URLGuard: Automated URL Protection

• URLGuard is a modular system for detecting malicious URLs by integrating browser extensions and LLM-based classifiers for secure web interactions.
• It utilizes an exhaustive feature engineering pipeline and ensemble models, including LightGBM and LoRA-tuned Llama2, to achieve high detection accuracy.
• The system delivers near state-of-the-art performance with minimal runtime impact, deployable both as a browser extension and as an inline LLM pre-filter.

URLGuard is a modular system for automated malicious URL detection aimed at enhancing the security of web agents and browser environments. It operates either as a browser-integrated extension with machine-learned classifiers or as a compact LLM-based gatekeeper for agents, preemptively blocking or flagging potentially harmful URLs. The component leverages advanced feature engineering, ensemble tree models, and lightweight neural adaptation, enabling near state-of-the-art detection rates with minimal runtime or resource disruption.

1. System Architectures and Deployment Patterns

URLGuard manifests in two primary technical architectures: as a browser extension for end-user navigation security (Malik et al., 2024) and as a defense module fronting LLM-based web agents (Kong et al., 26 Jan 2026). In browser settings, URLGuard is a standard Chromium extension with a JavaScript front end that monitors URL navigation via the chrome.webRequest API. It connects, via REST, to a FastAPI-managed backend hosting the classification models and ancillary detectors. For LLM agents, URLGuard is a stand-alone LLM classifier (Llama2-7B-chat-hf + LoRA, ∼200 MB memory overhead, ~50 ms URL latency) operating inline before the main agent prompt. The detection workflow intercepts user input, classifies the URL, and either blocks access or relays the request onward.

Deployment Mode	Model Core	Runtime Location
Browser extension	LightGBM, NB	Remote FastAPI (server)
LLM pre-filter	LoRA-tuned Llama2	Local (agent wrapper)

2. Feature Engineering and Extraction

URLGuard’s detection efficacy stems from its exhaustive, hand-crafted feature extraction pipeline. The phishing model leverages an 87-dimensional feature set categorized as follows (Malik et al., 2024):

• Lexical features: URL string lengths, discrete character counts, suspicious substrings (e.g., “login,” “secure”).
• Character distribution: Symbol frequencies (hyphen, underscore, ‘@’), URL Shannon entropy.
• Host-based features: WHOIS-derived fields (domain age, registrar reputation), SSL certificate status, DNS record existence.
• Page-level and external references: External iframe and script tag counts, meta refresh prevalence, internal-to-external link ratios, cross-domain linkage scores.

JavaScript and Python microservices extract these fields during browser events and normalize feature inputs; continuous variables are z-normalized, binary attributes remain {0,1}, and numeric-capped at the 99th percentile.

3. Classification Methodologies and Detection Pipelines

The browser extension employs a LightGBM binary classifier, configured as follows (Malik et al., 2024):

• Objective: Minimize logistic loss augmented with a leaf-complexity regularizer:

$$L^{(t)} = \sum_{i=1}^N \ell(y_i, F^{(t-1)}(x_i) + f_t(x_i)) + \Omega(f_t)$$

$$\Omega(f) = \gamma \cdot T + \frac{1}{2} \lambda \sum_{j=1}^T w_j^2$$

• Hyperparameters: num_leaves=31, max_depth=7, learning_rate=0.05, min_data_in_leaf=20, feature_fraction=0.8, bagging_fraction=0.8, lambda_l2=1.0, lambda_l1=0.1.

For agent pre-filtering, the module applies a LoRA-tuned Llama2-7B chat model with adapters on QKV projections. It tokenizes URL components (subdomain, domain, path, parameters), encodes via the LLM, and applies a binary classification head (Kong et al., 26 Jan 2026). A probability threshold $P(\text{malicious}|u)\geq0.5$ triggers blocking.

A high-level pseudocode:

decision ← URLGuard_Classify(u) if decision == "Block": return "Warning: The link appears unsafe. Please verify before proceeding." else: return AgentResponse(u)

The module’s minimization of resource impact (sub-50 ms latency, <5 MB client memory consumption) enables seamless integration.

4. Performance Metrics and Empirical Results

URLGuard’s browser extension is evaluated on the Pierre Rochet phishing corpus (≈80,000 samples, balanced) with 80/20 train-test splits (Malik et al., 2024). Standard evaluation metrics:

• Accuracy: $0.965$
• Precision: $0.968$
• Recall: $0.962$
• F₁: $0.965$
• ROC AUC: $0.9931$

Confusion matrix (normalized):

	Predicted Phish	Predicted Safe
Actual Phish	0.962	0.038
Actual Safe	0.032	0.968

False-positive rate is $3.2\%$, false-negative rate $3.8\%$, ROC AUC is extremely high, suggesting robust discriminatory power.

For LLM-based defense, URLGuard’s effectiveness is quantified by risk score reduction on MalURLBench (61,845 attack instances, 10 scenarios) (Kong et al., 26 Jan 2026). Original Llama2-7B-chat-hf agent risk $F_s(\mathcal{M})$ is ≈94% (scenario average), while URLGuard reduces this by up to 81% on average, reaching near-complete blocking (TPR ≈ 99%) in several settings (e.g., s_food, s_mus, s_vid, s_new).

Scenario	Fₛ(𝓜)	Fₛ(D(𝓜))	Effectiveness
s_food	0.98	0.01	0.97
s_job	0.94	0.00	0.94
s_vid	0.69	0.00	0.69

Benign URL false-positive rates are unreported in LLM-agent settings.

5. Secondary Modules and Extension Capabilities

The browser variant of URLGuard incorporates modules for spam email detection and network anomaly monitoring (Malik et al., 2024). Spam filtering is handled by a Multinomial Naïve Bayes classifier, trained on public datasets (≥5,500 samples), with token/character/word counts and TF–IDF features, yielding accuracy 0.9709 and precision 1.0. Network monitoring parses HTTP response codes, flags sustained 4xx/5xx bursts within any 30-second window, and conveys anomalous status to users.

Planned extensions include sentiment analyzers for nuanced phishing detection, context-menu actions for on-demand scoring, client-side WASM models for offline deployment, and continuous retraining pipelines.

6. Limitations and Future Work

URLGuard’s robustness is constrained by several factors (Malik et al., 2024, Kong et al., 26 Jan 2026):

• Vulnerability to mimicry attacks: URLs engineered to resemble legitimate structures may evade feature-based classifiers.
• Third-party data reliance: Privacy protections or bot-blocking can impede retrieval of WHOIS/search features.
• Training corpus bias: Dominance of legacy phishing templates; incomplete coverage of emerging attack surfaces (e.g., domain shadowing, shortener-based lures).
• Limited benign URL calibration in LLM settings; false-positive behavior is unquantified.
• Static defense: Current modules treat each URL atomically; contextual or multimodal evidence (HTML wrappers, cookies, images, QR codes) are not leveraged.
• Small-scale fine-tuning: LLM URLGuard is trained on only 280 URLs from a single scenario; generalization to unseen formats and real-world scale is uncertain.

Proposed directions include augmenting training diversity (templates, attack vectors), multimodal defense integration, on-device inference for latency/bandwidth resilience, and dynamic context incorporation.

7. Comparative Context and Misconceptions

No direct comparative analysis against advanced co-modal URL–HTML fusion architectures (e.g., WebGuard++ (Tian et al., 24 Jun 2025)) is present in the referenced evaluations. Whereas WebGuard++ employs hierarchical Transformer–dynamic convolution URL encoding and subgraph-aware HTML graph partitioning with consensus voting for interpretability and ultra-low FPR, URLGuard focuses on pragmatic feature-based or compact neural classification for deployability within browser or agent pipelines. A plausible implication is that multi-modal or graph-based fusion methods may outperform URLGuard in settings where attacker artifacts are embedded within DOM structures; however, no cross-system benchmarks have been published.

Misconceptions may arise regarding the sufficiency of lexical or host-based features alone for adversarial robustness. Both the browser and LLM variants of URLGuard are susceptible to novel evasion tactics and concept drift, underscoring the necessity of continuous update and extension toward richer, context-aware feature sets.