Detecting quantum attacks: a machine learning based defense strategy for practical continuous-variable quantum key distribution

The practical security of a continuous-variable quantum key distribution (CVQKD) system is compromised by various attack strategies. The existing countermeasures against these attacks exploit separate real-time monitoring modules, one for each type of attack; they depend significantly on the accuracy of the estimated excess noise and lack a universal defense method. In this paper, we propose a defense strategy for CVQKD systems that addresses these disadvantages and resists most of the known attack types. We investigate several features of the pulses that are affected by different types of attacks, derive a feature vector based on these features as the input of an artificial neural network (ANN) model, and show the training and testing process of the ANN model for attack detection and classification. Simulation results show that the proposed scheme can effectively detect most of the known attacks at the cost of sacrificing a small fraction of the secret keys and transmission distance. It establishes a universal attack detection model by simply monitoring several features of the pulses, without knowing the exact type of attack in advance.


Introduction
Quantum key distribution (QKD) [1] is one of the most important applications of quantum technologies: it enables two distant parties, Alice and Bob, to exchange secret keys in an untrusted environment without being eavesdropped on by an eavesdropper, Eve. Its theoretical unconditional security is guaranteed by the fundamental laws of quantum mechanics [2,3], but this guarantee rests on the assumption that Alice and Bob's devices behave according to a perfect model. In practice, there are deviations between these idealized assumptions and real QKD implementations; such deviations may open loopholes and enable Eve to break the security by stealing information from the legitimate parties [4][5][6].
According to the implementation method, QKD can be divided into two types: discrete-variable (DV) QKD [7,8] and continuous-variable (CV) QKD [9][10][11]. Compared with DVQKD, CVQKD has a higher secret key rate and better compatibility with current optical networks [12]. The Gaussian modulated coherent state (GMCS) protocol is the most popular CVQKD scheme [13,14], and has been proven theoretically secure against collective attacks [15][16][17]. However, the security of practical GMCS CVQKD can be broken by practical attack strategies such as Trojan-horse attacks [18,19], wavelength attacks [20,21], calibration attacks [22], local oscillator (LO) intensity attacks [23], saturation attacks [24], and homodyne-detector-blinding attacks [25]. The main idea of these attacks is to exploit the imperfections of optical devices to bias the excess noise estimation, and the essence of the corresponding countermeasures is to add suitable real-time monitoring modules to the system, which depend significantly on the accuracy of the estimated excess noise.

Machine learning for automatic attack classification

Feature extraction of optical pulses
In a GMCS CVQKD protocol, Alice prepares a train of coherent states |X_A + iP_A⟩, where the quadrature values X_A and P_A follow a bivariate Gaussian distribution with variance V_A N_0. Here N_0 represents the shot noise variance, which corresponds to the variance of the homodyne detector output when the input signals are vacuum states. Alice then sends the prepared states to Bob together with a strong LO of intensity I_LO by using the polarization multiplexing technique. The receiver Bob measures one of the quadratures of the signal states by performing homodyne detection, with the LO as a phase reference. After this process, Alice and Bob obtain two strings of correlated data x = {x_1, x_2, ..., x_N} and y = {y_1, y_2, ..., y_N}, where x represents the quadrature value modulated by Alice (X_A or P_A) and y represents the quadrature value measured by Bob (X_B or P_B). We note that y = √(ηT) x + z, where T and η are the quantum channel transmittance and the efficiency of the homodyne detector, respectively, and z is a centered Gaussian noise term. V_el = v_el N_0 is the detector's electronic noise and ξ = εN_0 is the technical excess noise of the system. In a practical CVQKD system, several features can be affected by different attack strategies, such as the intensity I_LO of the LO, the shot noise variance N_0, and the mean value ȳ and variance V_y of Bob's measurements. Table 1 shows the impacts of the different attack strategies on these measurable features. We find that the first four types of attacks affect different features. Although the last attack strategy and the saturation attack act on the same features, they have different degrees of impact (more details can be found in appendix A). Therefore, learning the variation of these features can help to detect and classify the different attacks. Figure 1 shows the schematic diagram of Bob's detection setup, which is used for simultaneously measuring the features mentioned above. Firstly, the signal and LO pulses are demultiplexed by using a PBS.
Then, an AM in the signal path randomly applies the maximum attenuation to 10% of the pulses for real-time shot-noise estimation, while the remaining signal pulses are not attenuated. Meanwhile, the LO pulses are split by a 90 : 10 beam splitter; part of them are used for homodyne detection and part for power monitoring and clock generation. After that, the analog measurement results are fed into the DPC for sampling and attack detection. We assume that Bob receives N pulses in a communication process and that these pulses can be divided into M blocks. For each block, we can calculate the mean and variance of the measurements, the average LO power, and the shot noise variance. In this way, a feature vector u = {ȳ, V_y, I_LO, N_0} is obtained for each block. According to the universal approximation theorem, a neural network can approximate any bounded continuous function on a given domain arbitrarily well [28]. This suggests that a neural network can fully learn the behaviours of the attacks from the established feature vectors. It is worth noting that although there may be errors between the feature values of each block and those of the whole data set, the neural network can still use them to distinguish attacks, because these errors also differ under different attacks.
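The block-wise feature extraction described above can be sketched as follows (a minimal illustration; the function name and array layout are our own, and the shot-noise probe pulses are identified by an attenuation mask):

```python
import numpy as np

def extract_features(y, lo_power, atten_mask, M):
    """Split a run of N pulses into M blocks and compute, per block,
    the mean and variance of Bob's quadrature measurements, the average
    LO power, and the shot-noise variance estimated from the strongly
    attenuated (vacuum-like) pulses.  Returns an (M, 4) array."""
    feats = []
    for yb, pb, mb in zip(np.array_split(y, M),
                          np.array_split(lo_power, M),
                          np.array_split(atten_mask, M)):
        signal = yb[~mb]   # unattenuated pulses: quadrature data
        vacuum = yb[mb]    # maximally attenuated pulses: shot-noise probe
        feats.append([signal.mean(),   # block mean  \bar{y}
                      signal.var(),    # block variance V_y
                      pb.mean(),       # average LO power I_LO
                      vacuum.var()])   # shot-noise estimate N_0
    return np.array(feats)
```

With N = 10^7 pulses and Q = 10^4 pulses per block, this yields the M = 1000 feature vectors per data set used later in the training stage.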

Artificial neural network establishment for attack classification
In this section, we introduce how to establish the ANN attack detection model based on the feature vectors. The ANN is a popular machine learning technique inspired by the biological neural networks in the human brain [29]. As shown in figure 2, an ANN consists of several layers, each containing many neurons; each neuron processes the inputs it receives from the neurons in the previous layer and passes a weighted output to the next layer. Our target is to derive an output vector v from the input vector u by constructing a classifier, represented by a function f : u → v. The classifier is constructed through multiple training iterations on a training set. In our scheme, the input vector u consists of the features listed in table 1, and the output vector v consists of a set of probability values representing the probability that the current input data belongs to each attack type. Figure 2(a) is a linear ANN model without hidden layers, which can only solve linearly separable problems. In order to make the model applicable to distinguishing different types of attacks, we add a hidden layer between the input layer and the output layer, and further construct a nonlinear ANN multi-classifier by using a softmax function. The number of neurons in the hidden layer can be adjusted for optimal performance. Figure 2(b) shows the nonlinear ANN multi-classifier, which contains three layers: the input layer, the hidden layer and the softmax layer (output layer). Each neuron in the current layer is a linear combination of the neurons in the previous layer with weights ω and biases b. For example, the relationship between the input layer and the hidden layer is expressed as v_j^h = σ_tanH(Σ_i ω_ij^h u_i + b_j^h), where v_j^h is the jth output of the hidden layer, u_i is the ith element of the input vector u, b_j^h is the jth bias unit of the hidden layer, and ω_ij^h is the weight between the ith element of the input layer and the jth element of the hidden layer, which is iteratively optimized in the training process.
σ_tanH is the activation function, defined as [30,31] σ_tanH(x) = (e^x − e^−x)/(e^x + e^−x). In a similar manner, the relationship between the hidden layer and the output layer is obtained as v_j^o = σ_S(Σ_i ω_ij^o v_i^h + b_j^o), where σ_S is the softmax function, given by σ_S(z_j) = e^{z_j}/Σ_{k=1}^6 e^{z_k}; ω_ij^o is the weight between the ith element of the hidden layer and the jth element of the output layer, b_j^o is the jth bias unit of the output layer, and v_j^o is the jth element of the output layer, with the outputs summing to one, Σ_{j=1}^6 v_j^o = 1. The final output v of the ANN model thus consists of six probability values, which represent the probability that the vector u belongs to each class. In the training process, the back-propagation algorithm is used to quickly compute the partial derivatives of the objective function with respect to the internal weights of the network [32], and the weights are adjusted accordingly by using the stochastic gradient descent optimization algorithm [33]. Finally, an ANN model that matches the target output is learned by minimizing the objective function −log v_j^o when the target class is j.
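The forward pass of this three-layer classifier (tanh hidden layer followed by a softmax output layer) can be sketched in a few lines (an illustrative implementation with our own function names, not the authors' Matlab code):

```python
import numpy as np

def softmax(z):
    """Softmax with the usual max-shift for numerical stability."""
    e = np.exp(z - z.max())
    return e / e.sum()

def ann_forward(u, W_h, b_h, W_o, b_o):
    """Forward pass of the nonlinear multi-classifier: a tanh hidden
    layer followed by a softmax output layer.  The returned vector
    contains the six class probabilities, which sum to one."""
    v_h = np.tanh(W_h @ u + b_h)    # hidden layer: v^h_j
    v_o = softmax(W_o @ v_h + b_o)  # output layer: v^o_j
    return v_o
```

For the feature vectors above, u has 4 elements, the hidden layer has n_e (e.g. 15) neurons, and the output has 6 entries, one per class. Training these weights with back-propagation and stochastic gradient descent is left to the framework.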

Training and testing process
According to the data preparation process described in appendix A, we generate six sets of data as training data Y_train = {y_normal, y_LOIA, y_calib, y_sat, y_hyb1, y_hyb2} and preprocess them by division into blocks and feature vector extraction, as shown in figure 3. Subsequently, the collected feature vectors, labeled by the category of the data set, are fed into the ANN trainer to learn the characteristics of the different attack strategies. In a similar way, we generate another six sets of data as testing data Y_test = {y_normal, y_LOIA, y_calib, y_sat, y_hyb1, y_hyb2} and preprocess them. The resulting feature vectors are directly input into the trained ANN classifier to check the performance of attack classification. In our experiments, precision, recall, false positive rate (FPR) and false negative rate (FNR) are selected as the evaluation metrics, which can be expressed as precision = TP/(TP + FP), recall = TP/(TP + FN), FPR = FP/(FP + TN), and FNR = FN/(FN + TP), where TP (true positive) denotes the number of feature vectors that belong to a certain attack type and are identified as that attack, FP (false positive) the number that do not belong to that attack type but are identified as it, FN (false negative) the number that belong to that attack type but are not identified as it, and TN (true negative) the number that do not belong to that attack type and are not identified as it. In general, a good ANN classifier achieves high values of precision and recall and low values of FPR and FNR. In the testing stage, the 'one vs others' method is employed to evaluate the performance of the classifier.
For example, when calculating the precision of detecting LO intensity attack, the LO intensity attack-related feature vectors are considered as positive instances, while the other five types of vectors are considered as negative instances, which simplifies the multi-class problem to a binary-class problem.
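The four metrics and the 'one vs others' reduction can be computed as follows (a small self-contained sketch with hypothetical class labels):

```python
def one_vs_rest_metrics(y_true, y_pred, positive):
    """Precision, recall, FPR and FNR for one attack class treated as
    the positive class and all other classes pooled as negative."""
    tp = sum(t == positive and p == positive for t, p in zip(y_true, y_pred))
    fp = sum(t != positive and p == positive for t, p in zip(y_true, y_pred))
    fn = sum(t == positive and p != positive for t, p in zip(y_true, y_pred))
    tn = sum(t != positive and p != positive for t, p in zip(y_true, y_pred))
    precision = tp / (tp + fp)
    recall    = tp / (tp + fn)
    fpr       = fp / (fp + tn)
    fnr       = fn / (fn + tp)
    return precision, recall, fpr, fnr
```

Running this once per class (with that class as `positive`) reproduces the per-attack evaluation used in the testing stage.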

Implementation details
We implement ANN training and testing in Matlab R2019b with the help of the neural network toolbox. Our computer has 16 GB of memory and a 4.0 GHz Intel Core CPU, and the operating system is Windows 10 Professional. In the experiments, the learning rate and the error goal of the ANN are both set to 0.01, and the maximum number of iterations is 500. The data set size for each attack type is N = 1 × 10^7 and the number of pulses in each block is Q = 1 × 10^4; therefore, the data set of each attack type can be divided into M = 1000 feature vectors, and the six types of data constitute 6000 feature vectors. It is worth noting that too small an M value will prevent the ANN model from learning the characteristics of each attack type well, while too large an M value will introduce a large statistical error into the feature values of each block. In a practical implementation, the value of M can be optimized by using the grid search algorithm, one of the most widely used strategies for hyper-parameter optimization [34].
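A grid search over a single hyper-parameter such as M can be sketched as follows (a generic illustration; `score_fn` stands for any user-supplied validation score, not a function from the paper):

```python
def grid_search(candidates, score_fn):
    """Exhaustive grid search: evaluate every candidate value of the
    hyper-parameter with a validation score and keep the best one."""
    best, best_score = None, float('-inf')
    for c in candidates:
        s = score_fn(c)          # e.g. validation accuracy for this M
        if s > best_score:
            best, best_score = c, s
    return best, best_score
```

In practice `score_fn` would train the ANN with the candidate block count and return a held-out classification score; a second grid over n_e can be nested in the same way.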

Performance of attack classification for CVQKD system
In this section we analyze the performance of the ANN model for attack detection and classification. Firstly, we use principal component analysis [35] to map the collected 6000 feature vectors of the six types of data into a 2D metric space, as shown in figure 4(a). We find that the feature vectors of the calibration attack, the saturation attack and the hybrid attack 2 are very different from the normal unattacked vectors, whereas the feature vectors of the LO intensity attack and the hybrid attack 1 are close to the normal vectors and hard to separate by statistical analysis. Figure 4(b) shows the mapped instances after ANN classification; we can see that the different types of data are clearly separated by the ANN model. In order to determine the optimal number of neurons n_e in the hidden layer, we calculate the precision, recall, FPR and FNR of the ANN model for attack classification; all results are averaged over 20 runs to mitigate the effects of overfitting and underfitting. As illustrated in figure 5, the precision and recall of the calibration attack, the saturation attack, the hybrid attack 1 and the hybrid attack 2 reach the maximum value of 1 when n_e = 15. For the LO intensity attack under the same condition, the performance of the ANN is the worst, with precision and recall of 0.9969 and 0.9961, respectively. This is because the feature vectors of the LO intensity attack are closest to the normal data compared with the other attacks. Similarly, the FPR and FNR of the calibration attack, the saturation attack, the hybrid attack 1 and the hybrid attack 2 achieve the minimum value of 0 at n_e = 15, while for the LO intensity attack these two values are 6.2 × 10^−4 and 3.9 × 10^−3, respectively.
The performance of ANN classification is relatively stable when n_e is between 5 and 20, while the precision and recall are low when n_e = 1 because the ANN model does not have enough learning capacity when the number of hidden neurons is small. In addition, the results of precision, recall, FPR and FNR fluctuate noticeably when n_e > 20: too many hidden neurons greatly increase the complexity of the ANN, the neurons in the hidden layer lose their sensitivity to input signals, and the propagation of information is severely hindered; in this situation the network is easily trapped in a local minimum and fails to converge to a global minimum within a reasonable number of iterations [36].
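The 2-D mapping used in figure 4 can be reproduced with a few lines of principal component analysis (a sketch based on the SVD of the centred data; the function name is our own):

```python
import numpy as np

def pca_2d(X):
    """Project feature vectors onto their first two principal
    components, obtained from the SVD of the mean-centred data, as used
    for the 2-D visualisation of the six classes of feature vectors."""
    Xc = X - X.mean(axis=0)                       # centre the data
    _, _, Vt = np.linalg.svd(Xc, full_matrices=False)
    return Xc @ Vt[:2].T                          # scores on the top two PCs
```

Scatter-plotting the two returned columns, coloured by class label, gives a quick visual check of which attacks are separable by simple statistics and which (such as the LO intensity attack) require the nonlinear classifier.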

Secret key rate of ANN-based attack defense strategy
In this section, we compare the secret key rates of a CVQKD system that employs the ANN-based attack detection model and of a system that does not employ any countermeasures against attacks. The most commonly used figure of merit is the asymptotic secret key rate, given by [13] K_asym = βI_AB − χ_BE, where β is the reverse reconciliation efficiency, I_AB is the Shannon mutual information between Alice and Bob, and χ_BE is the Holevo bound on Eve's accessible information. The detailed calculation of I_AB and χ_BE can be found in appendix B. In addition to asymptotic security, the finite-size effect [37] is also taken into consideration, since the number of signals exchanged by Alice and Bob cannot be unlimited in practice. In the finite-size scenario, the characteristics of the quantum channel cannot be known in advance; even after quantum signals are exchanged, the quantum channel is only partially known. The secret key rates for the asymptotic and finite-size scenarios are plotted in figure 6(a). We find that in both cases the secret key rate and transmission distance of our scheme are diminished compared with the system without countermeasures, because 10% of the pulses are used to estimate the shot noise variance and the AM in Bob's signal path introduces extra insertion loss into the system. However, sacrificing a small part of the secret keys and transmission distance is worthwhile to enhance the overall defense capability of the system. The detailed calculation of the secret key rate in the finite-size regime can be found in appendix C. Finally, we demonstrate the composable secret key rates of a CVQKD system with and without the ANN-based attack detection model; the results are plotted in figure 6(b).
The composable security is based on the uncertainty of the finite-size effect; it carefully accounts for the failure probabilities of every step in a CVQKD system and yields the tightest security bound for a protocol [38]. In figure 6(b), the solid lines from left to right correspond to the composable secret key rates with and without ANN-based attack detection at transmission distances of 10 km, 20 km, and 30 km, respectively. The dashed lines with the same color as the solid lines are the corresponding asymptotic secret key rates under the same conditions. We can see that the results are more pessimistic than those obtained in the finite-size and asymptotic regimes, but as the number of exchanged signals increases, the composable secret key rates gradually approach the asymptotic values. The detailed calculation of the composable secret key rate can be found in appendix D.

Conclusion
In this work, we introduced and evaluated a quantum attack defense strategy for CVQKD systems based on an ANN. We considered the impacts of the existing attack strategies on the measurable features of the signal and LO pulses, and established a set of feature vectors labeled by attack type as the input of an ANN model. Based on realistic assumptions about the attacks, training and testing data were prepared for performance evaluation. Simulation results show that the trained ANN can automatically identify and classify attacks with precision and recall values above 99%. Interestingly, we find that the performance of the ANN model is sensitive to the number of neurons n_e in the hidden layer; therefore, selecting an appropriate value of n_e is important in a practical implementation. Compared with a system that does not adopt any anti-attack countermeasures, our scheme slightly diminishes the secret key rate and transmission distance, but it constructs an overall defense model against most of the known attack strategies and significantly improves the security of the system.
Appendix A. Data preparation

In order to investigate the performance of the ANN model for attack classification, we need to establish several valid data sets based on realistic assumptions about Alice and Bob's implementation setup, as well as Eve's capability. Firstly, we fix the parameters mentioned above as V_A = 10, η = 0.6, ξ = 0.1N_0, V_el = 0.01N_0, and T = 10^(−αL/10), where L is the transmission distance, set to a typical value of 30 km, and α = 0.2 dB km^−1 is the loss coefficient of the optical fiber. The attenuation values set by Bob are r_1 = 1 (no attenuation) and r_2 = 0.001 (maximum attenuation). All of these values are selected according to the standard realistic assumptions for CVQKD implementations [22,39]. Under normal conditions without any attack, the mean and variance of the measurement results are given by ȳ = 0 and V_i = r_i ηT(V_A N_0 + ξ) + N_0 + V_el, where V_i ∈ {V_1, V_2} corresponds to the value of r_i. The LO power I_LO at Bob's side is set to 10^7 photons per pulse with 1% fluctuation [26,40]. Accordingly, the shot noise variance N_0 under normal conditions is set to 0.4 based on the calibrated linear relationship in [22]. Secondly, we briefly recall the principles of the above-mentioned attack strategies: the LO intensity attack, the calibration attack, the saturation attack, the hybrid attack 1 and the hybrid attack 2.
(a) In the LO intensity attack, Eve attacks the signal beam with a general Gaussian collective attack [15,41] and attacks the LO beam by using a phase-preserving intensity attenuator with attenuation coefficient k (0 < k < 1). In this way, Eve can arbitrarily reduce the excess noise ε estimated by Alice and Bob toward zero and hide her attack. For computational simplicity, we assume the attenuation coefficient k is the same for every LO pulse. The variance of Bob's measurement results under this attack can then be expressed in terms of the noise introduced by Eve's Gaussian collective attack, where N = (1 − kηT)/[k(1 − ηT)] represents the variance of Eve's EPR states. Similarly, the shot noise deviates from its initial level as N_0^LOIA = kN_0.

(b) In the calibration attack, Eve intercepts a fraction μ of the signal pulses by implementing a partial intercept-resend (PIR) attack and modifies the shape of the LO pulses to control the shot noise estimated by the legitimate parties. According to the description in [22], the excess noise introduced by the calibration attack depends on ξ_PIR = ξ + 2μN_0, the excess noise introduced by Eve's PIR attack, and on the ratio between N_0, the shot noise before the attack, and N_0^calib, the shot noise after the calibration attack. In order to make the excess noise estimated by Alice and Bob close to zero, this ratio must satisfy N_0/N_0^calib ≥ 1 + 2.1ηT, from which the variance of the measurement results under this attack follows.

(c) In the saturation attack, Eve exploits the finite linearity domain of the homodyne detection response. In order to saturate Bob's detector, she intercepts all the pulses sent by Alice and measures them with heterodyne detection, then displaces the quadratures of the resent coherent states by a value Δ.
As shown in [24], the mean and variance of Bob's measurements under the saturation attack are expressed in terms of α, the boundary of the linear range of the homodyne detector, and the error function erf(x) = (2/√π) ∫_0^x e^(−t²) dt.

(d) In the hybrid attack 1, we consider strategy A, which consists of two attack parts. The first part is similar to the LO intensity attack: Eve performs an intercept-resend attack to obtain the information sent by Alice and prepares new signal and LO pulses with amplitudes √(λT)(X_E + iP_E)/2 and α_LO/√λ, respectively, where X_E and P_E are the quadrature values measured by Eve, α_LO is the amplitude of the original LO, and λ is a real number. In the second part, Eve prepares and resends two extra coherent pulses with wavelengths different from the typical communication wavelength of 1550 nm, which makes the shot noise measurement results appear normal. The variance of Bob's measurement results then contains a term D that depends on the intensities I_s, I_lo and wavelengths λ_s, λ_lo of the two extra pulses, from which the shot noise level and excess noise estimated by the legitimate parties follow.

(e) In the hybrid attack 2, Eve performs a full intercept-resend attack and inserts external pulses into the signal port of Bob's homodyne detector along with the re-prepared signals. The pulse width and repetition rate of the external pulses are the same as those of the pulses sent by Alice, but their wavelength is slightly different from that of Alice's signals, in order to saturate Bob's homodyne detector output. In this way, the external light causes a non-negligible offset D_ext on Bob's measurement results, where T_ext is the overall transmission of Bob's homodyne detector for the external pulses (which is related to the wavelength of the pulses), I_ext is the number of photons per pulse of the external light, and D_ext is normalized in units of √N_0. The excess noise of the system under this attack combines ξ_IR = 2N_0, the noise caused by the intercept-resend attack, with ξ_ext, the noise caused by the external light, which is related to the value of I_ext.

Table 2 summarizes the parameters used to generate the data sets of the normal unattacked data and the five attack strategies (columns: data sets; parameters for data generation).
Thirdly, we define the values of the parameters employed for the different attack types. For the LO intensity attack, we set the LO fluctuation rate 1 − k to 0.05, since the analysis in [23] shows that Eve can obtain the full secret keys with an LO fluctuation rate of 0.05 at a transmission distance of 30 km. For the calibration attack, the value of δ is set according to the specific values of η and T based on the equation δ = 1/(1 + 2.1ηT). For the saturation attack, the value of α is set to 20√N_0 and the value of Δ is set to 19.5√N_0, since the analysis in [24] shows that Δ should be close to α for a better attack effect. For the hybrid attack 1, the parameters are chosen such that the excess noise estimated by the legitimate parties can be made arbitrarily close to zero. For the hybrid attack 2, the value of T_ext is set to 0.49, and the value of I_ext is selected according to the specific parameter values to make the estimated excess noise smaller than the null key threshold.
Finally, in order to explain the data preparation process more clearly, we summarize the parameters used to generate the data sets for the normal unattacked situation and the five attack strategies, as shown in table 2. The size of each data set is 1 × N, where 90% of the values are generated with r_i = r_1 and 10% with r_i = r_2. For example, we generate two groups of normal data: the first group y_1 = {y_1, y_2, ..., y_0.9N} follows a Gaussian distribution with zero mean and variance V_1 = r_1 ηT(V_A N_0 + ξ) + N_0 + V_el, and the second group y_2 = {y_1, y_2, ..., y_0.1N} follows a Gaussian distribution with zero mean and variance V_2 = r_2 ηT(V_A N_0 + ξ) + N_0 + V_el. Combining the two groups evenly yields y_normal = {y_1, y_2, ..., y_N}, in which 10% of the data are generated for shot noise estimation. In order to establish feature vectors, we divide y_normal into M blocks {b_1, b_2, ..., b_M}. In each block b_m, the values from y_1 are used to calculate the mean ȳ_m and variance V_y^m of the block, and the values from y_2 are used to estimate the shot noise variance N_0^m of the block. The LO power of the block is obtained by calculating the average power of the pulses in the current block. Among all the data sets, y_hyb2 is generated slightly differently from the others. Firstly, we generate the two groups of data y_1 and y_2 and add an offset D_ext√N_0 to each of them; each value y_i in the two groups is then limited by the boundary of the detector's linear range to account for saturation, and the resulting two groups are combined evenly to obtain y_hyb2. It is worth noting that we do not specify the value of the shot noise N_0 in table 2 because N_0 can be calculated from the specific data in each block.
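The generation of the normal data set described above can be sketched as follows (an illustrative implementation under the parameter values of appendix A; the function name and defaults are our own):

```python
import numpy as np

def generate_normal_data(N, V_A=10.0, eta=0.6, xi_rel=0.1, v_el=0.01,
                         L=30.0, alpha=0.2, N0=0.4,
                         r1=1.0, r2=0.001, seed=0):
    """Sketch of the normal (unattacked) data-set generation: 90% of
    the pulses carry signal (r_1 = 1) and 10% are attenuated to the
    maximum (r_2 = 0.001) for shot-noise estimation.  Returns the
    pulse values and the attenuation mask."""
    rng = np.random.default_rng(seed)
    T = 10 ** (-alpha * L / 10)                       # fibre transmittance
    xi, V_el = xi_rel * N0, v_el * N0
    V1 = r1 * eta * T * (V_A * N0 + xi) + N0 + V_el   # signal-pulse variance
    V2 = r2 * eta * T * (V_A * N0 + xi) + N0 + V_el   # shot-noise-probe variance
    mask = rng.random(N) < 0.1                        # 10% attenuated pulses
    y = np.where(mask, rng.normal(0, np.sqrt(V2), N),
                       rng.normal(0, np.sqrt(V1), N))
    return y, mask
```

The attacked data sets differ only in the variances (and, for y_hyb2, the saturation offset) used for the two groups, so the same skeleton can be reused for each row of table 2.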

Appendix B. Calculation of asymptotic secret key rate
The asymptotic secret key rate under collective attacks with reverse reconciliation is given by equation (11), where the mutual information I_AB between Alice and Bob is derived from Bob's measured variance V_B = ηT(V + χ_tot) and the conditional variance V_B|A = ηT(1 + χ_tot) by using Shannon's equation, I_AB = (1/2) log_2(V_B/V_B|A) = (1/2) log_2[(V + χ_tot)/(1 + χ_tot)], where V = V_A + 1 and χ_tot = χ_line + χ_hom/T represents the total noise referred to the channel input. χ_line = 1/T − 1 + ε is the channel-added noise referred to the channel input and χ_hom = [(1 − η) + v_el]/η is the detection-added noise referred to Bob's input. χ_BE denotes the maximum information available to Eve on Bob's key, which is evaluated through G(x) = (x + 1)log_2(x + 1) − x log_2 x and the symplectic eigenvalues λ_1,2 of the covariance matrix of the state shared by Alice and Bob. Assuming that the success probability of parameter estimation is at least 0.99, the robustness of the protocol is ε_rob ≤ 0.01, and the random variables X_2, Y_2 and X, Y satisfy the corresponding constraints, where d is the discretization parameter. ε = √(ε_PE + ε_cor + ε_ent) + 2ε_sm + ε̄ is a possible security parameter. In the simulations, we choose ε_sm = ε̄ = 10^−21, ε_PE = ε_cor = ε_ent = 10^−41, and d = 5 for simplicity.
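The asymptotic rate K_asym = βI_AB − χ_BE can be evaluated numerically; the sketch below uses the standard covariance-matrix expressions for the GMCS protocol with homodyne detection, which we assume match the calculation referenced here (the function name and parameter values are illustrative):

```python
import numpy as np

def G(x):
    """G(x) = (x+1)log2(x+1) - x log2 x, with G(0) = 0."""
    return (x + 1) * np.log2(x + 1) - x * np.log2(x) if x > 0 else 0.0

def key_rate_asym(V_A=10.0, T=0.25, eta=0.6, eps=0.01, v_el=0.01, beta=0.95):
    """Asymptotic key rate K = beta*I_AB - chi_BE for GMCS CVQKD with
    homodyne detection (standard covariance-matrix expressions)."""
    V = V_A + 1
    chi_line = 1 / T - 1 + eps
    chi_hom = (1 - eta + v_el) / eta
    chi_tot = chi_line + chi_hom / T
    I_AB = 0.5 * np.log2((V + chi_tot) / (1 + chi_tot))   # Shannon mutual info
    # Symplectic eigenvalues of the Alice-Bob covariance matrix
    A = V**2 * (1 - 2*T) + 2*T + T**2 * (V + chi_line)**2
    B = T**2 * (V * chi_line + 1)**2
    l1 = np.sqrt((A + np.sqrt(A**2 - 4*B)) / 2)
    l2 = np.sqrt((A - np.sqrt(A**2 - 4*B)) / 2)
    # Eigenvalues of the state conditioned on Bob's homodyne measurement
    C = (V * np.sqrt(B) + T * (V + chi_line) + A * chi_hom) / (T * (V + chi_tot))
    D = np.sqrt(B) * (V + np.sqrt(B) * chi_hom) / (T * (V + chi_tot))
    l3 = np.sqrt((C + np.sqrt(C**2 - 4*D)) / 2)
    l4 = np.sqrt((C - np.sqrt(C**2 - 4*D)) / 2)
    chi_BE = G((l1-1)/2) + G((l2-1)/2) - G((l3-1)/2) - G((l4-1)/2)
    return beta * I_AB - chi_BE
```

Sweeping T = 10^(−αL/10) over the distance L reproduces the qualitative shape of the key-rate curves in figure 6(a); the finite-size and composable corrections of appendices C and D would be subtracted from this asymptotic value.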