A Hybrid Ensemble–Instance Learning Framework for Malicious URL Detection Using XGBoost and Adaptive KNN

Abstract

The use of malicious URLs is a constantly evolving and persistent cybersecurity threat, as it is the primary instruments of phishing, ransomware delivery, and account theft. Past studies have been constrained in ensemble and instance-based paradigms in URL threat classification, with ensemble approaches offering high-accuracy global classification and instance-based approaches offering high-quality local boundary detection. This paper presents a meta-learning framework, called Hybrid Ensemble-Instance Learning ( HEIL ) which combines XGBoost and adaptive K-Nearest Neighbors (KNN) in a synergetic way to enhance the performance of both on detecting malicious URLs. The HEIL framework was tested with an augmented sample of 2,134 samples with 27 engineered lexical, host, DNS, network, and temporal attributes. The model obtained an accuracy of 98.94, a prediction latency of 3.2 ms per URL (model inference time alone, not including feature extraction overhead) and a F1-score of 98.87, which are statistically significant higher than standalone XGBoost. The validation tactics such as SHAP interpretability, ablation studies and adversarial robustness testing are thorough and illustrate and affirm the complementary character of global and local paradigms of learning. The HEIL framework shows competitive performance over the baseline approaches to hybrid ensemble-instance models especially in cybersecurity context.