A Comparative Analysis of Machine Learning Models for URL-Based Phishing Detection | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Research Article A Comparative Analysis of Machine Learning Models for URL-Based Phishing Detection Rafi MRM, Nuski F.A.M, Suhaif A.M, Shaminda K.A.S This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-6439154/v1 This work is licensed under a CC BY 4.0 License Status: Posted Version 1 posted You are reading this latest preprint version Abstract Phishing attacks pose a significant and ongoing cybersecurity threat, necessitating effective countermeasures. The challenge lies in accurately and automatically detecting malicious URLs, as traditional methods often fall short against evolving attacker techniques. This research addresses the need for improved detection by evaluating machine learning approaches applied to URL analysis. A dataset of labeled phishing and legitimate URLs, characterized by 30 distinct features encompassing lexical, host-based, and content-related attributes, formed the basis of this study. Five machine learning models were trained and comparatively evaluated: Decision Tree (DT), Random Forest (RF), Support Vector Machine (SVM), XGBoost (XGB), and a Stacking Classifier ensemble. Performance analysis revealed that the XGBoost classifier achieved the highest accuracy, correctly classifying approximately 97.4% of URLs in the test set. This study demonstrates the effectiveness of machine learning, particularly XGBoost, for high-accuracy phishing URL detection using comprehensive feature sets and contributes a functional prototype system demonstrating the approach. Artificial Intelligence and Machine Learning Phishing Detection URL Analysis Machine Learning Cybersecurity XGBoost Random Forest SVM Stacking Classifier Feature Engineering Feature Extraction Classification Malicious URL Detection Network Security Scikit-learn Python Figures Figure 1 Figure 2 Figure 3 Figure 4 I. INTRODUCTION The pervasive nature of the internet has revolutionized communication and commerce, yet it has also given rise to significant cybersecurity challenges. Among the most prevalent and damaging threats is phishing, a deceptive practice where attackers masquerade as trustworthy entities in electronic communications to illicitly obtain sensitive information such as login credentials, financial details, and personal identifiers. These attacks often leverage social engineering tactics and sophisticated technical methods, resulting in substantial financial losses, identity theft, and compromised organizational security. The scale and evolving complexity of phishing necessitate the development of robust, automated detection systems. Uniform Resource Locators (URLs) are fundamental to web navigation and serve as the primary vector for directing users to malicious websites in many phishing campaigns. Attackers craft these URLs carefully, often embedding subtle indicators of fraud by mimicking legitimate domains, using obfuscation techniques like URL shortening or complex paths, or exploiting structural anomalies. Consequently, the automated analysis of URL characteristics provides a critical early opportunity to identify and mitigate phishing threats before users interact with potentially harmful links. Traditional anti-phishing methods, such as blacklist filtering and basic heuristic rule-based systems, face significant limitations. Blacklists are inherently reactive and often lag behind the rapid creation and disposal of phishing domains used in modern campaigns. Simple heuristics, while useful, can be easily bypassed by attackers aware of the rules and may struggle with the nuances of sophisticated attacks, leading to inadequate accuracy with high rates of false positives or false negatives. This paper addresses the need for more effective phishing detection by exploring the application of machine learning (ML) techniques to URL analysis. ML models offer the potential to learn complex patterns from diverse URL features, enabling more accurate and adaptive detection compared to static methods. The objective of this research is to develop and rigorously evaluate a high-accuracy phishing URL detection system by: 1) utilizing a comprehensive set of 30 URL-based features encompassing lexical, host-based, content-derived, and external reputation attributes; 2) training and comparing five distinct ML classifiers (Decision Tree, Random Forest, Support Vector Machine, XGBoost, and a Stacking ensemble); and 3) identifying the most effective model based on empirical performance evaluation. This paper is structured as follows: Section II details the methodology, including dataset description, feature engineering, model implementation, and evaluation metrics. Section III provides an overview of the system architecture and implementation. Section IV presents and discusses the experimental results, comparing model performance and highlighting the best-performing classifier. Finally, Section V concludes the paper and outlines directions for future research. II. METHODOLOGY This section outlines the systematic approach employed for developing and evaluating the machine learning models for phishing URL detection. It covers the dataset used, the feature engineering process, data preprocessing steps, the machine learning algorithms implemented, and the metrics used for performance evaluation. A. Dataset The study utilized a publicly available dataset sourced from Kaggle, commonly used for phishing website detection research (PhishingDataset.csv) [ 4 ]. This dataset comprises 11,055 URL instances, each labeled as either phishing (-1) or legitimate (1). Each instance is represented by 30 pre-extracted numerical features, designed to capture various characteristics indicative of a URL's legitimacy, plus the target label column ('Result'). An initial inspection confirmed the dataset was complete with no missing value. B. Feature Set The detection models were trained using the 30 features provided in the dataset [ 4 ]. These features capture a diverse range of URL characteristics potentially indicative of phishing activity and are encoded numerically, primarily using values of -1 (suspicious), 0 (neutral/intermediate), and 1 (legitimate). The implementation logic for extracting these features from raw URLs is contained within a dedicated Python script (extract_script_py.py) developed as part of this project's broader scope. These features can be categorized as: Lexical Features : Attributes derived directly from the URL string, such as the presence of an IP address, URL length categorization, use of shortening services, presence of special characters ('@', '//', '-'), subdomain complexity (dot count), and inclusion of 'http'/'https' tokens within the domain/path. Host-Based Features : Information related to the domain's registration and hosting environment, including domain registration duration, domain age, SSL certificate validity status, DNS record existence, and abnormalities detected via WHOIS lookups. Content-Based & External Features : Characteristics derived from analyzing basic webpage content or querying external services, such as the ratio of external links (anchors, images), usage of specific HTML tags (iframes, forms submitting to email, scripts), port status, redirect counts, website traffic rank, PageRank proxies (Domain Authority), Google indexing status, and checks against statistical lists of known phishing domains/IPs. This comprehensive feature set aims to provide the models with sufficient information to distinguish between phishing and legitimate URLs based on established indicators. C. Experimental Setup The dataset was randomly partitioned into a training set (80%, 8844 samples) and a testing set (20%, 2211 samples) using Scikit-learn's train_test_split function [ 5 ] with a fixed random_state = 12 to ensure reproducibility. Due to the nature of the features (encoded as -1, 0, 1), explicit feature scaling was deemed unnecessary and not applied. For compatibility with the XGBoost classifier, the target variable ('Result') was transformed from {-1, 1} to {0, 1}, where 0 represents Phishing and 1 represents Legitimate, for both training and testing sets. D. Machine Learning Models Five distinct machine learning classifiers were implemented and trained on the preprocessed training data: Decision Tree (DT) : Implemented using sklearn.tree.DecisionTreeClassifier with max_depth = 5 to prevent overfitting. Random Forest (RF) : An ensemble model using sklearn.ensemble.RandomForestClassifier also with max_depth = 5 for the base trees. Support Vector Machine (SVM) : Implemented using sklearn.svm.SVC with a kernel='poly' and default regularization (C = 1.0). XGBoost (XGB) : Implemented using the xgboost.XGBClassifier library. Hyperparameter tuning was performed (Section III-E), with the final model using parameters optimized for performance (e.g., learning_rate = 0.4, max_depth = 7). Stacking Classifier : A multi-layer ensemble implemented with sklearn.ensemble.StackingClassifier, using RF, KNN, and DT as first-layer estimators, and another DT/RF stack followed by Logistic Regression as the final meta-learner. All models were trained on the X_train, y_train data [ 5 ] [ 6 ]. E. Evaluation Metrics Model performance was evaluated on the unseen test set using the following standard classification metrics from Scikit-learn [ 5 ]: Accuracy Precision Recall (Sensitivity) F1-Score Area Under the ROC Curve (ROC AUC) Confusion Matrix (analyzing TP, TN, FP, FN) These metrics provide a comprehensive view of each model's effectiveness in correctly identifying both phishing and legitimate URLs. III. SYSTEM ARCHITECTURE & IMPLEMENTATION OVERVIEW This section describes the overall architecture designed for the phishing URL detection system and provides an overview of the implementation details, including the tools used and the integration of different components. A. System Architecture The system architecture integrates offline model training and evaluation with an online prediction pipeline for classifying new URLs. The core components and data flow are depicted in Fig. 3. The architecture comprises: Data Preparation: Sourcing and preprocessing the dataset [ 4 ] (as described in Section II-A, II-C). Model Training & Evaluation: Training multiple ML models (DT, RF, SVM, XGB, Stacking) in parallel on the training data and evaluating them on the test data using defined metrics (Section II-D, II-E). Model Selection & Persistence: Selecting the best model (XGBoost based on evaluation) and saving the trained model object using pickle for deployment. Feature Extraction Module: A dedicated module (extract_script_py.py) responsible for taking a raw URL input and generating the required 30-feature vector by executing various lexical, host-based, content-based, and external checks (detailed in Section II-B). Prediction Engine: Loads the persisted XGBoost [ 6 ] model and uses it to classify the feature vector generated by the extraction module, outputting a 'Phishing' or 'Legitimate' prediction. User Interface (Web/Extension): A simple web UI developed to allow users to input a URL and initiate the detection process [ 8 ]. IV. RESULTS AND DISCUSSION This section presents the empirical results obtained from evaluating the five machine learning models on the test dataset. The performance of each model is compared, the best-performing model is analyzed in detail, and the overall findings are discussed. A. Model Performance Comparison The performance of the Decision Tree (DT), Random Forest (RF), Support Vector Machine (SVM), XGBoost (XGB), and Stacking Classifier models were evaluated on the held-out test set using the metrics defined in Section II-E. Figure 2 summarizes the key performance results. As shown in Table II, the XGBoost classifier [ 6 ] significantly outperformed the other models across all major metrics, achieving the highest Test Accuracy, Precision, Recall, F1 Score, and ROC AUC. The Stacking Classifier and SVM also demonstrated strong performance, surpassing the Decision Tree and Random Forest models implemented with limited depth. B. ROC Curve Analysis The Receiver Operating Characteristic (ROC) curves provide a visual comparison of the models' ability to distinguish between phishing and legitimate URLs across different thresholds. Figure 4 displays the ROC curves for all five models plotted [ 9 ] against a baseline random classifier (TPR = FPR). The ROC curve analysis visually confirms the quantitative results presented in Fig. 2. The XGBoost curve is positioned closest to the top-left corner, indicating superior performance with high True Positive Rates (Recall) and low False Positive Rates across various thresholds. The Stacking Classifier and SVM curves are also significantly above the baseline and the curves for the simpler Decision Tree and Random Forest models, demonstrating strong discriminative power. The area under the curve (AUC) values numerically summarize this, with XGBoost [ 6 ] achieving the highest AUC of 0.9730. C. Confusion matrix for the XGBoost model True Negatives (TN) : 966 (Correctly identified phishing URLs) False Positives (FP) : 35 (Legitimate URLs incorrectly flagged as phishing) False Negatives (FN) : 23 (Phishing URLs incorrectly identified as legitimate) True Positives (TP) : 1187 (Correctly identified legitimate URLs) D. Feature Importance While detailed feature importance analysis varies slightly between models, examination of the importance scores generated by tree-based models like XGBoost consistently highlighted the significance of certain feature categories. Features related to SSL certificate status (SSLfinal_State), domain characteristics (age_of_domain, Domain_registeration_length), link structures within the page (URL_of_Anchor, Links_in_tags), and external reputation metrics (web_traffic, Page_Rank) frequently appeared among the most influential predictors. This suggests that a combination of security indicators, domain trustworthiness signals, page structure analysis, and external reputation is key to effective detection. V. CONCLUSION AND FUTURE WORK This research successfully developed and evaluated a machine learning system for detecting phishing URLs, demonstrating the high efficacy of modern algorithms combined with comprehensive feature engineering for this critical cybersecurity task. Through a comparative analysis of five distinct classifiers trained on a dataset of over 11,000 URLs characterized by 30 diverse features, the XGBoost [ 6 ] model was identified as the most effective, achieving approximately 97.4% accuracy on the test set. This result, along with the strong performance of the Stacking Classifier and SVM, underscores the potential of machine learning to significantly enhance phishing detection capabilities beyond traditional methods. The project also involved the practical implementation of a feature extraction module and a prototype system, validating the feasibility of the approach. The main contributions include a quantitative performance benchmark for contemporary ML models on this task and dataset, validation of XGBoost's high accuracy, and the development of a proof-of-concept system. However, the study acknowledges limitations related to dataset representativeness and, critically, the potential unreliability and latency associated with extracting certain features dependent on external APIs and web scraping in real-time, high-volume scenarios. Future work should focus on several key areas to build upon these findings and address the limitations. Firstly, enhancing model robustness and performance could involve exploring different algorithms (e.g., LightGBM, deep learning sequence models like LSTMs), conducting more extensive hyperparameter tuning, and incorporating techniques to handle potential class imbalance in real-world data. Secondly, significant effort is required in improving feature engineering, focusing on identifying a core subset of reliable, low-latency features, investigating dynamic analysis techniques, enhancing content analysis (NLP, visual similarity), and potentially replacing less stable free feature sources with commercial data feeds or more resilient scraping methods coupled with effective caching. Thirdly, expanding and continuously updating the dataset with more diverse and recent phishing examples is crucial for maintaining model relevance and improving generalization against zero-day attacks. Finally, advancing the system implementation towards a production-ready state necessitates deploying the model as a robust API, significantly improving the UI/UX with better explainability and feedback mechanisms, developing practical integrations like browser extensions, and potentially implementing adaptive learning loops for ongoing model refinement based on new data and user feedback. Addressing the reliability of feature extraction remains a paramount challenge for transitioning such research into highly dependable, real-world security tools. References Filippi P et al (Oct. 2019) An approach to forecast grain crop yield using multi-layered, multi-farm data sets and machine learning. Precis Agric 20(5):1015–1029. 10.1007/s11119-018-09628-4 Dhanapal R, Ajanraj A, Balavinayagapragathish S, Balaji J (1916) Crop price prediction using supervised machine learning algorithms, J. Phys. Conf. Ser., vol. no. 1, p. 012042, Jun. 2021. 10.1088/1742-6596/1916/1/012042 Izzo Z, Smart MA, Chaudhuri K, Zou JY (2021) Approximate Data Deletion from Machine Learning Models, in Proceedings of the 24th International Conference on Artificial Intelligence and Statistics (AISTATS), vol. 130, pp. 1–9. [Online].Available: http://proceedings.mlr.press/v130/izzo21a.html Phishing Website Dataset Kaggle. Accessed: Nov. 15, 2024. [Online].Available: [ https://docs.google.com/spreadsheets/d/1yAeNDJlba4cGQSZ1xvv6hKxO3-UQ8np8Kqt3SfH1LPk/edit?usp=sharing ] Scikit-learn, Developers Scikit-learn: Machine Learning in Python, Version [Insert Version Used, e.g., 1.2.2]. Accessed: Dec. 05, 2024. [Online]. Available: https://scikit-learn.org/stable/ XGBoost C XGBoost Documentation, Release [Insert Version Used, e.g., 1.7.0]. Accessed: Dec. 10, 2024. [Online]. Available: https://xgboost.readthedocs.io/ Keras Team, Keras Documentation Accessed: Jan. 20, 2025. [Online]. Available: https://keras.io Gradio Team, Gradio Build & Share Delightful Machine Learning Apps. Accessed: Feb. 01, 2025. [Online]. Available: https://www.gradio.app/ Matplotlib Development Team Matplotlib: Visualization with Python, Version [Insert Version Used, e.g., 3.7.1]. Accessed: Nov. 20, 2024. [Online]. Available: https://matplotlib.org/ Waskom ML (Apr. 2021) Seaborn: statistical data visualization. J Open Source Softw 6(60):3021. 10.21105/joss.03021 Additional Declarations The authors declare no competing interests. Supplementary Files PhishingDataset.csv PhishingDataset MLbasedphishingurldetection.ipynb ML Based Phishing URLs Detection Research Cite Share Download PDF Status: Posted Version 1 posted You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-6439154","acceptedTermsAndConditions":true,"allowDirectSubmit":true,"archivedVersions":[],"articleType":"Research Article","associatedPublications":[],"authors":[{"id":442259479,"identity":"5511c1e2-71dd-48df-9e64-90d7f523c9c0","order_by":0,"name":"Rafi MRM","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAA9UlEQVRIiWNgGAWjYBACNgbmAwc/GEjw8LM3HwAJyLAxA8kHB/BoYWNLPCxRYSMn2XMsASTAw8YM1JOARwsDG4/xAZ4zacYGN3IMwFoYGAho4ZNvMDgg2XY4seHMma+beRjqePjY+Q8wJJzB5zCgiYVALY3tvdtu8zAchjrsBl4tB8C2NPOcBWk5ANXyAZ8WxoYDvEAtbRI5z26DHEaEFmYGsPd5JHLYgFqYiXFYGgM4kCV4jpndnGMA9ovBAXzel28+//kjKCrtjzc/u/Gmok5Ovv/gwwcfjuHWggKYeAwgjANEamBgYPxBtNJRMApGwSgYSQAAkHFQhGmmzKwAAAAASUVORK5CYII=","orcid":"","institution":"Sri Lanka Institute of Information Technology","correspondingAuthor":true,"prefix":"","firstName":"Rafi","middleName":"","lastName":"MRM","suffix":""},{"id":442259587,"identity":"a726e626-f277-4513-a7eb-549b38cf7c52","order_by":1,"name":"Nuski F.A.M","email":"","orcid":"","institution":"Sri Lanka Institute of Information Technology","correspondingAuthor":false,"prefix":"","firstName":"Nuski","middleName":"","lastName":"F.A.M","suffix":""},{"id":442259588,"identity":"2f2a948a-8c86-467c-9742-b91e6c49fbfc","order_by":2,"name":"Suhaif A.M","email":"","orcid":"","institution":"Sri Lanka Institute of Information Technology","correspondingAuthor":false,"prefix":"","firstName":"Suhaif","middleName":"","lastName":"A.M","suffix":""},{"id":442259589,"identity":"6e57ce34-4ed8-4e62-b492-eddacc85f5e7","order_by":3,"name":"Shaminda K.A.S","email":"","orcid":"","institution":"Sri Lanka Institute of Information Technology","correspondingAuthor":false,"prefix":"","firstName":"Shaminda","middleName":"","lastName":"K.A.S","suffix":""}],"badges":[],"createdAt":"2025-04-13 12:29:17","currentVersionCode":1,"declarations":{"humanSubjects":false,"vertebrateSubjects":false,"conflictsOfInterestStatement":false,"humanSubjectEthicalGuidelines":false,"humanSubjectConsent":false,"humanSubjectClinicalTrial":false,"humanSubjectCaseReport":false,"vertebrateSubjectEthicalGuidelines":false},"doi":"10.21203/rs.3.rs-6439154/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-6439154/v1","draftVersion":[],"editorialEvents":[],"editorialNote":"","failedWorkflow":false,"files":[{"id":80591246,"identity":"ddb93c9c-f0c3-4b22-9efa-ef2d0fc776d3","added_by":"auto","created_at":"2025-04-15 02:36:18","extension":"png","order_by":1,"title":"Figure 1","display":"","copyAsset":false,"role":"figure","size":125480,"visible":true,"origin":"","legend":"\u003cp\u003eInterface to Input URLs\u003c/p\u003e","description":"","filename":"Figure1.png","url":"https://assets-eu.researchsquare.com/files/rs-6439154/v1/f74b48c9360c107de83e6166.png"},{"id":80591245,"identity":"866aef0c-c0e2-4716-98db-be498b5456a7","added_by":"auto","created_at":"2025-04-15 02:36:18","extension":"png","order_by":2,"title":"Figure 2","display":"","copyAsset":false,"role":"figure","size":10335,"visible":true,"origin":"","legend":"\u003cp\u003eModel Performance Comparison\u003c/p\u003e","description":"","filename":"Figure2.png","url":"https://assets-eu.researchsquare.com/files/rs-6439154/v1/b211238c9f5f30cf686d7fcb.png"},{"id":80591955,"identity":"d5486e9a-e541-473f-9228-75d2bc7c36bf","added_by":"auto","created_at":"2025-04-15 02:44:18","extension":"png","order_by":3,"title":"Figure 3","display":"","copyAsset":false,"role":"figure","size":1581990,"visible":true,"origin":"","legend":"\u003cp\u003eOverall System Architecture\u003c/p\u003e","description":"","filename":"Figure3.png","url":"https://assets-eu.researchsquare.com/files/rs-6439154/v1/06cb456ab7c21cc1344722e2.png"},{"id":80591957,"identity":"ee3a2529-e84e-47fb-927b-d7c674398412","added_by":"auto","created_at":"2025-04-15 02:44:18","extension":"png","order_by":4,"title":"Figure 4","display":"","copyAsset":false,"role":"figure","size":143756,"visible":true,"origin":"","legend":"\u003cp\u003eROC Curve Plot\u003c/p\u003e","description":"","filename":"Figure4.png","url":"https://assets-eu.researchsquare.com/files/rs-6439154/v1/771aa1754c4f4cb7e9322fcd.png"},{"id":80593039,"identity":"055f22d6-09ad-4623-9031-dc8d03322eff","added_by":"auto","created_at":"2025-04-15 03:08:18","extension":"pdf","order_by":0,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":919578,"visible":true,"origin":"","legend":"","description":"","filename":"manuscript.pdf","url":"https://assets-eu.researchsquare.com/files/rs-6439154/v1/f47c1046-7d1e-4c59-892d-7c57a5ea197f.pdf"},{"id":80591250,"identity":"4ad1fa71-9a77-4046-9473-4c4f59461e84","added_by":"auto","created_at":"2025-04-15 02:36:18","extension":"csv","order_by":1,"title":"","display":"","copyAsset":false,"role":"supplement","size":789147,"visible":true,"origin":"","legend":"\u003cp\u003ePhishingDataset\u003c/p\u003e","description":"","filename":"PhishingDataset.csv","url":"https://assets-eu.researchsquare.com/files/rs-6439154/v1/123a63f80fc6c6b156cace5a.csv"},{"id":80592170,"identity":"640566fe-010a-499e-bf4f-500771f94c55","added_by":"auto","created_at":"2025-04-15 02:52:18","extension":"ipynb","order_by":2,"title":"","display":"","copyAsset":false,"role":"supplement","size":1028361,"visible":true,"origin":"","legend":"\u003cp\u003eML Based Phishing URLs Detection Research\u003c/p\u003e","description":"","filename":"MLbasedphishingurldetection.ipynb","url":"https://assets-eu.researchsquare.com/files/rs-6439154/v1/f2c9e64c196e99a1b73cf264.ipynb"}],"financialInterests":"The authors declare no competing interests.","formattedTitle":"\u003cp\u003eA Comparative Analysis of Machine Learning Models for URL-Based Phishing Detection\u003c/p\u003e","fulltext":[{"header":"I. INTRODUCTION","content":"\u003cp\u003eThe pervasive nature of the internet has revolutionized communication and commerce, yet it has also given rise to significant cybersecurity challenges. Among the most prevalent and damaging threats is phishing, a deceptive practice where attackers masquerade as trustworthy entities in electronic communications to illicitly obtain sensitive information such as login credentials, financial details, and personal identifiers. These attacks often leverage social engineering tactics and sophisticated technical methods, resulting in substantial financial losses, identity theft, and compromised organizational security. The scale and evolving complexity of phishing necessitate the development of robust, automated detection systems.\u003c/p\u003e \u003cp\u003eUniform Resource Locators (URLs) are fundamental to web navigation and serve as the primary vector for directing users to malicious websites in many phishing campaigns. Attackers craft these URLs carefully, often embedding subtle indicators of fraud by mimicking legitimate domains, using obfuscation techniques like URL shortening or complex paths, or exploiting structural anomalies. Consequently, the automated analysis of URL characteristics provides a critical early opportunity to identify and mitigate phishing threats before users interact with potentially harmful links.\u003c/p\u003e \u003cp\u003eTraditional anti-phishing methods, such as blacklist filtering and basic heuristic rule-based systems, face significant limitations. Blacklists are inherently reactive and often lag behind the rapid creation and disposal of phishing domains used in modern campaigns. Simple heuristics, while useful, can be easily bypassed by attackers aware of the rules and may struggle with the nuances of sophisticated attacks, leading to inadequate accuracy with high rates of false positives or false negatives.\u003c/p\u003e \u003cp\u003eThis paper addresses the need for more effective phishing detection by exploring the application of machine learning (ML) techniques to URL analysis. ML models offer the potential to learn complex patterns from diverse URL features, enabling more accurate and adaptive detection compared to static methods. The objective of this research is to develop and rigorously evaluate a high-accuracy phishing URL detection system by: 1) utilizing a comprehensive set of 30 URL-based features encompassing lexical, host-based, content-derived, and external reputation attributes; 2) training and comparing five distinct ML classifiers (Decision Tree, Random Forest, Support Vector Machine, XGBoost, and a Stacking ensemble); and 3) identifying the most effective model based on empirical performance evaluation.\u003c/p\u003e \u003cp\u003eThis paper is structured as follows: Section II details the methodology, including dataset description, feature engineering, model implementation, and evaluation metrics. Section III provides an overview of the system architecture and implementation. Section IV presents and discusses the experimental results, comparing model performance and highlighting the best-performing classifier. Finally, Section V concludes the paper and outlines directions for future research.\u003c/p\u003e"},{"header":"II.\tMETHODOLOGY","content":"\u003cp\u003eThis section outlines the systematic approach employed for developing and evaluating the machine learning models for phishing URL detection. It covers the dataset used, the feature engineering process, data preprocessing steps, the machine learning algorithms implemented, and the metrics used for performance evaluation.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eA. Dataset\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eThe study utilized a publicly available dataset sourced from Kaggle, commonly used for phishing website detection research (PhishingDataset.csv) [\u003cspan class=\"CitationRef\"\u003e4\u003c/span\u003e]. This dataset comprises 11,055 URL instances, each labeled as either phishing (-1) or legitimate (1). Each instance is represented by 30 pre-extracted numerical features, designed to capture various characteristics indicative of a URL's legitimacy, plus the target label column ('Result'). An initial inspection confirmed the dataset was complete with no missing value.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eB. Feature Set\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eThe detection models were trained using the 30 features provided in the dataset [\u003cspan class=\"CitationRef\"\u003e4\u003c/span\u003e]. These features capture a diverse range of URL characteristics potentially indicative of phishing activity and are encoded numerically, primarily using values of -1 (suspicious), 0 (neutral/intermediate), and 1 (legitimate). The implementation logic for extracting these features from raw URLs is contained within a dedicated Python script (extract_script_py.py) developed as part of this project's broader scope. These features can be categorized as:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003eLexical Features\u003c/strong\u003e: Attributes derived directly from the URL string, such as the presence of an IP address, URL length categorization, use of shortening services, presence of special characters ('@', '//', '-'), subdomain complexity (dot count), and inclusion of 'http'/'https' tokens within the domain/path.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003eHost-Based Features\u003c/strong\u003e: Information related to the domain's registration and hosting environment, including domain registration duration, domain age, SSL certificate validity status, DNS record existence, and abnormalities detected via WHOIS lookups.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003eContent-Based \u0026amp; External Features\u003c/strong\u003e: Characteristics derived from analyzing basic webpage content or querying external services, such as the ratio of external links (anchors, images), usage of specific HTML tags (iframes, forms submitting to email, scripts), port status, redirect counts, website traffic rank, PageRank proxies (Domain Authority), Google indexing status, and checks against statistical lists of known phishing domains/IPs.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThis comprehensive feature set aims to provide the models with sufficient information to distinguish between phishing and legitimate URLs based on established indicators.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eC. Experimental Setup\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eThe dataset was randomly partitioned into a training set (80%, 8844 samples) and a testing set (20%, 2211 samples) using Scikit-learn's train_test_split function [\u003cspan class=\"CitationRef\"\u003e5\u003c/span\u003e] with a fixed random_state\u0026thinsp;=\u0026thinsp;12 to ensure reproducibility. Due to the nature of the features (encoded as -1, 0, 1), explicit feature scaling was deemed unnecessary and not applied. For compatibility with the XGBoost classifier, the target variable ('Result') was transformed from {-1, 1} to {0, 1}, where 0 represents Phishing and 1 represents Legitimate, for both training and testing sets.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eD. Machine Learning Models\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eFive distinct machine learning classifiers were implemented and trained on the preprocessed training data:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003eDecision Tree (DT)\u003c/strong\u003e: Implemented using sklearn.tree.DecisionTreeClassifier with max_depth\u0026thinsp;=\u0026thinsp;5 to prevent overfitting.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003eRandom Forest (RF)\u003c/strong\u003e: An ensemble model using sklearn.ensemble.RandomForestClassifier also with max_depth\u0026thinsp;=\u0026thinsp;5 for the base trees.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003eSupport Vector Machine (SVM)\u003c/strong\u003e: Implemented using sklearn.svm.SVC with a kernel='poly' and default regularization (C\u0026thinsp;=\u0026thinsp;1.0).\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003eXGBoost (XGB)\u003c/strong\u003e: Implemented using the xgboost.XGBClassifier library. Hyperparameter tuning was performed (Section III-E), with the final model using parameters optimized for performance (e.g., learning_rate\u0026thinsp;=\u0026thinsp;0.4, max_depth\u0026thinsp;=\u0026thinsp;7).\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003eStacking Classifier\u003c/strong\u003e: A multi-layer ensemble implemented with sklearn.ensemble.StackingClassifier, using RF, KNN, and DT as first-layer estimators, and another DT/RF stack followed by Logistic Regression as the final meta-learner.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAll models were trained on the X_train, y_train data [\u003cspan class=\"CitationRef\"\u003e5\u003c/span\u003e] [\u003cspan class=\"CitationRef\"\u003e6\u003c/span\u003e].\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eE. Evaluation Metrics\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eModel performance was evaluated on the unseen test set using the following standard classification metrics from Scikit-learn [\u003cspan class=\"CitationRef\"\u003e5\u003c/span\u003e]:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eAccuracy\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePrecision\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eRecall (Sensitivity)\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eF1-Score\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eArea Under the ROC Curve (ROC AUC)\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eConfusion Matrix (analyzing TP, TN, FP, FN)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThese metrics provide a comprehensive view of each model's effectiveness in correctly identifying both phishing and legitimate URLs.\u003c/p\u003e"},{"header":"III. SYSTEM ARCHITECTURE \u0026 IMPLEMENTATION OVERVIEW","content":"\u003cp\u003eThis section describes the overall architecture designed for the phishing URL detection system and provides an overview of the implementation details, including the tools used and the integration of different components.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eA.\u003c/strong\u003e\u0026nbsp;\u003cstrong\u003eSystem Architecture\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eThe system architecture integrates offline model training and evaluation with an online prediction pipeline for classifying new URLs. The core components and data flow are depicted in Fig. 3.\u003c/p\u003e\n\u003cp\u003eThe architecture comprises:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\n\u003cp\u003eData Preparation: Sourcing and preprocessing the dataset [\u003cspan class=\"CitationRef\"\u003e4\u003c/span\u003e] (as described in Section II-A, II-C).\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eModel Training \u0026amp; Evaluation: Training multiple ML models (DT, RF, SVM, XGB, Stacking) in parallel on the training data and evaluating them on the test data using defined metrics (Section II-D, II-E).\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eModel Selection \u0026amp; Persistence: Selecting the best model (XGBoost based on evaluation) and saving the trained model object using pickle for deployment.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003eFeature Extraction Module: A dedicated module (extract_script_py.py) responsible for taking a raw URL input and generating the required 30-feature vector by executing various lexical, host-based, content-based, and external checks (detailed in Section II-B).\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePrediction Engine: Loads the persisted XGBoost [\u003cspan class=\"CitationRef\"\u003e6\u003c/span\u003e] model and uses it to classify the feature vector generated by the extraction module, outputting a 'Phishing' or 'Legitimate' prediction.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eUser Interface (Web/Extension): A simple web UI developed to allow users to input a URL and initiate the detection process [\u003cspan class=\"CitationRef\"\u003e8\u003c/span\u003e].\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ol\u003e"},{"header":"IV. RESULTS AND DISCUSSION","content":"\u003cp\u003eThis section presents the empirical results obtained from evaluating the five machine learning models on the test dataset. The performance of each model is compared, the best-performing model is analyzed in detail, and the overall findings are discussed.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eA. Model Performance Comparison\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eThe performance of the Decision Tree (DT), Random Forest (RF), Support Vector Machine (SVM), XGBoost (XGB), and Stacking Classifier models were evaluated on the held-out test set using the metrics defined in Section II-E. Figure\u0026nbsp;2 summarizes the key performance results.\u003c/p\u003e\n\u003cp\u003eAs shown in Table II, the XGBoost classifier [\u003cspan class=\"CitationRef\"\u003e6\u003c/span\u003e] significantly outperformed the other models across all major metrics, achieving the highest Test Accuracy, Precision, Recall, F1 Score, and ROC AUC. The Stacking Classifier and SVM also demonstrated strong performance, surpassing the Decision Tree and Random Forest models implemented with limited depth.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eB. ROC Curve Analysis\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eThe Receiver Operating Characteristic (ROC) curves provide a visual comparison of the models' ability to distinguish between phishing and legitimate URLs across different thresholds. Figure\u0026nbsp;\u003cspan class=\"InternalRef\"\u003e4\u003c/span\u003e displays the ROC curves for all five models plotted [\u003cspan class=\"CitationRef\"\u003e9\u003c/span\u003e] against a baseline random classifier (TPR\u0026thinsp;=\u0026thinsp;FPR).\u003c/p\u003e\n\u003cp\u003eThe ROC curve analysis visually confirms the quantitative results presented in Fig.\u0026nbsp;2. The XGBoost curve is positioned closest to the top-left corner, indicating superior performance with high True Positive Rates (Recall) and low False Positive Rates across various thresholds. The Stacking Classifier and SVM curves are also significantly above the baseline and the curves for the simpler Decision Tree and Random Forest models, demonstrating strong discriminative power. The area under the curve (AUC) values numerically summarize this, with XGBoost [\u003cspan class=\"CitationRef\"\u003e6\u003c/span\u003e] achieving the highest AUC of 0.9730.\u003c/p\u003e\n\u003cp\u003e\u0026nbsp;C.\u0026nbsp;\u003cstrong\u003eConfusion matrix for the XGBoost model\u003c/strong\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003eTrue Negatives (TN)\u003c/strong\u003e:\u003cbr /\u003e966 (Correctly identified phishing URLs)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003eFalse Positives (FP)\u003c/strong\u003e:\u003cbr /\u003e35 (Legitimate URLs incorrectly flagged as phishing)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003eFalse Negatives (FN)\u003c/strong\u003e:\u003cbr /\u003e23 (Phishing URLs incorrectly identified as legitimate)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003cstrong\u003eTrue Positives (TP)\u003c/strong\u003e:\u003cbr /\u003e1187 (Correctly identified legitimate URLs)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eD. Feature Importance\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eWhile detailed feature importance analysis varies slightly between models, examination of the importance scores generated by tree-based models like XGBoost consistently highlighted the significance of certain feature categories. Features related to SSL certificate status (SSLfinal_State), domain characteristics (age_of_domain, Domain_registeration_length), link structures within the page (URL_of_Anchor, Links_in_tags), and external reputation metrics (web_traffic, Page_Rank) frequently appeared among the most influential predictors. This suggests that a combination of security indicators, domain trustworthiness signals, page structure analysis, and external reputation is key to effective detection.\u003c/p\u003e"},{"header":"V.\tCONCLUSION AND FUTURE WORK","content":"\u003cp\u003eThis research successfully developed and evaluated a machine learning system for detecting phishing URLs, demonstrating the high efficacy of modern algorithms combined with comprehensive feature engineering for this critical cybersecurity task. Through a comparative analysis of five distinct classifiers trained on a dataset of over 11,000 URLs characterized by 30 diverse features, the XGBoost [\u003cspan citationid=\"CR6\" class=\"CitationRef\"\u003e6\u003c/span\u003e] model was identified as the most effective, achieving approximately 97.4% accuracy on the test set. This result, along with the strong performance of the Stacking Classifier and SVM, underscores the potential of machine learning to significantly enhance phishing detection capabilities beyond traditional methods. The project also involved the practical implementation of a feature extraction module and a prototype system, validating the feasibility of the approach.\u003c/p\u003e \u003cp\u003eThe main contributions include a quantitative performance benchmark for contemporary ML models on this task and dataset, validation of XGBoost's high accuracy, and the development of a proof-of-concept system. However, the study acknowledges limitations related to dataset representativeness and, critically, the potential unreliability and latency associated with extracting certain features dependent on external APIs and web scraping in real-time, high-volume scenarios.\u003c/p\u003e \u003cp\u003eFuture work should focus on several key areas to build upon these findings and address the limitations. Firstly, enhancing model robustness and performance could involve exploring different algorithms (e.g., LightGBM, deep learning sequence models like LSTMs), conducting more extensive hyperparameter tuning, and incorporating techniques to handle potential class imbalance in real-world data. Secondly, significant effort is required in improving feature engineering, focusing on identifying a core subset of reliable, low-latency features, investigating dynamic analysis techniques, enhancing content analysis (NLP, visual similarity), and potentially replacing less stable free feature sources with commercial data feeds or more resilient scraping methods coupled with effective caching. Thirdly, expanding and continuously updating the dataset with more diverse and recent phishing examples is crucial for maintaining model relevance and improving generalization against zero-day attacks. Finally, advancing the system implementation towards a production-ready state necessitates deploying the model as a robust API, significantly improving the UI/UX with better explainability and feedback mechanisms, developing practical integrations like browser extensions, and potentially implementing adaptive learning loops for ongoing model refinement based on new data and user feedback. Addressing the reliability of feature extraction remains a paramount challenge for transitioning such research into highly dependable, real-world security tools.\u003c/p\u003e"},{"header":"References","content":"\u003col\u003e\u003cli\u003e\u003cspan\u003eFilippi P et al (Oct. 2019) An approach to forecast grain crop yield using multi-layered, multi-farm data sets and machine learning. Precis Agric 20(5):1015\u0026ndash;1029. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1007/s11119-018-09628-4\u003c/span\u003e\u003cspan address=\"10.1007/s11119-018-09628-4\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eDhanapal R, Ajanraj A, Balavinayagapragathish S, Balaji J (1916) Crop price prediction using supervised machine learning algorithms, J. Phys. Conf. Ser., vol. no. 1, p. 012042, Jun. 2021. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1088/1742-6596/1916/1/012042\u003c/span\u003e\u003cspan address=\"10.1088/1742-6596/1916/1/012042\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eIzzo Z, Smart MA, Chaudhuri K, Zou JY (2021) Approximate Data Deletion from Machine Learning Models, in Proceedings of the 24th International Conference on Artificial Intelligence and Statistics (AISTATS), vol. 130, pp. 1\u0026ndash;9. [Online].Available: \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttp://proceedings.mlr.press/v130/izzo21a.html\u003c/span\u003e\u003cspan address=\"http://proceedings.mlr.press/v130/izzo21a.html\" targettype=\"URL\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003ePhishing Website Dataset Kaggle. Accessed: Nov. 15, 2024. [Online].Available: [\u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://docs.google.com/spreadsheets/d/1yAeNDJlba4cGQSZ1xvv6hKxO3-UQ8np8Kqt3SfH1LPk/edit?usp=sharing\u003c/span\u003e\u003cspan address=\"https://docs.google.com/spreadsheets/d/1yAeNDJlba4cGQSZ1xvv6hKxO3-UQ8np8Kqt3SfH1LPk/edit?usp=sharing\" targettype=\"URL\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e]\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eScikit-learn, Developers Scikit-learn: Machine Learning in Python, Version [Insert Version Used, e.g., 1.2.2]. Accessed: Dec. 05, 2024. [Online]. Available: \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://scikit-learn.org/stable/\u003c/span\u003e\u003cspan address=\"https://scikit-learn.org/stable/\" targettype=\"URL\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eXGBoost C XGBoost Documentation, Release [Insert Version Used, e.g., 1.7.0]. Accessed: Dec. 10, 2024. [Online]. Available: \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://xgboost.readthedocs.io/\u003c/span\u003e\u003cspan address=\"https://xgboost.readthedocs.io/\" targettype=\"URL\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eKeras Team, Keras Documentation Accessed: Jan. 20, 2025. [Online]. Available: https://keras.io\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eGradio Team, Gradio Build \u0026amp; Share Delightful Machine Learning Apps. Accessed: Feb. 01, 2025. [Online]. Available: \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://www.gradio.app/\u003c/span\u003e\u003cspan address=\"https://www.gradio.app/\" targettype=\"URL\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eMatplotlib Development Team Matplotlib: Visualization with Python, Version [Insert Version Used, e.g., 3.7.1]. Accessed: Nov. 20, 2024. [Online]. Available: \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://matplotlib.org/\u003c/span\u003e\u003cspan address=\"https://matplotlib.org/\" targettype=\"URL\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eWaskom ML (Apr. 2021) Seaborn: statistical data visualization. J Open Source Softw 6(60):3021. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.21105/joss.03021\u003c/span\u003e\u003cspan address=\"10.21105/joss.03021\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e\u003c/ol\u003e"}],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":true,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":true,"hideJournal":true,"highlight":"","institution":"Sri Lanka Institute of Information Technology","isAcceptedByJournal":false,"isAuthorSuppliedPdf":false,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":false,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"
[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true},"keywords":"Phishing Detection, URL Analysis, Machine Learning, Cybersecurity, XGBoost, Random Forest, SVM, Stacking Classifier, Feature Engineering, Feature Extraction, Classification, Malicious URL Detection, Network Security, Scikit-learn, Python","lastPublishedDoi":"10.21203/rs.3.rs-6439154/v1","lastPublishedDoiUrl":"https://doi.org/10.21203/rs.3.rs-6439154/v1","license":{"name":"CC BY 4.0","url":"https://creativecommons.org/licenses/by/4.0/"},"manuscriptAbstract":"\u003cp\u003ePhishing attacks pose a significant and ongoing cybersecurity threat, necessitating effective countermeasures. The challenge lies in accurately and automatically detecting malicious URLs, as traditional methods often fall short against evolving attacker techniques. This research addresses the need for improved detection by evaluating machine learning approaches applied to URL analysis. A dataset of labeled phishing and legitimate URLs, characterized by 30 distinct features encompassing lexical, host-based, and content-related attributes, formed the basis of this study. Five machine learning models were trained and comparatively evaluated: Decision Tree (DT), Random Forest (RF), Support Vector Machine (SVM), XGBoost (XGB), and a Stacking Classifier ensemble. Performance analysis revealed that the XGBoost classifier achieved the highest accuracy, correctly classifying approximately 97.4% of URLs in the test set. This study demonstrates the effectiveness of machine learning, particularly XGBoost, for high-accuracy phishing URL detection using comprehensive feature sets and contributes a functional prototype system demonstrating the approach.\u003c/p\u003e \u003cp\u003e \u003c/p\u003e","manuscriptTitle":"A Comparative Analysis of Machine Learning Models for URL-Based Phishing Detection","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2025-04-15 02:36:13","doi":"10.21203/rs.3.rs-6439154/v1","editorialEvents":[{"type":"communityComments","content":0}],"status":"published","journal":{"display":true,"email":"
[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true}}],"origin":"","ownerIdentity":"0547b26e-eead-48e2-9ea4-b11fc46d09c7","owner":[],"postedDate":"April 15th, 2025","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"posted","subjectAreas":[{"id":47085488,"name":"Artificial Intelligence and Machine Learning"}],"tags":[],"updatedAt":"2025-04-15T02:36:13+00:00","versionOfRecord":[],"versionCreatedAt":"2025-04-15 02:36:13","video":"","vorDoi":"","vorDoiUrl":"","workflowStages":[]},"version":"v1","identity":"rs-6439154","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-6439154","identity":"rs-6439154","version":["v1"]},"buildId":"8U1c8b4HqxoKbykW_rLl7","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}
Text is read by the "Ask this paper" AI Q&A widget below.
Extraction quality varies by source — PMC NXML preserves structure
cleanly, OA-HTML may include some navigation residue, and OA-PDF can
have broken hyphenation. The publisher copy
(via DOI)
is the canonical version.