{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,4]],"date-time":"2026-05-04T14:05:25Z","timestamp":1777903525976,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":51,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,11,26]],"date-time":"2023-11-26T00:00:00Z","timestamp":1700956800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"European Union Horizon 2020 Research and Innovation Actions","award":["101019206"],"award-info":[{"award-number":["101019206"]}]},{"DOI":"10.13039\/100014810","name":"Fondazione di Sardegna","doi-asserted-by":"publisher","award":["F73C22001320007"],"award-info":[{"award-number":["F73C22001320007"]}],"id":[{"id":"10.13039\/100014810","id-type":"DOI","asserted-by":"publisher"}]},{"name":"European Union NextGenerationEU","award":["PE00000014"],"award-info":[{"award-number":["PE00000014"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,11,30]]},"DOI":"10.1145\/3605764.3623920","type":"proceedings-article","created":{"date-parts":[[2023,11,21]],"date-time":"2023-11-21T12:12:17Z","timestamp":1700568737000},"page":"233-244","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":10,"title":["Raze to the Ground: Query-Efficient Adversarial HTML Attacks on Machine-Learning Phishing Webpage Detectors"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0002-6870-8075","authenticated-orcid":false,"given":"Biagio","family":"Montaruli","sequence":"first","affiliation":[{"name":"SAP Security Research & EURECOM, Mougins, France"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5104-1476","authenticated-orcid":false,"given":"Luca","family":"Demetrio","sequence":"additional","affiliation":[{"name":"University of Genova & Pluribus One, Genova, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1944-2875","authenticated-orcid":false,"given":"Maura","family":"Pintor","sequence":"additional","affiliation":[{"name":"University of Cagliari & Pluribus One, Cagliari, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-1072-4352","authenticated-orcid":false,"given":"Luca","family":"Compagna","sequence":"additional","affiliation":[{"name":"SAP Security Research, Mougins, France"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5957-6213","authenticated-orcid":false,"given":"Davide","family":"Balzarotti","sequence":"additional","affiliation":[{"name":"EURECOM, Biot, France"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7752-509X","authenticated-orcid":false,"given":"Battista","family":"Biggio","sequence":"additional","affiliation":[{"name":"University of Cagliari & Pluribus One, Cagliari, Italy"}]}],"member":"320","published-online":{"date-parts":[[2023,11,26]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417233"},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISI53945.2021.9624751"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/3375708.3380315"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/3564625.3567980"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/3564625.3567980"},{"key":"e_1_3_2_1_6_1","volume-title":"Proc. of USENIX Security Symposium.","author":"Arp Daniel","year":"2022","unstructured":"Daniel Arp, Erwin Quiring, Feargus Pendlebury, Alexander Warnecke, Fabio Pierazzi, Christian Wressnegger, Lorenzo Cavallaro, and Konrad Rieck. 2022. Dos and Don'ts of Machine Learning in Computer Security. In Proc. of USENIX Security Symposium."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICMLANT53170.2021.9690540"},{"key":"e_1_3_2_1_8_1","volume-title":"DeepPhish: Simulating Malicious AI. In 2018 APWG symposium on electronic crime research (eCrime). 1--8.","author":"Bahnsen Alejandro Correa","year":"2018","unstructured":"Alejandro Correa Bahnsen, Ivan Torroledo, Luis David Camacho, and Sergio Villegas. 2018. DeepPhish: Simulating Malicious AI. In 2018 APWG symposium on electronic crime research (eCrime). 1--8."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2022.109037"},{"key":"e_1_3_2_1_10_1","volume-title":"Network and System Security,","author":"Bertholon Beno\u00eet","unstructured":"Beno\u00eet Bertholon, S\u00e9bastien Varrette, and Pascal Bouvry. 2013. JShadObf: A JavaScript Obfuscator Based on Multi-Objective Optimization Algorithms. In Network and System Security, , Javier Lopez, Xinyi Huang, and Ravi Sandhu (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 336--349."},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2018.07.023"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1023\/A:1010933404324"},{"key":"e_1_3_2_1_13_1","volume-title":"Improving black-box adversarial attacks with a transfer-based prior. Advances in neural information processing systems","author":"Cheng Shuyu","year":"2019","unstructured":"Shuyu Cheng, Yinpeng Dong, Tianyu Pang, Hang Su, and Jun Zhu. 2019. Improving black-box adversarial attacks with a transfer-based prior. Advances in neural information processing systems , Vol. 32 (2019)."},{"key":"e_1_3_2_1_14_1","volume-title":"Ting Yu, and Issa Khalil.","author":"Choo Euijin","year":"2022","unstructured":"Euijin Choo, Mohamed Nabeel, Ravindu De Silva, Ting Yu, and Issa Khalil. 2022. A Large Scale Study and Classification of VirusTotal Reports on Phishing and Malware URLs. arXiv preprint arXiv:2205.13155 (2022)."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66402-6_22"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3082330"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/3341105.3373962"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2017.2700270"},{"key":"e_1_3_2_1_19_1","volume-title":"Explaining Transferability of Evasion and Poisoning Attacks. In 28th USENIX Security Symposium (USENIX Security 19)","author":"Demontis Ambra","year":"2019","unstructured":"Ambra Demontis, Marco Melis, Maura Pintor, Matthew Jagielski, Battista Biggio, Alina Oprea, Cristina Nita-Rotaru, and Fabio Roli. 2019. Why Do Adversarial Attacks Transfer? Explaining Transferability of Evasion and Poisoning Attacks. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, CA, 321--338."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3603507"},{"key":"e_1_3_2_1_21_1","volume-title":"Deep Learning","author":"Goodfellow Ian","unstructured":"Ian Goodfellow, Yoshua Bengio, and Aaron Courville. 2016. Deep Learning. MIT Press. http:\/\/www.deeplearningbook.org"},{"key":"e_1_3_2_1_22_1","volume-title":"Darling","author":"Gressel Gilad","year":"2021","unstructured":"Gilad Gressel, Niranjan Hegde, Archana Sreekumar, and Michael C. Darling. 2021. Feature Importance Guided Attack: A Model Agnostic Adversarial Attack. CoRR , Vol. abs\/2106.14815 (2021)."},{"key":"e_1_3_2_1_23_1","volume-title":"Towards Benchmark Datasets for Machine Learning Based Website Phishing Detection: An experimental study. CoRR","author":"Hannousse Abdelhakim","year":"2020","unstructured":"Abdelhakim Hannousse and Salima Yahiouche. 2020. Towards Benchmark Datasets for Machine Learning Based Website Phishing Detection: An experimental study. CoRR , Vol. abs\/2010.12847 (2020)."},{"key":"e_1_3_2_1_24_1","unstructured":"Philippe Le H\u00e9garet Lauren Wood and Jonathan Robie. 2004. Document Object Model (DOM) Level 3 Core Specification. Technical Report. W3C. https:\/\/www.w3.org\/TR\/DOM-Level-3-Core."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11235-017-0414-0"},{"key":"e_1_3_2_1_26_1","first-page":"1","article-title":"The Base16, Base32, and Base64 Data Encodings","volume":"3548","author":"Josefsson Simon","year":"2003","unstructured":"Simon Josefsson. 2003. The Base16, Base32, and Base64 Data Encodings. RFC , Vol. 3548 (2003), 1--13. https:\/\/api.semanticscholar.org\/CorpusID:5739143","journal-title":"RFC"},{"key":"e_1_3_2_1_27_1","volume-title":"Spam and phishing","year":"2022","unstructured":"Kaspersky. 2023. Spam and phishing in 2022. https:\/\/securelist.com\/spam-phishing-scam-report-2022\/108692\/"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1080\/0144929X.2013.875221"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","unstructured":"Bin Liang Miaoqiang Su Wei You Wenchang Shi and Gang Yang. 2016. Cracking Classifiers for Evasion: A Case Study on the Google's Phishing Pages Filter. In Proceedings of the 25th International Conference on World Wide Web (Montr\u00e9al Qu\u00e9bec Canada) (WWW '16). International World Wide Web Conferences Steering Committee Republic and Canton of Geneva CHE 345--356. https:\/\/doi.org\/10.1145\/2872427.2883060","DOI":"10.1145\/2872427.2883060"},{"key":"e_1_3_2_1_30_1","volume-title":"International Conference on Learning Representations (ICLR). https:\/\/openreview.net\/forum?id=rJzIBfZAb","author":"Madry Aleksander","year":"2018","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards Deep Learning Models Resistant to Adversarial Attacks. In International Conference on Learning Representations (ICLR). https:\/\/openreview.net\/forum?id=rJzIBfZAb"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1049\/iet-ifs.2013.0202"},{"key":"e_1_3_2_1_32_1","volume-title":"The Eleventh International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=7oFuxtJtUMH","author":"Mark Niklas M\u00fc","unstructured":"Mark Niklas M\u00fc ller, Franziska Eckert, Marc Fischer, and Martin T. Vechev. 2023. Certified Training: Small Boxes are All You Need. In The Eleventh International Conference on Learning Representations. https:\/\/openreview.net\/forum?id=7oFuxtJtUMH"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISI.2018.8587410"},{"key":"e_1_3_2_1_34_1","volume-title":"PhishTime: Continuous Longitudinal Measurement of the Effectiveness of Anti-phishing Blacklists. In 29th USENIX Security Symposium (USENIX Security 20)","author":"Oest Adam","year":"2020","unstructured":"Adam Oest, Yeganeh Safaei, Penghui Zhang, Brad Wardman, Kevin Tyers, Yan Shoshitaishvili, and Adam Doup\u00e9. 2020. PhishTime: Continuous Longitudinal Measurement of the Effectiveness of Anti-phishing Blacklists. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, 379--396."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"crossref","unstructured":"Alina Oprea and Apostol Vassilev. 2023. Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations (Draft). Technical Report. National Institute of Standards and Technology. https:\/\/doi.org\/10.6028\/NIST.AI.100--2e2023.ipd","DOI":"10.6028\/NIST.AI.100-2e2023.ipd"},{"key":"e_1_3_2_1_36_1","volume-title":"Transferability in machine learning: from phenomena to black-box attacks using adversarial samples. arXiv preprint arXiv:1605.07277","author":"Papernot Nicolas","year":"2016","unstructured":"Nicolas Papernot, Patrick McDaniel, and Ian Goodfellow. 2016. Transferability in machine learning: from phenomena to black-box attacks using adversarial samples. arXiv preprint arXiv:1605.07277 (2016)."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2022.12.019"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/3355369.3355585"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/INFCOM.2010.5462216"},{"key":"e_1_3_2_1_40_1","volume-title":"State of the Phish","year":"2023","unstructured":"ProofPoint. 2023. State of the Phish 2023. https:\/\/www.proofpoint.com\/us\/resources\/threat-reports\/state-of-phish"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/CONECCT50063.2020.9198349"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3447548.3467386"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1002\/int.22510"},{"key":"e_1_3_2_1_44_1","unstructured":"Todd Stansfield. 2023. Q4 2022 Malware and Phishing Report. Technical Report. Vade. https:\/\/www.vadesecure.com\/en\/blog\/q4--2022-phishing-and-malware-report"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.3390\/make3030034"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/3278532.3278569"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2020.107275"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/MALWARE.2012.6461002"},{"key":"e_1_3_2_1_49_1","volume-title":"The Fuzzing Book","author":"Zeller Andreas","unstructured":"Andreas Zeller, Rahul Gopinath, Marcel B\u00f6hme, Gordon Fraser, and Christian Holler. 2023. Mutation-Based Fuzzing. In The Fuzzing Book. CISPA Helmholtz Center for Information Security. https:\/\/www.fuzzingbook.org\/html\/MutationFuzzer.html Retrieved 2023-01-07 14:53:0001:00."},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00126"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.3036801"}],"event":{"name":"CCS '23: ACM SIGSAC Conference on Computer and Communications Security","location":"Copenhagen Denmark","acronym":"CCS '23","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3605764.3623920","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3605764.3623920","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T01:37:18Z","timestamp":1755913038000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3605764.3623920"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,26]]},"references-count":51,"alternative-id":["10.1145\/3605764.3623920","10.1145\/3605764"],"URL":"https:\/\/doi.org\/10.1145\/3605764.3623920","relation":{},"subject":[],"published":{"date-parts":[[2023,11,26]]},"assertion":[{"value":"2023-11-26","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}