Quantum neural networks (QNNs) exhibit vulnerability to adversarial attacks, yet their adversarial robustness remains empirically uncharacterized on real quantum hardware. Method: We conduct the first systematic experimental evaluation of QNN classifier robustness against adversarial perturbations on a 20-qubit superconducting quantum processor. We propose the first QNN-specific adversarial attack algorithm, establish an efficient attack framework, and quantitatively characterize robustness boundaries. Contribution/Results: We discover that intrinsic quantum noise inherently enhances adversarial robustness. We theoretically derive and experimentally validate a fidelity-based lower bound on robustness, achieving tightness with a deviation of only $3 imes 10^{-3}$. Furthermore, we implement adversarial training via input-gradient regularization, significantly improving QNN robustness—experimentally surpassing that of classical neural networks of comparable size. This work establishes foundational methodology and empirical benchmarks for assessing and enhancing adversarial robustness in near-term quantum machine learning models.

Quantum machine learning (QML) models, like their classical counterparts, are vulnerable to adversarial attacks, hindering their secure deployment. Here, we report the first systematic experimental robustness benchmark for 20-qubit quantum neural network (QNN) classifiers executed on a superconducting processor. Our benchmarking framework features an efficient adversarial attack algorithm designed for QNNs, enabling quantitative characterization of adversarial robustness and robustness bounds. From our analysis, we verify that adversarial training reduces sensitivity to targeted perturbations by regularizing input gradients, significantly enhancing QNN's robustness. Additionally, our analysis reveals that QNNs exhibit superior adversarial robustness compared to classical neural networks, an advantage attributed to inherent quantum noise. Furthermore, the empirical upper bound extracted from our attack experiments shows a minimal deviation ($3 imes 10^{-3}$) from the theoretical lower bound, providing strong experimental confirmation of the attack's effectiveness and the tightness of fidelity-based robustness bounds. This work establishes a critical experimental framework for assessing and improving quantum adversarial robustness, paving the way for secure and reliable QML applications.