[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-83603-en":3,"doc-seo-83603-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},83603,16904993612988,"Olivia Brown","https://ap-avatar.wpscdn.com/davatar_a8503ba1806abce46bf441b54a3ca4cd",8,"Research & Report","Beyond Gradient-Based Attacks: Adversarial Robustness and Explainability Stability in Cybersecurity Classifiers","Adversarial attacks on cybersecurity classifiers threaten both predictive performance and the reliability of SHAP-based explanations used to triage alerts. Extending an earlier MLP study, the work evaluates Random Forest and XGBoost across four tabular security datasets, testing five attacks including black-box methods for non-differentiable tree models. It introduces the Explainability Stability Index (ESI) from TreeSHAP attribution drift under perturbations, comparable to the Robustness Index (RI). Results show prediction robustness and explanation stability are distinct: XGBoost can be nearly ZOO-robust yet still experience attribution drift, guided by a two-axis attack ranking framework.","arXiv :2607 .0 1679v 1 [ cs .CR] 2 Jul 2026  \nBeyond Gradient-Based Attacks: Adversarial Robustness and Explainability Stability in Cybersecurity Classifiers  \nMona Rajhans 1[0009−0002−4921−2832]⋆ and Vishal Khawarey2[0009−0004−1714−9386]  \n1 Palo Alto Networks, Santa Clara, CA, USA  \n[mrajhans@paloaltonetworks.com](mrajhans@paloaltonetworks.com)  \n[2](2 Quicken Inc)[ Quicken Inc](2 Quicken Inc). , [Menlo Park](Menlo Park), [CA](CA), [USA](USA)  \n[vishal.sanfran@gmail.com](vishal.sanfran@gmail.com)  \nAbstract. Adversarial attacks on cybersecurity classifiers pose a dual threat: degrading predictions and destabilising the SHAP-based explanations that security analysts rely on to understand and triage alerts. We extend our prior MLP conference study to Random Forest and XGBoost across four tabular security datasets (phishing URLs, UNSW-NB15, NFToN-IoT, HIKARI-2021), evaluating five attacks including three blackbox methods applicable to non-differentiable tree models. We introduce the Explainability Stability Index (ESI), a scalar metric computed from TreeSHAP attribution drift under adversarial perturbation, reported on the same [0 , 1] scale as the Robustness Index (RI) . A key finding is that gradient-based black-box attacks (ZOO) produce degenerate results against XGBoost (apparent RI ≈ 0.98) due to piecewise-constant prediction surfaces, while score-based Square Attack reveals genuine vulnerability (RI ≈0.36) . These degenerate perturbations still drive substantial attribution drift: XGBoost ESI ≈0.06–0.16 despite near-perfect ZOO robustness, versus 0.14–0.29 for RF, showing that prediction robustness and explanation stability are distinct axes requiring joint measurement.  \nA two-axis framework (gradient dependence, query efficiency) explains the observed attack ranking and yields practical guidance for tree ensemble evaluation. A step-size ablation explains a counterintuitive PGD anomaly on z-score normalised tabular data. Code and results are publicly available [21] .  \nKeywords: Adversarial machine learning · Adversarial robustness · Explainable AI · Feature attribution · SHAP · Black-box attacks · Tabular data · Cybersecurity · Network intrusion detection · Tree ensembles  \n1 Introduction  \nMachine learning classifiers are widely deployed in cybersecurity pipelines for phishing URL detection, network intrusion detection, and IoT anomaly detection, where both accurate predictions and trustworthy explanations are required  \n⋆ Corresponding author  \n2 M. Rajhans and V. Khawarey  \nfor operational use. Adversarial attacks, which apply small deliberate perturbations to inputs to cause misclassification, pose a dual threat: they degrade prediction accuracy and simultaneously destabilise the SHAP-based explanations that security analysts rely on to understand model decisions.  \nPrior work on adversarial robustness has focused almost exclusively on imageclassifiers and gradient-based attacks [13,17], with limited attention to the structured tabular data characteristic of network security [14,28] . A further gap is that most studies evaluate a single model family—typically deep neural networks—and a single attack class, providing an incomplete picture of cross-model robustness. Our conference paper [22] addressed the tabular-data gap for MLPclassifiers, introducing the Robustness Index (RI) and characterising SHAP attribution drift under FGSM and PGD. Reviewer feedback on that work called for tree-based classifiers, additional attack methods, and a rigorous explanation of the PGD \u003C FGSM anomaly observed in the results.  \nThis extended study addresses all three requests and adds further contributions. Specifically, we make the following new contributions beyond [22]:  \n– Tree ensemble evaluation. RF and XGBoost are evaluated alongside the MLP, representing the model family widely deployed in production cybersecurity systems [4] .  \n– Black-box attack framework. Three black-box attacks—ZOO, Square Attack, and HopSkipJump—are implem","cbCaisphXoCR5sGO","https://ap.wps.com/l/cbCaisphXoCR5sGO","pdf",3695272,1,28,"English","en",105,"# Introduction\n## Threat Model and Metrics\n## Adversarial Attack Methods\n## Experimental Setup\n## Model Extensions and Datasets\n## Robustness, Explanation Implications, and Guidance\n## Limitations and Future Work\n## Conclusion","[{\"question\":\"What dual risk do adversarial attacks pose in cybersecurity classifiers?\",\"answer\":\"They degrade prediction accuracy and destabilize SHAP-based explanations relied on by security analysts to understand and triage alerts.\"},{\"question\":\"What are RI and ESI, and how are they computed?\",\"answer\":\"RI measures robustness on the same 0–1 scale, while ESI is a scalar derived from TreeSHAP attribution drift under adversarial perturbations, also reported on a 0–1 scale.\"},{\"question\":\"Why can ZOO appear robust on XGBoost while explanations still change significantly?\",\"answer\":\"The study finds gradient-based black-box attacks like ZOO produce near-degenerate results on XGBoost due to piecewise-constant prediction surfaces, yet adversarial perturbations still induce substantial TreeSHAP attribution drift, making explanation stability distinct from prediction robustness.\"}]",1784189186,71,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"beyond-gradient-based-attacks-adversarial-robustness-and-explainability-stability-in-cybersecurity-classifiers","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/research-report/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/beyond-gradient-based-attacks-adversarial-robustness-and-explainability-stability-in-cybersecurity-classifiers/83603/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"What dual risk do adversarial attacks pose in cybersecurity classifiers?","Question",{"text":75,"@type":76},"They degrade prediction accuracy and destabilize SHAP-based explanations relied on by security analysts to understand and triage alerts.","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"What are RI and ESI, and how are they computed?",{"text":80,"@type":76},"RI measures robustness on the same 0–1 scale, while ESI is a scalar derived from TreeSHAP attribution drift under adversarial perturbations, also reported on a 0–1 scale.",{"name":82,"@type":73,"acceptedAnswer":83},"Why can ZOO appear robust on XGBoost while explanations still change significantly?",{"text":84,"@type":76},"The study finds gradient-based black-box attacks like ZOO produce near-degenerate results on XGBoost due to piecewise-constant prediction surfaces, yet adversarial perturbations still induce substantial TreeSHAP attribution drift, making explanation stability distinct from prediction robustness.","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,110,115,120,123,128,131,135],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":108,"slug":109},5,"Comic",60,"comic",{"id":111,"doc_module":4,"doc_module_name":45,"category_name":112,"show_sort_weight":113,"slug":114},6,"Technology",50,"technology",{"id":116,"doc_module":4,"doc_module_name":45,"category_name":117,"show_sort_weight":118,"slug":119},7,"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":121,"slug":122},30,"research-report",{"id":124,"doc_module":4,"doc_module_name":45,"category_name":125,"show_sort_weight":126,"slug":127},9,"Religion & Spirituality",20,"religion-spirituality",{"id":126,"doc_module":4,"doc_module_name":45,"category_name":129,"show_sort_weight":126,"slug":130},"World Cup","world-cup",{"id":132,"doc_module":4,"doc_module_name":45,"category_name":133,"show_sort_weight":132,"slug":134},10,"Lifestyle","lifestyle",{"id":136,"doc_module":4,"doc_module_name":45,"category_name":137,"show_sort_weight":106,"slug":138},19,"General","general"]