Beyond Gradient-Based Attacks: Adversarial Robustness and Explainability Stability in Cybersecurity Classifiers

· Source: Artificial Intelligence · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, quick

Summary

Adversarial attacks on cybersecurity classifiers pose a dual threat by degrading predictions and destabilizing SHAP-based explanations crucial for security analysts. This research extends a prior MLP study to Random Forest and XGBoost models, evaluating five attack methods, including three black-box techniques, across four tabular security datasets: phishing URLs, UNSW-NB15, NF-ToN-IoT, and HIKARI-2021. A new metric, the Explainability Stability Index (ESI), is introduced, measuring TreeSHAP attribution drift on a [0,1] scale, similar to the Robustness Index (RI). A key finding reveals that gradient-based black-box attacks like ZOO yield degenerate robustness results for XGBoost (apparent RI ~0.98) due to its piecewise-constant prediction surfaces, while score-based Square Attack exposes genuine vulnerability (RI ~0.36). Despite high apparent robustness, these perturbations still cause significant attribution drift, with XGBoost ESI ranging from ~0.06-0.16 compared to RF's 0.14-0.29. This underscores that prediction robustness and explanation stability are distinct axes requiring joint measurement, supported by a two-axis framework for attack evaluation.

Key takeaway

For AI Security Engineers evaluating tree ensemble cybersecurity classifiers, you must jointly measure both prediction robustness and explanation stability. Relying solely on robustness metrics like RI can be misleading, as gradient-based attacks may show false resilience (e.g., XGBoost RI ~0.98) while explanation stability (ESI ~0.06-0.16) significantly degrades. Prioritize score-based black-box attacks, like Square Attack, for a genuine assessment of your model's vulnerabilities and the trustworthiness of its SHAP explanations.

Key insights

Prediction robustness and explanation stability are distinct axes requiring joint measurement in cybersecurity classifiers under adversarial attack.

Principles

Method

Introduce the Explainability Stability Index (ESI) from TreeSHAP attribution drift. Evaluate five adversarial attacks, including black-box methods, on Random Forest and XGBoost models, using a two-axis framework for attack ranking.

In practice

Topics

Best for: AI Security Engineer, AI Scientist, Research Scientist

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Artificial Intelligence.