Web content filtering is crucial for maintaining network security and regulatory compliance in organizations[ 1, 2 ]. The aim of a web content filtering system is to prevent employees from accessing inappropriate content that violates regulatory requirements or company policies, and by filtering out high-risk content categories, such as pornography and weapons, it helps to avoid legal liability, reduces the risk of legal or ethical issues arising from exposure to unsuitable content, and promotes a professional work environment. Unlike security classification, which detects hosted malware and phishing attacks, content filtering models address a more general problem that is independent of the attack mechanism. In this work, we address the problem of web content categorization.

Traditional approaches to website categorization have relied upon creating and maintaining domain-to-category mappings, which are lists of domains grouped by their manually assigned categories [ 3 ]. A natural extension to list-based URL categorization is to enhance them with signatures created by analysts, that would generalize better than exact string matching. In the case of web content filtering, the most straightforward signaturebased approach is to propagate labels based on domains and subdomains, although more complex rules may be applied [ 4, 5, 6 ]. An example of this kind of label propagation is to maintain a list of known domains with predetermined labels, such as labeling “onlineshop.com” as an e-commerce site and “news-site.com” as a news site. All URLs under these domains inherit the label. For instance, any URL under “online-shop.com” such as “online-shop.com/products/clothing”, “online-shop.com/products/electronics”, and “onlineshop.com/cart” can be labeled as e-commerce. Similarly, any URL under “news-site.com”, such as “news-site.com/politics”, “news-site.com/technology”, and “news-site.com/entertainment” can be labeled as news. In the manuscript, we focus on domain label propagation signatures for acquiring ground truth for the sake of simplicity, but it could be trivially extended to longest prefix matching of the URL for ambiguous websites. To provide comprehensive customer telemetry coverage for organizations, one of the most resource-efective manual methods involves ranking domains by frequency and labeling them in descending order. This approach maximizes coverage by prioritizing the labeling of a single domain. As new websites emerge daily and with over a billion existing websites, maintaining and scaling signature approaches manually for the long tail has become increasingly challenging. This necessitates the integration of machine learning into the classification pipeline[ 7, 8, 9 ]. Figure 1 illustrates the telemetry coverage of a large security vendor, with the space above the bars representing the infrequently seen long tail distribution of domains not already covered by domain labeling and label propagation signatures.

Maintaining domain-to-category mapping lists and extending them with signatures remains critical in the early stages of security pipelines [ 10 ]. These labels serve as initial shortcuts in the filtering pipeline to prevent catastrophic false positives, and provide low latency on more commonly seen websites. Websites like ’stackoverflow.com’ are well-known and need not be evaluated by a model whereas a potential false positive would translate to a negative impact on the productivity of an organization. In this work, we focus our evaluations on the long tail of the distribution, which aligns with actual deployment scenarios and emphasizes the need for machine learning to address the challenges associated with classifying this ever-growing subset of domains.

In addition to acting as a pre-filter, domain-to-category mapping lists and label propagation signatures are often used to create the training sets for machine learning models. However, machine learning algorithms tend to memorize patterns rather than understand underlying concepts [ 11, 12 ], thus learning from already labeled URLs is insuficient for accurate content classification in the long tail of the URL distribution. A model whose parameters are configured to memorize the head of the distribution is undesired as signatures already cover such domains without risking false positives. Therefore, our objective is to identify models with superior generalization capabilities for out-of-distribution samples.

For unknown or new domains, the model must infer a description from the URL. It is useful to view URL classification, especially for web content filtering, as a natural language processing task, considering URLs as semi-sentences. For a fair amount of our categories, the URL will frequently have explicit words to advertise its content, specifically semantically related keywords for the given category. For example, a site selling weapons will often contain keywords such as “armaments” or “glock” or “gun”. The current state-of-the-art in URL detection and our chosen baseline, URLTran [ 9 ], frames URL detection as a natural language processing task and ifne-tunes a pre-trained BERT model [ 13 ] to detect phishing URLs. The BERT model is an early example of the transformer architecture [ 14 ] which has since been refined and scaled, giving rise to large language models. Large language models (LLMs) are state-of-the-art on natural language tasks [ 15 ]. LLMs are first pre-trained on large amounts of unlabeled textual data in a task-agnostic manner, learning a general understanding of language such as syntax and semantics [ 15 ]. Once pre-trained LLMs can efectively generalize to new tasks upon fine-tuning or few-shot prompting with much smaller amounts of data [ 15 ]. The amount of data needed for LLMs to generalize to new tasks is often several orders of magnitude less than the amount of data needed to fully train a smaller model.

Direct use of LLMs for URL content classification in production is prohibitive due to cost considerations at scale [ 16 ]. Fine-tuning smaller LLMs that have lower inference costs results in a loss of performance. Through knowledge distillation [ 17 ], the LLM-labeled long tail data enables a smaller student model to improve its performance while maintaining the necessary computational eficiency for production. Turc et al. [ 18 ] proposed an approach that utilizes knowledge distillation from the teacher’s predictive distribution (soft labels) followed by supervised fine-tuning of the student model. In the domain of web content classification, we combine the steps of distillation and fine-tuning and our computationally eficient student matches the performance of the teacher model. Instead of a predictive distribution, we distill the teacher using hard labels. The student model has a low inference cost and is well-suited for the purposes of web content filtering in production.

The main contributions of this paper are as follows: • We demonstrate that when fine-tuned on data labeled with domain propagation signatures, large language models outperform standard deep learning models by 9% in terms of accuracy on the long tail categorization problem. • We demonstrate that we can fine-tune a large language model using 10000 samples to achieve better performance than the current state-of-the-art approach trained on 10 million samples. • We showcase the efective application of knowledge distillation from a fine-tuned LLM to boost the performance of a smaller, more computationally eficient model, specifically for web content filtering tasks. We attain performance levels comparable to the original LLM using a model that is 175 times smaller, decreasing from 770 million parameters to just 4 million. This reduction in size makes the model more suitable for production and enables practical deployment across various contexts, such as serving as a general pre-filter for all incoming network trafic in firewalls. • We propose a novel validation approach for the community to adopt, which more accurately assesses model performance in realistic scenarios where it works alongside a domain-to-category mapping list of ground truth labels, extended via domain label propagation signatures. In this setting, the model analysis focuses on labeling the long tail, focusing on a more relevant metric.

Our paper is structured as follows: In Section 1 we introduce the research problem and elucidate the motivation behind our proposed approach. In Section 2 we review relevant literature and prior work in the field. In Section 3, we provide a comprehensive description of our methodology, encompassing the dataset and experimental setups. In Section 4 we present our results, which include a comparison of our approach’s performance against the current state-of-the-art, an analysis of the benefits of LLMs in terms of accuracy and sample eficiency, as well as an exploration of deployment challenges and our proposed solution utilizing knowledge distillation for more compact and computationally eficient models. Lastly, In Section 5 we conclude the paper, outlining potential avenues for future research in this domain.

Previous work in this field has primarily focused on security classification rather than content classification and filtering. Since machine learning approaches to security classification can be readily reformulated from binary classification to multi-class classification through modification of the last layer in the neural network, approaches to security classification are relevant to the task of content classification. We will compare and build upon security publications as they are better studied.

Early work on URL-only classification for phishing detection using manually derived feature sets employed both generic features and features meant to detect certain obfuscation techniques such as obfuscation of the host with another domain [ 19 ]. The features were divided into four groups: Page Based, Domain Based, Type Based, and Word Based. The authors focused on manual feature engineering and only applied logistic regression as their classifier. A range of machine learning models, including Random Forests, Logistic Regression, Support Vector Machines, Naive Bayes, and Gradient Boosting, have been applied to detect phishing URLs using manually extracted feature sets [ 7, 20 ]. Feature sets may be entirely lexically derived such as the length of the URL, the number of digits in the primary domain, and the number of special characters in the path [ 21 ]. In addition to lexical features, domain-specific features such as the number of passive DNS changes or the remaining time of the SSL certificate may be incorporated [ 22 ]. Manual features may also be extracted from the retrieved information of lookups (Whois, GSB Reporting, Google Ranking, and Selenium Rendering) [ 23 ].

The manual feature extraction approach is dificult to maintain as adversaries tend to adapt obfuscation methods to avoid detection so models have shifted to a featureless approach based on the raw string as input. Deep learning methods learn and then automatically extract the feature set from the raw URL during training. The use of automatically extracted features does not preclude the inclusion of manual features however as the optimal input combination of manual and automatic features can be optimized with genetic algorithms [ 24, 25 ].

Automatic feature extraction can be done on various levels of granularity starting at the character level. Saxe et al. [ 8 ] encode a URL by replacing each character with its corresponding ID whereby features are extracted from the encoded URL with sequential embedding and convolutional layers. This approach outperformed a baseline which uses a manual feature set. Learning meaningful context-independent representations is dificult when using character-level tokenization as a character token doesn’t carry the same meaning that a word does. More recent approaches like subword-level and word-level tokenization have been developed in natural language processing in order to make it easier for models to maintain semantic meaning in common subwords and learn more meaningful context-independent representations.

The application of word-level tokenization to URL classification was first proposed by Le et al. [ 26 ] who extracted both character-level and word-level features. Each feature set is fed through its own series of sequential embedding and convolutional layers before being fused. Tajaddodianfar et al. [ 27 ] expand on this approach by first training the word embeddings in an unsupervised manner via FastText [28]. The word and character convolutional stems include several convolutional layers in parallel with dilated convolutions allowing the model to adaptively grow in depth and width, extracting N-grams of various lengths. In addition to using both character and word-level feature models, Bu et al.[29] apply a triplet network structure in order to address class imbalances and better learn the similarity between URLs.

In addition, to feature set selection, the choice of model architecture plays a large role in the performance of a URL classification model. Transformers have achieved state-of-the-art results in many natural language processing tasks making them a good candidate for URL classification after fine-tuning or even custom pre-training [ 30, 31, 9, 32, 33 ]. In addition to the URL, a transformer can leverage tokenized features of the HTML [34]. A URL classification system might employ diferent architectures in parallel, fusing the output of models with a convolutional architecture and a transformer architecture [35]. Instead of fusing model outputs, a system may employ an ensemble of diferent architectures including Decision Trees, LSTMs, and transformers for URL classification [36].

Other architectures applied to URL classification include graphical networks [ 37, 38] and GANs [39, 40]. AutoEncoders have proven useful against zero-day attacks [41]. In addition to the URL and HTML sequences, but beyond the scope of this paper, images of the webpage may be incorporated [42, 43]. The task of classification may be reformulated by approaching detection from a reinforcement learning perspective [44] or from the perspective of thwarting an adversarial opponent [ 45, 46 ].

The current state-of-the-art for URL-only classification for phishing detection, URLTran [ 9 ], utilizes the transformer architecture underpinning LLMs. Maneriker et al. fine-tune a pretrained BERT model on Microsoft’s Edge and Internet Explorer production browsing telemetry. Parallel to URLTRan is the Unified Text-to-Text Cybersecurity (UTS) model. Pal et al. [ 47 ] train a multi-task encoder-decoder LLM on cybersecurity data that includes URL phishing detection. Although Pal et al. introduce LLMs to URL phishing detection, they do not explore the few shot capabilities of LLMs in the URL domain nor test the capabilities of LLMs at scale. Compared to URLTran, UTS does not consider a methodology which would allow its large model to be used in production and reports a lower F1 score on a random split compared to URLTran’s evaluation on the industry standard time split. Therefore, URLTran will act as our baseline to which all of our results will be compared.

3.1. Data In this section, we describe our methodology for collecting data and constructing training, validation, and test sets. We also explain our experimental setup and provide a detailed account of how we trained our model.

We obtained our dataset from a large security vendor’s customer telemetry data sourced from its firewall and endpoint products over a period spanning July 1, 2022 to December 23, 2022.

We track 30 categories in our dataset. These categories were defined by a team of expert analysts to be representative of the most common internet content categories as well as the most impactful, which we define as the potential to impact productivity, the degree of liability for the organization, and the degree of associated ethical concerns. The categories include: “Chat”, “Games”, “Shopping”, “Sports”, “News”, “Job Search”, “Search Engines”, “Alcohol”, “Gambling”, “Weapons”, “Porn”, “Banking”, “Business”, “Education”, “Entertainment”, “Food and Dining”, “Government”, “Health and Medicine”, “Motor Vehicles”, “Peer to Peer”, “Real Estate”, “Religion”, “Travel”, “Translators”, “Computer and Internet”, “Hunting and Fishing”, “Marijuana”, “Radio and Audio Hosting”, “Social Networking”, and “Video Hosting”. The majority of websites in our dataset belong to categories such as “Computer and Internet”, “Search Engines”, and “Business”, while niche categories such as “Hunting and Fishing” and “Marijuana” have fewer instances. Figure A5 shows the distribution of categories in our dataset. We define our categorization task as a closed-world problem, meaning every URL belongs to one of the 30 categories. It’s important to note that, due to limitations in the domain-to-category database, we only consider a single category per URL, even though some pages may realistically have multiple category labels.

In this section, we present the key findings and results of our two sets of experiments. We report the results in terms of accuracy, with additional metrics for both experiments provided in the Appendix.

The performance of various models as a function of the log of the training sample counts is displayed in Figure 3. The top-scoring configuration for each model is detailed in Table 2. On the domain and time split, the best performing model, T5 Large, achieves 46.3% accuracy after being fine-tuned on 10,000 samples. GPT-3 Babbage attains 44.4% accuracy after fine-tuning on 10,000 samples. Both LLMs surpass the best baseline configuration, which achieves 38.3% accuracy. BERTiny and eXpose achieve 35.7% and 30.2% accuracy, respectively, when trained on 5 million samples.

On the time split, eXpose achieves 92.8% accuracy when trained on 5 million samples. BERTiny, ifne-tuned on 5 million samples, attains 97.6% accuracy. The best configurations for the baseline, GPT-3 Babbage, and T5 Large achieve 97.1%, 98.14%, and 97.5% accuracy, respectively. Additional metrics for the time split are reported in Table A10, and for the domain and time split in Table A9 for all experiments.

On the domain and time split, the best performance was achieved with T5 on 10,000 training samples, so we selected it as our teacher model. For the domain and time split, we found the best ratio to be 1.0, where every training sample had 10 million previously unlabeled URLs labeled by T5. Training eXpose on all of them increases the accuracy from 31.5% to 45%. Fine-tuning BERTiny on all 10 million LLM labels, compared to the 10 million base training set, improves the accuracy from 37.5% to 46.2%. Finally, fine-tuning URLTran on all 10 million LLM labels, compared to the 10 million base training set, raises the accuracy from 41.6% to 46.8%.

For the traditional time split, the augmentation at a ratio of 0.75 also increased the performance, albeit marginally.

The performance of the students and the baseline trained via knowledge distillation is shown in the augmentation plot of Figure 3 as a function of the LLM label ratio in the training data. The top-scoring distillation configuration for each student model is detailed in Table 2. 4.1. Discussion A comparison of the models’ performance on the two evaluation splits reveals that results on the time split, the traditional validation approach, are overly optimistic. Small models such as BERTiny, trained merely on signature-driven data, exhibit performance comparable to T5 and GPT-3. The disparity in model performance between the domain and time split versus the time split, particularly for small models, underscores that signature-sourced data is repetitive and can be memorized with just a few million parameters. Time split validation measures a model’s ability to match the signature distribution while in a production setting the primary concern within the context of the overall pipeline is a model’s capacity to generalize to new data from the long tail that falls outside the coverage of signatures.

When considering the domain and time split—which aligns more closely with real-world performance on unlabeled data—small models no longer match the performance of LLMs, as seen in Figure 3. Beyond 10,000 samples, LLMs show minimal to no performance gains when scaling up further. Conversely, the performance of small models and the baseline has not yet converged at 5 million training samples. This demonstrates the sample-eficiency of LLMs in the domain of website content categorization.

LLMs outperform student models in terms of performance, but they still fall short of perfection when applied to domain and test splits. This discrepancy can be attributed to two main factors. First, due to dataset limitations, web content classification is framed as a single-label classification problem. Table 3 displays a set of LLM misclassifications on domain and time split, highlighting that a URL could potentially belong to multiple categories. In the first three samples, the analyst opted for the more generic label, while the model choose the more generic labels in the following three samples. Both predicted and true labels could be considered correct in all six cases, suggesting that the true performance is likely better than the metrics indicate because of the single-label limitation. This trade-of between equally correct specific and general labels becomes evident when examining the confusion matrix, displayed in Figure A4 in the Appendix, for a T5 Large model’s performance on the domain and time split. As we can see on the confusion matrix, the LLM tends to generate class labels that are more specific than manual labels.

The second factor occurs when a URL lacks keywords or context related to its category, as demonstrated by the last six entries in Table 3. For the middle two URLs, the model was misled by a prominent keyword in the URL, which was unrelated to its content. The final four URLs contain no apparent signal. Consequently, the large-scale pre-training of LLMs struggles to efectively transfer knowledge to a URL from the long tail. This means that if a URL lacks clear or strong indicators of its category, the LLM may not accurately classify it, leading to misclassifications.

Our results reveal that mixing in the LLM-generated labels significantly enhances the performance of student models BERTiny and eXpose as we can see on Figure 3. Through this simple form of augmentation, we nearly matched the 46.3% accuracy of T5 Large, the best-performing LLM, with a transformer model that has a parameter count several orders of magnitude smaller (0.57% of the teacher) and could reasonably be deployed in-line in production.

In conclusion, our paper contributes to the field of web content classification with the development of lightweight models distilled from fine-tuned LLMs. We have demonstrated that LLMs, when fine-tuned on data labeled with domain propagation signatures, significantly outperform the current state-of-the-art approach on the long tail categorization problem. Our teacherstudent training approach enables the distillation of LLMs into models 175 times smaller without sacrificing accuracy, thus making deployment practical in a wide variety of new contexts. The amount of manual labels required to finetune the teacher LLM is orders of magnitude smaller than what is required for convergence of the current state-of-the-art approach. Furthermore, we have proposed a new validation approach that better measures model performance in more realistic scenarios, which should be adapted by the community to improve generalization capabilities to unseen data.

Expanding beyond web content classification, the cybersecurity field could greatly benefit from proven methods of distilling large language models (LLMs) into more compact versions. This approach is particularly valuable when dealing with large data volumes and expensive training samples, especially when the model is applied to out-of-distribution cases. For addressing web content classification tasks specifically, we suggest future work should focus on augmenting the training data and feature space with HTML and image data, utilizing GPT-4 as a teacher, allowing URLs to have more than one label, and re-working signatures for the assignment of general categories. [28] A. Joulin, E. Grave, P. Bojanowski, M. Douze, H. Jégou, T. Mikolov, Fasttext.zip: Compressing text classification models, arXiv preprint arXiv:1612.03651 (2016). [29] S.-J. Bu, H.-J. Kim, Learning disentangled representation of web address via convolutionalrecurrent triplet network for classifying phishing urls, in: 2021 International Conference on Electronics, Information, and Communication (ICEIC), IEEE, 2021, pp. 1–4. [30] E. M. Rudd, A. Abdallah, Training transformers for information security tasks: A case study on malicious url prediction, arXiv preprint arXiv:2011.03040 (2020). [31] E. M. Rudd, M. S. Rahman, P. Tully, Transformers for end-to-end infosec tasks: A feasibility study, in: Proceedings of the 1st Workshop on Robust Malware Analysis, 2022, pp. 21–31. [32] W. Chang, F. Du, Y. Wang, Research on malicious url detection technology based on bert model, in: 2021 IEEE 9th International Conference on Information, Communication and Networks (ICICN), IEEE, 2021, pp. 340–345. [33] H. Shirazia, K. Haynesb, I. Raya, Towards performance of nlp transformers on url-based phishing detection for mobile devices, Journal of Ubiquitous Systems and Pervasive Networks, Volume 17,No. 1(2022) pp. 35-42 (2022). [34] Q. Hu, H. Zhou, Q. Liu, Phishing website detection based on multi-feature stacking, in: 2021 2nd International Conference on Artificial Intelligence and Computer Engineering (ICAICE), IEEE, 2021, pp. 716–720. [35] C. Wang, Y. Chen, Tcurl: Exploring hybrid transformer and convolutional neural network on phishing url detection, Knowledge-Based Systems (2022) 109955. [36] S. Venugopal, S. Y. Panale, M. Agarwal, R. Kashyap, U. Ananthanagu, Detection of malicious urls through an ensemble of machine learning techniques, in: 2021 IEEE Asia-Pacific Conference on Computer Science and Data Engineering (CSDE), IEEE, 2021, pp. 1–6. [37] S. Ariyadasa, S. Fernando, S. Fernando, Combining long-term recurrent convolutional and graph convolutional networks to detect phishing sites using url and html, IEEE Access 10 (2022) 82355–82375. [38] T. Bilot, G. Geis, B. Hammi, Phishgnn: A phishing website detection framework using graph neural networks, Conference: SECRYPT 2022At: Lisbon (2022). [39] S. A. Kamran, S. Sengupta, A. Tavakkoli, Semi-supervised conditional gan for simultaneous generation and detection of phishing urls: A game theoretic perspective, arXiv preprint arXiv:2108.01852 (2021). [40] J. Geng, S. Li, Z. Liu, Z. Cheng, L. Fan, Efective malicious url detection by using generative adversarial networks, in: International Conference on Web Engineering, Springer, 2022, pp. 341–356. [41] S.-J. Bu, S.-B. Cho, Deep character-level anomaly detection based on a convolutional autoencoder for zero-day phishing url detection, Electronics 10 (2021) 1492. [42] J. Yuan, G. Chen, S. Tian, X. Pei, Malicious url detection based on a parallel neural joint model, IEEE Access 9 (2021) 9464–9472. [43] R. Liu, Y. Lin, X. Yang, S. H. Ng, D. M. Divakaran, J. S. Dong, Inferring phishing intention via webpage appearance and dynamics: A deep vision based approach, in: 30th {USENIX} Security Symposium ({USENIX} Security 21), 2022, p. 1. [44] O. Lavie, A. Shabtai, G. Katz, A transferable and automatic tuning of deep reinforcement learning for cost efective phishing detection, arXiv preprint arXiv:2209.09033 (2022). [45] Z. Peng, Y. He, Z. Sun, J. Ni, B. Niu, X. Deng, Crafting text adversarial examples to attack the

vocab_size 76 filter_size 128 dropout 0.05 learning rate 1e-3 batch size 49160 optimizer Adam maximum training epochs 20 scale_parameter relative_step warmup_init