Robustness, Cost, and Attack-Surface Concentration in Phishing Detection

Technical Deep Dive: Robustness, Cost, and Attack-Surface Concentration in Phishing Detection

Overview

This paper presents a cost-aware adversarial framework for evaluating the robustness of phishing detection models. The key findings are:

• Phishing detectors achieve near-perfect accuracy under i.i.d. evaluation, but robustness to post-deployment feature manipulation is fragile.
• Robustness is bounded by a low effective cost floor: across architectures, the median minimal evasion cost (MEC) is 2, meaning most instances can be evaded at modest budgets.
• Successful evasion overwhelmingly concentrates on a small subset of low-cost features, rather than dispersing across the representation.
• This concentration and cost-floor behavior is invariant to model architecture, as long as the feature representation and cost schedule are held constant.

Methodology

The authors formulate evasion as an exact shortest-path search over a cost-weighted discrete transition graph, where nodes are feature vectors and edges represent admissible monotone feature edits. They introduce three key diagnostics:

1. Minimal Evasion Cost (MEC): The smallest cumulative cost required to induce misclassification for a correctly detected phishing instance.
2. Evasion Survival Rate S(B): The fraction of instances for which MEC exceeds a given attacker budget B.
3. Robustness Concentration Index (RCI): The fraction of edits concentrated on the k most frequently edited features.

They evaluate four classifier families (Logistic Regression, Random Forests, Gradient Boosted Trees, XGBoost) on the UCI Phishing Websites benchmark, under two cost schedules that model surface-level versus infrastructure-level feature edits.

Results

1. Cost Floor: Across all models and feature sets, the median MEC is bounded by the cost of the cheapest admissible feature edit (c_min = 1 or 2). This structural cost floor cannot be exceeded without modifying the feature representation or cost schedule.
2. Attack Surface Concentration: More than 80% of successful minimal-cost evasions concentrate on just 3 low-cost surface features, rather than dispersing across the representation.
3. Architecture Invariance: Due to the cost-floor constraint, the central robustness metrics (median MEC, RCI) converge across linear, bagging, and boosting models when the feature set and cost schedule are held constant.
4. Feature Selection: Emphasizing infrastructure-leaning signals improves held-out accuracy but does not raise the robustness ceiling if a single low-cost surface feature remains.
5. Cost Schedules: Strict schedules that prohibit upgrading infrastructure features to the fully legitimate state can introduce infeasible mass, but do not shift the cost distribution among evadable instances.

Limitations & Uncertainties

• The analysis is based on the dated UCI Phishing Websites benchmark, which lacks many modern phishing signals. Quantitative transfer to current datasets requires re-validation.
• The cost schedules represent dimensionless operational friction rather than direct monetary expenditure. Translating to real-world budgets is an open empirical question.
• The MEC computation assumes unconstrained black-box label access. Rate-limiting in production could increase observed survival rates without changing the underlying feasibility patterns.
• The monotone sanitization-only threat model is a lower bound. Relaxing monotonicity to allow anti-feature injection or extractor-level manipulation could further reduce the cost floor.

Conclusion

Robust phishing detection requires anchoring on signals whose manipulation costs exceed realistic attacker budgets, even at the expense of i.i.d. accuracy. Architectural complexity alone cannot overcome the fragility imposed by feature-level economics. Defensive emphasis should shift from model selection to representation design and attacker-centric analysis of the cost landscape.

Sources:

• Robustness, Cost, and Attack-Surface Concentration in Phishing Detection