Feature Selection for Phishing Website Classification
Vanamala Shivani, A.B.Pravallika ,
MuthyamVaishnavi
Department of Electronics and Communication Engineering
Email id:
[email protected]
,vanamalashivani Hyderabad, India
[email protected]
,
[email protected]
Email id:
[email protected]
Sridevi Women’s Engineering College,
Hyderabad, India
Abstract— Phishing is an attempt to obtain confidential
information about a user or an organization. It is an act of
impersonating a credible webpage to lure users to expose
sensitive data, such as username, password and credit card
information. It has cost the online community and various
stakeholders hundreds of millions of dollars. There is a need to
detect and predict phishing, and the machine learning
classification approach is a promising approach to do so.
However, it may take several phases to identify and tune the
effective features from the dataset before the selected classifier
can be trained to identify phishing sites correctly. This paper
presents the performance of phishing webpage detection via two
different machine learning techniques:-XGboost, Logistic
Regression and by using deep learning technique LSTM
Algorithm. The most effective classification performance of two
machine learning algorithms is further rectified. The
observational results have shown that the optimized XGboost
achieves the highest performance among all the techniques.
Keywords— Relevant features; phishing; web threat;
classification; machine learning; deep learning
I. INTRODUCTION
In today’s world, technology has become an integral part of
the twenty-first century. The internet is one of these
technologies, which is growing rapidly every year and plays
an important role in individuals’ lives. It has become a
valuable and a convenient mechanism for supporting public
transactions such as e-banking and e-commerce transactions.
That has led the users to trust it is convenient to provide their
private information to the Internet. As a result, the security
thieves that have started to target this information have
become a major security problem. Phishing websites are
considered to be one of these problems. They are using a
social engineering trick, which can be described as fraudsters
that try to manipulate the user into giving them their personal
information based on exploiting human vulnerabilities rather
than software vulnerabilities. Statistics have shown that the
number of phishing attacks keeps increasing, which presents
a security risk to the user information according to the Anti
Phishing Working Group (APWG) and recorded phishing
attacks by Kaspersky Lab, which stated that it has increased
by 47.48% from all of the phishing attacks that have been
detected during 2016. Recently, there have been several
studies that tried to solve the phishing problem. Some
researchers used the URL and compared it with existing
blacklists that contain lists of malicious websites, which they
have been creating, and there are others that have used the
URL in an opposite manner, namely comparing the URL
with a whitelist of legitimate websites. The latter approach
MR.Mallesh Hatti
Department of Electronics and Communication Engineering
Sridevi Women’s Engineering College,
uses heuristics, which uses a signature database of any
known attacks that match the signature of the heuristic
pattern to decide if it is a phishing website. Additionally,
measuring website traffic using Alexa is another way that has
been implemented by researchers to detect phishing
websites. Moreover, other researchers have used machine
learning techniques. Machine learning is a field of computer
science, which is also a branch of artificial intelligence (AI)
that performs tasks and is capable of learning or acting in an
intelligent way. It has two different types of learning:
supervised learning and unsupervised learning. Supervised
learning is based on training a model by giving it a set of
measured features of data associated with a target label
related to these data, and once the model is trained it can
generate a new target label with unknown data. On the other
hand, unsupervised learning is based on generating new data
without giving any target label in the training process.
II. LITERATURE SURVEY
A.Cantina: AContent-based Approach to Detecting Phishing
Web Sites
Phishing is a significant problem involving fraudulent email
and web sites that trick unsuspecting users into revealing
private information. In this paper, we present the design,
implementation, and evaluation of CANTINA, a novel,
content-based approach to detecting phishing web sites,
based on the TF-IDF information retrieval algorithm. We
also discuss the design and evaluation of several heuristics
we developed to reduce false positives. Our experiments
show that CANTINA is good at detecting phishing sites,
correctly labelling approximately 95% of phishing sites.
B. Techniques for detecting zero day phishing websites
Phishing is a means of obtaining confidential information
through fraudulent web sites that appear to be legitimate.
There are many phishing detection techniques available, but
current practices leave much to be desired. A central problem
is that web browsers rely on a black list of known phishing
sites, but some phishing sites have a lifespan as short as a few
hours. A faster recognition system is needed by the web
browser to identify zero day phishing sites which are new
phishing sites that have not yet been discovered.
This research improves upon techniques used by popular
anti-phishing software and introduces a new method of
detecting fraudulent web pages using cascading style sheets
(CSS). Current phishing detection techniques are examined
and a new detection method is implemented and evaluated
against hundreds of known phishing sites.
C.PhishShield: A Desktop Application to Detect Phishing Webpages
through Heuristic Approach
Phishing is a website forgery with an intention to track and
steal the sensitive information of online users. The attacker
fools the user with social engineering techniques such as
SMS, voice, email, website and malware.
In this paper, we implemented a desktop application called
PhishShield, which concentrates on URL and Website
Content of phishing page. PhishShield takes URL as input and
outputs the status of URL as phishing or legitimate website.
The heuristics used to detect phishing are footer links with
null value, zero links in body of html, copyright content, title
content and website identity. PhishShield is able to detect zero
hour phishing attacks which blacklists unable to detect and it
is faster than visual based assessment techniques that are used
in detecting phishing. The accuracy rate obtained for
PhishShield is 96.57% and covers a wide range of phishing
web sites resulting less false negative and false positive rate.
D.Detecting phishing web sites: A heuristic URL-based
approach
With the growth of Internet, e-commerce plays a vital role in
the society. As a result, phishing, the act of stealing personal
user data used in e-commerce transaction, has been becoming
an emergency problem in modern society. Many techniques
have been proposed to protect online users, e.g. blacklist,
pagerank. However, the numbers of victims have been
increasing due to inefficient protection technique. This is due
to the fact that phishers try to make the URL of phishing sites
look similar to original sites. In this paper, we are interested
in proposing a new approach to detect phishing site by using
the features of URL. Particularly, we derive different
components from URL and compute a metric for each
component. Then, the page ranking will be combined with the
achieved metrics to decide whether the websites are phishing
websites. The proposed phishing detection technique was
evaluated with the dataset of contains 9,661 phishing websites
and 1,000 legitimate websites. The results show that our
proposed technique can detect over 97% phishing websites.
E.A Novel Multi-Layer Heuristic Model for Anti-Phishing
Phishing website detection1 is very important for e-banking
and e-commerce users. Current detection methods for
antiphishing have proved to be well-performed in term of
accuracy, recall rate and F-measure. However, increasingly
complex phishing methods make it more necessary to
optimize the detection scheme by timely recognizing new
features and accurately choosing the optimal feature subset.
To react changing phishing means and resolve feature
updating issues, we propose a novel multi-layer heuristic anti-
phishing model with feature selection algorithms and
heuristic classification algorithms. Five feature selection
algorithms are utilized to pre-process feature sets. Then four
classification algorithms are applied to identify phishing
websites and legitimate websites. Experimental results show
that the proposed model utilizing information gain algorithm
in procedure of feature subset selection and Random Tree
algorithm in heuristic classification achieves 96% accuracy
with less time cost.
F. Web phishing detection using classifier ensemble
This research adapts and develops various methods in
Artificial Intelligent (A.I) field to improve web phishing
detection. Based on the features from Carnegie Mellon
Antiphishing and Network Analysis Tool (CANTINA), we
add, modify or reduce features in case of using to train a
machine learning method. We also add our developed
features called homepage similarity features to the machine.
Moreover, we applied the classifier ensemble concept to the
study. After training with 500 phishing web pages and 500
non-phishing web pages, the experiments on 1,500 pages per
each class showed that our proposed methodology could
boost accuracy up to approximately 30% from traditional
heuristic method's results.
III .METHODOLOGY
The framework in figure 1 represents the module explanation
of the analysis.
Figure 1. Block diagram.
A.Dataset
URLs of benign websites were collected from
www.alexa.com and The URLs of phishing websites were
collected from www.phishtank.com. The data set consists
of total 25,469 URLs which include 12,058 benign URLs
and 13411 phishing URLs. Benign URLs are labelled as
“B” and phishing URLs are labelled as “M”.
B..Data Preprocessing
Data preprocessing consists of cleansing, instance
selection, feature extraction, normalization, transformation,
etc. The results of data preprocessing is that the absolute
training dataset. Data preprocessing may impact how results
of the ultimate processing is interpreted. Data cleaning could
be a step where filling the lost data, smoothing of noise,
recognizing or removing outliers and resolving
incompatibilities is done. Data Integration may be a method
where the addition of certain databases, or data sets is done.
Data transformation is whereby collection and normalization
are performed to measure a particular data. By doing data coefficients are at fitting the underlying data. A logical
reduction we can achieve an overview of the dataset that is understanding of loss function would depend on what we are
very small in size but, which helps to produce the identical trying to optimize. [20]
outcome of the analysis
C. XGBoost
C.Exploratory Data Analysis
A technique in data analysis that provides more than one XGBoost is a refined and customized version of a Gradient
method that is primarily diagrammatic is known as Boosting to provide better performance and speed. The most
Exploratory Data Analysis (EDA) as shown in Figure 3. It important factor behind the success of XGBoost is its
maximizes the perception of a data set, unveil the hidden scalability in all scenarios. The XGBoost runs more than ten
structure, excerpt essential parameters, locates outliers as well times faster than popular solutions on a single machine and
as anomalies and test hidden presumptions. scales to billions of examples in distributed or memory limited
settings. The scalability of XGBoost is due to several
D.Train-test split important algorithmic optimizations. These innovations
The dataset is part into two subsets as testing set and training include a novel tree learning algorithm for handling sparse
set so that the training dataset can be equipped with the data; a theoretically justified weighted quantile sketch
algorithms and then used for detecting the phishing websites procedure enables handling instance weights in approximate
on testing dataset. 30% of the data is reviewed for the testing tree learning. Parallel and distributed computing make learning
set so that the training model will train and learn the data faster which enables quicker model exploration. More
effectively. importantly, XGBoost exploits outof-core computation and
enables data scientists to process hundreds of millions of
examples on a desktop. Finally, it is even more exciting to
IV. MACHINE LEARNING APPROACH
combine these techniques to make an end-to-end system that
Machine learning provides simplified and efficient scales to even larger data with the least amount of cluster
methods for data analysis. It has indicated promising resources. [21]
outcomes in realtime classification problems recently. The
key advantage of machine learning is the ability to create
flexible models for specific tasks like phishing detection. V. MODELING PHISHING URLS WITH
Since phishing is a classification problem, Machine learning RECURRENT NEURAL NETWORKS
models can be used as a powerful tool. Machine learning
A neural network is a bio-inspired machine learning model
models could adapt to changes quickly to identify patterns of
that consists of a set of artificial neurons with connections
fraudulent transactions that help to develop a learning-based
between them. Recurrent Neural Networks (RNN) are a type
identification system. Most of the machine learning models
of neural network that is able to model sequential patterns.
discussed here are classified as supervised machine learning,
The distinctive characteristic of RNNs is that they introduce
This is where an algorithm tries to learn a function that maps
the notion of time to the model, which in turn allows them to
an input to an output based on example input-output pairs. It
process sequential data one element at a time and learn their
infers a function from labeled training data consisting of a set
sequential dependencies [10].
of training examples. We present machine learning methods
that we used in our study.
A. Logistic Regression
Logistic Regression is a classification algorithm used to assign
observations to a discrete set of classes. Unlike linear
regression which outputs continuous number values, Logistic
Regression transforms its output using the logistic sigmoid
function to return a probability value which can then be
mapped to two or more discrete classes. Logistic regression
works well when the relationship in the data is almost linear
despite if there are complex nonlinear relationships between
variables, it has poor performance. Besides, it requires more
statistical assumptions before using other techniques.
B. Gradeint Boosting
Gradient Boosting trains many models incrementally and Figure.2.Recurrent neural network for classifying phishing
sequentially. The main difference between Ada-Boost and URLs based on LSTM units.
Gradient Boosting Algorithm is how algorithms identify the
shortcomings of weak learners like decision trees. While the Each input character is translated by an
Ada-Boost model identifies the shortcomings by using high 128dimension embedding. The translated URL is fed into
weight data points, Gradient Boosting performs the same a LSTM layer as a 150-step sequence. Finally, the
methods by using gradients in the loss function. The loss classification is performed using an output sigmoid
function is a measure indicating how good the models neuron.
 One limitation of general RNNs is that they are XGboost 93.80 93.40 93.42
unable to learn the correlation between elements more than
5 or 10 time steps apart [29]. A model that overcomes this
problem is Long Short Term Memory (LSTM). This
model can bridge elements separated by more than 1,000
time steps without loss of short time lag capabilities [30].
LSTM is an adaptation of RNN. Here, each
neuron is replaced by a memory cell that, in addition to a
conventional neuron representing an internal state, uses
multiplicative units as gates to control the flow of
information. A typical LSTM cell has an input gate that
controls the input of information from the outside, a forget
cell that controls whether to keep or forget the information
in the internal state, and an output gate that allows or Figure.3. Comparision of ML algorithms
prevents the internal state to be seen from the outside.
In this work, we used LSTM units to build a CONCLUSION
model that receives as input a URL as character sequence This paper aims to enhance detection method to detect
and predicts whether or not the URL corresponds to a case phishing websites using machine learning technology. We
of phishing. The architecture is illustrated in Fig. 2. Each achieved 97.14% detection accuracy using random forest
input character is translated by a 128-dimension algorithm with lowest false positive rate. Also result shows
embedding. The translated URL is fed into a LSTM layer that classifiers give better performance when we used more
as a 150-step sequence. Finally, the classification is data as training data. In future hybrid technology will be
performed using an output sigmoid neuron. The network implemented to detect phishing websites more accurately, for
is trained by backpropagation using a crossen tropy loss which random forest algorithm of machine learning
function and dropout in the last layer. technology and blacklist method will be used.

RESULT ACKNOWLEDGMENT
The phishing website detection model has been tested and Special thanks for the guidance to our supervisor professor
trained using many classifiers and ensemble algorithms to Mr.Mallesh Hatti.
analyze and compare the model’s result for best accuracy.
REFERENCES
[1] AO Kaspersky lab. (2017). The Dangers of
Phishing: Help employees avoid the lure of cybercrime.
[Online]
Available:https://go.kaspersky.com/DangersPhishingLandin
g-Page- Soc.html [Oct 30, 2017].
[2] ”Financial threats in 2016: Every Second Phishing
Attack Aims to Steal Your Money” 2017 financial-
threatsin-2016. Feb 22, 2017 [Oct 30, 2017].
Each algorithm will give its evaluated accuracy after all the [3] Y. Zhang, J. I. Hong, and L. F. Cranor, ”Cantina: A
algorithms return its result. each is compared with other Content-based Approach to Detecting Phishing Web Sites,”
algorithms to see which provides the high accuracy percentage New York, NY, USA, 2007, pp. 639-648.
as shown in Table 1. Each algorithm’s accuracy will be [4] M. Blasi, ”Techniques for detecting zero day phishing
depicted in the confusion matrix for greater comprehension. websites.” M.A. thesis, Iowa State University, USA, 2009.
The dataset is also trained using a deep learning algorithm. The [5] R. S. Rao and S. T. Ali, ”PhishShield: A Desktop
final accuracy comparison of algorithms is shown in Figures Application to Detect Phishing Webpages through Heuristic
4. Approach,” Procedia Computer Science, vol. 54, no.
Supplement C, pp. 147-156, 2015.
Table 1.Comparision Table [6] Z. Zhang, Q. He, and B. Wang, ”A Novel Multi-Layer
Classifiers Training Testing Precision Heuristic Model for Anti-Phishing,” New York, NY, USA,
set set accuracy 2017, p. 21:1-21:6.
accuracy accuracy [7]N. Sanglerdsinlapachai and A. Rungsawang, ”Web
Phishing Detection Using Classifier Ensemble,” New York,
Logistic 92.00 92.00 89.00 NY, USA, 2010, pp. 210-215.
Regression [6] R. M. Mohammad, F. Thabtah, and L. McCluskey,
”Predicting phishing websites based on self-structuring