FlagThis

Abstract

Neuro-symbolic AI (NeSy) pairs neural perception with symbolic reasoning, making it attractive for highstakes domains where explainability and structured inference are required. However, this hybrid architecture introduces an enlarged attack surface spanning five layers: neural perception, symbolic knowledge bases, reasoning engines, agentic orchestration, and data storeseach exploitable in ways absent from purely neural systems. This paper makes six contributions: (1) formal definitions of _NeSy Attack Surface_ , _Symbolic Integrity Violation_ (SIV), and _Cross-Layer Amplification Ratio X_ , decomposed into neural-caused and adversariallyinduced autonomous symbolic sensitivity components; (2) a unified threat model extending MITRE ATLAS with 11 NeSy-specific tactic extensions and a five-profile attacker taxonomy; (3) a symbolic-layer threat catalogue covering KG poisoning, ontology-merging, and inference-engine subversion; (4) analysis of cognitive risks automation bias, authority bias, sycophantic reinforcementstructurally amplified by NeSys explicit logical explanations relative to black-box neural outputs; (5) interdisciplinary mitigations with measurable acceptance criteria aligned to NIST AI 600-1 and the EU AI Act; (6) three empirical benchmarks: (E1) targeted KG poisoning achieves break-even SIV at budget _B_ = 5 on a 205-entity medical KG, with a KG-specific stealth/SIV trade-off; (E2) PGD-10 at __ = 0 _._ 01 yields _X_ = 5 _._ 884 (95% CI [4 _._ 64 _,_ 8 _._ 00], _p <_ 0 _._ 0001)confirmed adversarially specific by a matched-random baseline ( _E_ rand _[R]_[=][ 0][)on a DistilBERT + ProbLog pipeline; (E3) single-axiom OWL edits] achieve 93.3% SIV success (equivalence/subclass templates) with 100% stealth, but held-out detection is 67.9% overall with STIX detector failure at 50% (random-guessing level), an open problem.