HEURISTIC-PHISH: A Lightweight Feature-Based Framework for Malicious URL Detection

الملخص

Cybersecurity threats from phishing attacks have remained persistent. Currently, three distinct types of detection methods are available, each with several limitations. Phishing websites are commonly detected via URL blacklists, although they generally have very little ability to detect zero-day attacks, high latency in terms of identification, and require significant amounts of training or time before they can be used effectively to prevent phishing attacks. The resulting design (HEURISTIC-PHISH) consists of a set of 13 heuristic algorithms based on the lexical, domain name, and structural characteristics of URL's to identify whether phishing attacks are occurring at specific locations or are coming from valid (non-phishing) locations from a particular URL. With regard to the performance metrics reported in this research study, HEURISTIC-PHISH produced 86.53% accuracy, 98.90% precision, 73.89% recall, F1-score of 0.8459, 0.82% false positive rate (FPR), 15,320/FPS throughput of performance, and 5.4MB of peak RAM consumption from a balanced corpus of 200,000 URLs (100,000 benign, 100,000 malicious), split into training/calibration (120,000), validation (40,000), and test (40,000) sets. The high precision found from the results of this study produces only a few false positives, thus HEURISTIC-PHISH can be considered usable for browser extensions and edge gateway implementations, but the moderate level of recall indicates that HEURISTIC-PHISH must be used in conjunction with other detection methods before it should be used as the final stop in phishing detection. Additionally, the sole use of internal indicators for detecting phishing and the exclusion of external APIs, Deep Packet Inspection, and other methods for identifying fraud indicate that HEURISTIC-PHISH provides good performance for resource-limited, real-time, and air-gapped environments.