Machine-learning phishing webpage detectors (ML-PWD) have been shown to suffer from adversarial manipulations of the HTML code of the input webpage. Nevertheless, the attacks recently proposed have demonstrated limited effectiveness due to their lack of optimizing the usage of the adopted manipulations, and they focus solely on specific elements of the HTML code. In this work, we overcome these limitations by first designing a novel set of fine-grained manipulations which allow to modify the HTML code of the input phishing webpage without compromising its maliciousness and visual appearance, i.e., the manipulations are functionality- and rendering-preserving by design. We then select which manipulations should be applied to bypass the target detector by a query-efficient black-box optimization algorithm. Our experiments show that our attacks are able to raze to the ground the performance of current state-of-the-art ML-PWD using just 30 queries, thus overcoming the weaker attacks developed in previous work, and enabling a much fairer robustness evaluation of ML-PWD.

翻译：机器学习钓鱼网页检测器（ML-PWD）已被证明易受输入网页HTML代码的对抗性篡改攻击。然而，近期提出的攻击因未能优化所采用篡改手段的使用方式且仅聚焦于HTML代码的特定元素，其有效性有限。本研究通过以下方式克服这些局限：首先设计一组新颖的细粒度篡改手段，允许在不损害钓鱼网页恶意性与视觉外观的前提下修改其HTML代码，即这些篡改手段在设计上具备功能保留与渲染保留特性；随后采用查询高效的黑盒优化算法选择应施加的篡改手段以规避目标检测器。实验表明，我们的攻击仅需30次查询即可令当前最先进ML-PWD的性能“夷为平地”，从而超越了先前研究中较弱的攻击方法，并实现了对ML-PWD更为公平的鲁棒性评估。