Phishing websites remain a persistent security threat. Thus far, machine learning approaches appear to have the best potential as defenses. But, there are two main concerns with existing machine learning approaches for phishing detection. The first is the large number of training features used and the lack of validating arguments for these feature choices. The second concern is the type of datasets used in the literature that are inadvertently biased with respect to the features based on the website URL or content. To address these concerns, we put forward the intuition that the domain name of phishing websites is the tell-tale sign of phishing and holds the key to successful phishing detection. Accordingly, we design features that model the relationships, visual as well as statistical, of the domain name to the key elements of a phishing website, which are used to snare the end-users. The main value of our feature design is that, to bypass detection, an attacker will find it very difficult to tamper with the visual content of the phishing website without arousing the suspicion of the end user. Our feature set ensures that there is minimal or no bias with respect to a dataset. Our learning model trains with only seven features and achieves a true positive rate of 98% and a classification accuracy of 97%, on sample dataset. Compared to the state-of-the-art work, our per data instance classification is 4 times faster for legitimate websites and 10 times faster for phishing websites. Importantly, we demonstrate the shortcomings of using features based on URLs as they are likely to be biased towards specific datasets. We show the robustness of our learning algorithm by testing on unknown live phishing URLs and achieve a high detection accuracy of 99.7%.
more »
« less
This content will become publicly available on June 1, 2024
Feature Selections for Phishing URLs Detection Using Combination of Multiple Feature Selection Methods
Cite: Abulfaz Hajizada and Sharmin Jahan. 2023. Feature Selections for Phishing
URLs Detection Using Combination of Multiple Feature Selection Methods.
In 2023 15th International Conference on Machine Learning and Computing
(ICMLC 2023), February 17–20, 2023, Zhuhai, China. ACM, New York, NY,
USA, 7 pages. https://doi.org/10.1145/3587716.3587790
ABSTRACT
In this internet era, we are very prone to fall under phishing attacks
where attackers apply social engineering to persuade and manipulate
the user. The core attack target is to steal users’ sensitive
information or install malicious software to get control over users’
devices. Attackers use different approaches to persuade the user.
However, one of the common approaches is sending a phishing
URL to the user that looks legitimate and difficult to distinguish.
Machine learning is a prominent approach used for phishing URLs
detection. There are already some established machine learning
models available for this purpose. However, the model’s performance
depends on the appropriate selection of features during
model building. In this paper, we combine multiple filter methods
for feature selections in a procedural way that allows us to reduce a
large number of feature list into a reduced number of the feature list.
Then we finally apply the wrapper method to select the features
for building our phishing detection model. The result shows that
combining multiple feature selection methods improves the model’s
detection accuracy. Moreover, since we apply the backward feature
selection method as our wrapper method on the data set with a
reduced number of features, the computational time for backward
feature selection gets faster.
more »
« less
- Award ID(s):
- 2055557
- NSF-PAR ID:
- 10408623
- Date Published:
- Journal Name:
- ACM ICMLC 2023 : ACM--2023 15th International Conference on Machine Learning and Computing (ICMLC 2023)
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
Existing studies have demonstrated that using traditional machine learning techniques, phishing detection simply based on the features of URLs can be very effective. In this paper, we explore the deep learning approach and build four RNN (Recurrent Neural Network) models that only use lexical features of URLs for detecting phishing attacks. We collect 1.5 million URLs as the dataset and show that our RNN models can achieve a higher than 99% detection accuracy without the need of any expert knowledge to manually identify the features. However, it is well known that RNNs and other deep learning techniques are still largely in black boxes. Understanding the internals of deep learning models is important and highly desirable to the improvement and proper application of the models. Therefore, in this work, we further develop several unique visualization techniques to intensively interpret how RNN models work internally in achieving the outstanding phishing detection performance. Especially, we identify and answer six important research questions, showing that our four RNN models (1) are complementary to each other and can be combined into an ensemble model with even better accuracy, (2) can well capture the relevant features that were manually extracted and used in the traditional machine learning approach for phishing detection, and (3) can help identify useful new features to enhance the accuracy of the traditional machine learning approach. Our techniques and experience in this work could be helpful for researchers to effectively apply deep learning techniques in addressing other real-world security or privacy problems.more » « less
-
null (Ed.)Phishing websites trick honest users into believing that they interact with a legitimate website and capture sensitive information, such as user names, passwords, credit card numbers, and other personal information. Machine learning is a promising technique to distinguish between phishing and legitimate websites. However, machine learning approaches are susceptible to adversarial learning attacks where a phishing sample can bypass classifiers. Our experiments on publicly available datasets reveal that the phishing detection mechanisms are vulnerable to adversarial learning attacks. We investigate the robustness of machine learning-based phishing detection in the face of adversarial learning attacks. We propose a practical approach to simulate such attacks by generating adversarial samples through direct feature manipulation. To enhance the sample’s success probability, we describe a clustering approach that guides an attacker to select the best possible phishing samples that can bypass the classifier by appearing as legitimate samples. We define the notion of vulnerability level for each dataset that measures the number of features that can be manipulated and the cost for such manipulation. Further, we clustered phishing samples and showed that some clusters of samples are more likely to exhibit higher vulnerability levels than others. This helps an adversary identify the best candidates of phishing samples to generate adversarial samples at a lower cost. Our finding can be used to refine the dataset and develop better learning models to compensate for the weak samples in the training dataset.more » « less
-
Cyberbullying has become one of the most pressing online risks for adolescents and has raised serious concerns in society. Traditional efforts are primarily devoted to building a single generic classification model for all users to differentiate bullying behaviors from the normal content [6, 3, 1, 2, 4]. Despite its empirical success, these models treat users equally and inevitably ignore the idiosyncrasies of users. Recent studies from psychology and sociology suggest that the occurrence of cyberbullying has a strong connection with the personality of victims and bullies embedded in the user-generated content, and the peer influence from like-minded users. In this paper, we propose a personalized cyberbullying detection framework PI-Bully with peer influence in a collaborative environment to tailor the prediction for each individual. In particular, the personalized classifier of each individual consists of three components: a global model that captures the commonality shared by all users, a personalized model that expresses the idiosyncratic personality of each specific user, and a third component that encodes the peer influence received from like-minded users. Most of the existing methods adopt a two-stage approach: they first apply feature engineering to capture the cyberbullying patterns and then employ machine learning classifiers to detect cyberbullying behaviors. However, building a personalized cyberbullying detection framework that is customized to each individual remains a challenging task, in large part because: (1) Social media data is often sparse, noisy and high-dimensional (2) It is important to capture the commonality shared by all users as well as idiosyncratic aspects of the personality of each individual for automatic cyberbullying detection; (3) In reality, a potential victim of cyberbullying is often influenced by peers and the influences from different users could be quite diverse. Hence, it is imperative to develop a way to encode the diversity of peer influence for cyberbullying detection. To summarize, we study a novel problem of personalized cyberbullying detection with peer influence in a collaborative environment, which is able to jointly model users' common features, unique personalities and peer influence to identify cyberbullying cases.more » « less
-
The high impedance fault (HIF) has random, irregular and unsymmetrical characteristics, making such a fault difficult to detect in distribution grids via conventional relay measurements with relatively low resolution and accuracy. This paper proposes a stochastic HIF monitoring and location scheme using high-resolution time-synchronized data in μ-PMUs for distribution network protection. Specifically, we systematically design a process based on feature selections, semi-supervised learning (SSL), and probabilistic learning for fault detection and location. For example, a wrapper method is proposed to leverage output data in feature selection to avoid overfitting and reduce communication demand. To utilize unlabeled data and quantify uncertainties, an SSL-based method is proposed using the Information Theory for fault detection. For location, a probabilistic analysis is proposed via moving window total least square based on the probability distribution of the fault impedance. For numerical validation, we set up an experiment platform based on the real-time simulator, so that the real-time property of μ-PMU can be examined. Such experiment shows enhanced HIF detection and location, when compared to the traditional methods.more » « less
