Phishing detection is inherently adversarial. Attackers adapt observable website characteristics to evade classification, while defenders evaluate models under static train–test splits. A classifier may achieve near-perfect held-out accuracy yet remain operationally fragile when its predictions rest on surface-level attributes alterable at low cost. Recent studies report detection accuracies exceeding 95% using refined feature engineering and ensemble methods [1]-[4], but these results assume a passive threat model in which adversarial adaptation is excluded. In deployed systems, this assumption rarely holds [5]-[7].

The tension is acute because manipulation costs are asymmetric. Presentation-layer cues—URL structure, HTML artifacts, certificate presentation—are inexpensive to modify, whereas infrastructure-coupled signals such as domain age, DNS records, and traffic require sustained investment or third-party validation [8]-[11]. Many robustness analyses rely on continuous perturbation models that abstract away discrete feature semantics, or adopt worst-case threat models that ignore economically plausible attacker behavior [12]-[14].

Phishing robustness studies fall broadly into three categories. Continuous perturbation approaches apply ℓ p -bounded adversarial examples to feature vectors, treating each coordinate as a real-valued input amenable to gradient-based attack [12][15]. While methodologically convenient, this abstraction obscures the discrete, semantically constrained nature of website feature edits. Heuristic attack studies evaluate classifiers against hand-crafted manipulation strategies without formalizing attacker cost or optimality [1][3][16]. Problem-space constraint work emphasizes that adversarial perturbations must satisfy domain constraints, yet typically does not assign explicit economic costs to individual transitions or characterize the resulting attack-surface structure [6][13][17].

We adopt a complementary perspective. Evasion is formulated as exact shortest-path search over a cost-weighted discrete transition graph. We introduce concentration diagnostics—RCI and FirstTop1—as primary structural indicators, and establish an architecture-independent cost-floor bound. The combination of exact discrete-cost optimization, attack-surface concentration measurement, and a formal robustness ceiling distinguishes this work from prior analyses.

To bridge the gap between static evaluation and adversarial deployment, we develop a cost-aware adversarial evaluation framework that assigns explicit costs to discrete feature edits and evaluates classifiers under bounded attacker budgets. We study sanitization-style evasion under monotone edits, where the attacker removes phishing indicators and pushes feature values toward legitimate states. This threat model represents a lower bound on attacker capability: it excludes anti-feature injection, extractor-level attacks, and non-monotone manipulation, all of which can only expand the feasible action set and reduce MEC. The restriction to monotone edits is operationally motivated by empirical evidence that most phishing campaigns are short-lived (24 - 72 hours), favoring indicator removal over infrastructure construction [10][11]. Section 7 discusses how relaxing this restriction would affect concentration and the cost floor.

Rather than measuring aggregate degradation, we address a structural question central to defensive design: under budget-constrained manipulation, do evasion pathways disperse across many features or collapse onto a small attack surface? The answer determines whether architectural complexity redistributes adversarial risk or leaves dominant failure modes intact.

We operationalize this analysis with three diagnostics. Minimal evasion cost (MEC) is the smallest cumulative cost required to induce misclassification for a correctly detected phishing instance. The evasion survival rate S ( B ) = Pr ( MEC ( x ) > B ) measures resistance to the attacker’s budget B . The robustness concentration index (RCI) quantifies whether successful minimal-cost edits are diffuse or concentrated on a small subset of features. Empirically, across models and full feature sets, evasion succeeds under modest budgets (median MEC = 2), and more than 80% of traces concentrate on three low-cost surface features. We formalize this convergence with a structural result: when a nontrivial fraction of instances admit evasion via a single feature transition of minimal cost, no classifier architecture can raise the corresponding robustness quantiles without modifying the feature space or cost model. We term this action-set-limited invariance.

We model post-deployment evasion as a shortest-path problem on a directed graph whose nodes are discrete feature vectors, whose edges represent admissible monotone manipulations, and whose edge weights encode attacker cost.

We now establish a structural limit imposed by feature-level manipulation costs. The result identifies a cost floor that bounds achievable robustness independently of model architecture.

Proposition3.1(Costfloor).Let c min = min j , v , v ′ c ( j , v → v ′ ) betheminimumcostamongalladmissiblesingle-featuretransitions.Fixaclassifier f andlet

denotethesetofphishinginstancescorrectlydetectedby f .Ifafraction α > 0 ofinstancesin

admitevasionviaasingletransitionofcost c m i n , then

Inparticular, if α ≥ 1 2 , then median ( MEC ) ≤ c min .Hencethe α -quantileoftheMECdistributioncannotexceed c min withoutmodifyingthefeaturespaceorcostschedule.

Proof. For each

admitting a single-feature evasion ( j , v → v ′ ) of cost c min , one has MEC ( x ) ≤ c min by definition of the infimum. Since these instances constitute at least an α fraction of

, the distributional bound follows directly. The median statement is an immediate consequence of the definition: when α ≥ 1 2 , at least half the probability mass lies at or below c min .

The force of Proposition 3.1 is not in the proof technique—which is elementary—but in the structural invariance it implies. Regardless of how a classifier partitions feature space, any instance that lies within a single cheap transition of a legitimate-classified region is evadable at cost c min . Whether that fraction α is large depends on the interaction between the cost landscape and the classifier’s decision boundary, and the empirical contribution of this work is to show that α is indeed large across all tested architectures.

Corollary3.1(Action-set-limitedinvariance).Fix X = { − 1 , 0 , + 1 } d andamonotonecostfunction c withminimumtransitioncost c min .Let { f 1 , ⋯ , f K } beclassifiersevaluatedonacommonconditioningset

, andsupposethatforeach f k atleastan α > 0 fractionof

admitssingle-transitionevasionatcost c min .Thenforevery k :

Architecturalvariationalonecannotexceedthisbound.Invariancebreakswhenthefeaturerepresentationchanges (removingorhardeningfeatures), whenthecostscheduleismodified (raising c min ), orwhenthefeatureextractorismaderobusttomanipulation (reducingtheattacker’seffectiveactionset).

Proof. Under a common action set and shared conditioning set, Proposition 3.1 applies identically to each f k .

Table 5 reports the empirical fraction α ^ c min per classifier and feature configuration, confirming that the cost floor binds in practice and that the invariance argument is supported individually for each architecture rather than only in aggregate.

Table 5. Empirical mass at the cost floor

, reported per classifier and feature configuration. The architecture-invariance argument of Corollary 3.1 is supported individually across all models.

Table 6 reports held-out classification performance on the full feature set. All models achieve strong discrimination (AUC between 0.979 and 0.995), suggesting reliable deployment under static evaluation. The adversarial analysis below demonstrates that this conclusion does not survive once feature manipulation is permitted.

Table 6. Held-out classification performance (Full feature set, threshold = 0.5).

Table 7 presents the central robustness results. Two regularities dominate across all configurations.

Table 7. Robustness across feature sets and schedules. NoEvasion reports infeasible mass within B max = 18 .

First, robustness is bounded by a low effective cost floor. On the full feature set, all architectures exhibit median MEC = 2 with narrow interquartile ranges and small FRI values. Although single-feature transitions of cost 1 exist, the empirical mass at cost 1 falls below one half, so the median binds at the next effective threshold. The convergence of linear, bagging, and boosting models to the same median MEC confirms the action-set-limited invariance of Corollary 3.1.

Second, successful evasion concentrates sharply on a small feature subset. For the full feature set under the base schedule, RCI₃ exceeds 0.78 across models and reaches 0.96 for logistic regression. Evasion traces collapse onto low-cost, high-influence features rather than dispersing across the representation. The 95% bootstrap confidence intervals (200 resamples) confirm that these patterns are statistically stable: median MEC = [2, 2] for all models, RCI₃ within ±0.03, and FRI within ±0.01 (Table 8).

Table 8. 95% bootstrap confidence intervals (200 resamples, Full/base, 300-instance intersection).

The RA-8 configuration makes the cost-floor mechanism explicit. Despite emphasizing infrastructure features, RA-8 retains SSLfinal_State, a low-cost surface coordinate. Median MEC remains 2, while concentration becomes nearly degenerate ( RCI 3 ≈ 1 , FirstTop 1 ≈ 1 ). The surface-only VA-7b set exhibits the lowest robustness (median MEC = 1, FRI < 0.05).

Cost schedules matter only when they eliminate dominant cheap paths. This occurs in RA-8 under the strict schedule: ensemble models exhibit 17% - 19% infeasible mass, raising FRI to 0.23 - 0.25, while median MEC among evadable instances remains 2. The gain arises from blocked feasibility rather than uniformly higher evasion costs. Logistic regression remains fully evadable in RA-8/strict, indicating alternative low-cost paths in the linear boundary.

Figure 2 displays evasion survival curves. VA-7b collapses immediately ( S ( B ) < 0.05 by B = 2 ). Full and RA-8/base decay to near zero by B = 4 . RA-8/strict exhibits a persistent plateau near 0.18, matching the infeasible mass in Table 7. The strict schedule generates a structural tail rather than shifting the central cost distribution.

Figure 2. Evasion survival curves. RA-8/strict exhibits a persistent plateau corresponding to instances whose dominant low-cost path is blocked. Shaded bands (omitted for clarity) are narrow: 95% bootstrap intervals for S ( 2 ) span ± 0.04 across configurations.

Figure 3 displays first-edit concentration across feature sets. RA-8 concentrates nearly all optimal traces on a single initial edit (SSLfinal_State), while Full distributes first edits across a small but nontrivial subset. Even in the latter case, concentration remains substantial.

Figure 3. First-edit concentration by feature set and schedule. RA-8 exhibits near-total concentration on SSLfinal_State.

Stratification by the bottleneck feature confirms the blocked-path mechanism in RA-8/strict. When SSLfinal_State begins at −1 or 0, low-cost upgrades remain available and evasion succeeds with median MEC between 1 and 2. When SSLfinal_State is already +1, the dominant path is blocked and a persistent infeasible tail appears (Figure 4).

Figure 4. RA-8/strict survival stratified by SSLfinal_State initial value. A persistent infeasible tail appears when the bottleneck feature is already at +1.

Figure 5 compares i.i.d. accuracy with median MEC. All architectures align along a horizontal band at MEC = 2, confirming that higher accuracy does not yield higher median robustness when low-cost transitions remain available.

Figure 5. Accuracy versus median MEC. All architectures converge to the effective cost floor, consistent with Corollary 3.1.

Table 9 compares exact MEC with greedy approximations under query budgets of 50, 100, and 500. Query limitations modestly increase survival, particularly at 50 queries, but the deviation from exact MEC is small and narrows rapidly. In Full/base, the maximum gap at B = 2 is 0.08. Exact MEC thus provides a meaningful upper bound on attacker capability: query-limited adversaries are less efficient but face the same structural cost-floor constraints.

Table 9. Evasion survival S ( B ) under query-limited greedy search versus exact MEC. The greedy attacker is described in Section 2.5.

We evaluate robustness under three classes of cost perturbation to assess whether conclusions depend on the specific magnitudes chosen. First, surface costs are scaled by λ surf ∈ { 1 , 2 , 3 , 4 } . Second, semi-domain and infrastructure costs are scaled independently by λ ∈ { 0.5 , 1 , 2 } . Third, SSLfinal_State is reclassified from surface to semi-domain, and a rank-preserving perturbation multiplies each cost by an independent factor U ~ Uniform [ 0.8 , 1.2 ] over 50 draws.

Table 10 reports results under surface scaling. The median MEC shifts proportionally, confirming linear cost-floor behavior: doubling surface costs increases the median from 2 to 4, while preserving the identity and ordering of the three most-edited features. Even at λ surf = 4 , concentration remains high ( RCI 3 ≥ 0.80 ).

Table 10. Median MEC and concentration under surface cost scaling (Full/base, GBDT).

Table 11 reports extended perturbations. Scaling semi-domain or infrastructure costs does not alter median MEC because surface transitions remain dominant. Reclassifying SSLfinal_State increases median MEC to 3 in RA-8 (where it is the bottleneck) but leaves Full unchanged due to alternative surface paths. Under rank-preserving noise, mean RCI₃ = 0.88 ± 0.02, indicating stability to moderate cost uncertainty.

Table 11. Extended cost sensitivity (Full/base, GBDT unless noted).

The main results use a fixed decision threshold of τ = 0.5 for all models. To verify that robustness conclusions are not conflated with cross-model calibration differences, we re-evaluate median MEC and RCI₃ under thresholds τ ∈ { 0.3 , 0.4 , 0.5 , 0.6 , 0.7 } , redefining

at each threshold. We additionally compare models at a matched operating point where thresholds are adjusted per model to achieve phishing TPR ≈ 0.95.

Table 12 reports results for Full/base across all four models. Median MEC is 2 for τ ∈ { 0.4 , 0.5 , 0.6 , 0.7 } across all models. At τ = 0.3 , conditioning on high-confidence phishing detections shifts the median to 3 for all models, consistent with the cost floor: these instances tend to be farther from the decision boundary, and a single cheap transition is insufficient for a larger fraction of them. At the matched TPR ≈ 0.95 operating point, median MEC remains 2 for all models. RCI₃ is stable across thresholds (range 0.80 - 0.97). These results confirm that the robustness convergence is not an artifact of threshold choice.

Table 12. Median MEC under varying classification thresholds (Full/base). Matched TPR row adjusts each model’s threshold to achieve phishing TPR ≈ 0.95.

These experiments reveal two conditions. In the cost-floor condition, MEC quantiles scale with the cheapest admissible transition and architecture invariance holds. In the path-removal condition, prohibiting dominant transitions induces infeasible mass without shifting the cost distribution among evadable instances. The strict schedule operates in the latter condition for RA-8, producing robustness gains through blocked feasibility.

Across all tested feature sets, cost schedules, and model families, robustness is governed by the cheapest admissible manipulation that remains available. The median MEC follows the effective cost floor across all configurations, rendering Proposition 3.1 empirically tight. When a low-cost transition suffices for a nontrivial fraction of correctly detected instances, architectural complexity does not move the median. This action-set-limited invariance means that linear models, bagging ensembles, and boosting methods converge to the same robustness ceiling.

The implication is a shift in defensive emphasis from model selection to representation design and attacker economics. A feature may be highly predictive under i.i.d. evaluation yet operationally brittle if it is inexpensive to edit. The RA-8 configuration illustrates this: although it prioritizes infrastructure-leaning signals, retaining a single low-cost coordinate (SSLfinal_State) creates a bottleneck through which nearly all optimal evasions pass. Cost schedules improve robustness only when they eliminate dominant cheap paths, producing infeasible mass rather than uniformly higher evasion costs. Meaningful robustness gains require removing or economically disabling low-cost transitions and anchoring detection on signals whose manipulation costs exceed realistic attacker budgets, even at the expense of i.i.d. accuracy.

The sanitization-only threat model constitutes a lower bound. Relaxing monotonicity, by allowing anti-feature injection (adding benign-looking HTML artifacts to boost legitimacy scores) or extractor-level manipulation (crafting raw pages to flip computed features without semantic change [13][17]), enlarges the feasible action set. The cost floor can only decrease or remain unchanged, since every monotone path remains available. Concentration may increase if newly available non-monotone transitions converge on a small set of vulnerable coordinates, or shift to different features if injected anti-features provide cheaper evasion than indicator removal. The infeasible mass observed under the strict schedule would likely shrink or vanish, as non-monotone paths can bypass blocked transitions. Formalizing these effects requires specifying non-monotone cost structures and is left to future work, but the qualitative conclusion is reinforced: the monotone analysis provides a conservative bound on attacker capability.

Limitationsandexternalvalidity. The UCI Phishing Websites benchmark [19] is a standard reference point but is dated: it uses a fixed, hand-engineered vocabulary that omits modern signals, including certificate-transparency logs, visual similarity [9], JavaScript behavioral fingerprints [20], and infrastructure patterns in contemporary kit-based campaigns [10][11]. Quantitative transfer to modern settings requires re-validation on current datasets, mapping contemporary features to a cost schedule via the time-to-effect principle, and verifying whether low-cost transitions continue to dominate MEC.

Several structural conclusions are nevertheless important to the dataset choice. The surface-versus-infrastructure cost asymmetry is an economic regularity: presentation-layer signals are cheaper to manipulate than infrastructure-coupled signals, regardless of the specific feature dictionary [8][18]. Proposition 3.1 is a property of the action set and cost model, not the dataset; it applies whenever a nontrivial fraction of instances admit single-transition evasion at minimal cost. Concentration follows from heterogeneous costs interacting with feature influence, a generic property in discrete domains with uneven manipulation friction.

Our MEC computation assumes unconstrained black-box label access. Table 9 shows that reasonable query budgets reduce attacker efficiency without altering feasibility patterns, but production systems with aggressive rate-limiting can increase observed survival. The cost schedule represents dimensionless operational friction calibrated by the time-to-effect principle rather than direct monetary expenditure; translating to market-level budgets remains an open empirical problem.

Near-perfect held-out accuracy does not imply deployment security when evasion is cheap. Across all model architectures, feature configurations, and cost schedules studied here, robustness is determined by the minimum manipulation cost available to the attacker, not by classifier complexity. Feature economics dominate adversarial robustness under cost-constrained post-deployment manipulation: the central obstacle to robustness is the continued availability of low-cost transitions, and architecture choice cannot compensate for this structural exposure. Effective defense requires either removing cheap-to-edit features from the detection vocabulary or raising their manipulation cost through verifiable infrastructure anchoring—even at some sacrifice in i.i.d. accuracy.

This work was supported by the U.S. Department of Education under grant number P382G240006. The authors thank the anonymous reviewers for their helpful suggestions and careful reading of the manuscript.

Table A1 maps all 30 UCI Phishing Websites features to their cost group assignment under the base schedule, along with the transition costs and a one-line time-to-effect rationale. The assignment is governed by the time-to-effect principle: surface features require at most one day to modify under campaign-operational conditions; semi-domain features require days to weeks; infrastructure features require weeks to months or are effectively infeasible within a typical campaign window. This table is provided to make the cost calibration fully reproducible.

Table A1. Complete feature-to-cost-group mapping for the UCI Phishing Websites dataset (base schedule). Transition costs follow Table 1. The strict schedule sets infrastructure − 1 → 1 and 0 → 1 to ∞ .