Adversarial Robustness & Explainability in Cyber Classifiers

Arxiv pdf 2026-07-01T00:00:00
arXiv Paper — PDF not available. Only the Executive Summary is available here. To read or download the full paper, visit the arXiv abstract page.

Abstract

Adversarial attacks on cybersecurity classifiers pose a dual threat: degrading predictions and destabilising the SHAP-based explanations that security analysts rely on to understand and triage alerts. We extend our prior MLP conference study to Random Forest and XGBoost across four tabular security datasets (phishing URLs, UNSW-NB15, NFToN-IoT, HIKARI-2021), evaluating five attacks including three blackbox methods applicable to non-differentiable tree models. We introduce the Explainability Stability Index (ESI), a scalar metric computed from TreeSHAP attribution drift under adversarial perturbation, reported on the same [0 _,_ 1] scale as the Robustness Index (RI). A key finding is that gradient-based black-box attacks (ZOO) produce degenerate results against XGBoost (apparent RI __ 0.98) due to piecewise-constant prediction surfaces, while score-based Square Attack reveals genuine vulnerability (RI __ 0.36). These degenerate perturbations still drive substantial attribution drift: XGBoost ESI __ 0.060.16 despite near-perfect ZOO robustness, versus 0.140.29 for RF, showing that prediction robustness and explanation stability are distinct axes requiring joint measurement. A two-axis framework (gradient dependence, query efficiency) explains the observed attack ranking and yields practical guidance for tree ensemble evaluation. A step-size ablation explains a counterintuitive PGD anomaly on z-score normalised tabular data. Code and results are publicly available [21].

Loading executive summary...

LINK COPIED TO CLIPBOARD