Papers
Topics
Authors
Recent
Search
2000 character limit reached

PHISHREV: A Hybrid Machine Learning and Post-Hoc Non-monotonic Reasoning Framework for Context-Aware Phishing Website Classification

Published 28 Apr 2026 in cs.AI | (2604.25512v1)

Abstract: Phishing detection systems are predominantly rely on statistical machine learning models, which often lack contextual reasoning and are vulnerable to adversarial manipulation. In this work, we propose a hybrid framework that integrates machine learning classifiers with non-monotonic reasoning using Answer Set Programming (ASP) to enable context-aware decision refinement. The proposed post-hoc reasoning layer incorporates expert knowledge to revise classifier predictions through formal belief revisions. Experimental results indicate that the reasoning module modifies 5.08\% of classifier outputs, leading to improved decision consistency. A key advantage is that new domain knowledge can be incorporated into the reasoning layer in $\mathcal{O}(n)$ time, eliminating the need for model retraining.

Summary

  • The paper introduces a dual-stage framework that integrates machine learning with non-monotonic reasoning for improved phishing detection.
  • It employs ASP-based rules to revise initial classifier outputs using contextual cues like meta tags, mitigating adversarial vulnerabilities.
  • Empirical results demonstrate a reduction in false positives and enhanced adaptability, with a 5% prediction revision rate noted.

PHISHREV: A Hybrid Machine Learning and Post-Hoc Non-Monotonic Reasoning Framework for Context-Aware Phishing Website Classification

Introduction

PHISHREV introduces a dual-stage framework that integrates conventional machine learning classifiers with a non-monotonic reasoning layer, designed to enhance context-aware classification of phishing websites. While the core statistical learning is retained, the framework innovatively applies Answer Set Programming (ASP) for post-hoc symbolic reasoning and belief revision. This arrangement enables the system to leverage expert knowledge for decision adjustment, mitigating the limitations inherent in purely statistical approaches, particularly their susceptibility to adversarial manipulation and their inability to adapt to new contextual evidence without retraining. Figure 1

Figure 1: The PHISHREV hybrid framework architecture integrating ML-based prediction and post-hoc non-monotonic ASP-based reasoning.

Background and Motivation

Contemporary phishing detection predominantly employs statistical machine learning or deep learning architectures, typically exploiting URL lexical and structural features for classification. While effective under static distributions, such systems are vulnerable to evolving attack methodologies—such as lexical obfuscation, adversarial sample generation, and spoofed metadata—that erode generalizability.

Purely statistical methods, by design, lack the capacity to explicitly encode domain rules or facilitate rational belief revision once new context (e.g., domain knowledge, content semantics) arises. In contrast, non-monotonic reasoning (NMR), and in particular ASP, allow for the formal representation and revision of classifier outcomes in light of contradictory or supplementary evidence, which is especially valuable in dynamic environments with incomplete information.

Methodology

The PHISHREV framework comprises two sequential phases: statistical learning for initial belief generation and a post-hoc non-monotonic reasoning layer for context-aware decision revision.

Phase 1: Statistical Learning

Standard supervised classifiers—including SVM, KNN, Decision Tree, and Random Forest—are trained on 87 normalized features derived from a benchmark dataset (11,430 URLs, split evenly between phishing and legitimate classes). Individual classifiers generate predictions (legitimate/phishing) on test set instances, establishing "initial beliefs" for each URL.

Classifier selection and hyperparameter tuning are conducted using cross-validation. Reported metrics on the test set show high discriminative capability, with Random Forest, SVM, and KNN achieving accuracy in the range of 95–96% and F1-scores near 0.95–0.96 for both classes.

Phase 2: Post-Hoc Non-Monotonic Reasoning

In the second phase, classifier outputs are mapped into a symbolic knowledge base at the instance level, alongside a critical contextual binary feature: the presence or absence of website meta tags (description, author, keywords, etc.). The ASP-based reasoning module encodes domain-specific rules to revise classifier beliefs. Specifically, if a classifier predicts a URL as phishing, but meta tags are present (a strong indicator of legitimacy), the decision is revised to benign. Otherwise, the original prediction is retained.

The revision rule is formally implemented via ASP, enabling efficient, evidence-driven belief change and the seamless integration of new domain knowledge without retraining the ML models.

Empirical Results

Analysis of the dataset reveals that meta tags are present in approximately 50.5% of legitimate URLs but only 9.95% of phishing URLs, justifying their usage as discriminative auxiliary features within the reasoning layer.

The non-monotonic reasoning module revised 465 out of 9,144 classifier-level test predictions (5.08%). Critically, the application of the reasoning layer yields a consistent reduction in false positives across all classifier architectures (e.g., for Random Forest, false positives were reduced from 49 to 35), thereby lowering alert fatigue and improving operational reliability.

Comparison with Existing Methods

PHISHREV distinguishes itself from the state-of-the-art by augmenting monotonic statistical models with a linear-time (O(n)\mathcal{O}(n)) symbolic reasoning layer for post-hoc belief revision. While classification accuracy remains on par with leading approaches, PHISHREV's main contribution lies in enabling the rapid assimilation of new domain evidence without end-to-end retraining, which has direct implications for real-world adaptability as adversarial tactics shift.

Computational Complexity

The dominant computational burden lies in the classifier training phase (O(Tnflogn)\mathcal{O}(T \cdot n \cdot f \cdot \log n)). The reasoning layer’s overhead is linear in the number of test instances. The post-hoc ASP revision can incorporate new rules or contextual evidence in O(n)\mathcal{O}(n) time, offering efficiency and adaptability unattainable by traditional retraining routines.

Discussion and Implications

PHISHREV empirically demonstrates that integrating symbolic non-monotonic reasoning with data-driven models can selectively revise classifier outputs, particularly reducing false positive rates. The framework's architecture inherently supports modular updating of the knowledge base—enabling rapid adjustment to emergent signals (e.g., new phishing strategies or content indicators) at test time.

The primary limitation arises from reliance on handcrafted meta-tag-based rules, which may be exploited by sophisticated adversaries mimicking legitimate website behavior. This underscores the need for broader contextual modeling and multi-faceted reasoning strategies. Incorporating richer semantic features, aggregating additional content-based cues, or dynamically learning revision rules could further enhance robustness against adaptive attackers.

Conclusion

PHISHREV provides a concrete demonstration of fusing statistical learning with non-monotonic, context-sensitive symbolic reasoning for phishing detection. The resultant architecture achieves robust false positive reduction and high adaptability with minimal computational overhead. Future research should focus on expanding the repertoire of contextual signals and formalizing multi-rule, multi-modal ASP-based reasoning, with the aim of improving both the coverage and reliability of belief revision in adversarial settings.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.