
Have you ever clicked a link that looked normal but led you somewhere suspicious? This is not an accident! It is a kind of cyber-attack that relies on obfuscated URLs. These URLs are disguised in such a way that they look harmless but lead to phishing sites, malware, and worse. The links might include spelling tweaks, special characters, or redirection tricks that can easily fool users and traditional security systems. To fight this problem, we have developed a cutting-edge model that not only detects such URLs but also explains how and why it identifies them as obfuscated.
The Problem
Every second, thousands of phishing attempts are launched through obfuscated URLs. They are designed to bypass standard security filters and are difficult to spot. Traditional mechanisms are evolving to deal with them, but they are still a black box. In cybersecurity, it is a huge strength to demonstrate why a URL is flagged rather than just stopping it.
Our Solution: An Explainable TabNet Ensemble Model
The cyber security team at NUST developed a model that brings together deep learning, feature selection, ensemble learning, and explainability. The team collected unique features of the URLs that are like the DNA of each URL. Then, we used the attention mechanism of the TabNet deep learning model to see which features are most important in making decisions. The feature insight from TabNet is fed into an ensemble that makes the final check on the credibility of the URL. TabNet helped us to extract the features and reduce the noise, which speeds up identification and ensures higher accuracy. Finally, explainability through LIME (Local Interpretable Model-agnostic Explanations) confirmed that the right features are being used for the right reason. Analysts can now look at the flagged URLs and understand the reason behind each flag. The complete workflow of the Explainable TabNet Ensemble Model is shown in Figure 1.
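To make the idea of a flag that comes with its reason concrete, here is an added example that is not the team's code or the paper's feature set. It extracts a hypothetical set of lexical URL features, scores them with a constructed stand-in classifier (not TabNet), and ranks features by occlusion against a benign baseline, a simpler model-agnostic attribution than LIME. All names, weights, and URLs are assumptions.

```python
import math
import re
from urllib.parse import parse_qsl, urlsplit

def extract_features(url):
    """Lexical features of a URL (hypothetical set, not the paper's list)."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    values = [v for _, v in parse_qsl(parts.query)]  # values arrive percent-decoded
    return {
        "url_length": len(url),
        "digit_count": sum(c.isdigit() for c in url),
        "special_chars": len(re.findall(r"[^A-Za-z0-9./:]", url)),
        "percent_encoded": len(re.findall(r"%[0-9A-Fa-f]{2}", url)),
        "subdomain_depth": max(len(labels) - 2, 0),
        "punycode_label": int(any(l.startswith("xn--") for l in labels)),
        "embedded_url_param": int(any(re.match(r"https?://", v, re.I) for v in values)),
    }

# Constructed weights standing in for a trained classifier (assumption, not TabNet).
WEIGHTS = {"url_length": 0.01, "digit_count": 0.05, "special_chars": 0.1,
           "percent_encoded": 0.3, "subdomain_depth": 0.4,
           "punycode_label": 1.5, "embedded_url_param": 2.0}
BIAS = -3.0

def score(features):
    """Probability-like score in [0, 1] from the stand-in model."""
    z = BIAS + sum(WEIGHTS[name] * value for name, value in features.items())
    return 1.0 / (1.0 + math.exp(-z))

BASELINE_URL = "https://www.example.com/"  # constructed benign reference

def explain(url):
    """Return (score, features ranked by how much the score drops when each
    one is replaced with its value from the benign baseline)."""
    feats, base = extract_features(url), extract_features(BASELINE_URL)
    full = score(feats)
    deltas = {name: full - score({**feats, name: base[name]}) for name in feats}
    return full, sorted(deltas.items(), key=lambda kv: -abs(kv[1]))

# Constructed sample: encoded characters plus a redirect target in the query.
SAMPLE_URL = ("http://login.accounts.example.test/verify%2Ephp"
              "?next=http%3A%2F%2Fredirect.example.test%2F")

if __name__ == "__main__":
    prob, reasons = explain(SAMPLE_URL)
    print(f"score={prob:.3f}")
    for name, delta in reasons[:3]:
        print(f"  {name}: {delta:+.3f}")
```
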

Why does Explainability matter?
You may be wondering why we take the trouble of making the model explainable. In cybersecurity, organizations don’t want to block a website unless they are sure that it is dangerous. Our model acts as a security guard. It not only identifies the suspicious URLs but also points out the reason. This is the kind of trust that keeps the network safe.
The model has a strong real-world impact. It can be directly incorporated into corporate firewalls, email filters, and browser security extensions. By combining high performance and human understandability, the model empowers teams to act faster and smarter against threats.
In a world where cyber threats evolve with each passing second, defense needs to be not just strong but transparent and smart. Our model is a step in this direction, where AI earns the trust of users by showing the work it does to protect them.
Results
Our proposed model underwent rigorous evaluation and achieved promising results: Accuracy: 97.8%, Precision: 0.978, Recall: 0.976, F1 score: 0.978, Cohen’s Kappa: 0.968, 10-fold cross-validation mean accuracy: 97.27% (±0.004). These metrics demonstrate not only high predictive power but also consistent performance across validation folds and strong statistical reliability. To validate interpretability, we used LIME. LIME confirmed the importance of the key features identified by TabNet’s attention mask mechanism. This reinforces the transparency of our model’s decision logic. The feature contribution through LIME is demonstrated in Figure 2.

The Future
As demonstrated by the results, our Explainable TabNet ensemble model offers a powerful blend of performance, transparency, and efficiency. With nearly 98% accuracy and robust explanations, it provides security teams with the tools to detect and understand obfuscated URLs. This fortifies safe web browsing in a rapidly evolving threat landscape. The work is already fascinating, but moving forward, the model has the potential to become stronger by understanding a wider variety of obfuscation techniques. Adversarial training is another direction that would make the model resilient against obfuscation techniques that evolve to evade detection. Training the model on multilingual phishing patterns is another route of advancement, since the threats go beyond English. A user-friendly dashboard may further help to translate the technical insights into actionable intelligence. Ultimately, we are aiming to create a scalable, ethical and resilient system that adapts to the dynamic nature of evolving threats.
Reference
Naseer, M., Ullah, F., Saeed, S. et al. Explainable TabNet ensemble model for identification of obfuscated URLs with features selection to ensure secure web browsing. Sci Rep 15, 9496 (2025). https://doi.org/10.1038/s41598-025-93286-w
The author is an Assistant Professor at the College of Electrical and Mechanical Engineering, National University of Sciences and Technology (NUST), Islamabad, Pakistan. She can be reached at [email protected].
Research Profile: http://bit.ly/47UtQPU

