- The paper introduces a dual-stage framework that integrates machine learning with non-monotonic reasoning for improved phishing detection.
- It employs ASP-based rules to revise initial classifier outputs using contextual cues like meta tags, mitigating adversarial vulnerabilities.
- Empirical results demonstrate a reduction in false positives and enhanced adaptability, with a 5% prediction revision rate noted.
PHISHREV: A Hybrid Machine Learning and Post-Hoc Non-Monotonic Reasoning Framework for Context-Aware Phishing Website Classification
Introduction
PHISHREV introduces a dual-stage framework that integrates conventional machine learning classifiers with a non-monotonic reasoning layer, designed to enhance context-aware classification of phishing websites. While the core statistical learning is retained, the framework innovatively applies Answer Set Programming (ASP) for post-hoc symbolic reasoning and belief revision. This arrangement enables the system to leverage expert knowledge for decision adjustment, mitigating the limitations inherent in purely statistical approaches, particularly their susceptibility to adversarial manipulation and their inability to adapt to new contextual evidence without retraining.
Figure 1: The PHISHREV hybrid framework architecture integrating ML-based prediction and post-hoc non-monotonic ASP-based reasoning.
Background and Motivation
Contemporary phishing detection predominantly employs statistical machine learning or deep learning architectures, typically exploiting URL lexical and structural features for classification. While effective under static distributions, such systems are vulnerable to evolving attack methodologies—such as lexical obfuscation, adversarial sample generation, and spoofed metadata—that erode generalizability.
Purely statistical methods, by design, lack the capacity to explicitly encode domain rules or facilitate rational belief revision once new context (e.g., domain knowledge, content semantics) arises. In contrast, non-monotonic reasoning (NMR), and in particular ASP, allow for the formal representation and revision of classifier outcomes in light of contradictory or supplementary evidence, which is especially valuable in dynamic environments with incomplete information.
Methodology
The PHISHREV framework comprises two sequential phases: statistical learning for initial belief generation and a post-hoc non-monotonic reasoning layer for context-aware decision revision.
Phase 1: Statistical Learning
Standard supervised classifiers—including SVM, KNN, Decision Tree, and Random Forest—are trained on 87 normalized features derived from a benchmark dataset (11,430 URLs, split evenly between phishing and legitimate classes). Individual classifiers generate predictions (legitimate/phishing) on test set instances, establishing "initial beliefs" for each URL.
Classifier selection and hyperparameter tuning are conducted using cross-validation. Reported metrics on the test set show high discriminative capability, with Random Forest, SVM, and KNN achieving accuracy in the range of 95–96% and F1-scores near 0.95–0.96 for both classes.
Phase 2: Post-Hoc Non-Monotonic Reasoning
In the second phase, classifier outputs are mapped into a symbolic knowledge base at the instance level, alongside a critical contextual binary feature: the presence or absence of website meta tags (description, author, keywords, etc.). The ASP-based reasoning module encodes domain-specific rules to revise classifier beliefs. Specifically, if a classifier predicts a URL as phishing, but meta tags are present (a strong indicator of legitimacy), the decision is revised to benign. Otherwise, the original prediction is retained.
The revision rule is formally implemented via ASP, enabling efficient, evidence-driven belief change and the seamless integration of new domain knowledge without retraining the ML models.
Empirical Results
Analysis of the dataset reveals that meta tags are present in approximately 50.5% of legitimate URLs but only 9.95% of phishing URLs, justifying their usage as discriminative auxiliary features within the reasoning layer.
The non-monotonic reasoning module revised 465 out of 9,144 classifier-level test predictions (5.08%). Critically, the application of the reasoning layer yields a consistent reduction in false positives across all classifier architectures (e.g., for Random Forest, false positives were reduced from 49 to 35), thereby lowering alert fatigue and improving operational reliability.
Comparison with Existing Methods
PHISHREV distinguishes itself from the state-of-the-art by augmenting monotonic statistical models with a linear-time (O(n)) symbolic reasoning layer for post-hoc belief revision. While classification accuracy remains on par with leading approaches, PHISHREV's main contribution lies in enabling the rapid assimilation of new domain evidence without end-to-end retraining, which has direct implications for real-world adaptability as adversarial tactics shift.
Computational Complexity
The dominant computational burden lies in the classifier training phase (O(T⋅n⋅f⋅logn)). The reasoning layer’s overhead is linear in the number of test instances. The post-hoc ASP revision can incorporate new rules or contextual evidence in O(n) time, offering efficiency and adaptability unattainable by traditional retraining routines.
Discussion and Implications
PHISHREV empirically demonstrates that integrating symbolic non-monotonic reasoning with data-driven models can selectively revise classifier outputs, particularly reducing false positive rates. The framework's architecture inherently supports modular updating of the knowledge base—enabling rapid adjustment to emergent signals (e.g., new phishing strategies or content indicators) at test time.
The primary limitation arises from reliance on handcrafted meta-tag-based rules, which may be exploited by sophisticated adversaries mimicking legitimate website behavior. This underscores the need for broader contextual modeling and multi-faceted reasoning strategies. Incorporating richer semantic features, aggregating additional content-based cues, or dynamically learning revision rules could further enhance robustness against adaptive attackers.
Conclusion
PHISHREV provides a concrete demonstration of fusing statistical learning with non-monotonic, context-sensitive symbolic reasoning for phishing detection. The resultant architecture achieves robust false positive reduction and high adaptability with minimal computational overhead. Future research should focus on expanding the repertoire of contextual signals and formalizing multi-rule, multi-modal ASP-based reasoning, with the aim of improving both the coverage and reliability of belief revision in adversarial settings.