Multi-Attack Detection: General Defense Strategy Based on Neural Networks for CV-QKD

Abstract

The security of the continuous-variable quantum key distribution (CVQKD) system is subject to various attacks by hackers. The traditional detection method of parameter estimation requires professionals to judge known attacks individually, so the general detection model emerges to improve the universality of detection; however, current universal detection methods only consider the independent existence of attacks but ignore the possible coexistence of multiple attacks in reality. Here, we propose two multi-attack neural network detection models to handle the coexistence of multiple attacks. The models adopt two methods in multi-label learning: binary relevance (BR) and label power (LP) to deal with the coexistence of multiple attacks and can identify attacks in real-time by autonomously learning the features of known attacks in a deep neural network. Further, we improve the model to detect unknown attacks simultaneously. The experimental results show that the proposed scheme can achieve high-precision detection for most known and unknown attacks without reducing the key rate and maximum transmission distance.

1. Introduction

Compared with the classical secure communication system, quantum key distribution (QKD) can detect eavesdropping behavior and perceive the network security situation [1]. Its theoretical unconditional security is guaranteed by the Heisenberg uncertainty principle [2], and quantum state non-cloning principle [3]; however, its practical security is challenged by the imperfection of the devices, which may bring security loopholes for the active attack of Eve [4,5,6,7].

According to the carrier of information transmission, QKD can be divided into discrete-variable (DV) QKD [8,9,10] and continuous-variable (CV) QKD [11,12,13,14]. CVQKD can complete unconditional and secure distribution of keys only with standardized optical communication devices and has lower system costs and better application prospects. The system based on Gaussian modulated coherent state (GMCS) protocol has the properties of a classic light field, easy preparation, and longer secure transmission distance so that it can better meet application requirements [15]; therefore, this paper carries out research work around GMCS CVQKD systems.

The security analysis of the system is to calculate the key curve based on the channel transmission and the excess noise, and finally judge whether it is attacked [16]. There are many ways for Eve to attack the practical systems. On the one hand, Eve can manipulate local oscillator (LO) optical signals to perform calibration attacks (CA) [17] and local oscillator intensity attacks (LOIA) [18]. On the other hand, Eve may use the limited linear domain of the system detector to implement saturation attacks (SA) [19] and blinding attacks [20]. Moreover, Eve may carry out wavelength attacks through the wavelength dependence of the beam splitter at the receiving end of the system [21,22,23]. The main idea of counteracting quantum attacks is to add corresponding real-time monitoring modules for different types of attacks on the system. For example, to defend against LO pulse attacks, researchers have designed shot noise real-time monitoring solutions [17,24]; however, in practical systems, we do not know in advance which kind of attack Eve will launch, so we cannot take targeted measures and judge how many attacks occurred simultaneously. Thus it is necessary to detect multiple attacks. The quantum attack can be detected by some machine learning strategies, such as k-nearest neighbors (KNN) [25], support vector machines (SVM) [26], ensemble learning [27], hidden Markov models (HMM) [28], and neural networks (NN) [29,30]. These strategies can automatically detect and classify some known attacks by learning feature distribution instead of simple thresholds; however, there is also a drawback: the previous detection scheme was to select the one with the highest probability from different types of attacks without considering the coexistence of multiple attacks in practice.

In this paper, we propose a multi-attack detection and classification solution to defense CVQKD systems. We studied several typical features that would be affected by attacks and analyzed the changes of these features under different attacks, taking the normal unattacked state as a reference. Then, we put the preprocessed attack data into the multi-label neural network model for training. The model uses a unique multi-label detection method to simultaneously identify multiple types of attacks from different features, not only identifying a single attack but also including the coexistence of multiple attacks. With this model, Bob can automatically detect abnormal data in real-time to avoid attacks. Once the system receives abnormal data, it can immediately stop the key transmission with Alice without waiting until the key transmission is completed to check whether it is attacked. Experiments demonstrate that our model can identify known attacks and unknown attacks with high accuracy. In our work, we mainly considered three typical attack strategies against the systems, including calibration attacks, LO intensity attacks, and saturation attacks. The main idea of three typical attack strategies is to keep the excess noise and channel transmission unchanged before and after the attack in the system by changing the shot noise and using the inherent linear area defects of the detector. In addition, hybrid attack 1 [31] and hybrid attack 2 [29] are considered as two types of unknown attacks to apply to the detection and classification of unknown attacks.

2. Detection and Classification of Multi-Attack

2.1. Preparation of Multi-Attack Data Set

The study of combined attacks requires generating new data sets. The preparation of our data set consists of the following three steps. Firstly, each type of attack generates 500 data points as the original dataset, and the combined attack data are added to it to form a new data set. Secondly, the new data set is divided into M groups with 25 pulses in each group. At last, each group takes 25 pulses as a whole to generate shot noise variance as the unit for calculating group variance. According to the assumptions satisfied by machine learning theory: the training set and the test set meet the same distribution. So the larger the amount of data, the higher the quality, and the better the model fits the actual situation. In our experiment, only 500 data were used for the experiment, and the number of samples will be increased in further experiments. The reason we set the number of pulses per group to 25 is that the data are too long to detect short-term attacks. After experiments with 20, 25, and 30 pulses in each group, it was found that the experiment with 25 pulses in each group had the best effect.

In the absence of attacks, the mean and variance measured by Bob are given as Equations (1) and (2). Where the excess noise caused by signal pulses is the technical excess noise of the system ${\xi }_{tech}$ introduced by the preparation of Gaussian signal pulses, and the shot noise $N_0$ is the variance measured by Bob’s homodyne detector when the input signal is almost 0.

$$\overline{y}=0$$

(1)

$$\begin{array}{c}\hfill V_i=\eta T\left(V_A{N}_0+{\xi }_{tech}\right)+N_0+V_{el}\end{array}$$

(2)

The variance formula under the unattacked state can be described as follows. Alice’s side generates random pulses of Gaussian distribution with mean zero variance $V_A{N}_0$ and the system has inherent technical excess noise ${\xi }_{tech}=\epsilon N_0$. When the above three variances are transmitted to Bob through the channel, the channel transmission loss T and the detection loss $\eta$ of the detector should be considered. On Bob’s side, the detector has electronic noise $V_{el}=v_{el}{N}_0$, and the homodyne detection will introduce vacuum noise with a simplified variance $N_0$ (more details can be found in Appendix A).

For calibration attacks and LO intensity attacks, their strategy is to reduce the shot noise and thus reduce the excess noise introduced by the attack. The shot noise directly impacts the two-dimensional factor variance. The strategy of saturation attacks is to add a proper displacement $\Delta x$ to quadratures $X_A$ which will make the detector abnormally work in the saturation region, thus the attack is hidden. The adding displacement $\Delta x$ directly impacts the one-dimensional factor mean (more details can be found in Appendix B); here are the mean and variance under different combinations of calibration attacks, LO intensity attacks, and saturation attacks.

The joint attack of calibration attacks and LO intensity attacks: since both $N_0^{CA}$ and $N_0^{LOIA}$ have a proportional relationship with $N_0$, their superimposed shot noise $N_0^{CA\&LOIA}$ is multiplicative. The excess noise introduced on signal pulses under the joint attack of calibration attacks and LO intensity attacks could be divided into three parts: (i) ${\xi }^{PI{R}_{CA}}$ introduced by the intercept-resend (PIR) attack of calibration attacks, (ii) ${\xi }^{Ga{u}_{LOIA}}$ introduced by the Gaussian collective attack of LO intensity attacks, and (iii) ${\xi }_{tec{h}_{CA\&LOIA}}$ introduced by the system; therefore, the total excess noise $\xi$ and the superimposed shot noise $N_0^{CA\&LOIA}$ can be written as

$$\xi ={\xi }^{PI{R}_{CA}}+{\xi }^{Ga{u}_{LOIA}}+{\xi }_{{tech}_{CA\&LOIA}}=\left(2+\frac{1-k}{kT}+\epsilon \right)N_0^{CA\&LOIA}$$

(3)

$$N_0^{CA\&LOIA}=N_0^{CA}{N}_0^{LOIA}=k_1{k}_2{N}_0$$

(4)

Since calibration attacks and LO intensity attacks only attack the variance without modifying the mean, the mean and variance under this condition can be expressed as

$${\overline{y}}_{SA\&CA}=0$$

(5)

$$V^{CA\&LOIA}=\eta T\left(V_A{N}_0^{CA\&LOIA}+\xi \right)+\left(1+v_{el}\right)N_0^{CA\&LOIA}{V}_i=\eta T\left(V_A{N}_0+{\xi }_{tech}\right)+N_0+V_{el}$$

(6)

The joint attack of saturation attacks and calibration attacks, since saturation attacks do not change the shot noise, their superimposed shot noise is $N_0^{CA}$. The excess noise introduced on signal pulses under the joint attack of saturation attacks and calibration attacks could be divided into three parts: (i) ${\xi }^{PI{R}_{CA}}$ introduced by the PIR attack of calibration attacks, (ii) ${\xi }^{PI{R}_{SA}}$ introduced by the PIR attack of saturation attacks, and (iii) ${\xi }_{tec{h}_{CA}}$ introduced by the system; therefore, the total excess noise $\xi$ and the superimposed shot noise $N_0^{CA}$ can be written as

$$\xi ={\xi }^{PI{R}_{SA}}+{\xi }^{PI{R}_{CA}}+{\xi }_{{tech}_{CA}}=\left(4+\epsilon \right)N_0^{CA}$$

(7)

$$N_0^{CA}=k_1{N}_0$$

(8)

The variance of saturation attacks and calibration attacks under linear region can be expressed as

$$V^{CA\&lin}=\eta T\left(V_A{N}_0^{CA}+\xi \right)+\left(1+v_{el}\right)N_0^{CA}$$

(9)

Replacing $V^{lin}$ by $V^{CA\&lin}$ in $V^{SA}$ (Equation (A26)), the mean and variance of saturation attacks and calibration attacks under saturation region can be expressed as

$${\overline{y}}_{CA\&SA}=\alpha +C$$

(10)

$$V^{SA\&CA}=V^{CA\&lin}\left(\frac{1+A}{2}-\frac{B^2}{2\pi }\right)-(\alpha -\Delta )\sqrt{\frac{V^{CA\&lin}}{2\pi }}{A}^{*}B+\frac{{(\alpha -\Delta )}^2}{4}\left(1-A^2\right)$$

(11)

where

$$A=erf\left(\frac{\alpha -\Delta }{\sqrt{2V^{CA\&lin}}}\right)$$

(12)

$$B=e^{-\frac{{(\alpha -\Delta )}^2}{2V^{CA\&lin}}}$$

(13)

$$C=-\sqrt{\frac{V^{CA\&lin}}{2\pi }B+\frac{\alpha -\Delta }{2}+\frac{\alpha -\Delta }{2}A}$$

(14)

The joint attack of saturation attacks and LO intensity attacks, since saturation attacks do not change the shot noise, their superimposed shot noise is $N_0^{LOIA}$. The excess noise introduced on signal pulses under the joint attack of saturation attacks and LO intensity attacks could be divided into three parts: (i) ${\xi }^{PI{R}_{SA}}$ introduced by the PIR attack of saturation attacks, (ii) ${\xi }^{Ga{u}_{LOIA}}$ introduced by the Gaussian collective attack of LO intensity attacks, and (iii) ${\xi }_{tec{h}_{LOIA}}$ introduced by the system. The total excess noise $\xi$ and the superimposed shot noise $N_0^{LOIA}$ can be written as

$$\xi ={\xi }^{PI{R}_{SA}}+{\xi }^{{Gau}_{LOIA}}+{\xi }_{{tech}_{LOIA}}=\left(2+\frac{1-k}{kT}+\epsilon \right)N_0^{LOIA}$$

(15)

$$N_0^{LOIA}=k_2{N}_0$$

(16)

The variance of saturation attacks and LO intensity attacks under linear region can be expressed as

$$V^{LOIA\&lin}=\eta T\left(V_A{N}_0^{LOIA}+\xi \right)+\left(1+v_{el}\right)N_0^{LOIA}$$

(17)

Replacing $V^{lin}$ by $V^{LOIA\&lin}$ in $V^{SA}$ (Equation (A26)), the mean and variance of saturation attacks and LO intensity attacks under the saturation region can be expressed as

$${\overline{y}}_{SA\&LOIA}=\alpha +C$$

(18)

$$V^{SA\&LOIA}=V^{LOIA\&lin}\left(\frac{1+A}{2}-\frac{B^2}{2\pi }\right)-(\alpha -\Delta )\sqrt{\frac{V^{LOIA\&lin}}{2\pi }}{A}^{*}B+\frac{{(\alpha -\Delta )}^2}{4}\left(1-A^2\right)$$

(19)

where

$$A=erf\left(\frac{\alpha -\Delta }{\sqrt{2V^{LOIA\&lin}}}\right)$$

(20)

$$B=e^{-\frac{{(\alpha -\Delta )}^2}{2V^{LOIA\&lin}}}$$

(21)

$$C=-\sqrt{\frac{V^{LOIA\&lin}}{2\pi }B+\frac{\alpha -\Delta }{2}+\frac{\alpha -\Delta }{2}A}$$

(22)

For the joint attack of calibration attacks, LO intensity attacks, and saturation attacks, since saturation attacks do not change the shot noise, their superimposed shot noise is $N_0^{CA\&LOIA}$. The excess noise introduced on signal pulses under the joint attack of calibration attacks, LO intensity attacks, and saturation attacks could be divided into four parts: (i) ${\xi }^{PI{R}_{CA}}$ introduced by the PIR attack of calibration attacks; (ii) ${\xi }^{Ga{u}_{LOIA}}$ introduced by the Gaussian collective attack of LO intensity attacks; (iii) ${\xi }^{PI{R}_{SA}}$ introduced by the PIR attack of saturation attacks; (iv) ${\xi }_{tec{h}_{CA\&LOIA}}$ introduced by the system. The total excess noise $\xi$ can be written as

$$\xi ={\xi }^{PI{R}_{CA}}+{\xi }^{PI{R}_{SA}}+{\xi }^{Ga{u}_{LOIA}}+{\xi }_{tec{h}_{LOIA}}=\left(4+\frac{1-k}{kT}+\epsilon \right)N_0^{CA\&LOIA}$$

(23)

Then, the variance of calibration attacks, LO intensity attacks, and saturation attacks under linear region can be expressed as

$$\begin{array}{c}\hfill V^{CA\&LOIA\&lin}=\eta T\left(V_A{N}_0^{CA\&LOIA}+\xi \right)+\left(1+v_{el}\right)N_0^{CA\&LOIA}\end{array}$$

(24)

Replacing $V^{lin}$ by $V^{CA\&LOIA\&lin}$ in $V^{SA}$ (Equation (A26)), the mean and variance of calibration attacks, LO intensity attacks, and saturation attacks under saturation region can be expressed as

$${\overline{y}}_{CA\&LOIA\&SA}=\alpha +C$$

(25)

$$\begin{array}{cc}\hfill V^{CA\&LOIA\&SA}=& \hfill V^{CA\&LOIA\&lin}\left(\frac{1+A}{2}-\frac{B^2}{2\pi }\right)-(\alpha -\Delta )\sqrt{\frac{V^{CA\&LOIA\&lin}}{2\pi }}{A}^{*}B\hfill \end{array}$$

(26)

$$\begin{array}{cc}\hfill & \hfill +\frac{{(\alpha -\Delta )}^2}{4}\left(1-A^2\right)\hfill \end{array}$$

(27)

where

$$A=erf\left(\frac{\alpha -\Delta }{\sqrt{2V^{CA\&LOIA\&lin}}}\right)$$

(28)

$$B=e^{-\frac{{(\alpha -\Delta )}^2}{2V^{CA\&LOIA\&lin}}}$$

(29)

$$C=-\sqrt{\frac{V^{CA\&LOIA\&lin}}{2\pi }B+\frac{\alpha -\Delta }{2}+\frac{\alpha -\Delta }{2}A}$$

(30)

2.2. Feature Extraction

In the GMCS protocol, Alice prepares a series of coherent states $\left|X_A+i{P}_A\right.〉$, where the quadrature values $X_A$ and $P_A$ obey a Gaussian distribution with mean zero and variance $V_A$. Bob receives a series of time-based measurements $X_B=\left[x_1,x_2,\dots ,x_n\right]$. Different attacks or unknown threats introduced by Eve can affect multiple optical parameters and thus deviate from the measured values of the system. These optical parameters are the intensity $I_{LO}$ of the LO, the shot noise variance $N_0$, the mean $\overline{y}$, and variance $V_y$ measured by Bob.

Table 1. Impacts of combined attack strategies on measurable features. The symbol ‘✓’ represents that the feature is changed by the corresponding attack. The symbol ‘-’ represents that the feature is unchanged by the corresponding attack. k, $k_1$, and $k_2$ represent the proportional relationship compared with the original feature.

Feature	$\overline{\mathit{y}}$	${\mathit{V}}_{\mathit{y}}$	${\mathit{I}}_{\mathbf{LO}}$	${\mathit{N}}_0$
CA	-	✓	-	$k_2$
LOIA	-	✓	k	$k_2$
SA	✓	✓	-	-
CA&LOIA	-	✓	k	$k_1{k}_2$
CA&SA	✓	✓	-	$k_1$
LOIA&SA	✓	✓	k	$k_2$
CA&LOIA&SA	✓	✓	k	$k_1{k}_2$

shows the impact of combined attack strategies on measurable characteristics. In the experiment, the feature type of the sample we choose is a very important parameter in parameter estimation, and it is also an important parameter in the actual system. As the description in [29], learning the variation of these features helps to detect and classify different attacks.

Figure 1 shows a schematic diagram of Bob’s detection setup for simultaneously measuring the features of Table 1 and the experimental preparation for acquiring training data. In the experiment, a 1310 nm light source was introduced as the system independent clock. The pulse passes through the quantum channel and reaches Bob through CWDM for wavelength division multiplexing to separate the signal light source and the clock light source. The separated 1310 nm light source is used as the system clock to realize real-time shot noise variance monitoring. Alice generates 1550 nm coherent light at a repetition rate of 1 MHz from an external telecom-diode, which is the signal light source to Bob. Then a polarized beam splitter (PBS) is applied to separate the signal light source into signal pulses and LO pulses. After passing through the PBS, the LO pulses are split by a 90:10 beam splitter BS1, $10\%$ of the LO pulses are used for LO intensity monitoring, and the remaining $90\%$ of the LO pulses are split by another 90:10 beam splitter BS2. After passing through the BS2, $10\%$ of the LO pulses are used for shot noise monitoring, and the remaining $90\%$ of the LO pulses are used for homodyne detection. On the path of monitoring shot noise, the ATT is added to change the magnitude of the LO intensity to obtain the variance of the system shot noise under different LO intensities, thereby obtaining the linear relationship between the LO intensity and the variance of the shot noise. At the same time, in the LO pulse path for homodyne detection, a phase modulator (PM) is set in to control the measurement phase to randomly select the real-time intersection. Finally, data preprocessing is performed on the measurement results, and then they are put into a multi-label neural network model for attack detection. The results of model detection are used to assist the parameter estimation process.

In the post-processing stage, we install additional data preprocessing and attack detection procedures on the original processing module, which can provide pre-detection of known and unknown threats before implementing parameter estimation without changing the procedures for original parameter estimation and key extraction (more details can be found in Appendix B). Real-time data are collected and calculated in a high repetition frequency CV-QKD system, the experimental process or actual identification process takes less than 0.05 ms on a typical laptop computer with 16 GB memory, Intel Core 4.0 GHz CPU, and GeForce RTX 3070 GPU, which can fully fit about 1–100 Mbps system.

We perform preprocessing operations on the data under different attacks to make the original data more suitable for input to the neural network, including vectorization, normalization, sequential processing, and feature extraction. Additional data preprocessing in our model is as follows. Firstly, 500 data with Gaussian distribution are generated for each attack type to avoid data imbalance, and the combined attack has a total of 4000 data. Then the 4000 data are extracted to the output feature vectors. Our pulses are input in time series, every 25 pulses are grouped into groups, and each pulse data in this group are represented by the feature vectors $\left[\overline{y},V_y,I_{LO},N_0\right]$. Finally, the attack data transformed into feature vectors are put into our model for training.

2.3. Multi-Label Neural Network Attack Detection Model

This section introduces the structure of the neural network in our model and the method to improve the output of the neural network to deal with multi-label attacks.

2.3.1. Multi-Label Neural Network Framework

The data received by Bob are input in time series, so we choose long short-term memory (LSTM) class network. LSTM is very suitable for processing and predicting time series due to its unique design structure [32]. As a variant of LSTM, the gated recurrent unit (GRU) network has the advantages of low computational complexity, less overfitting, and relatively convenient experimental operations [33]. So we use the GRU network in our experiments.

Then we consider the network output of a multi-label attack. The existing research on the detection of quantum attacks is a single output, that is, only the one with the highest probability is considered as the result of multiple attack detection, but in fact, there may be a combination of multiple attacks, so the output is not a certain type of attack but a collection of attack labels. Thus, we introduce multi-label classification methods [34,35]. Multi-label classification methods can be divided into two types: problem transformation (PT) method and algorithm adaptation (AA) method. The PT strategy is to convert the multi-label classification problem into a single-label classification problem, so that the existing single-label learning algorithm can be simply applied to solve the multi-label problem. The AA strategy is to improve the current single-label learning algorithm and apply it to multi-label classification tasks. Compared with the AA method with high system complexity and easy to cause over-fitting, the PT method has better experimental results and lower system complexity, which is easier to study; therefore, the PT method is selected to classify quantum attacks. Considering the characteristics of quantum attacks and the controllability of the generated data sets, the binary relevance (BR) method and the label powerset (LP) methods of the PT strategy are used to solve the problem of detecting the combination of multiple quantum attacks.

We choose three known attacks to detect our model, which are calibration attacks, LO intensity attacks, and saturation attacks, with the unattacked state as a reference. To clearly show the model, we consider calibration attacks, LO intensity attacks, and saturation attacks as the notation y₁, y₂, and y₃, respectively. Thus, we got $Y=\left\{y_1,y_2,y_3\right\}$ as the label space with three possible class labels. The task of the multi-label neural network is to learn a function $h:X\to 2^Y$ from the training data set, where X represents the label set of the feature vector.

2.3.2. The BR-NN Model

The BR-NN model uses multiple binary classifiers to predict each label separately, and the output result is a set of original labels, which can be expressed as $Y^{\prime }=\left\{y_1,y_2,y_3\right\}$. In our model, We replace the softmax layer of the neural network with four binary classifiers, that is, four sigmoid layers for output. Each sigmoid layer detects if there is a corresponding attack. If the attack is detected, it will output 1 or 0 if it is not detected. One of the binary classifiers is to detect if the model is attacked, and it will output 0 if it detects attacks or 1 if it is not detected. In this way, multiple attacks can be output in parallel, as shown in Figure 2.

Figure 2 shows the structure of the BR-NN model. The input of the BR-NN model is the same as the LP-NN. After passing through the four-layer network, it is output by the sigmoid function. The input of the GRU layer is a three-dimensional vector (4000, 25, 4), and the output is a 64-dimensional vector; then the output of the GRU layer is divided into four sub-models, each model learns an attack type separately, and one of the models learns whether it is attacked. The input of the submodel is a 64-dimensional vector, and the output is the probability of each attack. The role of the intermediate dropout layer is to reduce the number of intermediate feature parameters and prevent overfitting. The four sub-models learn a specific attack type, respectively, which is clearly described as three sub-models learning calibration attacks, LO intensity attacks, and saturation attacks, while the other sub-model learns the unattacked state to judge whether the attack exists, as is shown in

Table 2. The multi-attack output of four sigmoid. CA: calibration attacks. LOIA: LO intensity attacks. SA: saturation attacks.

Output	Sigmoid1	Sigmoid2	Sigmoid3	Sigmoid4
Unattacked State	1	0	0	0
CA [17]	0	1	0	0
LOIA [18]	0	0	1	0
SA [19]	0	0	0	1
CA&LOIA	0	1	1	0
CA&SA	0	1	0	1
LOIA&SA	0	0	1	1
CA&LOIA&SA	0	1	1	1

. It is worth noting that contradictory abnormal situations such as the output [1 1 0 0] are what we will follow up later. The occurrence of this situation indicates that the collected data are abnormal, but there is no such abnormal situation in our experiment at present.

The attack labels of the BR-NN model only affect each other in the training stage and are independent of each other in the prediction stage. Because the BR labels are detected by learning the features of different labels in the training stage, the labels are related to each other; however, in the prediction stage, the output is multiple binary classifiers, so they are independent of each other.

2.3.3. The LP-NN Model

The LP-NN model regards any combination of different labels in the multi-label training data set as a new label and then adds them to the original label set, so that multi-label classification is transformed into a series of single-label classification problems. The LP model changed the output type of the softmax layer of the neural network. The softmax layer has changed from the original four outputs to eight outputs, as shown in Figure 3. The original four outputs included three types of attacks and one type of non-attack. The new label set can be expressed as $Y^{\prime }=\left\{y_1,y_2,y_3,y_1+y_2,y_1+y_3,y_2+y_3,y_1+y_2+y_3\right\}$.

Figure 3 shows the structure of the LP-NN model. As mentioned in Section 2.2, the input of the LP-NN model is the feature vectors $\left[\overline{y},V_y,I_{LO},N_0\right]$, a matrix of shape (25,4). After passing through the three-layer network, it is output by the softmax function. The input layer, GRU layer, and dense layer 1 are the feature extraction part, and dense layer 2, and softmax layer are the decision part. The input layer inputs a two-dimensional vector set (25,4), where 25 is the time dimension and 4 is the feature dimension; the softmax layer outputs the confidence score of each attack and then takes the highest probability as the output.

Unlike the BR-NN model, the LP-NN model considers the interaction between the attacks in the prediction stage while solving the problem of multiple outputs of the attack. Since the output is the softmax layer, the attacks are related to each other.

The comparison between the LP-NN model and the LP-NN model is as follows. The BR model has fewer parameters because the neurons between modules are not linked, so the resource consumption is low, and it is not easy to overfit; however, the LP-NN model is more practical significance, that is, considering the interaction between attacks in practice and the model can fully analyze the impact of each feature on the prediction results, thereby the performance of the LP-NN model is better than the BR-NN model for known attacks.

2.4. Detection of Unknown Attacks

For the detection of unknown attacks, it can be attributed to an open set classification problem in essence. That is, the classifier has not learned unknown attacks during training, but when unknown attacks appear in the test data set, the classifier can perceive the unknown attack data and judge it as an unknown type. The most commonly used anomaly detection models are based on content similarity [36], among which the most representative is the one-class SVM [37]. Alternatively, deep learning can be used for anomaly detection, such as confidence estimation [38] through neural networks, or autoencoders [39] and generative adversarial networks (GAN) [40] based on reconstruction errors. Reconstruction error-based methods require a high complexity of the generative model to learn good features, which is due to the complexity inherent features of high-dimensional data. At the same time, the basis of the generated model is a neural network with many hyperparameters. The parameter adjustment process is time-consuming and labor-intensive. The complexity of the model is far greater than that of the one-class SVM, not to mention the overfitting problem of the generated model.

The method of detecting unknown attacks in this paper is to directly add the one-class SVM anomaly detection module to our model, as shown in Figure 4. The one-class SVM can learn a hypersphere in the high-dimensional feature space by modeling all known attack types in the training set, and those within the hypersphere are considered to be known attack types. Then the classifier judges whether the data in the test data set belongs to a known attack type, and if not, it is judged as an unknown attack. The anomaly detection method using the one-class SVM has low model complexity and is easy to implement. In addition, it has good generality, which means that it can be directly grafted onto models of detecting known attacks without parameter tuning.

The confidence estimation method can also be used on the LP-NN model to detect unknown attacks because the LP-NN models all attacks and takes the attack class with the highest confidence as the output. When the confidence level meets the requirements, the output is the known attack; otherwise, it is the unknown attack. The method of setting a fixed threshold value can be used as the confidence level, but it requires continuous experimentation to obtain a suitable threshold value, which is time-consuming and labor-intensive. The neural network method can also be used to learn the appropriate confidence level, but parameter adjustment is still a complex process, and inappropriate parameters will reduce the classification accuracy; therefore, the one-class SVM method is used in the paper to detect unknown attacks.

3. Performance

3.1. Implementation Details and Comparison with Existing Scheme

We implemented the data set preparation on MatlabR2019b, and the training and testing of the attack detection model on pycharm 2021. In the experiment, the learning rate of the attack model is set to 0.01, and the maximum number of the epoch is 400. The data set size for each attack type is N = 1 × 500, and the number of pulses in each block is Q = 25, so the data set for each attack type can be divided into M = 400 feature vectors. To verify the actual performance of the model, we tested the trained model. The validated experimental data adopts nine different sequence groups, including seven known attack sequence groups, one normal sequence group and an unknown attack sequence group. For known attacks, the attack types of the training and test datasets are consistent; however, unlike known attacks, unknown attacks in the test data set are not included in the training data set of the model. It is worth noting that our test and training data set are generated independently of each other. The training phase of our model takes 10–15 min on a typical laptop with 16 GB memory, Intel Core 4.0 GHz CPU, and GeForce RTX 3070 GPU. In the prediction phase, we only need a brief preprocessing of the data and then apply the trained model to any future dataset, which can take about 2–5 min to implement on a computer. The trained model will be used as an attack detection module before parameter estimation in the post-processing of the system (more details can be found in Appendix C).

In the case of coexistence of multiple attacks, the single-attack detection model will theoretically miss detection or misidentify. In addition, it is verified through experiments that the single attack model will misidentify which type of attack it is, and it is analyzed from the experimental results which type of attack is dominant when multiple attacks occur at the same time, so it is more necessary to be vigilant about the defense of this attack.

Table 3. Detection results of combined attacks by different models. The symbol ‘✓’ represents that the model can correctly identify the combined attack. CA: calibration attacks. LOIA: LO intensity attacks. SA: saturation attacks.

Model	CA-LOIA	CA-SA	LOIA-SA	CA-LOIA-SA
BR-NN	✓	✓	✓	✓
LP-NN	✓	✓	✓	✓
ANN-based [29]	LOIA	SA	SA	LOIA

shows the detection results of combined attacks by different models.

In Table 3, our model can correctly detect the simultaneous attacks, while the ANN-based model has the following omissions: (i) the joint attack of calibration attacks and LO intensity attacks, the detection result is LO intensity attacks while the calibration attack is ignored; (ii) the joint attack of saturation attacks and calibration attacks, the detection result is calibration attacks while the saturation attack is ignored; (iii) the joint attack of saturation attacks and LO intensity attacks, the detection result is LO intensity attacks while the saturation attack is ignored; (iv) the joint attack of calibration attacks, LO intensity attacks, and saturation attacks, the detection result is LO intensity attacks while the saturation attack and the calibration attack are ignored. Moreover, the result of (iv) is also a centralized description of the error detection results of the ANN-based model, that is, when the calibration attacks or LO intensity attacks occur simultaneously with saturation attacks, saturation attacks are not dominant; when calibration attacks and LO intensity attacks occur simultaneously, LO intensity attacks dominate. It is worth noting that when calibration attacks or LO intensity attacks occur simultaneously with saturation attacks, calibration attacks, or LO intensity attacks must be carried out first. Because triggering saturation attacks first will cause the detector to directly enter the saturation region, calibration attacks or LO intensity attacks that work in the linear region cannot be triggered.

3.2. Multi-Attack Detection Performance of the Model

We use accuracy, precision, and recall as metrics to evaluate the performance of our model during the training phase.

Figure 5a shows the performance of the LP-NN model. We can conclude that the accuracy of the LP-NN model metrics grows between 0 and 20 training epochs, and then fluctuates between 20 and 60 training epochs at 0.8 and 1. After 60 training epochs, the metrics of the LP-NN model tend to be stable and can reach 1. Figure 5b–d show the performance of each sub-model in the BR-NN model. We can conclude that the accuracy of the BR-NN model metrics grows between 0 and 35 training epochs. After 35 training epochs, the metrics of the BR-NN model tend to be stable and can reach 1. It shows that both the BR-NN model and the LP-NN model can detect the known combined attacks with $100\%$ accuracy, but the training time of the LP-NN model is twice that of the BR-NN model. Because the LP model has more parameters, the training time is longer. In the case of the same accuracy, the LP model is more realistic considering the mutual influence between attacks, so the LP-NN model is more recommended to detect multiple known attacks. In our experiments, the confusion matrix is used to show the prediction of our model. As can be seen in Figure 6, the data falls exactly on the diagonal of the confusion matrix, so the BR-NN model and the LP-NN model can obtain completely correct classification results for known attacks.

3.3. Multi-Attack Detection for Unknown Attacks

The above experiments are all for known attacks. We mentioned in Section 2.4 that the one-class SVM could be utilized to detect unknown attacks. We treat hybrid attack 1 and hybrid attack 2 as two types of unknown attacks generating 500 data, which is the same amount as each known attack above, and then put the test data set with the unknown attacks into the one-class SVM classifier for anomaly detection. The unknown attacks we mention here are attacks other than known attacks, which may be a single unknown attack or a combination of unknown attacks. In addition, the detection of unknown attacks is carried out independently and there is no combined relationship between known attacks.

Figure 7 shows the predicted results of our model for unknown attacks after adding the one-class SVM. It can be concluded that the improved model can perfectly detect unknown attacks while hardly affecting the prediction accuracy of known attacks. Based on further analysis of Figure 7, we can conclude that the BR-NN model is more suitable for detecting unknown attacks since the BR-NN model has less impact on the detection of known attacks.

3.4. Security Analysis

Compared with the method of measuring shot noise by blocking the signal light in [29], we add another detector to measure the shot noise without influencing signal pulses; therefore, our scheme does not suffer from the reduction in maximum security distance and key rate due to the decrease in the number of signal pulses available to extract the key as mentioned in [17]. Because the monitoring method in our experiment has no effect on the key rate and the communication of the GMCS CVQKD systems, we only need to consider the security of the quantum attack detection model.

In general, the following four parts of a detection model can be attacked: the input, the data set, the model, and the output. In our system, the model input and output are dependent on the system itself; therefore, we mainly analyze the attacks on both the data set and the model and then give corresponding countermeasures. According to different camouflage methods, attacks on data sets can be divided into two types: poisoning attacks [41,42] and data preprocessing attacks [43]. In poisoning attacks, the attacker injects poisoned samples into the training data set, thereby affecting the training of the model. Hence, the introduction of poisoning data makes model training meaningless. In data preprocessing attacks, the attacker changes the data preprocessing rules so that the model detects anomalies; therefore, the defender will mistake it as a system change rather than an attack. Next, we consider the attack on the model, in which the most common attack is the adversarial example attack [44,45]. In adversarial example attacks, attackers add tiny and imperceptible noise perturbations to the original samples, thereby causing the model misclassification, i.e., giving incorrect outputs with high confidence.

Several attacks against the neural network detection model have been discussed above, then we present defenses against these attacks below. For poisoning attacks, data cleaning [46], and robust machine learning including pruning defense and fine-tuning methods can be employed [47]. For data preprocessing attacks, an autoencoder can be placed between the input data and the neural network as an input preprocessor so that the input and output of the preprocessor are of the same size, and the output of the preprocessor is the input of the neural network. For defense against adversarial sample attacks, adversarial training [44,48], gradient masking [49], adversarial sample detection [50], and formal verification of model robustness can be implemented [51,52,53]. Adversarial training is a simple way to defend against adversarial examples because the robustness of the model can be enhanced simply by adding some adversarial examples to the training set to retrain the model; however, adversarial training is only effective on adversarial samples of known methods, so it is difficult to defend against black-box attacks. For the black-box model, generating adversarial examples with adversarial networks is an effective defense [54].

4. Conclusions

We propose two deep learning models for detecting known attacks, which could detect the coexistence of multiple attacks and achieve real-time monitoring of the CVQKD systems. In addition, to detect unknown attacks, the step is to adopt the one-class SVM to our model. Experiments show that our models can identify known attacks and unknown attacks with high accuracy. Given the invariance of the shot noise measurement to the key transmission in our experiment, the defense scheme of the detection models needs to be further studied.