Exploring low-level statistical features of n-grams in phishing URLs: a comparative analysis with high-level features

Yahya Tashtoush, Moayyad Alajlouni, Firas Albalas, Omar Darwish
{"title":"Exploring low-level statistical features of n-grams in phishing URLs: a comparative analysis with high-level features","authors":"Yahya Tashtoush, Moayyad Alajlouni, Firas Albalas, Omar Darwish","doi":"10.1007/s10586-024-04655-5","DOIUrl":null,"url":null,"abstract":"<p>Phishing attacks are the biggest cybersecurity threats in the digital world. Attackers exploit users by impersonating real, authentic websites to obtain sensitive information such as passwords and bank statements. One common technique in these attacks is using malicious URLs. These malicious URLs mimic legitimate URLs, misleading users into interacting with malicious websites. This practice, URL phishing, presents a big threat to internet security, emphasizing the need for advanced detection methods. So we aim to enhance phishing URL detection by using machine learning and deep learning models, leveraging a set of low-level URL features derived from n-gram analysis. In this paper, we present a method for detecting malicious URLs using statistical features extracted from n-grams. These n-grams are extracted from the hexadecimal representation of URLs. We employed 4 experiments in our paper. The first 3 experiments used machine learning with the statistical features extracted from these n-grams, and the fourth experiment used these grams directly with deep learning models to evaluate their effectiveness. Also, we used Explainable AI (XAI) to explore the extracted features and evaluate their importance and role in phishing detection. A key advantage of our method is its ability to reduce the number of features required and reduce the training time by using fewer features after applying XAI techniques. This stands in contrast to the previous study, which relies on high-level URL features and needs pre-processing and a high number of features (87 high-level URL-based features). So our technique only uses statistical features extracted from n-grams and the n-gram itself, without the need for any high-level features. Our method is evaluated across different n-gram lengths (2, 4, 6, and 8), aiming to optimize detection accuracy. We conducted four experiments in our study. In the first experiment, we focused on extracting and using 12 common statistical features like mean, median, etc. In the first experiment, the XGBoost model achieved the highest accuracy using 8-gram features with 82.41%. In the second experiment, we expanded the feature set and extracted an additional 13 features, so our feature count became 25. XGBoost in the second experiment achieved the highest accuracy with 86.40%. Accuracy improvement continued in the third experiment, we extracted an additional 16 features (character count features), and these features increased XGBoost accuracy to 88.15% in the third experiment. In the fourth experiment, we directly fed n-gram representations into deep learning models. The Convolutional Neural Network (CNN) model achieved the highest accuracy of 94.09% in experiment four. Also, we applied XAI techniques, SHapley Additive exPlanations (SHAP), and Local Interpretable Model-agnostic Explanations (LIME). Through the explanation provided by XAI methods, we were able to determine the most important features in our feature set, enabling a reduction in feature count. Using fewer features (4, 7, 10, 13, 15), we got good accuracy compared to the 41 features used in experiment three and reduced the models’ training times and complexity. This research aimed to enhance phishing URL detection by using machine learning and deep learning models, leveraging a set of low-level URL features derived from n-gram analysis. Our findings show the importance of using minimal statistical features to identify malicious URLs. Notably, the use of CNN had a great advancement, achieving an accuracy rate of 94.09% with using n-grams of URLs, surpassing traditional machine learning models. This achievement not only validates the efficacy of deep learning models in complex pattern recognition tasks but also highlights the efficiency of our feature selection approach, which relies on a lower number of features and is less complex compared to existing high-level feature-based studies. The research outcomes demonstrate a promising pathway toward developing more robust, efficient, and scalable phishing detection systems.</p>","PeriodicalId":501576,"journal":{"name":"Cluster Computing","volume":"41 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-07-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Cluster Computing","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1007/s10586-024-04655-5","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

Abstract

Phishing attacks are the biggest cybersecurity threats in the digital world. Attackers exploit users by impersonating real, authentic websites to obtain sensitive information such as passwords and bank statements. One common technique in these attacks is using malicious URLs. These malicious URLs mimic legitimate URLs, misleading users into interacting with malicious websites. This practice, URL phishing, presents a big threat to internet security, emphasizing the need for advanced detection methods. So we aim to enhance phishing URL detection by using machine learning and deep learning models, leveraging a set of low-level URL features derived from n-gram analysis. In this paper, we present a method for detecting malicious URLs using statistical features extracted from n-grams. These n-grams are extracted from the hexadecimal representation of URLs. We employed 4 experiments in our paper. The first 3 experiments used machine learning with the statistical features extracted from these n-grams, and the fourth experiment used these grams directly with deep learning models to evaluate their effectiveness. Also, we used Explainable AI (XAI) to explore the extracted features and evaluate their importance and role in phishing detection. A key advantage of our method is its ability to reduce the number of features required and reduce the training time by using fewer features after applying XAI techniques. This stands in contrast to the previous study, which relies on high-level URL features and needs pre-processing and a high number of features (87 high-level URL-based features). So our technique only uses statistical features extracted from n-grams and the n-gram itself, without the need for any high-level features. Our method is evaluated across different n-gram lengths (2, 4, 6, and 8), aiming to optimize detection accuracy. We conducted four experiments in our study. In the first experiment, we focused on extracting and using 12 common statistical features like mean, median, etc. In the first experiment, the XGBoost model achieved the highest accuracy using 8-gram features with 82.41%. In the second experiment, we expanded the feature set and extracted an additional 13 features, so our feature count became 25. XGBoost in the second experiment achieved the highest accuracy with 86.40%. Accuracy improvement continued in the third experiment, we extracted an additional 16 features (character count features), and these features increased XGBoost accuracy to 88.15% in the third experiment. In the fourth experiment, we directly fed n-gram representations into deep learning models. The Convolutional Neural Network (CNN) model achieved the highest accuracy of 94.09% in experiment four. Also, we applied XAI techniques, SHapley Additive exPlanations (SHAP), and Local Interpretable Model-agnostic Explanations (LIME). Through the explanation provided by XAI methods, we were able to determine the most important features in our feature set, enabling a reduction in feature count. Using fewer features (4, 7, 10, 13, 15), we got good accuracy compared to the 41 features used in experiment three and reduced the models’ training times and complexity. This research aimed to enhance phishing URL detection by using machine learning and deep learning models, leveraging a set of low-level URL features derived from n-gram analysis. Our findings show the importance of using minimal statistical features to identify malicious URLs. Notably, the use of CNN had a great advancement, achieving an accuracy rate of 94.09% with using n-grams of URLs, surpassing traditional machine learning models. This achievement not only validates the efficacy of deep learning models in complex pattern recognition tasks but also highlights the efficiency of our feature selection approach, which relies on a lower number of features and is less complex compared to existing high-level feature-based studies. The research outcomes demonstrate a promising pathway toward developing more robust, efficient, and scalable phishing detection systems.

Abstract Image

查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
探索网络钓鱼 URL 中 n-grams 的低级统计特征:与高级特征的比较分析
网络钓鱼攻击是数字世界中最大的网络安全威胁。攻击者通过冒充真实、可靠的网站来获取用户的敏感信息,如密码和银行对账单。这些攻击中的一种常见技术是使用恶意 URL。这些恶意 URL 模仿合法 URL,误导用户与恶意网站交互。这种做法,即 URL 网络钓鱼,对互联网安全构成了巨大威胁,强调了对先进检测方法的需求。因此,我们希望通过使用机器学习和深度学习模型,利用从 n-gram 分析中获得的一系列低级 URL 特征,来增强对网络钓鱼 URL 的检测。在本文中,我们提出了一种利用从 n-grams 中提取的统计特征检测恶意 URL 的方法。这些 n 符是从 URL 的十六进制表示中提取的。我们在论文中采用了 4 项实验。前 3 个实验使用了从这些 n-grams 中提取的统计特征进行机器学习,第 4 个实验直接使用这些 n-grams 和深度学习模型来评估其有效性。此外,我们还使用了可解释人工智能(XAI)来探索提取的特征,并评估它们在网络钓鱼检测中的重要性和作用。我们的方法的一个主要优势是能够减少所需的特征数量,并在应用 XAI 技术后通过使用更少的特征来缩短训练时间。这与之前的研究形成了鲜明对比,前者依赖于高级 URL 特征,需要预处理和大量特征(87 个基于 URL 的高级特征)。因此,我们的技术只使用从 n-gram 和 n-gram 本身提取的统计特征,而不需要任何高级特征。我们对不同 n-gram 长度(2、4、6 和 8)的方法进行了评估,旨在优化检测准确率。我们在研究中进行了四次实验。在第一个实验中,我们重点提取并使用了 12 个常见的统计特征,如平均值、中位数等。在第一个实验中,XGBoost 模型使用 8 个语法特征取得了 82.41% 的最高准确率。在第二次实验中,我们扩展了特征集,额外提取了 13 个特征,因此特征数量变为 25 个。XGBoost 在第二次实验中取得了 86.40% 的最高准确率。在第三次实验中,我们又提取了 16 个特征(字符数特征),这些特征将 XGBoost 的准确率提高到了 88.15%。在第四次实验中,我们直接将 n-gram 表示法输入深度学习模型。卷积神经网络(CNN)模型在第四次实验中取得了 94.09% 的最高准确率。此外,我们还应用了 XAI 技术、SHAPLE Additive exPlanations(SHAP)和 Local Interpretable Model-agnostic Explanations(LIME)。通过 XAI 方法提供的解释,我们能够确定特征集中最重要的特征,从而减少特征数量。使用较少的特征(4、7、10、13、15),与实验三中使用的 41 个特征相比,我们获得了良好的准确性,并减少了模型的训练时间和复杂性。这项研究旨在通过使用机器学习和深度学习模型,利用从 n-gram 分析中获得的一组低级 URL 特征,提高钓鱼网址的检测能力。我们的研究结果表明了使用最小统计特征识别恶意 URL 的重要性。值得注意的是,CNN 的使用取得了巨大进步,使用 n-grams 的 URL 准确率达到 94.09%,超过了传统的机器学习模型。这一成果不仅验证了深度学习模型在复杂模式识别任务中的有效性,还凸显了我们的特征选择方法的高效性,与现有的基于高级特征的研究相比,这种方法依赖的特征数量更少,复杂性更低。这些研究成果为开发更稳健、高效和可扩展的网络钓鱼检测系统指明了一条大有可为的道路。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Quantitative and qualitative similarity measure for data clustering analysis OntoXAI: a semantic web rule language approach for explainable artificial intelligence Multi-threshold image segmentation using a boosted whale optimization: case study of breast invasive ductal carcinomas PSO-ACO-based bi-phase lightweight intrusion detection system combined with GA optimized ensemble classifiers A scalable and power efficient MAC protocol with adaptive TDMA for M2M communication
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1