to carry information. Both are prepare-and-measure techniques; the key difference is the variable used to encode the key. CVQKD has the advantage of integrating with existing optical fiber networks and shows significant potential for further development. Figure 1 illustrates the schematic of a typical CVQKD system that employs the Gaussian-modulated coherent state (GMCS) CVQKD protocol with homodyne detection. Initially, Alice generates coherent light pulses with a wavelength of 1550 nanometers using a telecom diode [22]. These pulses are split into a weak signal and a strong local oscillator (LO) by a beam splitter. Random modulation, using phase and amplitude modulators, is applied to the signal pulses so that they follow a Gaussian distribution characterized by a variance V_0 N_0. The signal pulses and the LO are polarization multiplexed using a polarizing beam splitter. Subsequently, Alice transmits the modulated pulses to Bob through a quantum channel that may be susceptible to eavesdropping attempts by Eve.
Importantly, Eve may launch both common CVQKD attacks and adversarial attacks simultaneously during the transmission process. Upon reaching Bob's end, the signal pulses and the LO are separated by Bob using a polarizing beam splitter, and homodyne detection is performed. Moreover, within Bob's signal path, a fraction of the signal pulses undergo random attenuation to facilitate the timely measurement of shot noise, while the remaining pulses remain unattenuated. A fraction of the LO pulses is also split off for monitoring the LO power and generating the clock. By incorporating a phase modulator in the LO path, Bob can select the quadrature to be detected by randomly adjusting the measurement phase. Ultimately, the obtained measurement results are forwarded to the data processing center for sampling and the detection of potential attacks. Thus, two related data strings, x = [x_1, x_2, ..., x_n] and y = [y_1, y_2, ..., y_n], are obtained by Alice and Bob; we found the following [23]: where the quadrature values X_A and P_A have variance V_0 N_0, T represents the quantum channel transmittance, κ denotes the efficiency of the homodyne detector, v_{el} represents the electronic noise coefficient of the detector, and ξ is the technical excess noise of the system. We mainly consider four common attack strategies in CVQKD systems: the calibration attack, the LO intensity attack, the saturation attack, and the hybrid attack. In an actual CVQKD system, these four attacks affect different characteristics, such as the intensity I_{LO} of the LO pulses and the shot noise variance N_0. The feature vectors collected by the CVQKD system under the four attacks are highly nonlinear, and the same-event correlation is high, so deep learning models are well suited to signal diagnosis.
The objective of the deep learning model in CVQKD is to obtain an output vector ⃗ from the input vector ⃗ by meticulously designing a function : ⃗ → ⃗ , which is constructed from a training set train = ( ⃗, ⃗), ( ⃗, ⃗), ( ⃗, ⃗), …

Adversarial Attacks in CVQKD
The defense method for CVQKD is based on deep learning: deep learning models are employed to identify and analyze the attack characteristics of an eavesdropper (referred to as Eve) within the CVQKD system. This approach facilitates the classification of Eve's attacks and enables the selection of targeted defensive measures to mitigate them. However, deep learning techniques are vulnerable to the interference of adversarial samples during both training and testing. Such samples can cause significant deviations in the predictions of the neural network, even though the differences between them and the original samples are imperceptible to the human eye. For instance, in image classification, an attacker can introduce subtle but specific perturbations to clean samples, causing them to be misclassified by otherwise well-performing neural network models.
The proliferation of adversarial attacks presents significant security challenges for artificial intelligence (AI) systems. These attacks have also permeated the realm of physical applications, resulting in severe consequences. In the context of CVQKD networks, the examination of adversarial samples is essential to ensure their security. Regarding CVQKD systems, it has been observed that they are susceptible to adversarial disturbances due to the inherent vulnerability of quantum devices to adversarial attacks. This vulnerability is influenced by the following factors:
1. Nonlinear Nature of Quantum Measurements: CVQKD systems rely on quantum measurements which introduce nonlinearity in the detection process. Adversarial disturbances can exploit this nonlinearity to manipulate the measurement outcomes and compromise the security of the system.
2. Sensitivity to Measurement Conditions: CVQKD systems are sensitive to measurement conditions such as the intensity of local oscillator (LO) pulses and shot noise variance. Adversaries can manipulate these conditions to introduce additional noise or alter the statistical properties of the measurement results, leading to compromised key distribution.
3. Imperfections in Quantum Devices: The quantum devices used in CVQKD systems, such as homodyne detectors, suffer from imperfections like electronic noise and technical excess noise. Adversarial attacks can exploit these imperfections to inject additional noise or modify the measurement outcomes.
We further demonstrate the vulnerability of quantum devices to adversarial perturbations in Appendix A.
Notably, several classical and advanced adversarial attack methods have been identified, including the fast gradient sign method (FGSM) [24], the basic iterative method (BIM) [25], projected gradient descent (PGD) [26], the query-efficient boundary-based black-box attack (QEBA) [27], physical perturbations (RP2) [28], and adversarial camouflage (AdvCam). These attack methods are summarized in Table 1. Adversarial attacks also pose a threat to quantum communication systems, particularly due to system linearization. For instance, adversarial samples created by Eve can potentially deceive pretrained attack classification models, rendering traditional CVQKD defense methods ineffective. To assess the performance of adversarial attacks, we utilize a trained classifier and adopt the FGSM method. Figure 2 shows the confusion matrices of artificial neural networks (ANN) for CVQKD attack detection and classification [29]. Under normal circumstances, the ANN can effectively distinguish between normal signals and the four types of attacks. However, introducing an adversarial perturbation of 0.3 into the communication channel using FGSM significantly decreases the classification accuracy of the system.

Methods
In this paper, a reconstruction method based on the NMF algorithm that uses neural network classifiers as a basis is proposed to defend against adversarial attacks in the field of CVQKD. The transmission in CVQKD is often high-dimensional, non-linear, and noisy. By using the dimension reduction property of the NMF algorithm, the influence of perturbations in adversarial samples can be reduced. In the process of decomposing the original matrix X using NMF, the goal is to find two non-negative low-rank matrices, the basis matrix W and the coefficient matrix H, so that X ≈ WH. In this decomposition process, the adversarial perturbations are minimized. Therefore, by using the approximation error before and after matrix decomposition, some imperceptible adversarial perturbations can be eliminated, and the reconstructed samples can reduce the influence of adversarial perturbations.
Based on this, the loss function of the NMF algorithm is selected according to the data type and application scenario. Due to the non-linear and non-stationary nature of CVQKD data and the presence of noise that affects the decomposition results, this paper proposes the Kernel Robust Manifold Non-negative Matrix Factorization (KRMNMF) method, which extracts the non-linear features in the data using a kernel function. The L_{2,1} norm is used in the objective function to reduce the impact of noise in the data. A graph regularization term is also employed to capture the geometric structure of the feature space, achieving superior adversarial defense results.
The objective of NMF is to decompose a high-dimensional non-negative matrix X ∈ R_+^{m×n} into two non-negative low-rank matrices, W ∈ R_+^{m×k} and H ∈ R_+^{k×n}, so that the product of these two matrices approximates the original matrix as closely as possible. This can be formally expressed as follows: where X = [x_1, ..., x_n] represents the original data matrix, W = [w_1, ..., w_k] denotes the basis matrix, H = [h_1, ..., h_n] represents the coefficient matrix, and k ≪ m. The standard NMF uses the Euclidean distance as its loss function, which can be expressed as follows: where ‖·‖_F represents the Frobenius norm of a matrix. Robust Non-negative Matrix Factorization (RNMF) employs the L_{2,1} norm to calculate the error, thereby reducing the influence of outliers with large errors and enhancing robustness. The objective function of RNMF can be formulated as follows: The L_{2,1} norm is defined as where ‖·‖_{2,1} refers to the L_{2,1} norm and x_i represents the i-th column vector of X.
Based on the theory of manifold learning [30], manifold regularization can reduce the complexity of data in high-dimensional space while preserving the proximity relationship between neighboring data points in the low-dimensional manifold space. This implies that it is beneficial for dimensionality reduction and feature selection in the low-dimensional manifold space. By projecting the data onto the low-dimensional manifold space, we can reduce the dimensionality of the data and retain the important information that reaches these low-dimensional spaces. Through manifold regularization, it is possible to differentiate adversarial perturbation information, which helps eliminate adversarial perturbation in reconstruction.
The objective function of KRMNMF is defined as follows: where X ∈ R_+^{m×n}, W ∈ R_+^{m×k}, H ∈ R_+^{k×n}, φ is the Gaussian kernel mapping x_i → φ(x_i), with x_i the i-th sample point in the original data space X, i.e., X → φ(X); λ is a non-negative regularization parameter, Tr(·) denotes the trace of a matrix, and L is the Laplacian matrix defined as The objective function of KRMNMF is not jointly convex in F and H; however, it is convex in each variable when the others are fixed. In this paper, the Lagrangian multiplier method is adopted to solve the problem. The equivalent form of the objective function is as follows: where D is a diagonal matrix that satisfies where I represents the identity matrix. Equation (7) is equivalent to Let Ψ and Ω be the Lagrange multipliers for F and H, respectively. The Lagrangian function of the objective is then given by the following: Taking partial derivatives with respect to F and H, respectively, yields the following: From the Karush-Kuhn-Tucker (KKT) conditions, Ψ_{nk} F_{nk} = 0 and Ω_{kn} H_{kn} = 0, it follows that Based on the above analysis, the update rules for F and H are obtained as follows: In summary, we have obtained the KRMNMF algorithm (shown as Algorithm 1).

Experiments
Despite the extensive application of non-negative matrix factorization (NMF) algorithms in various domains, they have not been combined with adversarial sample defense. This section introduces the parameter selection and comparative experiments of the KRMNMF algorithm in defending CVQKD against adversarial attacks. The experimental environment included an AMD RYZEN 8 processor (Advanced Micro Devices, Santa Clara, CA, USA), MATLAB 2022b, and an RTX 3080 graphics card (Nvidia, Santa Clara, CA, USA). The experimental framework can be divided into the following four steps. Firstly, CVQKD datasets under different attacks by Eve are generated [9]. Secondly, a classifier, in this case an ANN classifier, is trained on the clean datasets to achieve high recognition accuracy for clean samples. Next, the FGSM algorithm is used to transform clean samples into adversarial samples, which are fed into the classifier, resulting in a significant decrease in the classifier's recognition accuracy. Finally, the KRMNMF algorithm is used to reconstruct each adversarial sample, and the reconstructed samples are fed into the classifier to calculate the classification accuracy, quantifying the defense effect. The specific defense process is illustrated in Figure 3.
The parameter variables involved in the KRMNMF algorithm mainly include the choice of kernel function, the number of nearest neighbor samples used to build the edge adjacency matrix (W), denoted a, the regularization parameter (λ), and the dimensionality of the decomposition matrix (k). In this study, the impact of the other parameters on the KRMNMF algorithm was compared with a polynomial kernel function chosen. Ultimately, a was set to 3, λ to 1, and k to 25, which resulted in better performance for the KRMNMF algorithm.
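The four-step framework above, together with the NMF reconstruction defense of the Methods section, as an added example written for this page (not the authors' MATLAB implementation). It assumes constructed non-negative feature vectors in place of CVQKD measurements, a small random-feature network as a stand-in for the ANN detector, FGSM as the attack, and a linear L2,1 + graph-regularized NMF whose multiplicative updates are derived here from that objective; the kernel mapping and the paper's own update rules are not reproduced.

```python
# Added example, not the paper's code: NMF reconstruction as adversarial purification for a
# CVQKD attack classifier. KRMNMF stand-in: L2,1 loss + graph term, no kernel; the data,
# the classifier and the update rules are assumptions made for this illustration.
import numpy as np

rng = np.random.default_rng(0)
N_CLASSES, N_FEATURES, RANK = 3, 16, 3
# Constructed prototypes (normal, LO-intensity attack, saturation attack); each feature
# stands for a monitored quantity such as I_LO, N_0 or excess noise in one time window.
PROTOTYPES = rng.uniform(0.2, 1.5, (N_CLASSES, N_FEATURES))

def make_dataset(n_per_class):
    """Non-negative samples: mostly their own prototype plus slight leakage and noise."""
    X, y = [], []
    for c in range(N_CLASSES):
        mix = rng.uniform(0.0, 0.15, (n_per_class, N_CLASSES))
        mix[:, c] = 1.0
        x = (mix / mix.sum(1, keepdims=True)) @ PROTOTYPES
        x *= rng.uniform(0.95, 1.05, (n_per_class, 1))
        X.append(np.clip(x + rng.normal(0, 0.01, x.shape), 0, None))
        y += [c] * n_per_class
    return np.vstack(X), np.array(y)

def l21_norm(X):
    """L2,1 norm: sum over columns of each column's Euclidean norm."""
    return float(np.sqrt((np.asarray(X, float) ** 2).sum(0)).sum())

def knn_adjacency(X, a=3):
    """Symmetrised a-nearest-neighbour graph over the samples (columns of X)."""
    d = ((X.T[:, None, :] - X.T[None, :, :]) ** 2).sum(-1)
    np.fill_diagonal(d, np.inf)
    A = (d <= np.sort(d, 1)[:, a - 1:a]).astype(float)
    return np.maximum(A, A.T)

def robust_graph_nmf(X, k, A, lam=0.1, iters=500, eps=1e-9):
    """Multiplicative updates for min sum_i ||x_i - W h_i||_2 + lam*Tr(H L H^T), W,H >= 0,
    L = Dg - A. Derived here from that objective, not the paper's kernelised rules."""
    W, H = rng.random((X.shape[0], k)), rng.random((k, X.shape[1]))
    Dg, losses = np.diag(A.sum(1)), []
    for _ in range(iters):
        R = X - W @ H
        d = 1.0 / np.maximum(np.sqrt((R ** 2).sum(0)), eps)       # L2,1 column weights
        losses.append(l21_norm(R) + lam * np.trace(H @ (Dg - A) @ H.T))
        W *= (X * d) @ H.T / (W @ (H * d) @ H.T + eps)
        H *= (W.T @ (X * d) + lam * H @ A) / (W.T @ W @ (H * d) + lam * H @ Dg + eps)
    return W, H, losses

def purify(W, X, iters=300, eps=1e-9):
    """Defense step: reconstruct each column of X as W h, h >= 0 (projection onto the cone
    learned from clean data); perturbation energy outside that manifold is discarded."""
    H, WtW, WtX = np.ones((W.shape[1], X.shape[1])), W.T @ W, W.T @ X
    for _ in range(iters):                 # NNLS multiplicative updates, W fixed
        H *= WtX / (WtW @ H + eps)
    return W @ H

def softmax(Z):
    E = np.exp(Z - Z.max(1, keepdims=True))
    return E / E.sum(1, keepdims=True)

def train_classifier(X, y, hidden=32, epochs=600, lr=0.5):
    """Random tanh hidden layer + trained softmax output: assumed stand-in for the ANN."""
    W1, b1 = rng.normal(scale=0.5, size=(X.shape[1], hidden)), rng.normal(size=hidden)
    W2, Y, Hd = np.zeros((hidden, N_CLASSES)), np.eye(N_CLASSES)[y], np.tanh(X @ W1 + b1)
    for _ in range(epochs):
        W2 -= lr * Hd.T @ (softmax(Hd @ W2) - Y) / len(X)
    return W1, b1, W2

def predict(model, X):
    W1, b1, W2 = model
    return (np.tanh(X @ W1 + b1) @ W2).argmax(1)

def fgsm(model, X, y, eps):
    """FGSM: x_adv = x + eps * sign(d CE-loss / d x), clipped so features stay non-negative."""
    W1, b1, W2 = model
    Hd = np.tanh(X @ W1 + b1)
    G = ((softmax(Hd @ W2) - np.eye(N_CLASSES)[y]) @ W2.T * (1 - Hd ** 2)) @ W1.T
    return np.clip(X + eps * np.sign(G), 0, None)

def run_demo(eps=0.2):
    """The four steps: clean data -> train classifier -> FGSM samples -> purify and re-test."""
    (Xtr, ytr), (Xte, yte) = make_dataset(60), make_dataset(30)
    model = train_classifier(Xtr, ytr)
    W, _, losses = robust_graph_nmf(Xtr.T, RANK, knn_adjacency(Xtr.T))  # basis from clean data
    Xadv = fgsm(model, Xte, yte, eps)
    Xdef = purify(W, Xadv.T).T
    acc = lambda X: float((predict(model, X) == yte).mean())
    dist = lambda X: float(np.linalg.norm(X - Xte, axis=1).mean())   # mean distance to clean
    return {"acc_clean": acc(Xte), "acc_adv": acc(Xadv), "acc_defended": acc(Xdef),
            "dist_before": dist(Xadv), "dist_after": dist(Xdef),
            "loss_init": losses[0], "loss_final": losses[-1]}
if __name__ == "__main__": print(run_demo())
```

The dist_after/dist_before ratio shows that reconstruction removes only the part of the perturbation lying off the learned manifold; the remainder is the component FGSM placed inside it, which is why the paper's recovery is partial and why it pairs KRMNMF with other defenses.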
To validate the defense effectiveness of the KRMNMF algorithm against adversarial attacks in the CVQKD system, we conducted comparative experiments on the classification performance of the ANN model before and after adding the adversarial defense. In these experiments, the QEBA attack strength was set to 0.1. As shown in Figure 4, the comparative defense models selected were JPEG [31] and ComDefend [32]. The experiments were conducted using the open-source code and the best parameter settings provided in the corresponding literature. The comparison results presented in Table 2 indicate that the defense scheme proposed in this paper performs very well in the CVQKD system: the classification accuracy under adversarial perturbation achieved by our defense scheme surpasses that of the comparative methods. For instance, KRMNMF defense alone achieves an average classification accuracy of 71.6%, much better than the 39.4% achieved by ComDefend defense and the 40.8% achieved by JPEG defense. Combining KRMNMF with JPEG defense or ComDefend defense raises the accuracy to 78.8% and 79.5%, respectively, which outperforms the other methods in terms of classification accuracy under adversarial perturbation. It can thus be observed that our approach offers significant advantages in filtering adversarial attacks, making it a highly effective defense strategy for the CVQKD system. It is worth noting that the KRMNMF method can be flexibly combined with other algorithms, and it achieves better results when combined with other defense algorithms. This further demonstrates the value of the KRMNMF algorithm.
According to Table 3, the NMF, KNMF, RNMF, GNMF, KRNMF, SNMF, and LNMF algorithms exhibit significant fluctuations in accuracy as the dimensionality changes. Furthermore, our approach demonstrates a significant improvement of 20.8% compared to NMF, surpassing the classification accuracy of the other NMF-related algorithms in our study. Compared with these algorithms, KRMNMF demonstrates higher accuracy, lower dimensionality, and greater stability. This indicates that the KRMNMF algorithm is capable of extracting a smaller number of features to characterize the CVQKD data, resulting in better adversarial sample filtering during reconstruction and thereby improving the defense capability.
Based on the accuracy and dimensionality of the NMF-based algorithms for the adversarial defense of CVQKD data (Table 3), it can be observed that the proposed KRMNMF defense method has the smallest dimensionality and achieves the best defense effectiveness. The defense method proposed in this paper, using the KRMNMF approach, increases the accuracy of CVQKD attack identification from 15.6% to 71.6%, the highest level among the compared methods. Moreover, incorporating KRMNMF defense in conjunction with other methods such as JPEG defense or ComDefend defense further boosts the average classification accuracy to 78.8% and 79.5%, respectively. It is worth noting that there is still room for further improvement in this accuracy, because the quality of adversarial attack generation has a significant impact on the final defense effectiveness. If the adversarial samples differ substantially from the original samples in the feature space, the defense model may have difficulty classifying these adversarial samples accurately. Additionally, the complexity and nonlinearity of the CVQKD dataset also affect the final classification accuracy.
Furthermore, in practical applications, the novel CVQKD adversarial defense strategy provided in this paper can be combined with other defense methods. For instance, the integration of the KRMNMF method with fingerprinting techniques or other defense approaches can further enhance the defensive capability against potential adversarial sample perturbations.

Conclusions
In this paper, we present a defense method against adversarial samples in CVQKD that utilizes the KRMNMF algorithm, which applies non-negative matrix factorization to reconstruct input samples and reduce adversarial perturbations in CVQKD. Our proposed method offers a cutting-edge solution to enhance the robustness of the CVQKD system against adversarial attacks. Recognizing the non-linear and non-stationary nature of CVQKD signal data, we employed the kernel robust manifold approach to address these challenges by mapping samples from different attack strategies to a lower-dimensional space. By incorporating manifold learning theory, we capture the intrinsic geometric structure of the feature space. Our algorithm surpasses conventional feature extraction methods by demonstrating superior capabilities in exploring the features specific to CVQKD. We conducted experimental simulations using an artificial neural network model and compared the results with other methods. The results convincingly illustrate the effectiveness of our approach in detecting and mitigating the impact of adversarial attacks. This comprehensive defense method for CVQKD can also be extended to other machine learning scenarios to counter potential adversarial interference, thus ensuring the security of communication systems.

Data Availability Statement:
The data that support the findings of this study are available from the corresponding author upon reasonable request.

Acknowledgments:
The authors would like to express their thanks to Y. Yan and K. Huang for their pioneering research. Furthermore, we thank the reviewers of this work for their valuable comments and suggestions.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A. The Vulnerability of Quantum Devices to Adversarial Perturbations
To show that quantum devices are easily disturbed by adversarial perturbations, we assume that the quantum device provides a real-valued output v(σ) from the input quantum state σ, obtained by applying a mapping Λ(·) and performing a quantum measurement that extracts the real number Tr[OΛ(σ)], where O is a positive operator-valued measure. Let the adversarial perturbation of the initial state be σ → ρ, where F(σ, ρ) ≥ 1 − δ and δ ≪ 1.