EconPapers    
Economics at your fingertips  

EconPapers Home
About EconPapers

Working Papers
Journal Articles
Books and Chapters
Software Components

Authors

JEL codes
New Economics Papers

Advanced Search


EconPapers FAQ
Archive maintainers FAQ
Cookies at EconPapers

Format for printing

The RePEc blog
The RePEc plagiarism page

 

A Comparative Analysis of SHAP and LIME in Detecting Malicious URLs

Ayush Nair and Fabio Di Troia ()
Additional contact information
Ayush Nair: San Jose State University
Fabio Di Troia: San Jose State University

A chapter in Machine Learning, Deep Learning and AI for Cybersecurity, 2025, pp 291-325 from Springer

Abstract: Abstract Malicious URLs pose significant vulnerabilities, leaving users exposed as they navigate the digital world. To counter this, cybersecurity experts develop machine learning models using complex algorithms to protect users from cybercrime. Machine learning models are often referred to as “black boxes” due to their opaque nature. However, understanding the decision-making processes of these models is crucial. In fact, it is through this understanding that we can build robust protections for users and platforms. This research investigates the structural properties of URLs using machine learning models trained to classify them into five categories, specifically, benign, malware, phishing, defacement, and spam. By leveraging LIME and SHAP analysis, we identify key features that influence the model’s decision-making process for each classification. Through detailed analysis, the study highlights influential factors that impact URL classification, including positive, negative, and interactive effects between features. Benign URLs are characterized by simplicity, often shorter with fewer numeric or special characters, and minimal domain complexity. Malware URLs tend to be longer, with a higher density of numeric characters and complex domain structures, masking their malicious intent. Phishing URLs are detected based on features like short query lengths and minimal domain tokens, designed to resemble trusted sources and deceive users. Defacement URLs show complex domain structures and advanced techniques aimed at webpage tampering. Spam URLs exhibit shorter domains and simple paths, making them ideal for bulk distribution in spam campaigns. These insights provide a deeper understanding of how harmful and benign URLs can be distinguished based on structural attributes. The findings contribute to refining URL classification models and improving their effectiveness in the ever-changing threat landscape.

Date: 2025
References: Add references at CitEc
Citations:

There are no downloads for this item, see the EconPapers FAQ for hints about obtaining it.

Related works:
This item may be available elsewhere in EconPapers: Search for items with the same title.

Export reference: BibTeX RIS (EndNote, ProCite, RefMan) HTML/Text

Persistent link: https://EconPapers.repec.org/RePEc:spr:sprchp:978-3-031-83157-7_11

Ordering information: This item can be ordered from
http://www.springer.com/9783031831577

DOI: 10.1007/978-3-031-83157-7_11

Access Statistics for this chapter

More chapters in Springer Books from Springer
Bibliographic data for series maintained by Sonal Shukla () and Springer Nature Abstracting and Indexing ().

 
Share

RePEc
This site is part of RePEc and all the data displayed here is part of the RePEc data set.

Is your work missing from RePEc? Here is how to contribute.

Questions or problems? Check the EconPapers FAQ or send mail to .

Örebro UniversityEconPapers is hosted by the School of Business at Örebro University.

Page updated 2025-12-11
Handle: RePEc:spr:sprchp:978-3-031-83157-7_11