Machine-learning phishing webpage detectors (ML-PWD) have been shown to suffer from adversarial manipulations of the HTML code of the input webpage. Nevertheless, the attacks recently proposed have demonstrated limited effectiveness because they do not optimize the usage of the adopted manipulations and focus solely on specific elements of the HTML code. In this work, we overcome these limitations by first designing a novel set of fine-grained manipulations that modify the HTML code of the input phishing webpage without compromising its maliciousness and visual appearance, i.e., the manipulations are functionality- and rendering-preserving by design. We then select which manipulations should be applied to bypass the target detector using a query-efficient black-box optimization algorithm. Our experiments show that our attacks are able to raze to the ground the performance of current state-of-the-art ML-PWD using just 30 queries, thus overcoming the weaker attacks developed in previous work and enabling a much fairer robustness evaluation of ML-PWD.