WSDM '26 | February 21, 2026
A New Attack Surface: XAI-guided Adversarial Comment Generation with LLMs to Attack Fake News Detectors
MD SHOAIB AHMED, FRANCESCA SPEZZANO
Securing Digital Trust: The Urgent Need for Robust AI Defenses
This research reveals critical vulnerabilities in AI-driven fake news detection, highlighting the ease with which sophisticated adversarial attacks can mislead these systems. For enterprises relying on AI for content moderation, brand protection, or information integrity, this translates into significant operational risks and potential reputational damage. Understanding and mitigating these new attack surfaces is paramount for maintaining digital trust and ensuring the reliability of AI applications.
0%
Average Attack Success Rate (ASR%) against TextCNN (Fake to Real)
0%
Average Include Token Utilization (GossipCop Fake-Targeted)
0%
Average Avoid Token Utilization (GossipCop Fake-Targeted)
Deep Analysis & Enterprise Applications
Select a topic to dive deeper, then explore the specific findings from the research, rebuilt as interactive, enterprise-focused modules.
Methodology
Vulnerability Analysis
LLM Effectiveness
Broader Implications
Novel Attack Framework: XAI-guided LLM Adversarial Comments
The paper introduces a novel attack surface that combines model interpretability (SHAP) with generative language models (LLMs) to craft contextually credible adversarial comments. This approach targets fake news detectors by first identifying influential tokens that drive classification and then leveraging LLMs to generate human-like comments that incorporate these tokens to flip model predictions without altering the original news content. This highlights a sophisticated new threat vector for AI systems.
Enterprise Process Flow
Surrogate Model Setup (BERT)
→
Influential Token Extraction (SHAP)
→
Adversarial Comment Generation (LLM Prompt Engineering)
→
Attack Execution & Evaluation
TextCNN Highly Susceptible, RoBERTa/dEFEND More Resilient
The study reveals varying vulnerabilities across different fake news detectors. TextCNN, having the lowest initial classification accuracy, proved highly susceptible to the XAI-guided LLM attack, achieving a near-perfect 100% Attack Success Rate (ASR) when flipping 'fake' news to 'real'. In contrast, more robust models like dEFEND and RoBERTa showed greater resilience but were still vulnerable, especially to attacks flipping 'real' news to 'fake'. This suggests a strong correlation between a model's inherent robustness and its susceptibility to adversarial manipulation, and that even strong models have blind spots.
| Model | Vulnerability (Fake to Real ASR%) | Vulnerability (Real to Fake ASR%) |
|---|---|---|
| TextCNN | 100% (High) | 1.40% (Low) |
| dEFEND | 3.56% (Low) | 18.83% (Moderate) |
| RoBERTa | 3.47% (Low) | 20.59% (Moderate) |
Key Takeaway: TextCNN models are critically exposed, while even robust models like RoBERTa and dEFEND show vulnerabilities to specific attack types, particularly flipping 'real' news to 'fake'.
SHAP Guidance and LLM Performance
The XAI-guided prompting effectively steers LLMs (LLaMA-3.0 and LLaMA-3.1) toward generating adversarially useful comments. Fake-targeted attacks on GossipCop utilized ~30-33% of 'include tokens' and ~16% of 'avoid tokens'. For real-targeted attacks, 'include tokens' utilization was higher (~39-41%) with fewer 'avoid tokens' (~6%). This demonstrates the LLM's ability to incorporate specific influential features for successful attacks, with LLaMA-3.1 showing a slight edge in real-class flips, validating the effectiveness of combining XAI with advanced generative AI.
31.5%
Average Include Token Usage by LLMs in Fake-Targeted Attacks
Dual-Use Risk of XAI: Enabling Adversarial AI
This research underscores the dual-use nature of Explainable AI (XAI). While XAI is crucial for transparency and trustworthiness, it can also be leveraged to identify system vulnerabilities and guide adversarial attacks. The findings emphasize the need for stronger defenses against sophisticated adversarial manipulations, especially when integrating explainability into NLP technologies. Enterprises must consider both offensive and defensive applications of XAI to secure their AI systems effectively.
The XAI Paradox: A New Frontier for AI Security
Explainable AI (XAI) offers critical insights into how models make decisions, fostering trust and enabling debugging. However, this paper demonstrates that these very insights can be weaponized. By understanding which features (tokens) a fake news detector relies on, an attacker can precisely craft inputs to mislead it. This creates a significant security challenge for enterprise AI systems:
- Understanding Vulnerabilities: XAI reveals not just what the model does, but why it does it, which adversaries can exploit.
- Sophisticated Attacks: Attacks are no longer random; they are surgically precise, targeting the model's decision-making logic.
- Proactive Defense: Enterprises must move beyond reactive security to proactive measures that anticipate and neutralize XAI-guided threats. This includes adversarial training and robust input validation.
The imperative is clear: develop AI systems that are not only explainable but also inherently resilient to attacks that leverage that explainability.
Quantify Your AI Investment Return
Understand the potential efficiency gains and cost savings by strategically implementing advanced AI solutions in your enterprise.
Projected Annual Savings
$0
Hours Reclaimed Annually
0
Your AI Implementation Roadmap
A phased approach to integrate robust AI defenses and advanced generative capabilities into your enterprise infrastructure.
Phase 1: Vulnerability Assessment & XAI Integration (2-4 Weeks)
Conduct a comprehensive audit of existing AI systems for adversarial vulnerabilities. Integrate SHAP-like XAI tools to understand decision-making processes.
Phase 2: Adversarial Training & LLM Fine-tuning (4-8 Weeks)
Implement adversarial training techniques using XAI-guided examples. Fine-tune internal LLMs to recognize and mitigate adversarially generated content.
Phase 3: Real-time Monitoring & Incident Response (Ongoing)
Deploy real-time monitoring systems to detect anomalous content generated by adversarial LLMs. Establish rapid incident response protocols for new attack vectors.
Phase 4: Continuous Research & Adaptation (Ongoing)
Invest in ongoing research into new adversarial AI techniques and defensive strategies. Regularly update models and defenses to adapt to evolving threats.
Ready to Secure Your AI Future?
Don't let adversarial attacks compromise your digital trust. Partner with us to build resilient, explainable, and secure AI systems.
Ready to Get Started?
Book Your Free Consultation.
Let's Discuss Your AI Strategy!
Lets Discuss Your Needs
Select a Date
Sun
Mon
Tue
Wed
Thu
Fri
Sat