A Lightweight Hybrid MLP-Based Framework for Real-Time Phishing URL Detection Using Structural URL Features
Pith reviewed 2026-06-28 18:23 UTC · model grok-4.3
The pith
A multi-layer perceptron using 16 structural URL features detects phishing at 99.24 percent accuracy with 1.2 millisecond inference.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The central claim is that an MLP classifier supplied solely with 16 URL-derived structural features, after an initial blacklist check, produces higher accuracy, precision, recall, F1, and ROC-AUC scores than Random Forest, Logistic Regression, XGBoost, LightGBM, or CatBoost on the PhiUSIIL dataset while maintaining an average inference latency of 1.2 ms per URL and supporting 4,200 URLs per second under concurrent load.
What carries the argument
The hybrid pipeline that extracts 16 structural URL features and routes them through a multi-layer perceptron after blacklist screening.
If this is right
- Real-time blocking becomes feasible on resource-limited devices because no page content or external calls are required.
- The same 16 features suffice to outperform five other common classifiers under matched evaluation conditions.
- A desktop application can be built that processes thousands of URLs per second while remaining lightweight.
- Detection stays reactive only to the blacklist layer and proactive via the MLP for unseen URLs.
- Deployment does not depend on third-party APIs or visual rendering steps.
Where Pith is reading between the lines
- If the structural features capture stable patterns, the same MLP could be retrained periodically on newer data without changing the feature extractor.
- Browser extensions could integrate the pipeline to intercept navigation before a page loads, reducing exposure time.
- The approach may extend to related URL-based threats such as malware distribution links if the feature definitions remain discriminative.
- Organizations could run the classifier locally on endpoints to avoid sending URL data to cloud services.
Load-bearing premise
The 16 structural features stay effective at separating phishing from legitimate URLs even after the training data cutoff and in live traffic whose distribution matches the PhiUSIIL collection.
What would settle it
Measure accuracy on a new collection of phishing and legitimate URLs gathered after the original dataset was assembled; if accuracy falls below 95 percent the claim that the feature set remains sufficient is falsified.
Figures
read the original abstract
Phishing attacks remain a major cybersecurity threat, exploiting deceptive URLs to steal sensitive user information. Traditional blacklist and rule-based detection approaches are reactive and often fail to identify newly emerging phishing URLs. This paper proposes a lightweight hybrid framework for real-time phishing URL detection that combines blacklist-based screening with a Multi-Layer Perceptron (MLP) classifier operating solely on structural URL features. The framework extracts 16 URL-derived features capturing structural, domain-based, and security-related characteristics without requiring webpage content access, third-party APIs, or visual rendering, making it computationally efficient for real-time deployment. The system was trained and evaluated on the PhiUSIIL phishing dataset containing 235,795 labelled URLs. Experimental results show that the proposed MLP achieved 99.24% accuracy, 98.74% precision, 99.95% recall, 99.34% F1-score, and 99.65% ROC-AUC, outperforming Random Forest, Logistic Regression, XGBoost, LightGBM, and CatBoost under the same evaluation setting. The hybrid architecture achieved an average inference latency of 1.2 ms per URL and a peak throughput of 4,200 URLs per second under concurrent processing. A functional desktop application prototype, CyberGuard, further demonstrates deployment viability. The results indicate that the proposed framework provides an accurate and computationally efficient solution for real-time phishing URL detection in resource-constrained environments.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes a lightweight hybrid framework for real-time phishing URL detection that combines blacklist screening with an MLP classifier using only 16 structural, domain-based, and security-related URL features (no webpage content, APIs, or rendering required). Trained and evaluated on the PhiUSIIL dataset of 235,795 labeled URLs, the MLP reports 99.24% accuracy, 98.74% precision, 99.95% recall, 99.34% F1, and 99.65% ROC-AUC, outperforming Random Forest, Logistic Regression, XGBoost, LightGBM, and CatBoost; the system achieves 1.2 ms average inference latency and 4,200 URLs/sec throughput, with a desktop prototype (CyberGuard) demonstrating deployment.
Significance. If the performance holds under rigorous validation, the work offers a computationally efficient, content-free approach to phishing detection that could be practical in resource-constrained real-time settings. The explicit focus on structural features alone and the provision of a working prototype are concrete strengths for operational relevance.
major comments (2)
- [Abstract and experimental evaluation] Abstract and experimental evaluation section: the reported metrics (99.24% accuracy etc.) are presented without any description of the train-test split strategy, cross-validation procedure, hyperparameter search method, or whether feature definitions/thresholds were finalized before or after inspecting test labels. This information is load-bearing for the central performance claim and for the assertion that the MLP outperforms the baselines under the same setting.
- [Evaluation and deployment claims] Evaluation and deployment claims: no temporal hold-out, collection-date split, or forward-chronological test is described. Because the central claim is that the 16 structural features enable detection of newly emerging phishing URLs in real time, the absence of any evaluation on URLs appearing after the training corpus was assembled leaves the headline metrics non-predictive of operational performance against adaptive adversaries.
minor comments (2)
- [Feature extraction] The exact definitions, extraction code, and any thresholds used for the 16 structural features should be provided (e.g., in a table or appendix) to allow reproduction.
- [Results] Figure or table presenting the per-model comparison metrics would benefit from including standard deviations across multiple runs or folds rather than single-point estimates.
Simulated Author's Rebuttal
We thank the referee for the constructive comments on the experimental methodology. We address each point below and indicate planned revisions.
read point-by-point responses
-
Referee: [Abstract and experimental evaluation] Abstract and experimental evaluation section: the reported metrics (99.24% accuracy etc.) are presented without any description of the train-test split strategy, cross-validation procedure, hyperparameter search method, or whether feature definitions/thresholds were finalized before or after inspecting test labels. This information is load-bearing for the central performance claim and for the assertion that the MLP outperforms the baselines under the same setting.
Authors: We agree these details are essential for reproducibility and validating the performance claims. The revised manuscript will add a dedicated paragraph in the Experimental Evaluation section describing the train-test split strategy, cross-validation procedure, hyperparameter search method, and confirmation that feature definitions and thresholds were finalized on training data only before test evaluation. revision: yes
-
Referee: [Evaluation and deployment claims] Evaluation and deployment claims: no temporal hold-out, collection-date split, or forward-chronological test is described. Because the central claim is that the 16 structural features enable detection of newly emerging phishing URLs in real time, the absence of any evaluation on URLs appearing after the training corpus was assembled leaves the headline metrics non-predictive of operational performance against adaptive adversaries.
Authors: We agree that temporal validation would strengthen claims about detecting emerging threats. The PhiUSIIL dataset lacks collection timestamps, so a forward-chronological split cannot be performed. The revised manuscript will explicitly acknowledge this limitation and discuss its implications for operational claims, while noting that the structural features target generalizable patterns. revision: partial
- The absence of timestamps in the PhiUSIIL dataset prevents conducting the requested temporal hold-out evaluation.
Circularity Check
No circularity: standard empirical ML evaluation on fixed dataset
full rationale
The paper performs feature extraction of 16 structural URL features followed by supervised training and evaluation of an MLP (and baselines) on the PhiUSIIL dataset, reporting accuracy, precision, recall, F1, and AUC on a test split. No equations, predictions, or uniqueness claims are present. No self-citations are invoked to justify any derivation or ansatz. All reported metrics are computed directly from the model's outputs on held-out data rather than being redefined in terms of fitted parameters. This matches the default case of a self-contained empirical study with no load-bearing circular steps.
Axiom & Free-Parameter Ledger
free parameters (2)
- MLP architecture and training hyperparameters
- Exact definitions and thresholds for the 16 structural features
axioms (2)
- domain assumption The PhiUSIIL dataset labels are accurate and its distribution matches real-world phishing URLs encountered after training.
- domain assumption Structural features alone suffice for reliable classification without webpage content or third-party data.
Reference graph
Works this paper leans on
-
[1]
(2025, January 10)
Control D. (2025, January 10). 99 global phishing statistics & industry trends (2023–2025). Control D. Retrieved April 2025, from https://controld.com/blog/phishing-statistics-industry-trends 26
2025
-
[2]
Statista. (2024). Distribution of industries worldwide most targeted by phishing attacks in 4th quarter 2024. Statista. Retrieved April 2025, from https://www.statista.com/statistics/266161/websites- most-affected-by-phishing
2024
-
[3]
Elsadig, M., Saleh, M., & Abdalla, E. (2022). Intelligent deep -machine-learning cyber phishing URL detection based on BERT features extraction. Electronics, 11 (22), Article 3647. https://doi.org/10.3390/electronics11223647
-
[4]
Chiew, K. L., Tan, C. L., Wong, K. S., Yong, K. S. C., & Tiong, W. K. (2018). A new hybrid ensemble feature selection framework for machine learning -based phishing detection. Computers & Security, 76, 84–102. https://doi.org/10.1016/j.cose.2018.02.018
-
[5]
Srinivasa Rao, R., & Pais, A. R. (2017). Detecting phishing websites using automation of human behavior. Procedia Computer Science, 106, 87–94. https://doi.org/10.1016/j.procs.2017.03.009
-
[6]
Yang, R., Zheng, K., Wu, B., Wu, C., & Wang, X. (2021). Phishing website detection based on deep convolutional neural network and Random Forest ensemble learning. Sensors, 21(24), Article 8281. https://doi.org/10.3390/s21248281
-
[7]
Prakash, B., Kumar, M., Kompella, R. R., & Gupta, M. (2010). PhishNet: Predictive blacklisting to detect phishing attacks. Proceedings of IEEE INFOCOM 2010. https://doi.org/10.1109/INFCOM.2010.5462216
-
[8]
Zhang, Y., Hong, J., & Cranor , L. (2008). A highly predictive blacklisting system for phishing detection. Proceedings of the 3rd International Conference on Malicious and Unwanted Software, 45–
2008
-
[9]
https://doi.org/10.1109/MALWARE.2008.4690856
-
[10]
Rao, R. S., & Ali, S. T. (2015). PhishShield: A desktop application to detect phishing webpages through heuristic approach. Procedia Computer Science, 54, 147–156. https://doi.org/10.1016/j.procs.2015.06.017
-
[11]
K., Buber, E., Demir, O., & Diri, B
Sahingoz, O. K., Buber, E., Demir, O., & Diri, B. (2019). Machine learning -based phishing detection from URLs. Expert Systems with Applications, 117, 345–357. https://doi.org/10.1016/j.eswa.2018.09.029
-
[12]
Xiang, G., Hong, J., Rose, C., & Cranor, L. (2011). CANTINA+: A feature-rich machine learning framework for detecting phishing web pages. ACM Transactions on Information and System Security, 14(2), Article 21. https://doi.org/10.1145/2019599.2019606
-
[13]
Zouina, A., & Outtaj, M. (2017). Lightweight URL phishing detection using support vector machines and similarity indices. International Journal of Computer Network and Information Security, 9(5), 9–18. https://doi.org/10.5815/ijcnis.2017.05.02
-
[14]
Zhu, J., Tan, Z., Wang, Z., Chen, Q., & Peng, L. (2019). OFS -NN: An optimal feature selection method for neural networks in phishing website detection. IEEE Access, 7, 76129–76140. https://doi.org/10.1109/ACCESS.2019.2951047 27
-
[15]
An in-depth experimen- tal study of anomaly detection using gradient boosted machine,
Mohammad, R. M., Thabtah, F., & McCluskey, L. (2014). Predicting phishing websites based on self-structuring neural network. Soft Computing, 18 (11), 2363–2375. https://doi.org/10.1007/s00521- 013-1490-z
-
[16]
Aljofey, A., Jiang, Q., Qu, Q., Huang, M., & Niyigena, J. (2020). An effective phishing detection model based on character -level convolutional neural network from URL. Electronics, 9 (9), Article
2020
-
[17]
https://doi.org/10.3390/electronics9091514
-
[18]
Wang, X., Chen, H., & Huang, Y. (2019). PDRCNN: Precise phishing detection using recurrent convolutional neural networks. Security and Communication Networks, 2019, Article 2595794. https://doi.org/10.1155/2019/2595794
-
[19]
Zhu, J., Wang, T., & Li, P. (2021). Hybrid DNN-LSTM model for phishing URL detection. Future Internet, 13(10), Article 256. https://doi.org/10.3390/fi13100256
-
[20]
Alhothali, A., & Zohdy, M. (2022). Phishing detection using deep learning and natural language processing. IEEE Access, 10, 12345–12367. https://doi.org/10.1109/ACCESS.2022.3157890
-
[21]
Tang, L., & Mahmoud, Q. H. (2021). A comparative study of machine learning techniques for phishing website detection. Computers & Security, 100, Article 102094. https://doi.org/10.1016/j.cose.2020.102094
-
[22]
Shrivastava, R., & Bhatt, A. (2023). A survey of machine learning -based phishing detection techniques. Journal of Cybersecurity Research, 6(1), 22–35. https://doi.org/10.1016/j.jcsr.2023.01.005
-
[23]
Zhang, J., Zhang, Y., & Guo, W. (2024). Hybrid deep learning for phishing detection using CNN and RNN. Future Generation Computer Systems, 152, 123–135. https://doi.org/10.1016/j.future.2023.10.012
-
[24]
Basit, A., Khan, M., & Ahmed, S. (2021). PhishHaven: A convolutional neural network approach for phishing detection. Journal of Network and Computer Applications, 175, Article 102934. https://doi.org/10.1016/j.jnca.2020.102934
-
[25]
Prasad, A., & Chandra, S. (2024). PhiUSIIL Phishing URL dataset. UCI Machine Learning Repository. https://doi.org/10.24432/C5GW2J
-
[26]
Whittaker, C., Ryner, B., & Nazif, M. (2010). Large -scale automatic classification of phishing pages. Proceedings of the Network and Distributed System Security Symposium (NDSS 2010). Internet Society
2010
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.