AI summaryⓘ
The authors examined how phishing detection models, which look at specific website features, perform well when tested normally but may fail when attackers intentionally change features to avoid detection. They created a framework to measure how hard it is for an attacker to evade detection by changing features within a set budget and introduced three new ways to understand this evasion difficulty. Their results showed that most attacks target a few easy-to-change features, and simply restricting features doesn’t help unless those risky features are fully removed. They concluded that the main challenge in making phishing detectors robust is about which features can be cheaply altered rather than the complexity of the detection models themselves.
phishing detectionfeature manipulationevasion attacksminimal evasion costrobustnesslogistic regressionrandom forestscost-aware evasionUCI phishing datasetfeature restriction
Authors
Julian Allagan, Mohamed Elbakary, Zohreh Safari, Weizheng Gao, Gabrielle Morgan, Essence Morgan, Vladimir Deriglazov
Abstract
Phishing detectors built on engineered website features attain near-perfect accuracy under i.i.d.\ evaluation, yet deployment security depends on robustness to post-deployment feature manipulation. We study this gap through a cost-aware evasion framework that models discrete, monotone feature edits under explicit attacker budgets. Three diagnostics are introduced: minimal evasion cost (MEC), the evasion survival rate $S(B)$, and the robustness concentration index (RCI). On the UCI Phishing Websites benchmark (11\,055 instances, 30 ternary features), Logistic Regression, Random Forests, Gradient Boosted Trees, and XGBoost all achieve $\mathrm{AUC}\ge 0.979$ under static evaluation. Under budgeted sanitization-style evasion, robustness converges across architectures: the median MEC equals 2 with full features, and over 80\% of successful minimal-cost evasions concentrate on three low-cost surface features. Feature restriction improves robustness only when it removes all dominant low-cost transitions. Under strict cost schedules, infrastructure-leaning feature sets exhibit 17-19\% infeasible mass for ensemble models, while the median MEC among evadable instances remains unchanged. We formalize this convergence: if a positive fraction of correctly detected phishing instances admit evasion through a single feature transition of minimal cost $c_{\min}$, no classifier can raise the corresponding MEC quantile above $c_{\min}$ without modifying the feature representation or cost model. Adversarial robustness in phishing detection is governed by feature economics rather than model complexity.