Beyond Gradient-Based Attacks: Adversarial Robustness and Explainability Stability in Cybersecurity Classifiers
Summary
Adversarial attacks on cybersecurity classifiers pose a dual threat by degrading predictions and destabilizing SHAP-based explanations crucial for security analysts. This research extends a prior MLP study to Random Forest and XGBoost models, evaluating five attack methods, including three black-box techniques, across four tabular security datasets: phishing URLs, UNSW-NB15, NF-ToN-IoT, and HIKARI-2021. A new metric, the Explainability Stability Index (ESI), is introduced, measuring TreeSHAP attribution drift on a [0,1] scale, similar to the Robustness Index (RI). A key finding reveals that gradient-based black-box attacks like ZOO yield degenerate robustness results for XGBoost (apparent RI ~0.98) due to its piecewise-constant prediction surfaces, while score-based Square Attack exposes genuine vulnerability (RI ~0.36). Despite high apparent robustness, these perturbations still cause significant attribution drift, with XGBoost ESI ranging from ~0.06-0.16 compared to RF's 0.14-0.29. This underscores that prediction robustness and explanation stability are distinct axes requiring joint measurement, supported by a two-axis framework for attack evaluation.
Key takeaway
For AI Security Engineers evaluating tree ensemble cybersecurity classifiers, you must jointly measure both prediction robustness and explanation stability. Relying solely on robustness metrics like RI can be misleading, as gradient-based attacks may show false resilience (e.g., XGBoost RI ~0.98) while explanation stability (ESI ~0.06-0.16) significantly degrades. Prioritize score-based black-box attacks, like Square Attack, for a genuine assessment of your model's vulnerabilities and the trustworthiness of its SHAP explanations.
Key insights
Prediction robustness and explanation stability are distinct axes requiring joint measurement in cybersecurity classifiers under adversarial attack.
Principles
- Gradient-based attacks can fail on tree models.
- Prediction surfaces impact attack effectiveness.
- Robustness and explanation stability are distinct.
Method
Introduce the Explainability Stability Index (ESI) from TreeSHAP attribution drift. Evaluate five adversarial attacks, including black-box methods, on Random Forest and XGBoost models, using a two-axis framework for attack ranking.
In practice
- Jointly measure robustness and explanation stability.
- Use score-based attacks for tree ensembles.
- Account for piecewise-constant prediction surfaces.
Topics
- Adversarial Attacks
- Cybersecurity Classifiers
- Explainable AI
- SHAP Explanations
- Tree Ensembles
- Model Robustness
- Black-box Attacks
Best for: AI Security Engineer, AI Scientist, Research Scientist
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by Artificial Intelligence.