KEMBAR78
Phishing Detection via Machine Learning | PDF | Computers
0% found this document useful (0 votes)
36 views3 pages

Phishing Detection via Machine Learning

This document discusses using machine learning algorithms to detect phishing websites. It extracts 10 features from URLs, including presence of IP addresses, sensitive words, URL length, and redirection symbols. It then uses these features to train three machine learning models - Decision Tree, Random Forest, and Support Vector Machine - to classify URLs as legitimate or phishing. The models are evaluated based on accuracy, false positives, and false negatives to determine the best algorithm for phishing detection.

Uploaded by

swetha r
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
36 views3 pages

Phishing Detection via Machine Learning

This document discusses using machine learning algorithms to detect phishing websites. It extracts 10 features from URLs, including presence of IP addresses, sensitive words, URL length, and redirection symbols. It then uses these features to train three machine learning models - Decision Tree, Random Forest, and Support Vector Machine - to classify URLs as legitimate or phishing. The models are evaluated based on accuracy, false positives, and false negatives to determine the best algorithm for phishing detection.

Uploaded by

swetha r
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 3

International Journal of Computer Applications (0975 – 8887)

Volume 181 – No. 23, October 2018

Phishing Website Detection using Machine Learning


Algorithms

Rishikesh Mahajan Irfan Siddavatam


MTECH Information Technology Professor, Dept. Information Technology
K.J. Somaiya College of Engineering, Mumbai - 77 K.J. Somaiya College of Engineering, Mumbai - 77

ABSTRACT decision or prediction on future data. Using this technique,


Phishing attack is a simplest way to obtain sensitive algorithm will analyze various blacklisted and legitimate
information from innocent users. Aim of the phishers is to URLs and their features to accurately detect the phishing
acquire critical information like username, password and bank websites including zero- hour phishing websites.
account details. Cyber security persons are now looking for
trustworthy and steady detection techniques for phishing
2. DATASET
websites detection. This paper deals with machine learning URLs of benign websites were collected from
technology for detection of phishing URLs by extracting and www.alexa.com and The URLs of phishing websites were
analyzing various features of legitimate and phishing URLs. collected from www.phishtank.com. The data set consists of
Decision Tree, random forest and Support vector machine total 36,711 URLs which include 17058 benign URLs and
algorithms are used to detect phishing websites. Aim of the 19653 phishing URLs. Benign URLs are labelled as “0” and
paper is to detect phishing URLs as well as narrow down to phishing URLs are labelled as “1”.
best machine learning algorithm by comparing accuracy rate,
false positive and false negative rate of each algorithm.
3. FEATURE EXTRACTION
We have implemented python program to extract features
Keywords from URL. Below are the features that we have extracted for
Phishing attack, Machine learning detection of phishing URLs.
1) Presence of IP address in URL: If IP address
1. INTRODUCTION present in URL then the feature is set to 1 else set to 0.
Nowadays Phishing becomes a main area of concern for Most of the benign sites do not use IP address as an URL
security researchers because it is not difficult to create the to download a webpage. Use of IP address in URL
fake website which looks so close to legitimate website. indicates that attacker is trying to steal sensitive
Experts can identify fake websites but not all the users can information.
identify the fake website and such users become the victim of
phishing attack. Main aim of the attacker is to steal banks 2) Presence of @ symbol in URL: If @ symbol present
account credentials. In United States businesses, there is a loss in URL then the feature is set to 1 else set to 0. Phishers
of US$2billion per year because their clients become victim to add special symbol @ in the URL leads the browser to
phishing [1]. In 3rd Microsoft Computing Safer Index Report ignore everything preceding the “@” symbol and the real
released in February 2014, it was estimated that the annual address often follows the “@” symbol [4].
worldwide impact of phishing could be as high as $5 billion
[2]. Phishing attacks are becoming successful because lack of 3) Number of dots in Hostname: Phishing URLs have
user awareness. Since phishing attack exploits the weaknesses many dots in URL. For example
found in users, it is very difficult to mitigate them but it is http://shop.fun.amazon.phishing.com, in this URL
very important to enhance phishing detection techniques. phishing.com is an actual domain name, whereas use of
“amazon” word is to trick users to click on it. Average
The general method to detect phishing websites by updating number of dots in benign URLs is 3. If the number of
blacklisted URLs, Internet Protocol (IP) to the antivirus dots in URLs is more than 3 then the feature is set to 1
database which is also known as “blacklist" method. To evade else to 0.
blacklists attackers uses creative techniques to fool users by
modifying the URL to appear legitimate via obfuscation and 4) Prefix or Suffix separated by (-) to domain: If
many other simple techniques including: fast-flux, in which domain name separated by dash (-) symbol then feature
proxies are automatically generated to host the web-page; is set to 1 else to 0. The dash symbol is rarely used in
algorithmic generation of new URLs; etc. Major drawback of legitimate URLs. Phishers add dash symbol (-) to the
this method is that, it cannot detect zero-hour phishing attack. domain name so that users feel that they are dealing with
a legitimate webpage. For example Actual site is
Heuristic based detection which includes characteristics that http://www.onlineamazon.com but phisher can create
are found to exist in phishing attacks in reality and can detect another fake website like http://www.online-amazon.com
zero-hour phishing attack, but the characteristics are not to confuse the innocent users.
guaranteed to always exist in such attacks and false positive
rate in detection is very high [3]. 5) URL redirection: If “//” present in URL path then
feature is set to 1 else to 0. The existence of “//” within
To overcome the drawbacks of blacklist and heuristics based the URL path means that the user will be redirected to
method, many security researchers now focused on machine another website [4].
learning techniques. Machine learning technology consists of
a many algorithms which requires past data to make a 6) HTTPS token in URL: If HTTPS token present in

45
International Journal of Computer Applications (0975 – 8887)
Volume 181 – No. 23, October 2018

URL then the feature is set to 1 else to 0. Phishers may


add the “HTTPS” token to the domain part of a URL in
order to trick users. For example, http://https-www- 4. MACHINE LEARNING ALGORITHM
paypal-it-mpp-home.soft-hair.com [4]. Three machine learning classification model Decision Tree,
Random forest and Support vector machine has been selected
7) Information submission to Email: Phisher might to detect phishing websites.
use “mail()” or “mailto:” functions to redirect the user’s
information to his personal email[4]. If such functions are 4.1 Decision Tree Algorithm [5]
present in the URL then feature is set to 1 else to 0. One of the most widely used algorithm in machine learning
technology. Decision tree algorithm is easy to understand and
8) URL Shortening Services “TinyURL”: TinyURL also easy to implement. Decision tree begins its work by
service allows phisher to hide long phishing URL by choosing best splitter from the available attributes for
making it short. The goal is to redirect user to phishing classification which is considered as a root of the tree.
websites. If the URL is crafted using shortening services Algorithm continues to build tree until it finds the leaf node.
(like bit.ly) then feature is set to 1 else 0 Decision tree creates training model which is used to predict
target value or class in tree representation each internal node
9) Length of Host name: Average length of the benign
of the tree belongs to attribute and each leaf node of the tree
URLs is found to be a 25, If URL’s length is greater than
belongs to class label. In decision tree algorithm, gini index
25 then the feature is set to 1 else to 0
and information gain methods are used to calculate these
10) Presence of sensitive words in URL: Phishing sites nodes.
use sensitive words in its URL so that users feel that they
are dealing with a legitimate webpage. Below are the 4.2 Random Forest Algorithm [6]
words that found in many phishing URLs :- 'confirm', Random forest algorithm is one of the most powerful
'account', 'banking', 'secure', 'ebyisapi', 'webscr', 'signin', algorithms in machine learning technology and it is based on
'mail', 'install', 'toolbar', 'backup', 'paypal', 'password', concept of decision tree algorithm. Random forest algorithm
'username', etc; creates the forest with number of decision trees. High number
of tree gives high detection accuracy.
11) Number of slash in URL: The number of slashes in
benign URLs is found to be a 5; if number of slashes in Creation of trees are based on bootstrap method. In bootstrap
URL is greater than 5 then the feature is set to 1 else to 0. method features and samples of dataset are randomly selected
with replacement to construct single tree. Among randomly
12) Presence of Unicode in URL: Phishers can make a selected features, random forest algorithm will choose best
use of Unicode characters in URL to trick users to click splitter for the classification and like decision tree algorithm;
on it. For example the domain “xn--80ak6aa92e.com” is Random forest algorithm also uses gini index and information
equivalent to "аррӏе.com". Visible URL to user is gain methods to find the best splitter. This process will get
"аррӏе.com" but after clicking on this URL, user will continue until random forest creates n number of trees.
visit to “xn--80ak6aa92e.com” which is a phishing site.
Each tree in forest predicts the target value and then algorithm
13) Age of SSL Certificate: The existence of HTTPS is will calculate the votes for each predicted target. Finally
very important in giving the impression of website random forest algorithm considers high voted predicted target
legitimacy [4]. But minimum age of the SSL certificate of as a final prediction.
benign website is between 1 year to 2 year.
4.3 Support Vector Machine Algorithm [7]
14) URL of Anchor: We have extracted this feature by Support vector machine is another powerful algorithm in
crawling the source code oh the URL. URL of the anchor machine learning technology. In support vector machine
is defined by <a> tag. If the <a> tag has a maximum algorithm each data item is plotted as a point in n-dimensional
number of hyperlinks which are from the other domain space and support vector machine algorithm constructs
then the feature is set to 1 else to 0. separating line for classification of two classes, this separating
line is well known as hyperplane.
15) IFRAME: We have extracted this feature by crawling
the source code of the URL. This tag is used to add Support vector machine seeks for the closest points called as
another web page into existing main webpage. Phishers support vectors and once it finds the closest point it draws a
can make use of the “iframe” tag and make it invisible line connecting to them. Support vector machine then
i.e. without frame borders [4]. Since border of inserted construct separating line which bisects and perpendicular to
webpage is invisible, user seems that the inserted web the connecting line. In order to classify data perfectly the
page is also the part of the main web page and can enter margin should be maximum. Here the margin is a distance
sensitive information. between hyperplane and support vectors. In real scenario it is
not possible to separate complex and non linear data, to solve
16) Website Rank: We extracted the rank of websites and this problem support vector machine uses kernel trick which
compare it with the first One hundred thousand websites transforms lower dimensional space to higher dimensional
of Alexa database. If rank of the website is greater than space.
10,0000 then feature is set to 1 else to 0.

46
International Journal of Computer Applications (0975 – 8887)
Volume 181 – No. 23, October 2018

Result shows that Random forest algorith1m gives better


detection accuracy which is 97.14 with lowest false negative
rate than decision tree and support vector machine algorithms.
Result also shows that detection accuracy of phishing
websites increases as more dataset used as training dataset.
All classifiers perform well when 90% of data used as training
dataset.
Fig. 1 show the detection accuracy of all classifiers when
50%, 70% and 90% of data used as training dataset and graph
clearly shows that detection accuracy increases when 90% of
data used as training dataset and random forest detection
accuracy is maximum than other two classifiers.

6. CONCLUSION
This paper aims to enhance detection method to detect
phishing websites using machine learning technology. We
Fig. 1 Detection accuracy comparison
achieved 97.14% detection accuracy using random forest
5. IMPLEMENTATION AND RESULT algorithm with lowest false positive rate. Also result shows
Scikit-learn tool has been used to import Machine learning that classifiers give better performance when we used more
algorithms. Dataset is divided into training set and testing set data as training data.
in 50:50, 70:30 and 90:10 ratios respectively. Each classifier In future hybrid technology will be implemented to detect
is trained using training set and testing set is used to evaluate phishing websites more accurately, for which random forest
performance of classifiers. Performance of classifiers has been algorithm of machine learning technology and blacklist
evaluated by calculating classifier's accuracy score, false method will be used.
negative rate and false positive rate.
Table 1: Classifier's performance
7. REFERENCES
[1] Gunter Ollmann, “The Phishing Guide Understanding &
Dataset False False Preventing Phishing Attacks”, IBMInternet Security
Accuracy Systems, 2007.
Split Classifiers Negative Positive
Score
ratio Rate Rate
[2] https://resources.infosecinstitute.com/category/enterprise
Decision Tree 96.71 3.69 2.93 /phishing/the-phishing-landscape/phishing-data-attack-
statistics/#gref
Random [3] Mahmoud Khonji, Youssef Iraqi, "Phishing Detection: A
50:50 96.72 3.69 2.91 Literature Survey IEEE, and Andrew Jones, 2013
Forest
Support [4] Mohammad R., Thabtah F. McCluskey L., (2015)
vector 96.40 5.26 2.08 Phishing websites dataset. Available:
machine https://archive.ics.uci.edu/ml/datasets/Phishing+Websites
Accessed January 2016
Decision Tree 96.80 3.43 2.99
[5] http://dataaspirant.com/2017/01/30/how-decision-tree-
algorithm-works/
Random
70:30 96.84 3.35 2.98
Forest [6] http://dataaspirant.com/2017/05/22/random-forest-
Support algorithm-machine-learing/
vector 96.40 5.13 2.17 [7] https://www.kdnuggets.com/2016/07/support-vector-
machine machines-simple-explanation.html

Decision Tree 97.11 3.18 2.66 [8] www.alexa.com


[9] www.phishtank.com
Random
90:10 97.14 3.14 2.61
Forest
Support
vector 96.51 4.73 2.34
machine

IJCATM : www.ijcaonline.org
47

You might also like