Adversarial Attack Defense Method for a Continuous-Variable Quantum Key Distribution System Based on Kernel Robust Manifold Non-Negative Matrix Factorization

Abstract

Machine learning has been applied in continuous-variable quantum key distribution (CVQKD) systems to address the growing threat of quantum hacking attacks. However, the use of machine learning algorithms for detecting these attacks has uncovered a vulnerability to adversarial disturbances that can compromise security. By subtly perturbing the detection networks used in CVQKD, significant misclassifications can occur. To address this issue, we utilize an adversarial sample defense method based on non-negative matrix factorization (NMF), considering the nonlinearity and high-dimensional nature of CVQKD data. Specifically, we employ the Kernel Robust Manifold Non-negative Matrix Factorization (KRMNMF) algorithm to reconstruct input samples, reducing the impact of adversarial perturbations. Firstly, we extract attack features against CVQKD by considering the adversary known as Eve. Then, we design an Artificial Neural Network (ANN) detection model to identify these attacks. Next, we introduce adversarial perturbations into the data generated by Eve. Finally, we use the KRMNMF decomposition to extract features from CVQKD data and mitigate the influence of adversarial perturbations through reconstruction. Experimental results demonstrate that the application of KRMNMF can effectively defend against adversarial attacks to a certain extent. The accuracy of KRMNMF surpasses the commonly used Comdefend method by 32.2% and the JPEG method by 30.8%. Moreover, it exhibits an improvement of 20.8% compared to NMF and outperforms other NMF-related algorithms in terms of classification accuracy. Moreover, it can complement other defense strategies, thus enhancing the overall defensive capabilities of CVQKD systems.

1. Introduction

Driven by advancements in quantum secure communication technology, Quantum Key Distribution (QKD) has experienced widespread application and development [1]. QKD enables secure communication between two remote parties, Alice and Bob, in an untrusted execution environment by transmitting quantum states that are resistant to eavesdropping from Eve [2]. Leveraging the principles of quantum mechanics, QKD provides information-theoretic security to the legitimate communication parties [3]. However, achieving unconditional security depends on flawless device operation within a perfect model. In reality, deviations between theoretical and actual QKD implementations create opportunities for Eve to intercept information from the legitimate parties. Attacks such as wavelength attacks [4], local oscillator (LO) strength attacks [5], calibration attacks [6], and saturation attacks [7] have been observed in protocols like Gaussian-modulated coherent state (GMCS) Continuous Variable Quantum Key Distribution (CVQKD). Traditional defense strategies involve real-time monitoring modules or measurement devices, that require extensive knowledge and precise parameter estimation. However, due to the unpredictable nature of Eve’s attacks, it becomes challenging to anticipate the specific type of attack employed. To address this challenge, practical experiments have developed CVQKD detection and classification networks.

The field of CVQKD defense has greatly benefited from the rapid advancement of machine learning. Quezada et al. [8] have focused on machine learning to enhance the performance of QKD protocols, which have played a crucial role in furthering the practical implementation of CVQKD. In previous studies, we proposed defense strategies utilizing machine learning algorithms, particularly by extracting and analyzing the statistical distribution of features from the measurement data obtained in the CVQKD system. These features were used to detect and classify attacks under both specific and generalized scenarios [9,10]. However, recent research has uncovered a vulnerability in deep learning models known as adversarial samples, which are intentionally designed input samples that can deceive even well-performing deep learning models with minimal detectable disturbances. These samples lead to significant deviations in the prediction of classification outcomes, which are often undetectable to the human eye. For example, in image classification, an attacker can introduce subtle perturbations into a given image, transforming it into an adversarial sample. When such samples are fed into a well-trained deep neural network, they are commonly misclassified into incorrect categories. Su et al. [11] demonstrated this by generating one-pixel disturbances in image samples and successfully tricking a state-of-the-art deep neural network with high confidence. Moreover, recent studies indicate that adversarial examples can have real-world implications. Attackers can manipulate physical objects by, for example, deleting segments of pedestrians or manipulating stop signs in a car recognition system to confuse autonomous vehicles [12]. Since machine learning algorithms process inputs as numerical vectors, attackers have a high possibility of constructing targeted adversarial data to manipulate classification results. It is widely accepted that adversarial samples are prevalent in classical machine learning, regardless of the input data type or neural network architecture. Importantly, it should be noted that almost all learning models, such as logistic regression (e.g., soft-max regression), support vector machine (SVM), decision tree, nearest neighbor, and deep learning models, are susceptible to adversarial attacks [13,14].

Dimensionality reduction through feature extraction is a powerful technique for mitigating adversarial attacks in the field of computer vision and quantum key distribution (CVQKD) transmission data. Traditional methods for feature extraction include Principal Component Analysis (PCA), Linear Discriminant Analysis (LDA), Independent Component Analysis (ICA), Locally Linear Embedding (LLE), Vector Quantization (VQ), and Non-Negative Matrix Factorization (NMF) [15,16,17,18,19]. NMF, which was initially introduced by Lee and Seung and published in the Nature journal, is a matrix decomposition technique that ensures all decomposed components are non-negative. This property enables additive descriptions and facilitates dimensionality reduction. In this study, NMF is utilized to extract features from time-frequency image data with the intention of reducing dimensionality while preserving differentiation information among samples [20]. Consideration of the nonlinearity and non-stationarity characteristics of CVQKD data is crucial in this study. To extract nonlinear features from the data, we employ kernel functions and compute the objective function using the L-norm. Moreover, we incorporate a graph regularization term to capture the geometric structure of the feature space, which is referred to as Kernel-Robust Manifold Non-Negative Matrix Factorization (KRMNMF).

To address this, we begin by showing the fundamental structure of CVQKD and explaining the classical form of Eve’s attacks. Then, we introduce the defense method for CVQKD based on neural network models and analyze its vulnerability to adversarial attacks. In our previous work [21], we proposed a defense method against adversarial attacks in CVQKD. However, this method faced challenges such as the limitations imposed by local features. To overcome these challenges, a novel defense framework that utilizes the KRMNMF method is proposed for CVQKD adversarial attacks. This method recognizes the nonlinear and non-stationary characteristics of CVQKD signal data and addresses these issues by incorporating KRMNMF and leveraging manifold learning theory to capture the geometric structure of the feature space. This algorithm exhibits strong feature extraction capabilities compared to traditional methods. By reconstructing the samples using this algorithm, the influence of adversarial perturbations is minimized, leading to accurate classification by the CVQKD neural network model and effective adversarial defense. By employing our strategy, CVQKD network models can effectively defend against adversarial samples in real-time across various physical scenarios. Consequently, implementers of our approach can assert with confidence that they have enhanced overall security against potential attacks from adversarial samples.

This paper is organized as follows: In Section 2, we first summarize the principle of the CVQKD system and then demonstrate the impact of adversarial attacks on CVQKD attack detection networks. In Section 3, we introduce the proposed KRMNMF algorithm. We provide a detailed description of the defense framework and experimental setup to demonstrate the effectiveness of our method in Section 4. Finally, A brief conclusion is given in Section 5.

2. Preliminaries

2.1. Principle and System Description of CVQKD

The security of Quantum Key Distribution (QKD) protocols relies on Heisenberg’s uncertainty principle and the quantum no-cloning theorem, allowing for the exchange of unconditionally secure keys for communication [2]. In QKD, Alice and Bob are the two parties involved in communication, utilizing quantum information such as single photons or photon beams [4]. However, the presence of an eavesdropper, referred to as Eve, introduces interference. This interference is detected by both Alice and Bob, leading to the cancellation of the communication to ensure information security. While discrete-variable QKD relies on single photons to encode information, continuous-variable QKD (CVQKD) utilizes continuous quantum variables of the electromagnetic field, such as the quadratures of optical field modes, to carry information. Both prepare and measure techniques; the key difference is the variable used to encode the key. CVQKD has the advantage of integrating with existing optical fiber networks and showing significant potential for further development.

Figure 1 illustrates the schematic of a typical CVQKD system that employs the Gaussian Modulation Continuous Variable Quantum Key Distribution (GMCS CVQKD) methodology, utilizing homodyne detection. Initially, Alice generates coherent light pulses with a wavelength of 1550 nanometers using a telecom diode [22]. These pulses are split into a weak signal and a strong local oscillator (LO) through a beam splitter. Random modulation, involving phase and amplitude modulators, is applied to the signal pulses to follow a Gaussian distribution characterized by a variance $V_0{N}_0$. Polarization multiplexing is incorporated with the use of a polarizing beam splitter between the signal pulses and the LO. Subsequently, Alice transmits the modulated pulses to Bob through a quantum channel that may be susceptible to eavesdropping attempts by Eve. Importantly, Eve may launch both common CVQKD attacks and adversarial attacks simultaneously during the transmission process. Upon reaching Bob’s end, the signal pulses and the LO are separated by Bob, employing a polarizing beam splitter and implementing homodyne detection.

Moreover, within Bob’s signal path, a fraction of the signal pulses undergo random attenuation to facilitate the timely measurement of shot noise, while the remaining pulses remain unattenuated. A fraction of the LO pulses is also split for monitoring the LO power and generating the clock. By incorporating a phase modulator in the LO path, Bob can selectively choose the quadrature value to be detected by adjusting the measurement phase randomly. Ultimately, the obtained measurement results are forwarded to the data processing center for sampling and the detection of potential attacks. Thus, two related data strings—$x=\left[x_1,x_2\dots ,x_n\right]$ and $y=\left[y_1,y_2\dots ,y_n\right]$—are obtained by Alice and Bob; we found the following [23]:

$$\begin{array}{c}\overline{x}=0, V_x=V_0{N}_0,\\ \overline{y}=0, V_y=\kappa T{V}_0{N}_0+N_0+\kappa T\xi +v_{\mathrm{el}}{N}_0\end{array}$$

(1)

where the quadrature value $X_{\mathrm{A}}$ and $P_{\mathrm{A}}$ obey variance $V_0{N}_0. T$ represents quantum channel transmittance, and $\kappa$ denotes efficiency of the homodyne detector. $v_{\mathrm{el}}$ represents the electronic noise coefficient of the detector; $\xi$ is the technical excess noise of the system. We mainly consider four common attack strategies in CVQKD systems, including calibration attack, LO intensity attack, saturation attack, and hybrid attack. We find that the four attacks mentioned above in the actual CVQKD system affect different characteristics, such as the intensity $I_{L\mathrm{O}}$ of LO pulses, shot noise variance $N_0$. The feature vectors collected by the CVQKD system under the four attacks are highly nonlinear, and same event correlation is high, so it is suitable to apply deep learning models for signal diagnosis. The objective of the deep learning model in CVQKD is to obtain an output vector $\overrightarrow{v}$ from the input vector $\overrightarrow{u}$ by meticulously designing function $f:\overrightarrow{u}\to \overrightarrow{v}$, which is constructed from a training set

$$S_{\mathrm{train} }=\left\{\left(\overrightarrow{u_1},\overrightarrow{v_1}\right),\left(\overrightarrow{u_2},\overrightarrow{v_2}\right),\left(\overrightarrow{u_3},\overrightarrow{v_3}\right),\dots \right\}$$

2.2. Adversarial Attacks in CVQKD

The defense method for CVQKD is based on deep learning and employing deep learning models to identify and analyze the attack characteristics of an eavesdropper (referred as Eve) within the CVQKD system. This approach facilitates the classification of Eve’s attacks and enables the selection of targeted defensive measures to mitigate these attacks. However, deep learning techniques are vulnerable to the interference of adversarial samples during both the training and testing processes. These samples can lead to significant deviations in the predictions of the neural network, even though the differences between these samples and the original ones are imperceptible to the human eye. For instance, in image classification scenarios, an attacker can introduce subtle but specific perturbations to clean samples, causing them to be misclassified when processed by well-performing neural network models.

The proliferation of adversarial attacks presents significant security challenges for artificial intelligence (AI) systems. These attacks have also permeated the realm of physical applications, resulting in severe consequences. In the context of CVQKD networks, the examination of adversarial samples is essential to ensure their security. Regarding CVQKD systems, it has been observed that they are susceptible to adversarial disturbances due to the inherent vulnerability of quantum devices to adversarial attacks. This vulnerability is influenced by the following factors:

• Nonlinear Nature of Quantum Measurements: CVQKD systems rely on quantum measurements which introduce nonlinearity in the detection process. Adversarial disturbances can exploit this nonlinearity to manipulate the measurement outcomes and compromise the security of the system.
• Sensitivity to Measurement Conditions: CVQKD systems are sensitive to measurement conditions such as the intensity of local oscillator (LO) pulses and shot noise variance. Adversaries can manipulate these conditions to introduce additional noise or alter the statistical properties of the measurement results, leading to compromised key distribution.
• Imperfections in Quantum Devices: The quantum devices used in CVQKD systems, such as homodyne detectors, suffer from imperfections like electronic noise and technical excess noise. Adversarial attacks can exploit these imperfections to inject additional noise or modify the measurement outcomes.

We further demonstrate the vulnerability of quantum devices to adversarial perturbations in Appendix A.

Notably, several classical and advanced adversarial attack methods have been identified, including the fast gradient sign method (FGSM) [24], the basic iterative method (BIM) [25], the projected gradient descent (PGD) [26], the query efficient boundary-based blackbox attack (QEBA) [27], physical perturbations (RP2) [28], and adversarial camouflage (AdvCam). These attack methods are summarized in

Table 1. Summary of properties of various attack methods. “Perturbation norm“ indicates the restricted $L_t$ parametric number of perturbations making them imperceptible. The strength evaluations are based on what we found while reviewing the literature.

Method	Attack Principle	Black/ White Box	Targeted/ Non-Targeted	Perturbation Norm	Strength
FGSM	Gradient	White	Both	$L_{\infty }$	Hard
BIM	Gradient	White	Non-targeted	$L_{\infty }$	Hard
PGD	Gradient	White	Both	$L_2,L_{\infty }$	Hard
QEBA	Decision	Black	Both	$L_2$	Hard
RP2	Optimization	White	Targeted	$L_2,L_{\infty }$	Weak
AdvCam	Optimization	White	Both	$L_2,L_{\infty }$	Hard

. Adversarial attacks also pose a threat to quantum communication systems, particularly due to system linearization. For instance, adversary samples created by Eve can potentially deceive pretrained attack classification models, rendering traditional CVQKD defense methods ineffective. To assess the performance of adversarial attacks, we utilize a trained classifier and adopt the FGSM method. Figure 2 shows the confusion matrices of artificial neural networks (ANN) for CVQKD attack detection and classification [29]. Under normal circumstances, the artificial neural network (ANN) can effectively distinguish between normal signals and four types of attacks. However, introducing an adversarial perturbation of 0.3 into the communication channel through using the fast gradient sign method (FGSM) significantly decreases the classification accuracy of the system.

3. Methods

In this paper, a reconstruction method based on the NMF algorithm that uses neural network classifiers as a basis is proposed to defend against adversarial attacks in the field of CVQKD. The transmission in CVQKD is often high-dimensional, non-linear, and noisy. By using the dimension reduction property of the NMF algorithm, the influence of perturbations in adversarial samples can be reduced. In the process of decomposing the original matrix X using NMF, the goal is to find two non-negative low-rank matrices, the basis matrix W and the coefficient matrix H, so that X $\approx$ WH. In this decomposition process, the adversarial perturbations are minimized. Therefore, by using the approximation error before and after matrix decomposition, some imperceptible adversarial perturbations can be eliminated, and the reconstructed samples can reduce the influence of adversarial perturbations.

Based on this, the loss function of the NMF algorithm is selected according to the data type and application scenarios. Due to the non-linear and non-stationary nature of CVQKD data and the presence of noise that affects the decomposition results, this paper proposes the Kernel Robust Manifold Non-negative Matrix Factorization (KRMNMF) method, which extracts the non-linear features in the data using a kernel function. $L_{2,1}$ norm is used to calculate the objective function to reduce the impact of noise in the data. The graph regularization term is also employed to capture the geometric structure in the feature space, achieving superior adversarial defense results.

The objective of NMF is to decompose a high-dimensional non-negative matrix $X=R_{+}^{m\times n}$ into two non-negative low-rank matrices—$W=R_{+}^{m\times k}$ and $H=R_{+}^{k\times n}$—so that the product of these two matrices approximates the original matrix infinitely. This can be formally expressed as follows:

$$X_{m\times n}\approx W_{m\times k}{H}_{k\times n}$$

(2)

where $X=\left[x_1,\cdots ,x_n\right]$ represents the original data matrix, $W=\left[w_1,\cdots ,w_k\right]$ denotes the basis matrix, $H=\left[h_1,\cdots ,h_n\right]$ represents the coefficient matrix, and $k\ll m$. The standard NMF utilizes the Euclidean distance to compute the loss function, which can be expressed as follows:

$$\underset{W,H}{\min }\parallel X-WH{\parallel }_{\mathrm{F}}^2 \mathrm{s}. \mathrm{t}. W⩾0,H⩾0$$

(3)

where $\parallel \cdot {\parallel }_{\mathrm{F}}$ represents the Frobenius norm of a matrix.

Robust Non-negative Matrix Factorization (RNMF) employs the ${\mathrm{L}}_{2,1}$ norm to calculate the error, thereby reducing the influence of outliers with large errors and enhancing robustness. The objective function of RNMF can be formulated as follows:

$$\underset{W,H}{\min }\parallel X-WH{\parallel }_{2,1} \mathrm{s}. \mathrm{t}. W⩾0,H⩾0.$$

(4)

The definition of ${\mathrm{L}}_{2,1}$ norm is

$$\parallel X{\parallel }_{2,1}={{\displaystyle \sum }}_i^n\sqrt{{{\displaystyle \sum }}_j^m{X}_{ji}^2}={{\displaystyle \sum }}_i^n\Vert x_i\Vert$$

(5)

where $\parallel \cdot {\parallel }_{2,1}$ refers to the ${\mathrm{L}}_{2,1}$ norm, and ${\mathit{x}}_i$ represents the $i_{th}$ vector of $X$.

Based on the theory of manifold learning [30], manifold regularization can reduce the complexity of data in high-dimensional space while preserving the proximity relationship between neighboring data points in the low-dimensional manifold space. This implies that it is beneficial for dimensionality reduction and feature selection in the low-dimensional manifold space. By projecting the data onto the low-dimensional manifold space, we can reduce the dimensionality of the data and retain the important information that reaches these low-dimensional spaces. Through manifold regularization, it is possible to differentiate adversarial perturbation information, which helps eliminate adversarial perturbation in reconstruction.

The objective function of KRMNMF is defined as follows:

$$\begin{array}{ll}\hfill & \underset{F,H}{\min }\parallel \varphi \left(X\right)-\varphi \left(X\right)FH{\parallel }_{2,1}+\lambda \mathrm{Tr}\left(HL{H}^{\mathrm{T}}\right)\hfill \\ \hfill & \mathrm{s}. \mathrm{t}. F⩾0,H⩾0\hfill \end{array}$$

(6)

where $\in R_{+}^{m\times n},W\in R_{+}^{m\times k},H\in R_{+}^{k\times n}$, $\varphi$ is the Gaussian kernel function mapping, $x_i\to \varphi \left(x_i\right)$, $x_i$ represents the $i_{th}$ sample point in the original data space $X$, i.e., $X\to \varphi \left(X\right)$; $\lambda$ is a non-negative regularization parameter, $\mathrm{Tr} (\cdot )$ denotes the trace of a matrix, and $L$ is the Laplacian matrix defined as $L=V-W$, where $V$ is a diagonal matrix and $V_{ii}={{\displaystyle \sum }}_j{W}_{ij}$.

The objective function of KRMNMF is not jointly convex with respect to $F$ and $H$. However, when fixing the other variables, the individual variables are convex. In this paper, the Lagrangian multiplier method is adopted to solve the problem. The equivalent form of the objective function is as follows:

$$\underset{F,H}{\min }\mathrm{Tr}\left(\left(\varphi \left(X\right)-\varphi \left(X\right)FH\right)D{(\varphi \left(X\right)-\varphi \left(X\right)FH)}^{\mathrm{T}}\right)+\lambda \mathrm{Tr}\left(HL{H}^{\mathrm{T}}\right)$$

(7)

where $D$ is a diagonal matrix that satisfies

$$D_{ii}={\left({{\displaystyle \sum }}_{j=1}^n{(\varphi \left(X\right)-\varphi \left(X\right)FH)}_{ji}^2\right)}^{-\frac{1}{2}}$$

(8)

Let $\varphi {\left(x_i\right)}^{\mathrm{T}}\varphi \left(x_i\right)=K$; therefore,

$$D_{ii}={\left[{(\mathrm{I}-FH)}^{\mathrm{T}}K\left(\mathrm{I}-FH\right)\right]}_{ii}^{-\frac{1}{2}}$$

(9)

where $\mathrm{I}$ represents the identity matrix. Equation (7) is equivalent to

$$\begin{array}{c}\underset{F,H}{\min }\mathrm{Tr}\left(\varphi \left(X\right)D_{\varphi }{(X)}^{\mathrm{T}}\right)-2\mathrm{Tr}\left(\varphi \left(X\right)D{H}^{\mathrm{T}}{F}^{\mathrm{T}}\varphi {(X)}^{\mathrm{T}}\right)+\hfill \\ \mathrm{Tr}\left(\varphi \left(X\right)FHD{H}^{\mathrm{T}}{F}^{\mathrm{T}}\varphi {(X)}^{\mathrm{T}}\right)+\lambda \left(HL{H}^{\mathrm{T}}\right)\hfill \end{array}.$$

(10)

Let $\mathsf{\Psi }$ and $\mathsf{\Omega }$ be the Lagrange multipliers for $F$ and $H$, respectively. The Lagrangian function with respect to the objective function is given by the following:

$$\begin{array}{c} L=\underset{F,H}{\min }\mathrm{Tr}\left(\varphi \left(X\right)D\varphi {(X)}^{\mathrm{T}}\right)-2\mathrm{Tr}\left(\varphi \left(X\right)D{H}^{\mathrm{T}}{F}^{\mathrm{T}}\varphi {(X)}^{\mathrm{T}}\right)+\\ \mathrm{Tr}\left(\varphi \left(X\right)FHD{H}^{\mathrm{T}}{F}^{\mathrm{T}}\varphi {(X)}^{\mathrm{T}}\right)+\lambda \left(HL{H}^{\mathrm{T}}\right)+\mathrm{Tr}\left({\mathsf{\Psi }}^{\mathrm{T}}F\right)+\mathrm{Tr}\left({\mathsf{\Omega }}^{\mathrm{T}}H\right).\end{array}$$

(11)

Taking partial derivatives with respect to $F$ and $H$, respectively, yields the following:

$$\frac{\partial L}{\partial F}=-2\varphi {(X)}^{\mathrm{T}}\varphi \left(X\right)D{H}^{\mathrm{T}}+2\varphi {(X)}^{\mathrm{T}}\varphi \left(X\right)FHD{H}^{\mathrm{T}}+\mathsf{\Psi }$$

(12)

$$\frac{\partial L}{\partial H}=-2F^{\mathrm{T}}\varphi {(X)}^{\mathrm{T}}\varphi \left(X\right)D+2H\varphi {(X)}^{\mathrm{T}}\varphi \left(X\right)DF{F}^{\mathrm{T}}+2\lambda HV-2\lambda HW+\mathsf{\Omega }.$$

(13)

From the Karush–Kuhn–Tucker (KKT) conditions—${\mathsf{\Psi }}_{nk}{F}_{nk}=0,{\mathsf{\Omega }}_{kn}{H}_{kn}=0$—it follows that

$${\left(-2\varphi {(X)}^{\mathrm{T}}\varphi \left(X\right)D{H}^{\mathrm{T}}+2\varphi {(X)}^{\mathrm{T}}\varphi \left(X\right)FHD{H}^{\mathrm{T}}\right)}_{nk}{F}_{nk}+{\mathsf{\Psi }}_{nk}{F}_{nk}=0$$

(14)

$$(-2F^{\mathrm{T}}\varphi {(X)}^{\mathrm{T}}\varphi \left(X\right)D+2H\varphi {(X)}^{\mathrm{T}}\varphi \left(X\right)DF{F}^{\mathrm{T}}+2\lambda HV-2\lambda HW{)}_{kn}{H}_{kn}+{\mathsf{\Omega }}_{kn}{H}_{kn}=0.$$

(15)

Based on the above analysis, the updating rules for $F$ and $H$ can be obtained as follows:

$$F_{kn}\leftarrow F_{kn}\frac{{\left(\varphi {(X)}^{\mathrm{T}}\varphi \left(X\right)D{H}^{\mathrm{T}}\right)}_{kn}}{{\left(\varphi {(X)}^{\mathrm{T}}\varphi \left(X\right)FHH{H}^{\mathrm{T}}\right)}_{kn}}$$

(16)

$$H_{kn}\leftarrow H_{kn}\frac{{\left(F^{\mathrm{T}}\varphi {(X)}^{\mathrm{T}}\varphi \left(X\right)D+\lambda HW\right)}_{kn}}{{\left(H\varphi {(X)}^{\mathrm{T}}\varphi \left(X\right)DF{F}^{\mathrm{T}}+\lambda HV\right)}_{kn}}.$$

(17)

Let $\varphi {\left(x_i\right)}^{\mathrm{T}}\varphi \left(x_i\right)=K$; therefore,

$$F_{nk}\leftarrow F_{nk}\frac{{\left(KD{H}^{\mathrm{T}}\right)}_{nk}}{{\left(KFHD{H}^{\mathrm{T}}\right)}_{nk}}$$

(18)

$$H_{kn}\leftarrow H_{kn}\frac{{\left(F^{\mathrm{T}}KD+\lambda HW\right)}_{kn}}{{\left(HKDF{F}^{\mathrm{T}}+\lambda HV\right)}_{kn}}.$$

(19)

In summary, we have obtained a description of the KRMNMF algorithm (shown as Algorithm 1).

Algorithm 1 KRMNMF Algorithm

Input:$\mathrm{Data} \mathrm{matrix} \mathrm{x}\in R_{+}^{m\times \mathrm{n}}$$, \mathrm{parameter} \mathrm{a},\lambda ,\mathrm{k}$. Output:$\mathrm{Matrix} \mathrm{F}\in R_{+}^{m\times \mathrm{k}}$$, \mathrm{H}\in R_{+}^{k\times \mathrm{n}}$.

Initialization:$\mathrm{F}\in R_{+}^{m\times \mathrm{k}}$, $\mathrm{H}\in R_{+}^{k\times \mathrm{n}}.$ While not converging, do

1. Calculate the W,V and L matrices. 2. Determine whether the objective function (6) converges. 3. Update F according to equation (18). 4. Update H according to equation (19). Output:$\mathrm{Matrix} \mathrm{F}\in R_{+}^{m\times \mathrm{k}}$$, \mathrm{H}\in R_{+}^{k\times \mathrm{n}}$

4. Experiments

Despite the extensive application of non-negative matrix factorization (NMF) algorithms in various domains, they have not been combined with adversarial sample defense. This section introduces the parameter selection and comparative experiments of the KRMNMF algorithm in defense against CVQKD. The experimental environment included an AMD RYZEN 8 processor (Advanced Micro Devices, Santa Clara, CA, USA) MATLAB 2022b, and an RTX 3080 graphics card (Nvidia, Santa Clara, CA, USA). The experimental framework can be divided into the following four steps: Firstly, generating CVQKD datasets under different attacks by Eve [9]. Secondly, training a classifier using clean datasets, in this case, an ANN classifier, to achieve high recognition accuracy for clean samples. Next, using the FGSM algorithm to transform clean samples into adversarial samples and inputting them into the classifier, resulting in a significant decrease in the classifier’s recognition accuracy. Finally, utilizing the KRMNMF algorithm to reconstruct each adversarial sample and inputting them into the classifier to calculate the classification accuracy, quantifying the defense effect. The specific defense process is illustrated in Figure 3.

The parameter variables involved in the KRMNMF algorithm mainly include the selection of the kernel function, the number of nearest neighbor samples used in the edge adjacency matrix (W) denoted as a, the regularization parameter (λ), and the dimensionality of the decomposition matrix (k). In this study, the impact of other parameters on the KRMNMF algorithm was compared when a polynomial kernel function was chosen. Ultimately, a value of 3 was chosen for a; a value of 1 was chosen for λ, and k was set to 25, which resulted in better performance for the KRMNMF algorithm.

To validate the defense effectiveness of the KRMNMF algorithm against adversarial attacks in the CVQKD system, we conducted comparative experiments on the classification performance of the ANN model before and after adding adversary+al defense. In these experiments, the QEBA attack strength was set to 0.1. As shown in Figure 4, the selected comparative algorithms for defense models were JPEG [31] and ComDefend [32]. The experiments were conducted using the open source code and the best parameter settings provided in the corresponding literature. The comparison results presented in

Table 2. The accuracy of CVQKD detection classifiers under different defense strategies. The classification accuracy, including no adversarial defense, single defense method defense, and the combined use of KMRNMF defense with other defense methods. It can be observed that the KRMNMF defense method achieves high accuracy and can be combined with other methods to achieve better results.

Method	Average Classification Accuracy
With no attack	92.1%
With no defense	15.6%
With JPEG defense	40.8%
With Comdefend defense	39.4%
With KRMNMF defense	71.6%
With KRMNMF + JPEG defense	78.8%
With KRMNMF + Comdefend defense	79.5%

indicate that the proposed defense scheme in this paper exhibits outstanding performance in the CVQKD system. The adversarial perturbation classification accuracy achieved by our defense scheme surpasses that of the comparative methods. For instance, employing KRMNMF defense alone achieves an average classification accuracy of 71.6% (much better than the 39.4% achieved by Comdefend defense and 40.8% achieved by JPEG defense). While combining KRMNMF with JPEG defense or Comdefend defense enhances the accuracy to 78.8% and 79.5%, respectively, which outperforms other methods in terms of adversarial perturbation classification accuracy, it can be observed that our approach demonstrates significant advantages in filtering adversarial attacks, making it a highly effective defense strategy for the CVQKD system. It is worth noting that the KRMNMF method can be flexibly combined with other algorithms, and it achieves better results when combined with other defense algorithms. This further demonstrates the value of the KRMNMF algorithm.

To better evaluate the effectiveness of our algorithm, we compared it with existing classical NMF, kernel non-negative matrix factorization (KNMF), robust non-negative matrix factorization (RNMF), manifold non-negative matrix factorization (GNMF), and recent methods such as local non-negative matrix factorization (LNMF) [33], kernel robust non-negative matrix factorization (KRNMF) [34], and sparse non-negative matrix factorization (SNMF) [35]. We compared these algorithms in terms of feature extraction dimensionality and classification accuracy.

According to

Table 3. Based on the MNF-based algorithm’s accuracy and dimensionality for the adversarial defense of CVQKD data, it can be observed that the proposed KRMNMF defense method has the smallest dimensionality and achieves the best defense effectiveness.

Algorithm	Dimension	Average Classification Accuracy
NMF	74	50.8%
KNMF	32	45.5%
RNMF	100	48.4%
GNMF	38	68.5%
KRNMF	90	69.6%
SNMF	87	48.8%
LNMF	63	50.3%
KRMNMF	14	71.6%

, it can be observed that NMF, KNMF, RNMF, GNMF, KRNMF, SNMF, and LNMF algorithms exhibit significant fluctuations in accuracy as the dimensionality changes. Furthermore, our approach demonstrates a significant enhancement of 20.8% compared to NMF, surpassing the classification accuracy of the other NMF-related algorithms in our study. When compared to the KRMNMF algorithm, KRMNMF demonstrates higher accuracy, lower dimensionality, and greater stability. This indicates that the KRMNMF algorithm is capable of extracting a smaller number of features to characterize the CVQKD data, resulting in better performance in terms of adversarial sample filtering during reconstruction, thereby improving the defense capability.

The defense method proposed in this paper using the KRMNMF approach increases the accuracy of CVQKD attack identification from 15.6% to 71.6%, achieving the highest level compared to the other methods. Moreover, the incorporation of KRMNMF defense in conjunction with other methods such as JPEG defense or Comdefend defense further boosts the average classification accuracy to 78.8% and 79.5%, respectively. It is worth noting that there is still room for further improvement in this accuracy. This is due to the significant impact of the quality of adversarial attack generation on the final defense effectiveness. If the adversarial samples exhibit substantial differences from the original samples in the feature space, it may result in difficulties for the defense model to accurately classify these adversarial samples. Additionally, the complexity and nonlinearity of the CVQKD dataset also affect the final classification accuracy. Furthermore, in practical applications, the novel CVQKD adversarial defense strategy provided in this paper can be combined with other defense methods. For instance, the integration of the KRMNMF method with fingerprinting techniques or other defense approaches can further enhance the defensive capability against potential adversarial sample perturbations.

5. Conclusions

In this paper, we present a defense method against adversarial samples in CVQKD by utilizing the KRMNMF algorithm, which applies non-negative matrix factorization to reconstruct input samples and reduce adversarial perturbations in CVQKD. Our proposed method offers a cutting-edge solution to enhance the robustness of the CVQKD system against adversarial attacks. Recognizing the non-linear and non-stationary nature of CVQKD signal data, we employed kernel robust manifold to address these challenges by mapping samples from different attack strategies to a lower-dimensional space. By incorporating manifold learning theory, we capture the intrinsic geometric structure in the feature space. Our algorithm surpasses conventional feature extraction methods by demonstrating superior capabilities in exploring the features specific to CVQKD. We conducted experimental simulations using an artificial neural network model and conducted comparisons with other methods. The results convincingly illustrate the effectiveness of our approach in detecting and mitigating the impact of adversarial attacks. This comprehensive defense method for CVQKD can also be extended to other machine learning scenarios to counter potential adversarial interferences, thus ensuring the security of communication systems.