ML Security PapersRobustness, Cost, and Attack-Surface Concentration in Phishing Detection
Julian Allagan , Mohamed Elbakary , Zohreh Safari , Weizheng Gao , Gabrielle Morgan , Essence Morgan , Vladimir Deriglazov
Published on arXiv
2603.19204
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
Median MEC equals 2 across Logistic Regression, Random Forests, Gradient Boosted Trees, and XGBoost; over 80% of minimal-cost evasions concentrate on three low-cost surface features
Cost-aware evasion framework with MEC/RCI diagnostics
Novel technique introduced
Phishing detectors built on engineered website features attain near-perfect accuracy under i.i.d.\ evaluation, yet deployment security depends on robustness to post-deployment feature manipulation. We study this gap through a cost-aware evasion framework that models discrete, monotone feature edits under explicit attacker budgets. Three diagnostics are introduced: minimal evasion cost (MEC), the evasion survival rate $S(B)$, and the robustness concentration index (RCI). On the UCI Phishing Websites benchmark (11\,055 instances, 30 ternary features), Logistic Regression, Random Forests, Gradient Boosted Trees, and XGBoost all achieve $\mathrm{AUC}\ge 0.979$ under static evaluation. Under budgeted sanitization-style evasion, robustness converges across architectures: the median MEC equals 2 with full features, and over 80\% of successful minimal-cost evasions concentrate on three low-cost surface features. Feature restriction improves robustness only when it removes all dominant low-cost transitions. Under strict cost schedules, infrastructure-leaning feature sets exhibit 17-19\% infeasible mass for ensemble models, while the median MEC among evadable instances remains unchanged. We formalize this convergence: if a positive fraction of correctly detected phishing instances admit evasion through a single feature transition of minimal cost $c_{\min}$, no classifier can raise the corresponding MEC quantile above $c_{\min}$ without modifying the feature representation or cost model. Adversarial robustness in phishing detection is governed by feature economics rather than model complexity.
Key Contributions
- Introduces three adversarial robustness diagnostics: minimal evasion cost (MEC), evasion survival rate S(B), and robustness concentration index (RCI) for discrete feature-space attacks
- Proves formal robustness ceiling: no classifier can improve median MEC beyond minimal single-feature transition cost without changing feature representation
- Demonstrates attack-surface concentration: 80%+ of successful evasions concentrate on three low-cost surface features across all tested architectures
🛡️ Threat Analysis
Paper evaluates adversarial evasion attacks on ML-based phishing detectors through discrete feature manipulation at inference time. The attack model is domain-constrained (monotone feature edits) rather than gradient-based, but the core threat is adversarial input manipulation causing misclassification—which is ML01's definition. The paper introduces minimal evasion cost (MEC) and robustness concentration index (RCI) as diagnostics for measuring classifier vulnerability to feature-space evasion.