Empirical Analysis of Adversarial Robustness and Explainability Drift in Cybersecurity Classifiers

Mona Rajhans, Vishal Khawarey

TL;DR

The paper investigates adversarial robustness and explainability drift in cybersecurity classifiers, focusing on phishing URL detection and network intrusion. It studies $L_\infty$-bounded FGSM and PGD perturbations, introducing the Robustness Index (RI) and analyzing gradient sensitivity and SHAP attribution drift to quantify performance and explanation degradation. A key finding is that adversarial training improves RI by up to 9 percentage points while preserving clean-data accuracy, and that robustness degradation tracks with attribution drift, revealing a coupling between robustness and interpretability. The work provides actionable metrics and analyses for feature hardening and trustworthy AI in threat detection, with implications for deployment in real-world security pipelines.

Abstract

Machine learning (ML) models are increasingly deployed in cybersecurity applications such as phishing detection and network intrusion prevention. However, these models remain vulnerable to adversarial perturbations: small, deliberate input modifications that can degrade detection accuracy and compromise interpretability. This paper presents an empirical study of adversarial robustness and explainability drift across two cybersecurity domains: phishing URL classification and network intrusion detection. We evaluate the impact of $L_\infty$-bounded Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD) perturbations on model accuracy and introduce a quantitative metric, the Robustness Index (RI), defined as the area under the accuracy-perturbation curve. Gradient-based feature sensitivity and SHAP-based attribution drift analyses reveal which input features are most susceptible to adversarial manipulation. Experiments on the Phishing Websites and UNSW-NB15 datasets show consistent robustness trends, with adversarial training improving RI by up to 9 percent while maintaining clean-data accuracy. These findings highlight the coupling between robustness and interpretability degradation and underscore the importance of quantitative evaluation in the design of trustworthy, AI-driven cybersecurity systems.
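To make the abstract's three quantities concrete, the following Python is an added worked example, not code from the paper or its authors. It builds a tiny linear phishing-URL classifier (the feature names, weights, bias, labelled samples and epsilon grid are all constructed for the demo), applies a single $L_\infty$-bounded FGSM step to each sample, traces the accuracy-perturbation curve, and computes a Robustness Index as the area under that curve; normalising the area by the width of the epsilon range so that RI lies in [0, 1] is this example's assumption, not necessarily the paper's convention. Because the model is linear, the exact SHAP values of the logit are $\phi_i = w_i (x_i - \mathbb{E}[x_i])$, so attribution drift $\Delta\phi_i$ and gradient sensitivity can be computed without the SHAP library.

```python
"""Robustness Index, FGSM accuracy curve, gradient sensitivity and SHAP
attribution drift for a constructed linear phishing-URL classifier.
Added example; weights, features, samples and eps grid are made up."""
import math

# Hypothetical URL features, each scaled to [0, 1]; hand-set linear model.
FEATURES = ["url_length", "has_ip", "num_dots", "https", "at_symbol"]
W = [1.2, 2.5, 0.8, -1.5, 1.7]   # constructed weights (logit = W.x + B)
B = -1.0

# Constructed labelled samples: y = 1 means phishing, 0 means benign.
SAMPLES = [
    ([0.9, 1.0, 0.8, 0.0, 1.0], 1),
    ([0.7, 0.0, 0.6, 0.0, 1.0], 1),
    ([0.6, 1.0, 0.5, 1.0, 0.0], 1),
    ([0.2, 0.0, 0.2, 1.0, 0.0], 0),
    ([0.3, 0.0, 0.3, 1.0, 0.0], 0),
    ([0.4, 0.0, 0.5, 1.0, 0.0], 0),
    ([0.8, 0.0, 0.4, 1.0, 0.0], 0),
    ([0.5, 0.0, 0.7, 0.0, 1.0], 1),
]
EPS_GRID = [0.0, 0.05, 0.1, 0.15, 0.2, 0.25, 0.3]   # perturbation budgets

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def logit(x):
    return sum(w * xi for w, xi in zip(W, x)) + B

def predict(x):
    return 1 if logit(x) >= 0 else 0

def fgsm(x, y, eps):
    """One FGSM step inside the L_inf ball of radius eps, then clipped back to
    the valid feature range [0, 1]. For a linear model with BCE loss,
    dLoss/dx_i = (sigmoid(z) - y) * w_i, and FGSM only uses its sign."""
    err = sigmoid(logit(x)) - y
    adv = []
    for xi, wi in zip(x, W):
        g = err * wi
        step = eps if g > 0 else (-eps if g < 0 else 0.0)
        adv.append(min(1.0, max(0.0, xi + step)))
    return adv

def accuracy_curve(eps_grid):
    """Accuracy on FGSM-perturbed samples for each eps in the grid."""
    accs = []
    for eps in eps_grid:
        correct = sum(predict(fgsm(x, y, eps)) == y for x, y in SAMPLES)
        accs.append(correct / len(SAMPLES))
    return accs

def robustness_index(eps_grid, accs):
    """Area under the accuracy-perturbation curve (trapezoidal rule),
    divided by the eps range so the result lies in [0, 1] (assumed here)."""
    area = 0.0
    for i in range(1, len(eps_grid)):
        area += (accs[i - 1] + accs[i]) / 2.0 * (eps_grid[i] - eps_grid[i - 1])
    return area / (eps_grid[-1] - eps_grid[0])

# Baseline for attributions: per-feature mean over the clean samples.
MEAN = [sum(x[i] for x, _ in SAMPLES) / len(SAMPLES) for i in range(len(FEATURES))]

def attribution(x):
    """Exact SHAP values of the logit for a linear model with independent
    features: phi_i = w_i * (x_i - E[x_i])."""
    return [w * (xi - m) for w, xi, m in zip(W, x, MEAN)]

def attribution_drift(eps):
    """Mean |phi_i(x_adv) - phi_i(x)| per feature at budget eps."""
    drift = {f: 0.0 for f in FEATURES}
    for x, y in SAMPLES:
        clean, adv = attribution(x), attribution(fgsm(x, y, eps))
        for f, c, a in zip(FEATURES, clean, adv):
            drift[f] += abs(a - c)
    return {f: v / len(SAMPLES) for f, v in drift.items()}

def gradient_sensitivity():
    """Mean |dLoss/dx_i| over clean samples: which features the decision
    is most sensitive to (and hence cheapest to push with a bounded step)."""
    sens = [0.0] * len(FEATURES)
    for x, y in SAMPLES:
        err = abs(sigmoid(logit(x)) - y)
        for i, w in enumerate(W):
            sens[i] += err * abs(w)
    return {f: s / len(SAMPLES) for f, s in zip(FEATURES, sens)}

if __name__ == "__main__":
    accs = accuracy_curve(EPS_GRID)
    for eps, acc in zip(EPS_GRID, accs):
        print(f"eps={eps:.2f}  accuracy={acc:.3f}")
    print(f"Robustness Index: {robustness_index(EPS_GRID, accs):.4f}")
    print("gradient sensitivity:", gradient_sensitivity())
    print("attribution drift at eps=0.3:", attribution_drift(0.3))
```

Two things the run makes visible that the abstract only states: accuracy stays at 1.0 for small budgets and then collapses once eps exceeds the smallest decision margin divided by $\sum_i |w_i|$, and the features with the largest $|w_i|$ (here `has_ip`) show both the highest gradient sensitivity and the largest attribution drift, which is the robustness/interpretability coupling the paper reports. Clipping to the valid feature range is what keeps the attack realistic: features already at a bound cannot be pushed further, so their attributions do not drift.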

Paper Structure

This paper contains 19 sections, 7 equations, 4 figures, 3 tables.

Figures (4)

  • Figure 1: Accuracy degradation under $L_\infty$-bounded FGSM and PGD perturbations for the Phishing Websites (left) and UNSW-NB15 (right) datasets. Robustness Index (RI) values are shown in legend. PGD curves exhibit higher stability as $\epsilon$ increases.
  • Figure 2: Feature-level vulnerability analysis for the Phishing Websites dataset. Left: gradient-based feature sensitivity (Eq. \ref{eq:sensitivity}). Right: mean SHAP attribution drift under adversarial perturbations (Eq. \ref{eq:shap_drift}).
  • Figure 3: Effect of adversarial training on FGSM and PGD robustness across datasets. Left: Phishing Websites. Right: UNSW-NB15. Adversarial training increases the Robustness Index (RI) for both attack types, flattening the degradation curves as $\epsilon$ increases.
  • Figure 4: Heatmap of mean SHAP attribution drift $\Delta\phi_i$ for the ten most influential features across $\epsilon\in[0,0.3]$. Redder regions indicate higher instability in feature importance.