Back to AI Research

AI Research

PHISHREV: A Hybrid Machine Learning and Post-Hoc No... | AI Research

Key Takeaways

  • PHISHREV: A Hybrid Machine Learning and Post-Hoc Non-monotonic Reasoning Framework for Context-Aware Phishing Website Classification Phishing detection syste...
  • Phishing detection systems are predominantly rely on statistical machine learning models, which often lack contextual reasoning and are vulnerable to adversarial manipulation.
  • In this work, we propose a hybrid framework that integrates machine learning classifiers with non-monotonic reasoning using Answer Set Programming (ASP) to enable context-aware decision refinement.
  • The proposed post-hoc reasoning layer incorporates expert knowledge to revise classifier predictions through formal belief revisions.
  • Experimental results indicate that the reasoning module modifies 5.08\% of classifier outputs, leading to improved decision consistency.
Paper AbstractExpand

Phishing detection systems are predominantly rely on statistical machine learning models, which often lack contextual reasoning and are vulnerable to adversarial manipulation. In this work, we propose a hybrid framework that integrates machine learning classifiers with non-monotonic reasoning using Answer Set Programming (ASP) to enable context-aware decision refinement. The proposed post-hoc reasoning layer incorporates expert knowledge to revise classifier predictions through formal belief revisions. Experimental results indicate that the reasoning module modifies 5.08\% of classifier outputs, leading to improved decision consistency. A key advantage is that new domain knowledge can be incorporated into the reasoning layer in $\mathcal{O}(n)$ time, eliminating the need for model retraining.

PHISHREV: A Hybrid Machine Learning and Post-Hoc Non-monotonic Reasoning Framework for Context-Aware Phishing Website Classification
Phishing detection systems typically rely on machine learning models that analyze the lexical patterns of URLs. While effective, these models are often vulnerable to adversarial manipulation and lack the ability to understand the broader context of a website. PHISHREV addresses this by introducing a dual-stage framework that combines traditional machine learning with a symbolic reasoning layer. This approach allows the system to refine its initial predictions by incorporating expert knowledge, leading to more consistent and reliable results without the need for expensive model retraining.

How the Framework Works

The PHISHREV process occurs in two distinct phases. First, standard machine learning classifiers (such as SVM, k-NN, Decision Trees, and Random Forest) analyze the lexical features of a URL to generate an initial prediction of whether it is legitimate or a phishing attempt.
In the second phase, a "post-hoc" reasoning layer takes these initial predictions and evaluates them against specific contextual evidence—in this case, the presence or absence of website meta tags (such as descriptions or author information). This layer uses Answer Set Programming (ASP), a form of non-monotonic reasoning. This allows the system to "change its mind" if new, contradictory evidence is found. For example, if a classifier initially flags a site as phishing, but the reasoning layer detects legitimate meta-information, the system can formally revise that conclusion to "benign."

Efficiency and Flexibility

A significant advantage of this hybrid approach is its computational efficiency. Because the reasoning layer acts as an independent module that sits on top of the machine learning classifiers, it can incorporate new domain knowledge or rules in $\mathcal{O}(n)$ time. This eliminates the need to retrain the underlying machine learning models whenever new phishing tactics emerge, saving significant time and computational resources.

Key Results and Performance

Experimental results demonstrate that the reasoning module successfully modified approximately 5.08% of the initial classifier outputs. By applying this symbolic reasoning, the framework consistently reduced the number of false positives across all tested machine learning models. This reduction is particularly important for real-world security applications, as it helps prevent "alert fatigue," where security systems overwhelm users or administrators with incorrect warnings.

Limitations and Future Outlook

While the framework shows promise in improving decision consistency, it currently relies on a single, hand-crafted rule regarding meta-tag availability. The authors note that as phishers become more sophisticated, they may attempt to mimic legitimate meta-tag behavior to bypass these checks. Consequently, future development will focus on incorporating more complex, multi-rule reasoning strategies to better distinguish between genuinely legitimate websites and adversarial attempts to replicate authentic site characteristics.

Comments (0)

No comments yet

Be the first to share your thoughts!