A SEMINAR (CS705PC) REPORT

On

“PHISHING ATTACKS DETECTION USING ML”

By

YANAMALA YAMUNA

H.T. No: 20261A0560

Under the Guidance of

Mr. A. RATNA RAJU

(Assistant Professor)

BACHELOR OF TECHNOLOGY

IN

COMPUTER SCIENCE AND ENGINEERING

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

MAHATMA GANDHI INSTITUTE OF TECHNOLOGY

(Affiliated to Jawaharlal Nehru Technology University Hyderabad)

GANDIPET, HYDERABAD-500075, Telangana (INDIA)

 (MGIT)

MAHATMA GANDHI INSTITUTE OF TECHNOLOGY

(Estd. in 1997 by Chaitanya Bharathi Educational Society) (Affiliated to JNTUH, Hyderabad
Accredited by NBA, AICTE, New Delhi) Kokapet (village & gram panchayat), Gandipet,
(Mandal), Ranga Reddy (Dist.), Chaitanya Bharathi P.O, Hyderabad- 500075

CERTIFICATE

This is to certify that the Seminar (CS705PC) entitled “PHISHING ATTACKS DETECTION
USING ML” being submitted by YANAMALA YAMUNA bearing Roll No: 20261A0560 in
partial fulfillment of the requirements for the Award of the Degree of Bachelor of Technology
in Computer Science and Engineering is a record of bonafide work carried out by her.

COORDINATORS HEAD OF DEPARTMENT

Ms. M. Mamatha Dr.C.R.K.Reddy

Professor, Dept. Of CSE
Dr. K. Sreekala

PHISHING ATTACKS DETECTION

Yanamala Yamuna
. Department of Computer Science & Engineering
Mahatma Gandhi Institute of Technology
Hyderabad, India [email protected]


Abstract
Phishing is an online threat where an attacker
impersonates an authentic and trustworthy
organization to obtain sensitive information from a
victim. One example of such is trolling, which has
long been considered a problem. However, recent
advances in phishing detection, such as machine
learning-based methods, have assisted in
combatting these attacks. Therefore, this paper
develops and compares four models for
investigating the efficiency of using machine
learning to detect phishing domains. It also
compares the most accurate model of the four with
existing solutions in the literature. These models
were developed using artificial neural networks
(ANNs), support vector machines (SVMs),
decision trees (DTs), and random forest (RF)
techniques. Moreover, the uniform resource
locator’s (URL’s) UCI phishing domains dataset is
used as a benchmark to evaluate the models. Our
findings show that the model based on the random
forest technique is the most accurate of the other
four techniques and outperforms other solutions in
the literature.
1. Introduction
Phishing is an online crime that tries to trick
unsuspecting users into exposing their sensitive
(and valuable) personal information. This can
include usernames, passwords, financial account
details, login credentials, personal addresses, and
social relationships, which the attacker then uses for
malicious purposes, such as identity theft. Phishing
is usually perpetrated by a hacker disguising
themself as a trustworthy entity, an effect achieved
by combining both social engineering and technical
tricks.
Phishing domains are one type of attack.
These domains obtain sensitive information
without authorization, either through blackmail or
by directing users to a fake website that looks
similar to a real one. Both then request personal
information. Security breaches occur when users
enter their private data into these sites, as the
assailant now has personal information that may be
used to commit identity theft.
Most financial and government institutions
have improved their direct internet offerings to
combat potential security breaches such as phishing
domains. However, as services on the Internet
continue to grow, so has the public’s reliance on
online services. Despite the risks that phishing
attacks pose, online shopping, banking, and bill
payment have all become popular in the United
States and developed European countries.
Successful phishing attempts have had an impact on
global finances, raising the risk for both clients and
businesses and further increasing the need for
protection online. The process of defending
cyberspace against threats such as phishing is
known as cybersecurity. Protecting internet-
connected resources from cyber-attacks is
cybersecurity’s main goal.
Cybersecurity is becoming increasingly
complicated as cyber-attacks become more
complex and more frequent, making it difficult to
recognize, assess, and handle significant risk
events. The Anti-Phishing Working Group
(APWG) discovered more than 51,000 distinct
phishing websites. According to the Rivest–
Shamir–Adleman (RSA) analysis, phishing attacks
cost global enterprises $9 billion in 2016. Over one
million phishing attacks were listed in 2016, a 65%
increase from the previous year [. The frequency of
these attacks erodes consumers’ trust in social
works, such as webpages.
There are various types of web fraud, and
phishing websites are a common entry point for
online social engineering attempts. To start, the
hacker creates a webpage by impersonating a
reputable website. They then send these fishy URLs
to potential victims via spam chats, messages, or
social media sites, hoping that unsuspecting users
will believe it is a real URL. If users enter their
personal information (bank account numbers,
government savings numbers, and so on) at the link
sent by the hacker, that data will be compromised.
There are a lot of strategies to combat
phishing. Artificial intelligence (AI) has had a huge
impact on almost every industry, including
cybersecurity because AI can detect spam,
phishing, spear phishing, and other assaults using
past attacks in the form of datasets.
This paper develops and compares the
effectiveness of machine learning (ML)
classification models in detecting phishing
domains. The goal is to improve detection by using
the most accurate model of the four to predict if a
webpage is a phish or legal. A phished domain is
difficult to analyze and comprehend since it
involves social and technical issues for which there
is no one-size-fits-all analysis. As a result, all
phishing domain causes and features were analyzed
quantitatively and qualitatively to determine where
to focus the model to better decrease the danger
arising from a visit to a phishing website,
particularly regarding consumer trust.
2. Background
Common machine learning classification
techniques have proven efficient in phishing
domain detection, including the following:
2.1. Decision Tree the dataset into two sections: the training set and the
test set. It then randomly selects multiple samples
A decision tree helps individuals make better
from the training set. Next, the researcher uses the
decisions via a tree-like graph or modeling of
decision tree for each sample, which divides each
alternatives and their possible implications, such as
selection into two daughters using best division.
likely outcomes, resource costs, and utility. It is one
Thereafter, users must repeat the last step to vote for
strategy of many to demonstrate an algorithm
each prediction result and select the most voted
completely made up of conditional control
prediction as the final result. The main hyper-
statements. Decision trees are frequently used to
parameters in the random forest are used to either
analyze the underlying relationships in big datasets.
increase the predictive power of the model or to
The decision tree’s goal is to observe a process; by
make the model faster. In this context, a higher
doing this, researchers can utilize its attributes,
number of trees can increase the performance as
allowing it to be assigned to a certain class, as
well as make the predictions more stable, but it also
shown in Figure 1, which shows a training
increases the processing time. The employment of
algorithm that creates the structure of such a
a maximum number of features, in addition to a
decision tree. After its construction, a decision tree
minimum number of leaves, may improve
may be used to assess further samples with variable
algorithm performance.
degrees of success, depending on how well it
Once the training step is completed, the
represents the dataset. The success rate is
model can be applied to a test dataset. This
determined by several aspects, including the size of
procedure allows for the estimation of predictions
the dataset used to create the tree, the class-wise
and then for the comparison of the results against
overlapping of variable observations, the algorithm
the expected values. Figure 2 shows how each tree
used to build the tree, and the usage of extra
is responsible for producing a distinct output after
methods to enhance tree development.
being fed an independent random sample vector.
The random forest is used for its error
generalization technique, and the random forest’s
accuracy improves as the forest grows in size. After
randomly picking the features for the error rate, the
accuracy is entirely dependent on the correlation
between the trees. The random forest’s
characteristics might be created by tracking the
error and correlation between nodes. As a
consequence, the relevance of a variable can be
measured [17].

Figure 1. Decision tree algorithm.

The root node is the starting point of the
decision tree (also known as the parent node). It
represents the full dataset, which is then split into
two or more homogenous groups, also called child
nodes. These eventually lead to the leaf nodes,
which are the tree’s final output, after which no
further splits are possible. Splitting is the process of
separating the root node into sub-nodes based on
the conditions specified. A branch/sub-tree is a tree
that has been created by splitting a larger tree.
Pruning is the removal of unwanted branches.
2.2. Random Forest
Random forest is an ensemble of supervised
learning algorithms for classification and
regression used in predictive modeling and machine
learning techniques. The random forest has
attracted the attention of academics because of its
speed and accuracy in categorization. It gathers the
results and predictions of several decision trees to
choose the best output: the mode of the classes (the
value that appears most often in the decision tree
results) or mean prediction. Random forest splits
Figure 2. A comparison of DT and RF.
2.3. Support Vector Machine
SVM is a supervised learning method based
on statistical learning theory utilized for pattern
identification and regression. Statistical learning
theory can pinpoint the factors needed to
successfully learn specific, easy algorithms; real-
world applications frequently require more
complicated tools and algorithms (such as neural
networks), which are much more difficult to
analyze theoretically. SVMs are the meeting point
of learning theory and practice. They create models
that are both complicated (including a huge class of
neural networks, for example) and simple enough
to be mathematically examined. This is because an
SVM is a linear algorithm in a high-dimensional
space. As shown in Figure 3, SVM predicts labels
by generating a decision boundary, such as a
hyperplane, between two specified classes with a
minimum of one label. The data points and support
vectors are handled by the hyperplane. It takes
advantage of the distance between data points to
categorize each class independently.
Figure 3. Support vector machine.
Previous research has demonstrated that the
hyperplane with the greatest margin of separation
between the two classes offers the highest
generalization performance. The best hyperplane is
found by solving a convex optimization problem
involving the minimization of a quadratic function
under linear inequality constraints. The answer may
be expressed in terms of support vectors, which are
a subset of the training instances. Support vectors
include all the information required to solve a
classification issue since the result will remain the
same even if all other vectors are removed.
2.4. Ensemble Classification Techniques
Building a fair model from a dataset is one of
the main goals of machine learning algorithms.
Learning, or training, is the process of developing
models from data, and the learned model is referred
to as a hypothesis or learner. Ensemble methods
learn algorithms that create a set of classifiers and
then use their predictions to put new data points into
categories.
Ensembles are far more accurate than the
individual classifiers that make them up. Ensemble
methods, also known as committee-based learning
or learning multiple classifier systems, are used to
train numerous hypotheses to solve a problem.
Random forest trees are a common form of
ensemble modeling in which many decision trees
are utilized to predict outcomes. Figure 4 shows a
general ensemble architecture .
An ensemble is made up of numerous
hypotheses or learners that are produced from
training data using a basic learning method. Most
ensemble methods produce homogeneous base
learners or homogeneous ensembles using a single-
based learning algorithm, but some approaches use
multiple learning algorithms to build heterogeneous
ensembles. The ability of ensemble approaches to
enhance weak learners is well established. Below
are three major types of meta-algorithms that are
regularly used in ensemble approaches .
2.4.1. Bagging
Bagging, or bootstrap aggregation, is a
powerful, effective, and simple ensemble method
[24]. The method uses bootstrapping to sample
several copies of a training set. It may be applied
with any form of classification or regression model,
as demonstrated in Figure 4. Bagging works well
with nonlinear models that are unstable.
Figure 4. Ensemble learning (bagging) [25].
2.4.2. Boosting
Boosting is a meta-algorithm that can be
thought of as a method of model averaging. It is the
most popular ensemble approach, as well as one of
the most effective learning concepts. This method
was created for classification, but it can also be
applied to regression. The original boosting
algorithm created a strong learner by combining
three weak learners.
2.4.3. Stacking
Stacking is the process of integrating
numerous classifiers created by various learning
algorithms into a single dataset of feature vector
pairs and their classifications. A set of base-level
classifiers is constructed in the first phase, and a
meta-level classifier is trained in the second phase,
as shown in Figure 5.
Figure 5. Ensemble learning, bagging, and
boosting machine learning techniques .
2.5. Ensemble Classification Techniques
A neural network (NN) is a mathematical
model that mimics the behaviour of biological
neurons and the nervous system. ANNs utilize
technological solutions to imitate the architecture
and functions of the neural system of human brains
[29]. They use neural network topologies to
represent physical systems in this way. McCulloch
and Pitts introduced the ANN theory for the first
time in [30]. ANNs are appropriate for addressing
the mapping issue from one dataset to another when
they have strong nonlinear mapping capabilities
[31]. ANNs can be categorized into two types of
signal transmission modes: feedforward and
feedback neural networks, each of which has a
distinct framework. Feedback neural networks play
a significant role in AI; however, they have only
been used in a few applications due to solid waste
concerns. In the application of biosorption capacity,
several researchers compared the models of
feedforward neural networks such as multilayer
perception ANNs and feedback neural networks,
which found that feedforward neural networks had
lower prediction errors than feedback neural
networks.
In a multilayer feedforward neural network,
neurons in one layer communicate with those in the
next layer through various weighted linkages. There
are three kinds of neuron layers: input, hidden, and
output. The neurons in the input layer receive
external data, such as from sensory receivers; the
neurons in the hidden layer imitate a biological
neural network to transmit that data, and the
neurons in the output layer offer a judgment output.
Although several hidden layers are feasible,
typically, only one hidden layer is employed,
especially with small sample sizes. Neurons only
link between layers, not inside them. In a
feedforward neural network, signals can only go
one direction, from input to output. ANNs have
been extensively employed in numerous activities,
including environmental difficulties and even solid
waste-related issues, due to these simplifications.
Complex systems and correlations in labeled
data are recognized using these models. Deep
neural networks (DNNs) are more complicated
neural networks with hidden layers that conduct
much more complex functions than basic sigmoid
or ReLU activations . The architecture of a deep
learning model is shown in Figure 6.
Figure 6. A deep neural network used for phishing
detection.
3. Related Work
Users, overall, tend to overlook a website’s
URL. This makes them more likely to fall prey to a
phishing domain, which might otherwise be
avoided by determining whether a URL is
authentic. Unfortunately, traditional methods for
detecting phishing attacks have limited accuracy
and can only detect roughly 20% of attempts. ML
techniques for phishing detection produce better
results, but they are time-consuming, even on small
databases, and they are not scalable. Furthermore,
heuristics-based phish detection has a significant
false-positive rate. Previous research on anti-
phishing models has concentrated on strategies to
modify efficiency. Even so, feature reduction and
the use of an ensemble model can improve these
models’ accuracy even further.
For phishing domain detection, machine
learning algorithms are prevalent, and using them
has become a straightforward categorization
problem. The data at hand must have properties
relevant to phishing and legitimate website classes
to build an ML-based detection model. Previous
works have shown that when robust machine-
learning approaches are utilized, detection accuracy
is high. To reduce features, a variety of feature
selection strategies are applied.
To train a machine learning model to predict
phishing attacks versus legal traffic, a batch of data
is given as the input. Dataset visualization becomes
more efficient and intelligible when characteristics
are reduced. The DT, C4.5, k-NN, and SVM
algorithms are the most important classifiers; they
have been utilized in numerous research projects,
and they have detected phishing attacks with the
greatest accuracy and efficiency. According to the
empirical experiment’s findings, manual parameter
adjustment, protracted training periods, and poor
detection accuracy are prevalent problems with
modern deep learning systems.
Despite these benefits, researchers have noted
the limits of their studies. Many pointed out that
ensemble learning techniques have not been applied
and that feature selection and reduction have not
been performed. A range of strategies has been
applied to combat phishing attacks. One paper used
different classifiers, such as naive Bayes and SVM.
Similarly, the authors in utilized random forest to
differentiate phishing attacks from normal
websites.
Subasi et al. reported that their proposed
classifiers were extremely effective at classifying
phishing websites. They reported that random forest
was the most accurate classifier, at 97.26%.
The authors of proposed a paper
concentrating on feature selection in phishing
websites. They sorted the characteristics into six
groups using the UCI dataset, which has more than
11,000 URLs and 30 characteristics. They chose
three groups and decided that these were the best
solutions for detecting phishing attacks accurately.
 Patil et al. suggested three strategies for
detecting phishing websites. The first entailed
assessing various URL attributes; the second
determined the validity of the website by
determining where it was hosted and who managed
it; and the third method determined the authenticity
of the website through visual, appearance-based
analysis. They used ML methodologies and
algorithms to assess the numerous aspects of the
URLs and websites.
Joshi et al. used a binary classifier based on
an RF algorithm and a feature selection algorithm
based on the relief algorithm. They utilized data
from the Mendeley domain as the source for their
feature selection algorithm. They then used the
selected features to train an RF algorithm to predict
phishing attacks.
The work of Ubing et al. employed three
ensemble learning strategies: bagging, boosting,
and stacking. Their dataset had 30 characteristics
and 5126 records in the result column. The data
comes from UCI, which is open to the public. They
integrated their classifiers to achieve the highest
level of accuracy possible from a DT.
The authors of suggested a new method based
on both URLs as inputs and HTML-related data.
After the features were extracted, a stacking
strategy merged the learners. The researchers then
ran tests on a variety of datasets, including 2000
webpages taken from Phishtank (1000 legitimate
and 1000 phishing sites). The second dataset came
from Alexa and contained nearly 50,000 websites.
To improve their accuracy, they used SVMs, NNs,
DT, and RF, which they combined through
stacking. This study obtained a high level of
accuracy using a variety of classifiers.
The authors of looked at how stacking
techniques could be used to identify phishing
websites. The goal of these tests was to enhance
precision metrics using PCA and stacking the most
efficient classifiers. Other classifiers using
proposed features N1 and N2 outperformed
stacking (RF, NN, stowing). The tests were carried
out using datasets from phishing websites. With
11,055 web pages, the dataset had 32 preprocessed
characteristics.
Another strategy is the extra-tree base
classifier utilized by the authors of , who used it to
classify several meta models: AdaBoost, bagging,
rotation forest, and LogitBoost-Extra Tree. The
suggested models outperformed current ML-based
phishing attack detection models, and, as a result,
the authors recommended using meta-algorithms to
create phishing attack detection models.
To improve the detection of phishing
websites, the authors of suggested a phishing
detection model based on a particle swarm
optimization (PSO) algorithm. Their proposed
method used PSO to weigh distinct websites,
resulting in increased accuracy for classifying
abnormal phishing websites. PSO weighting
distinguishes different aspects of a website,
considering how important they are in detecting
phishing from legitimate websites. According to the
findings, their proposed PSO-based component
weighting improved the ML model’s ability to
recognize and monitor both phishing and legitimate
websites individually.
The authors of employed an evolutionary
neuro-fuzzy intelligence system-based resilient
approach with integrated features to identify and
guard against phishing attacks.
The authors of introduced the PhishBench
benchmarking structure, which permits researchers
to evaluate the characteristics of phishing attacks
and fully comprehend different evaluation
circumstances, unified framework specifications,
data, machine learning algorithms, and evaluation
metrics. When the proportion of phishing and
authentic traffic fell from one to 10, the
classification execution was reduced. In terms of
the F1 score, the drop in execution ranged from
5.9% to 42%.
An intelligent phishing website identification
method was proposed by Subasi and Kremic. They
used proprietary machine learning approaches to
differentiate phishing websites. Several classifier
approaches were applied to create a reliable and
intelligent phishing detection system. The
performances of their ML approaches were
evaluated using ROC area, F-measure, and AUC.
With a 97.61% accuracy, Adaboost with SVM
outperformed all other classification approaches.
Alternatively, Mao et al. developed a
learning-based technique for determining page
design comparability, which might be utilized to
identify phishing attack pages. They built a
phishing classifier using dual ML algorithms, a
support vector machine, and a decision tree for
effective page layout aspects. They used genuine
website page testing from phishtank.com and
alexa.com to validate their methodology.
Tyagi et al. employed a dataset from the
University of California at Irvine’s machine
learning repository, which had 2456 unique URLs
and more than 11,000 URLs, with 6157 phishing
and 4898 normal URL. They took 30 characteristics
from the URLs and utilized them to forecast attacks.
They employed DT, RF, gradient boosting,
generalized linear, and PCA as machine learning
techniques.
Chen and Chen employed the SMOTE
approach to increase their model’s detection
coverage. They trained machine learning models
such as bagging, RF, and XGboost. The XGboost
approach, which they proposed, yielded the
maximum accuracy. They utilized the Phishtank
database, which contained over 24,000 phishing
and 4000 legitimate websites.
 Alternatively, Abdelhamid et al. developed a
model content and feature comparison to detect
attacks. They used a PhishTank dataset with
approximately 11,000 samples. They utilized a
technique called enhanced dynamic rule induction,
which they said was the first machine learning and
deep learning algorithm to be used as an anti-
phishing tool. With two major threshold
frequencies and rule strength, this algorithm passed
datasets. Only “strong” characteristics were stored
in the training dataset, and these features became
part of the rule, while others were eliminated.
A study by Jain and Gupta tested two
databases. Their model was more accurate on
Phishtank, which has over 1500 phishing URLs,
followed by Openphish, which has over 600
phishing URLs and 1600 real URLs, as well as 66
valid URLs and 252 legal URLs. They enhanced
phishing detection accuracy using machine learning
methods such as RF, SVM, NN, logistic regression
(LR), and NB. On the client side, they employed a
successful feature extraction approach.
Lakshmi et al. suggested a novel method for
detecting phishing websites by looking for
hyperlinks in the source code of the corresponding
website’s HTML page. The suggested method
employed a feature vector with 30 parameters to
detect malicious online pages. These characteristics
were used to train a supervised DNN model with an
Adam optimizer to distinguish between fraudulent
and legitimate websites. To do so, the model
employed a listwise process. When compared to
other traditional ML algorithms such as SVM,
Adaboost, and AdaRank, the proposed model
outperformed the others, with a 96% accuracy rate.
Table 1 presents the summary of ML
approaches for phishing website detection. The next
table shows that some studies provide highly
efficient results using ML for phishing attack
detection.
Table 1. Comparison table of the latest research
focusing on machine learning phishing detection
techniques.
4. Methodology
Utilizing the UCI dataset, four phishing
detection models were developed using ANN,
SVM, DTs, and RF algorithms. The MinMax
normalization feature was employed as a
preprocessing strategy to improve the models'
accuracy. The proposed models were able to detect
different types of attacks from the UCI dataset.The
following subsections discuss the dataset used and
implemented algorithms; Section 4.1 and Section
4.2, respectfully.
4.1. Dataset Used: UCI Phishing Websites
Standard datasets already exist for the
development of phishing website detection
algorithms. Other studies classified websites to
establish a list of legitimate and phishing sites for
further consideration. This work, on the other hand,
utilizes the freely accessible phishing dataset from
UCI machine learning repository that can be found
in , and was prepared by. This dataset was created
to build machine learning-based phishing website
detection algorithms. It is comprised of extensive
properties that span four distinct categories. They
designed and extracted characteristics from the
following categories: Address Bar, HTML and
JavaScript, Abnormal, and Domain. This study was
performed using a phishing domain dataset with 31
attributes that can either take a binary or ternary
value. This dataset has 11,055 records, and each
record includes 31 characteristics. The
characteristics of the collection are identified by
names, such as URL Length, Submitting to Email,
Shortening Service, Abnormal URL, Having an At
Symbol, and Redirect.
4.2. Implemented Algorithm
To increase accuracy, this paper utilized the
MinMax normalization feature as a preprocessing
step in each proposed model. Normalization is a
useful strategy for improving the accuracy of
machine learning models, and it is required for
some models to work properly. The MinMax
normalization technique in the suggested model
compresses the data to a domain of [0, 1], which
improves the model training input quality (see
Equations (1) and (2)).
X_std = (X − X.min)/(X.max − X.min)
(1)
X_scalar = X_std × (max − min) + min
(2)
To enhance the model performance and
complexities, we used a data normalization
strategy, as shown in Table 2. The algorithm
selects significant aspects from the initial dataset by
determining the prediction outcome, which is
performed by filtering it through 30 features. The
UCI dataset is split 80/20 into training and testing
sets, respectively, by using c5-fold cross-validation,
which presented the best performance in the latest
research. The prediction model is then taught using
machine learning, which employs various learning
models. This is particularly useful for making
predictions, as utilizing many models ensures that
the results are not biased toward a single model. To
account for this, we present the results of all the
models combined and totaled to establish their
maximum accuracies. If most of the models
indicate that a domain is phishing, then the model’s
prediction accuracy confirms that the domain is a
phishing attempt.
Table 2. The performance results before and after
using the normalization technique.
5. Model’s Flowchart
Phishing is a concern to many individuals.
However, existing methods, such as browser
security indicators, cannot detect phishing
websites. Due to the limits of current technology,
users must evaluate whether a URL is phishing or
not on their own. As a result, an automated
technique for phishing website identification
should be explored for increased cyber safety. This
study shows how an implemented feature extraction
approach and a prediction model based on a random
forest classifier help increase the likelihood that a
user will correctly identify a phishing website.
Each of the developed models, as shown
in Figure 7, employs a feature selection technique
to increase its accuracy. The data analysis heat map
picks those that are most crucial in affecting the
forecasted result by filtering the most interesting
features out of the original dataset. As a result,
irrelevant features have no effect on the model’s
efficiency or prediction.
Figure 7. Model’s flowchart.
A summary of models’ flowchart steps
follows:
1. Read the URL’s UCI phishing
websites dataset.
2. Check the data features.
3. Check the proposed data types.
4. Clean missing values from the
data.
5. Split the data into training and
testing sets.
6. Train the model using four
machine-learning techniques: RF, SVM,
DT, and ANN.
7. Evaluate the model’s performance
to estimate the accuracy and calculate the
accuracy results.
8. Select the best model as the final
model.
6. Findings and Analysis
To identify the most accurate machine
learning model for detecting phishing domains, this
paper employed an experimental approach using
four ML techniques: SVM, ANN, RF, and DT.
With a total of 11,055 data instances, the UCI
dataset was utilized for experimentation. Thirty
features were used for evaluating the dataset, and
the 31st feature was used as the output. Table
3 displays the outcomes of the simulation with the
true positive rate (TPR), false positive rate (FPR),
true negative rate (TNR), and false negative rate.
Moreover, a five-fold cross-validation method was
employed for the classification procedure. The 10-
fold cross-validation approach was used to locate a
greater performance accuracy dataset. Cross-
validation is a predictive performance model
evaluation technique used to check a machine-
learning algorithm’s performance in generating
predictions on newer data on which it has not been
trained. The examination of the confusion matrix is
the basis for the classification technique’s result
performance.
Table 3. Evaluation results and parameters used of
the proposed classifiers.
The results are shown in Table 4. The RF
model provided the highest detection accuracy rate
at 97%, followed by DT at 96%, ANNs at 95%, and
SVM at 94%. Figure 8 depicts these results.
Finally, Table 5 compares the RF model to the
state-of-the-art results in the literature.

Figure 8. Proposal evaluation results.
Table 4. Evaluation results in (%).
Table 5. Examining existing phishing domain
detection model.
Table 5 lists other research dealing with
phishing attacks and crucial information about
different machine-learning techniques. Three
solutions based on ensemble learning, including the
bagging, boosting, and stacking methods, were
developed by Ubing et al.They combined their
classifiers to attain a 95.4% accuracy rate in their
results. Lakshmi et al. proposed a new method for
detecting phishing websites by scanning the source
code of the related website’s HTML page for
linkages. They achieved a 96% accuracy rate. The
researchers in suggested three meta-learner models
using ForestPA; the suggested meta-learners are
efficient, according to their experimental data, with
the lowest accuracy at 97.4%. The accuracy values
in this paper vary from 0.95 to 0.97%, except for
Alsariera et al. [71], who got 97.4%, but this model
takes longer to train and implement than RF and DT
classifiers.
7. Conclusions and Future Works
In this work, we investigated the practicality
and the efficiency of using machine learning for
phishing detection. We developed four machine
learning models based on artificial neural networks
(ANNs), support vector machines (SVMs),
decision trees (DTs), and random forest (RF)
techniques. We then selected the most
outperforming model of the fours and compared its
performance with other solutions in the literature.
The overall results show random forest (RF) model
achieved the highest performance and outperforms
other schemes in the literature.
Future work includes examining more
machine learning algorithm techniques for phishing
domains.
XII. REFERENCES
1. F. Salahdine and N. Kaabouch, "Social
Engineering Attacks: A Survey", Future Internet J,
vol. 11, no. 89, pp. 1-17, 2019.
2. R. Mohammad, F. Thabtah and L. McCluskey,
"Intelligent rule-based phishing websites
classification", IET Inf. Secur., pp. 153-160, 2014.
3. F. Salahdine and N. Kaabouch, "Security threats
detection and countermeasures for physical layer in
cognitive radio networks: A survey", Physical
Commun. J., 2020.
4. J. He and Y. Zhu, "Social
engineering/phishing", Encycl. Soc. Netw. Anal.
Min., pp. 1777-1783, 2014.
5. M. Moghimi and A. Varjani, "New rule-based
phishing detection method", Expert Syst. Appl., vol.
53, pp. 231-242, 2016.
6. B. Gupta, N. Arachchilage and K. Psannis,
"Defending against phishing attacks: Taxonomy of
methods current issues and future
directions", Telecommun. Syst., vol. 67, pp. 247-
267, 2018.
7. J. Hong, T. Kim and S. Kim, "Phishing URL
detection with lexical features and blacklisted
domains", Adaptive Auton. Secur. Cyber Syst., pp.
253-267, 2020.
8. Y. Huang, Q. Yang, J. Qin and W. Wen,
"Phishing URL Detection via CNN and Attention-
Based Hierarchical RNN", IEEE Int. Conf. Trust
Security Privacy Comput. Commun., pp. 112-119,
2019.
9. M Moghimi and AY Varjani, "New rule-based
phishing detection method", Expert systems with
applications., vol. 1, no. 53, pp. 231-42, 2016.
10. G. Ramesh, I. Krishnamurthi and K. Kumar,
"An efficacious method for detecting phishing
webpages through target domain
identification", Decision Support Systems, vol. 61,
pp. 12-22, 2014.
11. Y. Suga, "SSL/TLS servers status survey about
enabling forward secrecy", Int. Conf. Network-
Based Information Systems, pp. 501-505, 2014.
12. A. Albarqi, E. Alzaid, F. Ghamdi, S. Asiri and
J. Kar, "Public key infrastructure: A survey", J. Inf.
Secur., vol. 06, no. 01, pp. 31-37, 2015.
13. S. Krishnamurthy and A. Ve, "Information
retrieval models: Trends and techniques", Web
Semant. Textual Vis. Inf. Retr., pp. 17-42, 2017.
14. A. Kharraz, W. Robertson and E. Kirda,
"Surveylance: Automatically detecting online
survey scams", IEEE Symp. Secur. Privacy, pp.
723-739, 2018.

15. Y. Reddy and N. Varma, "Review on

supervised learning techniques", Emerg. Res. Data
Eng. Syst. Comput. Commun. J., pp. 577-587, 2020.
16. C. Bircano and N. Arıca, "A comparison of
activation functions in artificial neural
networks", Signal Proc. Commun. App. Conf, pp.
1-4, 2018.
17 Y. Arjoune, F. Salahdine, Md. Islam, E. Ghribi
and N. Kaabouch, "A novel jamming attacks
detection approach based on machine learning for
wireless communication", Int. Conf. Inf. Netw, pp.
1-6, 2020.

18.F.Salahdine and N,Kaabouch, “Social

Engineering Attacks: A Survey,” Future Internet J,,
11, 89, pp. 1-17, 2022.
19. R. Mohammad, F. Thabtah, and L. McCluskey,
“Intelligent rule-based phishing websites
classification,” IET Inf. Secur., pp. 153–160, 2021.
20. F. Salahdine and N. Kaabouch, “Security
threats, detection, and countermeasures for physical
layer in cognitive radio networks: A survey,”
Physical Commun. J., 2020