Published by : International Journal of Engineering Research & Technology (IJERT)

http://www.ijert.org ISSN: 2278-0181

Vol. 8 Issue 11, November-2019

Detection of URL based Phishing Attacks using

Machine Learning
Ms. Sophiya Shikalgar Dr. S. D. Sawarkar Mrs.Swati Narwane
Department of Computer Engineering Department of Computer Engineering Department of Computer Engineering
Datta Meghe College of Engineering, Datta Meghe College of Engineering, Datta Meghe College of Engineering,
Airoli, Navi Mumbai, INDIA Airoli, Navi Mumbai, INDIA Airoli, Navi Mumbai, INDIA

Abstract—A grift attempt to get sensitive and personal Sometimes these criminals also gather information
information like password, username, and bank details like which can give them direct access to the social media
credit/debit card details by masking as a reliable organization in account their emails. [3]
electronic communication. The phishing website will appear the A lot of software / approaches and algorithms are used
same as the legitimate website and directs the user to a page to enter
personal details of the user on the fake website. Through machine
for phishing detection. These are used at academic and
learning algorithms one can improve the accuracy of the prediction. commercial organisation levels. A phishing URL and
The proposed method predicts the URL based phishing attacks based the parallel page have many features which are
on features and also gives maximum accuracy. This method uses different from the malignant URL. Let us take an
uniform resource locator (URL) features. We identified features that example to hide the original domain name the phishing
phishing site URLs contain. The proposed method employs those attacker can select very long and confusing name of the
features for phishing detection. The proposed system predicts the domain. This is very easily visible. Sometimes they use
URL based phishing attacks with maximum accuracy. We shall talk the IP address instead of using the domain name. On
about various machine learning, the algorithm which can help in the other hand they can also use a shorter domain name
decision making and prediction. We shall use more than one
algorithm to get better accuracy of prediction. Different machine
which will not be relevant to the original legitimate
learning algorithms are used in the proposed system to detect URL website. Apart from the URL based feature of phishing
based phishing attacks. The hybrid algorithm approach by combining detection there are many different features which can
the algorithms will increase accuracy. also be used for the detection of Phishing websites
namely the Domain-Based Features, Page-Based
Keywords— Phishing, legitimate, URL, feature extraction, machine Features and Content-Based Features. [16]
learning, applications, classification, approach, algorithm. In the training phase, we should use the labeled data in
which there are samples such as phish area and
I. INTRODUCTION
legitimate area. If we do this then classification will not
Phishing imitates the characteristics and features of emails
be a problem for detecting the phishing domain. To do
and makes it look the same as the original one. It appears similar
a working detection model it is very crucial to use data
to that of the legitimate source. The user thinks that this email has
set in the training phase. We should use samples whose
come from a genuine company or an organisation. This makes the
classes are known to us, which means the samples
user to forcefully visit the phishing website through the links given
whom we label as phishing should be detected only as
in the phishing email. These phishing websites are made to mock
phishing. Similarly the samples which are labeled as
the appearance of an original organisation website. The phishers
legitimate will be detected as legitimate URL. The
force user to fill up the personal information by giving alarming
dataset to be used for machine learning must actually
messages or validate account messages etc so that they fill up the
consist these features.There so many machine learning
required information which can be used by them to misuse it. They
algorithms and each algorithm has its own working
make the situation such that the user is not left with any other
mechanism which we have already seen in the previous
option but to visit their spoofed website. [8]
chapter. The existing system uses any one of the
Phishing is a cyber crime, the reason behind the phishers doing
suitable machine learning algorithms for the detection
this crime is that it is very easy to do this, it does not cost anything
of phishing URL and predicts its accuracy. The existing
and it effective. The phishing can easily access the email id of any
system has good accuracy but it is still not the best as
person it is very easy to find the email id now a day and you can
phishing attack is a very crucial, we have to find a best
sending an email to anyone is freely available across the world.
solution to eliminate this. In the currently existing
These attakers put very less cost and effort to get valuable data
system, only one machine learning algorithm is used to
quickly and easily. The phishing frauds leads to malware
predict the accuracy, using only one algorithm is not a
infections, loss of data, identity theft etc. The data in which these
good approach to improve the prediction accuracy.
cyber criminals are interested is the crucial information of a user
Each of the algorithms which explain in the earlier
like the password, OTP, credit/ debit card numbers CVV, sensitive
chapter has some disadvantages hence it is not
data related to business, medical data, confidential data etc.
recommended to use one machine learning algorithm to
further improve the accuracy. [10]

IJERTV8IS110269 www.ijert.org 537

(This work is licensed under a Creative Commons Attribution 4.0 International License.)
Published by : International Journal of Engineering Research & Technology (IJERT)
http://www.ijert.org ISSN: 2278-0181
Vol. 8 Issue 11, November-2019

II. METHODOLOGY
In this section we shall learn about the various classifiers used • XGBoost: Recently, the researches have come
in machine learning to predict phishing. We shall also explain our across an algorithm “XGBoost” and its usage
proposed methodology to detect phishing website. In section A we is very useful for machine learning
shall explain various classifiers and methods which can be used to classification. It is very much fast and its
check the phising and legtiminate website. In section B we shall performance is better as it is an execution of a
explain our proposed system. boosted decision tree. This classification
model is used to improve the performance of
A. Machine learning classifiers and methods to detect the phising
the model and also to improve the speed. [21]
website
Detecting and identifying Phishing Websites is really a complex
Once the model is trained it is very important to
and dynamic problem. Machine learning has been widely used in
evaluate the classifier which we shall use and validate
many areas to create automated solutions.The phishing attacks can
its capability. Now in the above section we have seen
be carried out in many ways such as email, website, malware,sms
all the advantages and disadvantages of all the
and voice.In this work, we concentrate on detecting website
available classifier. Hence we propose to use more than
phishing (URL), which is achieved by making use of the Hybrid
one classifier that is we can use a combination of two
Algorithm Approach. Hybrid Algorithm Approach is a mixture of
classifiers to improve the accuracy further of
different classifiers working together which gives good prediction
prediction. We shall evaluate each of the classifiers and
rate and improves the accuracy of the system.
use Naive Bayes and Random forest, by using the
Depending on the application and nature of the dataset used we
combination mentioned in this section we shall
can use any classification algorithms mentioned below. As there
improve the accuracy and make it better. After
are different applications, we can not differentiate which of the
applying the classification the results are generated and
algorithms are superior or not. Each of classifiers have its own
the URLs are classified into phishing and legitimate
way of working and classification. Let us discuss each of them in
URLs. The Phishing URLs are blacklisted in the
details.[5]
database and the legitimate are white list in the
• Naive Bayes Classifier: This classifier can also be
database. [12]
known as a Generative Learning Model. The
classification here is based on Baye’s Theorem, it B. Proposed System
assumes independent predictors. In simple words, this The dataset of phishing and legitimate URL's is given
classifier will assume that the existence of specific to the system which is then pre-processed so that the
features in a class is not related to the existence of any data is in the useable format for analysis. The features
other feature. If there is dependency among the features have around 30 characteristics of phishing websites
of each other or on the presence of other features, all of which is used to differentiate it from legitimate ones.
these will be considered as an independent contribution to Each category has its own characteristics of phishing
the probability of the output. This classification algorithm attributes and values are defined. The specified
is very much useful to large datasets and is very easy to characteristics are extracted for each URL and valid
use. [14] ranges of inputs are identified. These values are then
• Random Forest: This classification algorithm are similar assigned to each phishing website risk. For each input
to ensemble learning method of classification. The the values range from 0 to 10 , while for output range is
regression and other tasks, work by building a group of from 0 to 100. The phishing attributes values are
decision trees at training data level and during the output represented with binary no 0 and 1 which indicates the
of the class, which could be the mode of classification or attribute is present or not.
prediction regression for individual trees. This classifier After this the data is trained we shall apply a relevant
accuracy for decision trees practice of overfitting the machine learning algorithm to the dataset. The machine
training data set.[8][14] learning algorithms are already explained in previous
section. After this we use a hybrid classification in
• Support vector machine (SVM): This is also one of the which we combine two of the classifier namely Naive
classification algorithm which is supervised and is easy to Bayes and Random forest to predict the accuracy of the
use. It can used for both classification and regression detection of the phishing URL, hence we get our
applications, but it is more famous to be used in desired result. This is also called a hybrid approach to
classification applications. In this algorithm each point test the data, in this method we propose to use the
which is a data item is plotted in a dimensional space, this combination of two classifiers, as mentioned above.
space is also known as n dimensional plane, where the ‘n’ We shall then test the data and evaluate the prediction
represents the number of features of the data. The accuracy which shall be more than the existing system.
classification is done based on the differentiation in the We shall now see the different classifiers and discuss
classes, these classes are data set points present in the hybrid combination used for our proposed system.
different planes.

IJERTV8IS110269 www.ijert.org 538

(This work is licensed under a Creative Commons Attribution 4.0 International License.)
Published by : International Journal of Engineering Research & Technology (IJERT)
http://www.ijert.org ISSN: 2278-0181
Vol. 8 Issue 11, November-2019

Fig. 1: Proposed System block diagram

In the training phase, we should use the labeled data in which use one machine learning algorithm to detect the
there are samples such as phish area and legitimate area. If we do phishing website [10]
this then classification will not be a problem for detecting the
phishing domain. To do a working detection model it is very III. SYSTEM OVERVIEW
crucial to use data set in the training phase. We should use System design is used for understanding the
samples whose classes are known to us, which means the samples construction of system. We have explained the flow of
whom we label as phishing should be detected only as phishing. our system and the software used in the system in this
Similarly the samples which are labeled as legitimate will be section.
detected as legitimate URL. The dataset to be used for machine
A. System Flow
learning must actually consist these features.There so many
The Fig. 2 explains the flow chart of the system design,
machine learning algorithms and each algorithm has its own
we shall explain each of the components of
working mechanism which we have already seen in the previous
the flow chart in each section below. To get structured
chapter. The existing system uses any one of the suitable machine
data we do feature generation of the data at the pre-
learning algorithms for the detection of phishing URL and predicts
processing stage. We have used techniques like XG
its accuracy. Each of the algorithms which explain in the earlier
Boost, Naive Bayes,SVM, Meta classifiers and
section has some disadvantages hence it is not recommended to
stacking classifier to detect the phishing and legitimate
websites.

IJERTV8IS110269 www.ijert.org 539

(This work is licensed under a Creative Commons Attribution 4.0 International License.)
Published by : International Journal of Engineering Research & Technology (IJERT)
http://www.ijert.org ISSN: 2278-0181
Vol. 8 Issue 11, November-2019

Fig 2. Flow chart of the system

• Data set: The data of urls is obtained from Phishtank

website,where Phishtank is an anti-phishing site.It
contains 2905 urls which is in unstructured form. Our
main objective is to detect whether the url is phishing or
legitimate based on the features extracted.

Fig 4. Structured Data

Table 1: URL Features

Sr. No Feature name Description

Fig 3. Unstructured Data Whether domain is in the

In Preprocessing we have done feature extraction where 1 IP address
form of an IP address
The URLs are transmitted to the feature extractor, which
extracts feature values through the predefined URL-based 2 Length of URL Length of URL
features.The features have assigned binary values 0 and 1
which indicates that feature is present or not as shown in Whether URL has ‗@‘,
3 Suspicious character
figure below. The extracted feature values are stored as ‗//‘
input and passed to the classifiers.
A structured dataset is given to the classifiers. We use 4 Prefix and suffix Whether URL has ‗-‘
four methods classification namely: XG Boost, SVM,
5 Length of subdomain Length of subdomain
Naive Bayes and stacking classifier for detection of url as
phishing or legitimate. Now the classifier will find 6 Number of ‘/’ Number of ‘/’ in URL
whether a requested site is a phishing site. When there is
a page request , the URL of the requested site is radiated 7 HTTPS protocol Whether URL use https.
to the feature extractor. It extracts the feature values
through the predefined URL-based features. These 8
Phishing words in Whether url has phishing
feature values are act as a input for the classifier. After URL terms
this we will come to know if the site is phishing or not
9 Number of ‘.’ Number of dots ’.’ in url

• URL Features: Refering Table 1. above,

Features 1 to 4 are associated with suspicious
URL patterns and characters. Characters such

IJERTV8IS110269 www.ijert.org 540

(This work is licensed under a Creative Commons Attribution 4.0 International License.)
Published by : International Journal of Engineering Research & Technology (IJERT)
http://www.ijert.org ISSN: 2278-0181
Vol. 8 Issue 11, November-2019

as ‗@‘ and ‗//‘ rarely appear in a URL. Feature 5 is used are XG Boost,SVM,Naive Bayes and
known for recognising newly created phishing sites with Stacking,where stacking uses XG Boost and
the proposed methodology. Currently, to prevent a user SVM as its base classifier and Random Forest
from identifying that a site is not legitimate, phishing as its meta classifier.
sites typically hide the primary domain; the URLs of 5. Then classifier detects the given url based on
these phishing sites have unusually long subdomains. the training data that is if the site is phishing it
Feature 8 is another new feature that reflects current shows a pop-up and if legitimate it opens that
phishing trends. This feature includes seven words that page in browser.
are predefined as phishing terms. The seven phishing 6. We compare the accuracy of different
terms are secure,websrc, ebaysapi, signin, banking, classifiers and found XG Boost and Stacking
confirm, login.Thus, through experiments, we identified are the best classifiers which gives the
seven new phishing terms and we employ them in our maximum accuracy.
phishing detection technique. We have already discussed 7. Below are the screen shots for the
the different classifiers in the above sections. implementation process.
We have the test screen:
IV. IMPLEMENTATION

This section provides knowledge about the implementation

environment and throws light on the actual steps for the
implementation of dataset to get better accuracy to predict
phishing by using different classifiers combination.

A. Hardware requirements
The following hardware was used for the implementationof the
system:

• 4 GB RAM
• 10GB HDD
• Intel 1.66 GHz Processor Pentium 4 Fig. 5: Testing Screen
We will now test the legitimate website by entering the
B. Software requirements URL on the test screen
The following software was used for the implementationof the
system:

• Windows 7
• Python 3.6.0
• Visual Studio Code

C. Implementation steps
In this section we shall discuss about the actual steps which
were implemented while doing the m experiment. We shall
explain the stepwise procedure used to analyse the data and to
predict the phising . The system consists of the following main
Fig 6. Testing the legitimate site
steps, We have used unstructured data which consists only
urls.There are 2905 urls obtained from Phishtank website
which consists of both phishing and legitimate url where most
of urls obtained are phishing.
1. We have collected unstructured data of urls from
Phishtank website.
2. In preprocessing ,feature generation is done where nine
features are generated from unstructured data. These
features are length of url,url has http,url has suspicious
character,prefix/suffix,number. of dots,number of
slash,url has phishing term,length of subdomain,url
contains ip address.
3. After this a structured dataset is created in which each
feature contains binary value(0,1) which is then passed to
the different classifiers. Fig 7. The legitimate site opens up
4. Next we train the four different classifiers and compare
their performance on the basis of accuracy four classifiers

IJERTV8IS110269 www.ijert.org 541

(This work is licensed under a Creative Commons Attribution 4.0 International License.)
Published by : International Journal of Engineering Research & Technology (IJERT)
http://www.ijert.org ISSN: 2278-0181
Vol. 8 Issue 11, November-2019

We will now test the phishing website.

Fig 12. Classification of the stacking classifier

Fig 8. Testing for the phishing site

We have used similar steps and got ROC curves for
XGBoost, SVM and Naive Bayes classifier. See the
below screenshots for the same.

Fig 9. The phishing site

We do this testing by using 4 different techniques of classification.
We shall show the screenshot of stacking classfier of all stages and
ROC curve for the other 3 methods

Fig 13. ROC curve for SVM

Fig 10. Confusion matrix of stacking classifier

Fig 14. ROC curve for Naive Bayes

V. OBSERVATIONS AND RESULT

A. Observation
As discussed in the earlier sections, we have used four
different classifiers to predict and detect if the website
is phishing or legitimate. Comparisons of these
classifiers have been shown below in the accuracy
table.
Fig 11. ROC curve of stacking classifier

IJERTV8IS110269 www.ijert.org 542

(This work is licensed under a Creative Commons Attribution 4.0 International License.)
Published by : International Journal of Engineering Research & Technology (IJERT)
http://www.ijert.org ISSN: 2278-0181
Vol. 8 Issue 11, November-2019

VI. CONCLUSION AND FUTURE SCOPE

Table 2: Observation Table
A. Conclusion
It is found that phishing attacks is very crucial and it
is important for us to get a mechanism to detect it. As
very important and personal information of the user can
be leaked through phishing websites, it becomes more
critical to take care of this issue. This problem can be
easily solved by using any of the machine learning
algorithm with the classifier. We already have
classifiers which gives good prediction rate of the
phishing beside, but after our survey that it will be
better to use a hybrid approach for the prediction and
further improve the accuracy prediction rate of
phishing websites. We have seen that existing system
gives less accuracy so we proposed a new phishing
method that employs URL based features and also we
B. Result generated classifiers through several machine learning
We have got the desired results of testing the site is phishing or algorithms.We have found that our system provides us
not by using four different classifiers. Refer the graph below for with 85.5 % of accuracy for XG Boost Classifier,
the exact results. Refer the graphs in Fig.15 and Fig.16 for the 86.3% accuracy for SVM Classifier, 80.2 % accuracy
results. In the graph, shown in Fig. 15 shows the AUC, precision, for Naïve Bayes Classifier and finally 85.6 percentage
recall and the F1 score obtained by using different classifiers. The of accuracy when using Stacking Classifier.Hence we
graph shown in Fig 16. explains about the accuracy obtained by found that the best among all the above classifiers is
using different classifiers in the histogram graphical SVM and Stacking Classifier which shows maximum
representation. accuracy. The proposed technique is much more
secured as it detects new and previous phishing sites.

B. Future scope

In future if we get structured dataset of phishing

we can perform phishing detection much more
faster than any other technique.In future we can use
a combination of any other two or more classifier to
get maximum accuracy. We also plan to explore
various phishing techniques that uses Lexical
features, Network based features,Content based
features, Webpage based features and HTML and
JavaScript features of web pages which can
improve the performance of the system. In
particular, we extract features from URLs and pass
Fig 15. Graph of AUC, Precision, Recall and F1score
it through the various classifiers.

REFERENCES
[1] Wong, R. K. K. (2019). An Empirical Study on Performance
Server Analysis and URL Phishing Prevention to Improve
System Management Through Machine Learning. In
Economics of Grids, Clouds, Systems, and Services: 15th
International Conference, GECON 2018, Pisa, Italy,
September 18-20, 2018, Proceedings (Vol. 11113, p. 199).
Springer.
[2] Rao, R. S., & Pais, A. R. (2019). Jail-Phish: An improved
search engine based phishing detection system. Computers &
Security, 83, 246-267.
[3] Ding, Y., Luktarhan, N., Li, K., & Slamu, W. (2019). A
keyword-based combination approach for detecting phishing
webpages. computers & security, 84, 256-275.
[4] Marchal, S., Saari, K., Singh, N., & Asokan, N. (2016, June).
Know your phish: Novel techniques for detecting phishing
sites and their targets. In 2016 IEEE 36th International
Fig 16. Results Conference on Distributed Computing Systems (ICDCS)
(pp. 323-333). IEEE.

IJERTV8IS110269 www.ijert.org 543

(This work is licensed under a Creative Commons Attribution 4.0 International License.)
Published by : International Journal of Engineering Research & Technology (IJERT)
http://www.ijert.org ISSN: 2278-0181
Vol. 8 Issue 11, November-2019

[5] Shekokar, N. M., Shah, C., Mahajan, M., & Rachh, S. (2015). An ideal
approach for detection and prevention of phishing attacks. Procedia
Computer Science, 49, 82-91.
[6] Rathod, J., & Nandy, D. Anti-Phishing Technique to Detect URL
Obfuscation.
[7] Hodžić, A., Kevrić, J., & Karadag, A. (2016). Comparison of machine
learning techniques in phishing website classification. In International
Conference on Economic and Social Studies (ICESoS'16) (pp. 249-256).
[8] Pujara, P., & Chaudhari, M. B. (2018). Phishing Website Detection using
Machine Learning: A Review.
[9] Desai, A., Jatakia, J., Naik, R., & Raul, N. (2017, May). Malicious web
content detection using machine leaning. In 2017 2nd IEEE International
Conference on Recent Trends in Electronics, Information &
Communication Technology (RTEICT) (pp. 1432-1436). IEEE.
[10] Lakshmi, V. S., & Vijaya, M. S. (2012). Efficient prediction of phishing
websites using supervised learning algorithms. Procedia Engineering, 30,
798-805.
[11] Jain, A. K., & Gupta, B. B. (2018). PHISH-SAFE: URL features-based
phishing detection system using machine learning. In Cyber Security (pp.
467-474). Springer, Singapore.
[12] Kazemian, H. B., & Ahmed, S. (2015). Comparisons of machine learning
techniques for detecting malicious webpages. Expert Systems with
Applications, 42(3), 1166-1177.
[13] Mao, J., Bian, J., Tian, W., Zhu, S., Wei, T., Li, A., & Liang, Z. (2019).
Phishing page detection via learning classifiers from page layout feature.
EURASIP Journal on Wireless Communications and Networking, 2019(1),
43.
[14] Mohammad, R. M., Thabtah, F., & McCluskey, L. (2012, December). An
assessment of features related to phishing websites using an automated
technique. In 2012 International Conference for Internet Technology and
Secured Transactions (pp. 492-497). IEEE.
[15] https://www.researchgate.net/publication/226420039-Detection-of-
Phishing-Attacks-A-Machine-Learning-Approach
[16] https://www.proofpoint.com/us/threat-reference/phishing
[17] https://towardsdatascience.com/phishing-domain-detection-with-ml-
5be9c99293e5
[18] https://en.wikipedia.org/wiki/Phishing
[19] https://www.techrepublic.com/article/how-to-tackle-phishing-with-
machine-learning/
[20] https://www.irjet.net/archives/V5/i3/IRJET-V5I3580.pdf
[21] https://www.hackerearth.com/practice/machine-learning/machine-learning-
algorithms/beginners-tutorial-on-xgboost-parameter-tuning-r/tutorial/
[22] https://www.datacamp.com/community/tutorials/svm-classification-scikit-
learn-python
[23] He, M., Horng, S. J., Fan, P., Khan, M. K., Run, R. S., Lai, J. L., ... &
Sutanto, A. (2011). An efficient phishing webpage detector. Expert
systems with applications, 38(10), 12018-12027.
[24] Le, A., Markopoulou, A., & Faloutsos, M. (2011, April). Phishdef: Url
names say it all. In 2011 Proceedings IEEE INFOCOM (pp. 191-195).
IEEE.
[25] Sahingoz, O. K., Buber, E., Demir, O., & Diri, B. (2019). Machine
learning based phishing detection from URLs. Expert Systems with
Applications, 117, 345-357.
[26] Tewari, A., Jain, A. K., & Gupta, B. B. (2016). Recent survey of various
defense mechanisms against phishing attacks. Journal of Information
Privacy and Security, 12(1), 3-13.
[27] Jain, A. K., & Gupta, B. B. (2016, March). Comparative analysis of
features based machine learning approaches for phishing detection. In
2016 3rd International Conference on Computing for Sustainable Global
Development (INDIACom) (pp. 2125-2130). IEEE.
[28] Yuan, H., Chen, X., Li, Y., Yang, Z., & Liu, W. (2018, August). Detecting
Phishing Websites and Targets Based on URLs and Webpage Links. In
2018 24th International Conference on Pattern Recognition (ICPR) (pp.
3669-3674). IEEE.
[29] Nguyen, L. A. T., To, B. L., Nguyen, H. K., & Nguyen, M. H. (2013,
October). Detecting phishing web sites: A heuristic URL-based approach.
In 2013 International Conference on Advanced Technologies for
Communications (ATC 2013) (pp. 597-602). IEEE.

IJERTV8IS110269 www.ijert.org 544

(This work is licensed under a Creative Commons Attribution 4.0 International License.)