Intelligent cyber-phishing detection for online

Highlights

• A combined blacklist-based, web content-based and heuristic approaches using multiple algorithms with features to detect fraudulent sites with higher accuracy in real-time.

• The methodology can reduce fraudulent attacks and protect online users.

• The integrated method and four categories of dataset are the core framework from which we extract comprehensive features.

Abstract

Phishing attacks are on the increase, resulting in financial loss and theft of sensitive information to online services and users. Anti-phishing approaches have concentrated on blacklist-based approaches that use manually verified Unified Resource Locators (URLs); or content-based methods that utilise heuristics-based machine learning (ML) classifiers. However, online deception is still on the rise. In this study, we introduce a novel methodology combining blacklist-based, web content-based and heuristic based approaches, using ML algorithms with comprehensive features to allow more accurate phishing attack detection. Extensive evaluation was carried out based on Adaptive neuro-fuzzy inference system (ANFIS), Naïve Bayes (NB), PART, J48, and JRip with features, using evaluation methods (metrics) to measure the proposed method performance. All the classifiers achieved over 99% - 99.33% accuracy. PART attained 99.33% accuracy with 0.006 seconds (secs) speed, which is the best performance. We experimentally demonstrate that the proposed methodology can detect phishing websites with a high accuracy in real-time and generalise well to new phishing attacks. The proposed approach has the best performance compared to related approaches in the field.

Introduction

Cyber phishing attacks have become a growing threat and are amongst the most challenging issues affecting governments, businesses and individuals in the world-wide web. Other major types of cyber-attacks are brute force, social engineering/cyber fraud, distributed denial-of-service attack, Pharming and malware/spyware/ransomware. Initially, we focus on cyber Phishing attacks, which have been evolving rapidly, putting more pressure on the existing detection methods (Xiang et al., 2009:1:3; Xiang et al., 2010:3; Xiang et al., 2011:8:26). Phishing is a form of social engineering in which attackers attempt to fraudulently obtain user's confidential information through communication media that direct users to fake websites claiming to be from known banks or organizations (Jackobson & Mayor, 2007; Xiang et al., 2011). According to the U.S. Federal Bureau of Investigation (USFBI) statistics reported, over $2.7 billion was lost to phishing through businesses and personal email accounts being compromised in 2018 alone (the U.S. FBI Internet Crime Complaint Center (IC3), 2018). This issue is expected to increase with time as online transactions are becoming a life trend. Also, the Anti-Phishing Working Group (APWG) (2018) found that the number of phishing sites detected in July through to September 2019 were 266,387. This was an increase of 46% from 182,465 in the second quarter of 2019 and almost doubled the 138,328 seen in the fourth quarter of 2018 (APWG, 2019). More than 55% of all phishing attacks detected in the second quarter of 2019 used Secure Socket Layer (SSL) encryption on Hypertext Transfer Protocol (HTTP) protected domains to fool victims into thinking HTTPS sites are safe (APWG, 2019).

Several past academic research on anti-phishing detection field has concentrated only on three single methods: blacklist-based approaches (Sahingoz et al., 2019; Chiew et al., 2019a; Rao and Pais, 2018); visual similarities-based (Mao et al., 2017) or content-based approaches (Adebowale et al., 2018) to detect phishing attacks.

In general, most blacklist methods are widely employed in industry due to low false positives, but blacklist alone cannot generalise well to unseen phishing instances (Xiang et al., 2011; Prakash et al., 2010; Sheng et al., 2009). For example, Xiang et al., (2011) reported that blacklist feature-based method alone cannot detect new phishing attacks more accurately because blacklist features are properties of the URL itself (NOT the content of the web page it references). A URL content contains properties of hyperlinks in source code itself, but not content of the webpage it references (Rao and Pais, 2018). There is scarcity of effective features and high false positive rates as a result (Xiang et al., 2011). These challenges require a careful consideration into how effective features can be identified

The aim of this study is to introduce a novel methodology combining blacklist-based features, web content-based and heuristic feature-based approaches, using ML algorithms to allow more accurate phishing attack detection.

Specifically, the objectives of the study are to:

• Identify a large set of data from different sources.

• Extract comprehensive features from the dataset: phishing, suspicious, spoofed web and legitimate sites.

• Model the proposed approach, using ML classification algorithms including ANFIS, NB, PART, J48 and JRip with features.

• Train and test the models utilising feature set.

• Evaluate the methodology performance using multiple evaluation methods.

• Compare the proposed method with the previous works.

Our proposed study contributes a new methodology integrating blacklist-based methods, web content-based and heuristic feature-based approaches, using ML classifiers with features to distinguish phishing attacks. We identified four categories of dataset: phishing sites, suspicious, spoofed webs and legitimate sites from different sources. These enable the identification and extraction of features, which are used to generate models, train and test the models. We experimentally demonstrated that the proposed method can detect phishing attacks more accurately and can generalise well to address new attacks.

The main advantages of the proposed method are: first, the outcome will significantly increase user's confidence in online transactions. Second, the approach could improve the accuracy of anti-phishing detection solutions. Spoofed webs that are difficult to trace could be detected to reduce the increasing phishing threats. Our feature model will be utilised in the implementation of a plugin toolbar that can be used on end-user's computers to keep users secure online.

The disadvantage is that attackers’ techniques evolve constantly (Xiang et al., 2009:1:3; Xiang et al., 2010:3; Xiang et al., 2011:8:26). Therefore, keeping ahead of attackers with regular feature updates is important.

Overall, our method using PART classifier with features from the data: phishing, suspicious and spoofed websites shows the best performance in time taken to build the model. Features are randomly split equally into 300 × 10 training-set and 300 × 10 testing-set. Once the training is complete, we test the model with independent unseen 300 × 10 testing-set, which obtained a significant result for this study, which suggest that our method can generalise well to address new phishing attacks.

The remainder of the paper: Section 2 reviews the existing related work. Section 3 describes the proposed methods, covering data extraction, feature selection and describes the multiple classification algorithms. Section 4 describes the experimental procedures; experiments results and discussions. Experiments based on 4 classifiers and results are also provided. Section 5 provides discussions, comparisons and evaluation. Section 6 concludes the paper, presenting contributions and further work.