Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Robustness, Cost, and Attack-Surface Concentration in Phishing Detection

Julian Allagan, Mohamed Elbakary, Zohreh Safari, Weizheng Gao, Gabrielle Morgan, Essence Morgan, Vladimir Deriglazov

Abstract

Phishing detectors built on engineered website features attain near-perfect accuracy under i.i.d.\ evaluation, yet deployment security depends on robustness to post-deployment feature manipulation. We study this gap through a cost-aware evasion framework that models discrete, monotone feature edits under explicit attacker budgets. Three diagnostics are introduced: minimal evasion cost (MEC), the evasion survival rate $S(B)$, and the robustness concentration index (RCI). On the UCI Phishing Websites benchmark (11\,055 instances, 30 ternary features), Logistic Regression, Random Forests, Gradient Boosted Trees, and XGBoost all achieve $\mathrm{AUC}\ge 0.979$ under static evaluation. Under budgeted sanitization-style evasion, robustness converges across architectures: the median MEC equals 2 with full features, and over 80\% of successful minimal-cost evasions concentrate on three low-cost surface features. Feature restriction improves robustness only when it removes all dominant low-cost transitions. Under strict cost schedules, infrastructure-leaning feature sets exhibit 17-19\% infeasible mass for ensemble models, while the median MEC among evadable instances remains unchanged. We formalize this convergence: if a positive fraction of correctly detected phishing instances admit evasion through a single feature transition of minimal cost $c_{\min}$, no classifier can raise the corresponding MEC quantile above $c_{\min}$ without modifying the feature representation or cost model. Adversarial robustness in phishing detection is governed by feature economics rather than model complexity.

Robustness, Cost, and Attack-Surface Concentration in Phishing Detection

Abstract

Phishing detectors built on engineered website features attain near-perfect accuracy under i.i.d.\ evaluation, yet deployment security depends on robustness to post-deployment feature manipulation. We study this gap through a cost-aware evasion framework that models discrete, monotone feature edits under explicit attacker budgets. Three diagnostics are introduced: minimal evasion cost (MEC), the evasion survival rate , and the robustness concentration index (RCI). On the UCI Phishing Websites benchmark (11\,055 instances, 30 ternary features), Logistic Regression, Random Forests, Gradient Boosted Trees, and XGBoost all achieve under static evaluation. Under budgeted sanitization-style evasion, robustness converges across architectures: the median MEC equals 2 with full features, and over 80\% of successful minimal-cost evasions concentrate on three low-cost surface features. Feature restriction improves robustness only when it removes all dominant low-cost transitions. Under strict cost schedules, infrastructure-leaning feature sets exhibit 17-19\% infeasible mass for ensemble models, while the median MEC among evadable instances remains unchanged. We formalize this convergence: if a positive fraction of correctly detected phishing instances admit evasion through a single feature transition of minimal cost , no classifier can raise the corresponding MEC quantile above without modifying the feature representation or cost model. Adversarial robustness in phishing detection is governed by feature economics rather than model complexity.
Paper Structure (11 sections, 2 theorems, 7 equations, 5 figures, 9 tables, 1 algorithm)

This paper contains 11 sections, 2 theorems, 7 equations, 5 figures, 9 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Methods
  3. Threat model
  4. Cost schedules
  5. Dataset, models, and conditioning
  6. Robustness metrics
  7. Feature Economics and Robustness Limits
  8. Results
  9. Cost Sensitivity Analysis
  10. Discussion and Conclusion
  11. Limitations and external validity.

Key Result

Proposition 3.1

Let $c_{\min}=\min_{j,v,v'} c(j,v\to v')$ be the minimum cost among all admissible single-feature transitions. Fix a classifier $f$ and let $\mathcal{P}_0$ denote the set of phishing instances correctly detected by $f$. If a fraction $\alpha>0$ of instances in $\mathcal{P}_0$ admit evasion via a sin In particular, if $\alpha\ge \tfrac{1}{2}$, then $\mathrm{median}(\mathrm{MEC}) \le c_{\min}$. Henc

Figures (5)

  • Figure 1: Cost-aware adversarial robustness framework with MEC, survival curves, and attack-surface concentration.
  • Figure 2: Evasion survival curves. RA-8/strict exhibits a persistent plateau corresponding to instances whose dominant low-cost path is blocked. Shaded bands (omitted for clarity) are narrow: 95% bootstrap intervals for $S(2)$ span $\pm 0.04$ across configurations.
  • Figure 3: First-edit concentration by feature set and schedule. RA-8 exhibits near-total concentration on SSLfinal_State.
  • Figure 4: RA-8/strict survival stratified by SSLfinal_State initial value. A persistent infeasible tail appears when the bottleneck feature is already at $+1$.
  • Figure 5: Accuracy versus median MEC. All architectures converge to the effective cost floor, consistent with Corollary \ref{['cor:invariance']}.

Theorems & Definitions (4)

  • Proposition 3.1: Cost floor
  • proof
  • Corollary 3.1: Action-set-limited invariance
  • proof