pith. sign in

arxiv: 2606.00889 · v1 · pith:WBKBQAUBnew · submitted 2026-05-30 · 💻 cs.CR · cs.LG

A Lightweight Hybrid MLP-Based Framework for Real-Time Phishing URL Detection Using Structural URL Features

Pith reviewed 2026-06-28 18:23 UTC · model grok-4.3

classification 💻 cs.CR cs.LG
keywords phishing URL detectionmulti-layer perceptronstructural URL featuresreal-time classificationhybrid detection frameworklightweight machine learningcybersecurityPhiUSIIL dataset
0
0 comments X

The pith

A multi-layer perceptron using 16 structural URL features detects phishing at 99.24 percent accuracy with 1.2 millisecond inference.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper sets out to show that a hybrid system can screen URLs first against a blacklist and then classify the rest with a lightweight MLP that looks only at 16 structural, domain, and security-derived features extracted directly from the URL string. This combination avoids any need to fetch page content, call external services, or render visuals, which keeps the entire process fast enough for real-time use on ordinary hardware. On a dataset of over 235,000 labeled URLs the MLP reaches 99.24 percent accuracy and 99.65 percent ROC-AUC while beating five other standard classifiers under identical conditions. The measured throughput of 4,200 URLs per second and the working desktop prototype indicate the method can be embedded in browsers or endpoint tools without heavy resource demands.

Core claim

The central claim is that an MLP classifier supplied solely with 16 URL-derived structural features, after an initial blacklist check, produces higher accuracy, precision, recall, F1, and ROC-AUC scores than Random Forest, Logistic Regression, XGBoost, LightGBM, or CatBoost on the PhiUSIIL dataset while maintaining an average inference latency of 1.2 ms per URL and supporting 4,200 URLs per second under concurrent load.

What carries the argument

The hybrid pipeline that extracts 16 structural URL features and routes them through a multi-layer perceptron after blacklist screening.

If this is right

  • Real-time blocking becomes feasible on resource-limited devices because no page content or external calls are required.
  • The same 16 features suffice to outperform five other common classifiers under matched evaluation conditions.
  • A desktop application can be built that processes thousands of URLs per second while remaining lightweight.
  • Detection stays reactive only to the blacklist layer and proactive via the MLP for unseen URLs.
  • Deployment does not depend on third-party APIs or visual rendering steps.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If the structural features capture stable patterns, the same MLP could be retrained periodically on newer data without changing the feature extractor.
  • Browser extensions could integrate the pipeline to intercept navigation before a page loads, reducing exposure time.
  • The approach may extend to related URL-based threats such as malware distribution links if the feature definitions remain discriminative.
  • Organizations could run the classifier locally on endpoints to avoid sending URL data to cloud services.

Load-bearing premise

The 16 structural features stay effective at separating phishing from legitimate URLs even after the training data cutoff and in live traffic whose distribution matches the PhiUSIIL collection.

What would settle it

Measure accuracy on a new collection of phishing and legitimate URLs gathered after the original dataset was assembled; if accuracy falls below 95 percent the claim that the feature set remains sufficient is falsified.

Figures

Figures reproduced from arXiv: 2606.00889 by Gideon Francis Oghie, Uche Unoke Emmanuel.

Figure 1
Figure 1. Figure 1: Proposed Hybrid Two-Stage Phishing URL Detection Pipeline. 3.4 MLP Model Design and Configuration Network Architecture. The MLP neural network employs a 16-64-32-16-1 topology, consisting of an input layer of 16 neurons corresponding to the extracted feature vector, three hidden layers of 64, 32, and 16 neurons respectively, and a single output neuron for binary classification. The progressive reduction in… view at source ↗
Figure 2
Figure 2. Figure 2: MLP Neural Network Topology (16-64-32-16-1 Architecture) Activation Functions. Rectified Linear Unit (ReLU) activation is applied to all hidden layers. ReLU was selected over sigmoid and tanh alternatives for its resistance to the vanishing gradient problem in deeper network layers and its computational efficiency during both forward and backward propagation passes. The output layer employs sigmoid activat… view at source ↗
read the original abstract

Phishing attacks remain a major cybersecurity threat, exploiting deceptive URLs to steal sensitive user information. Traditional blacklist and rule-based detection approaches are reactive and often fail to identify newly emerging phishing URLs. This paper proposes a lightweight hybrid framework for real-time phishing URL detection that combines blacklist-based screening with a Multi-Layer Perceptron (MLP) classifier operating solely on structural URL features. The framework extracts 16 URL-derived features capturing structural, domain-based, and security-related characteristics without requiring webpage content access, third-party APIs, or visual rendering, making it computationally efficient for real-time deployment. The system was trained and evaluated on the PhiUSIIL phishing dataset containing 235,795 labelled URLs. Experimental results show that the proposed MLP achieved 99.24% accuracy, 98.74% precision, 99.95% recall, 99.34% F1-score, and 99.65% ROC-AUC, outperforming Random Forest, Logistic Regression, XGBoost, LightGBM, and CatBoost under the same evaluation setting. The hybrid architecture achieved an average inference latency of 1.2 ms per URL and a peak throughput of 4,200 URLs per second under concurrent processing. A functional desktop application prototype, CyberGuard, further demonstrates deployment viability. The results indicate that the proposed framework provides an accurate and computationally efficient solution for real-time phishing URL detection in resource-constrained environments.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes a lightweight hybrid framework for real-time phishing URL detection that combines blacklist screening with an MLP classifier using only 16 structural, domain-based, and security-related URL features (no webpage content, APIs, or rendering required). Trained and evaluated on the PhiUSIIL dataset of 235,795 labeled URLs, the MLP reports 99.24% accuracy, 98.74% precision, 99.95% recall, 99.34% F1, and 99.65% ROC-AUC, outperforming Random Forest, Logistic Regression, XGBoost, LightGBM, and CatBoost; the system achieves 1.2 ms average inference latency and 4,200 URLs/sec throughput, with a desktop prototype (CyberGuard) demonstrating deployment.

Significance. If the performance holds under rigorous validation, the work offers a computationally efficient, content-free approach to phishing detection that could be practical in resource-constrained real-time settings. The explicit focus on structural features alone and the provision of a working prototype are concrete strengths for operational relevance.

major comments (2)
  1. [Abstract and experimental evaluation] Abstract and experimental evaluation section: the reported metrics (99.24% accuracy etc.) are presented without any description of the train-test split strategy, cross-validation procedure, hyperparameter search method, or whether feature definitions/thresholds were finalized before or after inspecting test labels. This information is load-bearing for the central performance claim and for the assertion that the MLP outperforms the baselines under the same setting.
  2. [Evaluation and deployment claims] Evaluation and deployment claims: no temporal hold-out, collection-date split, or forward-chronological test is described. Because the central claim is that the 16 structural features enable detection of newly emerging phishing URLs in real time, the absence of any evaluation on URLs appearing after the training corpus was assembled leaves the headline metrics non-predictive of operational performance against adaptive adversaries.
minor comments (2)
  1. [Feature extraction] The exact definitions, extraction code, and any thresholds used for the 16 structural features should be provided (e.g., in a table or appendix) to allow reproduction.
  2. [Results] Figure or table presenting the per-model comparison metrics would benefit from including standard deviations across multiple runs or folds rather than single-point estimates.

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for the constructive comments on the experimental methodology. We address each point below and indicate planned revisions.

read point-by-point responses
  1. Referee: [Abstract and experimental evaluation] Abstract and experimental evaluation section: the reported metrics (99.24% accuracy etc.) are presented without any description of the train-test split strategy, cross-validation procedure, hyperparameter search method, or whether feature definitions/thresholds were finalized before or after inspecting test labels. This information is load-bearing for the central performance claim and for the assertion that the MLP outperforms the baselines under the same setting.

    Authors: We agree these details are essential for reproducibility and validating the performance claims. The revised manuscript will add a dedicated paragraph in the Experimental Evaluation section describing the train-test split strategy, cross-validation procedure, hyperparameter search method, and confirmation that feature definitions and thresholds were finalized on training data only before test evaluation. revision: yes

  2. Referee: [Evaluation and deployment claims] Evaluation and deployment claims: no temporal hold-out, collection-date split, or forward-chronological test is described. Because the central claim is that the 16 structural features enable detection of newly emerging phishing URLs in real time, the absence of any evaluation on URLs appearing after the training corpus was assembled leaves the headline metrics non-predictive of operational performance against adaptive adversaries.

    Authors: We agree that temporal validation would strengthen claims about detecting emerging threats. The PhiUSIIL dataset lacks collection timestamps, so a forward-chronological split cannot be performed. The revised manuscript will explicitly acknowledge this limitation and discuss its implications for operational claims, while noting that the structural features target generalizable patterns. revision: partial

standing simulated objections not resolved
  • The absence of timestamps in the PhiUSIIL dataset prevents conducting the requested temporal hold-out evaluation.

Circularity Check

0 steps flagged

No circularity: standard empirical ML evaluation on fixed dataset

full rationale

The paper performs feature extraction of 16 structural URL features followed by supervised training and evaluation of an MLP (and baselines) on the PhiUSIIL dataset, reporting accuracy, precision, recall, F1, and AUC on a test split. No equations, predictions, or uniqueness claims are present. No self-citations are invoked to justify any derivation or ansatz. All reported metrics are computed directly from the model's outputs on held-out data rather than being redefined in terms of fitted parameters. This matches the default case of a self-contained empirical study with no load-bearing circular steps.

Axiom & Free-Parameter Ledger

2 free parameters · 2 axioms · 0 invented entities

The performance numbers rest on the choice of 16 features whose definitions are not supplied, the MLP architecture and training hyperparameters that were selected to fit the data, and the assumption that the labeled dataset is representative of future attacks.

free parameters (2)
  • MLP architecture and training hyperparameters
    Number of layers, hidden units, learning rate, regularization, and early-stopping criteria are chosen to produce the reported accuracy.
  • Exact definitions and thresholds for the 16 structural features
    Feature extraction rules (e.g., length cutoffs, character counts) are selected to capture phishing signals but not enumerated in the abstract.
axioms (2)
  • domain assumption The PhiUSIIL dataset labels are accurate and its distribution matches real-world phishing URLs encountered after training.
    All accuracy claims depend on this representativeness.
  • domain assumption Structural features alone suffice for reliable classification without webpage content or third-party data.
    The framework is built on this premise.

pith-pipeline@v0.9.1-grok · 5786 in / 1586 out tokens · 16983 ms · 2026-06-28T18:23:21.408069+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

26 extracted references · 21 canonical work pages

  1. [1]

    (2025, January 10)

    Control D. (2025, January 10). 99 global phishing statistics & industry trends (2023–2025). Control D. Retrieved April 2025, from https://controld.com/blog/phishing-statistics-industry-trends 26

  2. [2]

    Statista. (2024). Distribution of industries worldwide most targeted by phishing attacks in 4th quarter 2024. Statista. Retrieved April 2025, from https://www.statista.com/statistics/266161/websites- most-affected-by-phishing

  3. [3]

    Elsadig, M., Saleh, M., & Abdalla, E. (2022). Intelligent deep -machine-learning cyber phishing URL detection based on BERT features extraction. Electronics, 11 (22), Article 3647. https://doi.org/10.3390/electronics11223647

  4. [4]

    L., Tan, C

    Chiew, K. L., Tan, C. L., Wong, K. S., Yong, K. S. C., & Tiong, W. K. (2018). A new hybrid ensemble feature selection framework for machine learning -based phishing detection. Computers & Security, 76, 84–102. https://doi.org/10.1016/j.cose.2018.02.018

  5. [5]

    Srinivasa Rao, R., & Pais, A. R. (2017). Detecting phishing websites using automation of human behavior. Procedia Computer Science, 106, 87–94. https://doi.org/10.1016/j.procs.2017.03.009

  6. [6]

    Yang, R., Zheng, K., Wu, B., Wu, C., & Wang, X. (2021). Phishing website detection based on deep convolutional neural network and Random Forest ensemble learning. Sensors, 21(24), Article 8281. https://doi.org/10.3390/s21248281

  7. [7]

    R., & Gupta, M

    Prakash, B., Kumar, M., Kompella, R. R., & Gupta, M. (2010). PhishNet: Predictive blacklisting to detect phishing attacks. Proceedings of IEEE INFOCOM 2010. https://doi.org/10.1109/INFCOM.2010.5462216

  8. [8]

    Zhang, Y., Hong, J., & Cranor , L. (2008). A highly predictive blacklisting system for phishing detection. Proceedings of the 3rd International Conference on Malicious and Unwanted Software, 45–

  9. [9]

    https://doi.org/10.1109/MALWARE.2008.4690856

  10. [10]

    S., & Ali, S

    Rao, R. S., & Ali, S. T. (2015). PhishShield: A desktop application to detect phishing webpages through heuristic approach. Procedia Computer Science, 54, 147–156. https://doi.org/10.1016/j.procs.2015.06.017

  11. [11]

    K., Buber, E., Demir, O., & Diri, B

    Sahingoz, O. K., Buber, E., Demir, O., & Diri, B. (2019). Machine learning -based phishing detection from URLs. Expert Systems with Applications, 117, 345–357. https://doi.org/10.1016/j.eswa.2018.09.029

  12. [12]

    Xiang, G., Hong, J., Rose, C., & Cranor, L. (2011). CANTINA+: A feature-rich machine learning framework for detecting phishing web pages. ACM Transactions on Information and System Security, 14(2), Article 21. https://doi.org/10.1145/2019599.2019606

  13. [13]

    Zouina, A., & Outtaj, M. (2017). Lightweight URL phishing detection using support vector machines and similarity indices. International Journal of Computer Network and Information Security, 9(5), 9–18. https://doi.org/10.5815/ijcnis.2017.05.02

  14. [14]

    Zhu, J., Tan, Z., Wang, Z., Chen, Q., & Peng, L. (2019). OFS -NN: An optimal feature selection method for neural networks in phishing website detection. IEEE Access, 7, 76129–76140. https://doi.org/10.1109/ACCESS.2019.2951047 27

  15. [15]

    An in-depth experimen- tal study of anomaly detection using gradient boosted machine,

    Mohammad, R. M., Thabtah, F., & McCluskey, L. (2014). Predicting phishing websites based on self-structuring neural network. Soft Computing, 18 (11), 2363–2375. https://doi.org/10.1007/s00521- 013-1490-z

  16. [16]

    Aljofey, A., Jiang, Q., Qu, Q., Huang, M., & Niyigena, J. (2020). An effective phishing detection model based on character -level convolutional neural network from URL. Electronics, 9 (9), Article

  17. [17]

    https://doi.org/10.3390/electronics9091514

  18. [18]

    Wang, X., Chen, H., & Huang, Y. (2019). PDRCNN: Precise phishing detection using recurrent convolutional neural networks. Security and Communication Networks, 2019, Article 2595794. https://doi.org/10.1155/2019/2595794

  19. [19]

    Zhu, J., Wang, T., & Li, P. (2021). Hybrid DNN-LSTM model for phishing URL detection. Future Internet, 13(10), Article 256. https://doi.org/10.3390/fi13100256

  20. [20]

    Alhothali, A., & Zohdy, M. (2022). Phishing detection using deep learning and natural language processing. IEEE Access, 10, 12345–12367. https://doi.org/10.1109/ACCESS.2022.3157890

  21. [21]

    Tang, L., & Mahmoud, Q. H. (2021). A comparative study of machine learning techniques for phishing website detection. Computers & Security, 100, Article 102094. https://doi.org/10.1016/j.cose.2020.102094

  22. [22]

    Shrivastava, R., & Bhatt, A. (2023). A survey of machine learning -based phishing detection techniques. Journal of Cybersecurity Research, 6(1), 22–35. https://doi.org/10.1016/j.jcsr.2023.01.005

  23. [23]

    Zhang, J., Zhang, Y., & Guo, W. (2024). Hybrid deep learning for phishing detection using CNN and RNN. Future Generation Computer Systems, 152, 123–135. https://doi.org/10.1016/j.future.2023.10.012

  24. [24]

    Basit, A., Khan, M., & Ahmed, S. (2021). PhishHaven: A convolutional neural network approach for phishing detection. Journal of Network and Computer Applications, 175, Article 102934. https://doi.org/10.1016/j.jnca.2020.102934

  25. [25]

    Prasad, A., & Chandra, S. (2024). PhiUSIIL Phishing URL dataset. UCI Machine Learning Repository. https://doi.org/10.24432/C5GW2J

  26. [26]

    Whittaker, C., Ryner, B., & Nazif, M. (2010). Large -scale automatic classification of phishing pages. Proceedings of the Network and Distributed System Security Symposium (NDSS 2010). Internet Society