1. Introduction
Blocklist-based phishing defences lag newly registered malicious domains by hours to days, during which users remain exposed, motivating detection approaches that assess a URL structural and registration characteristics without needing to fetch page content.
2. Methodology
A dataset of 180,000 URLs, balanced between confirmed phishing and legitimate sources, was processed to extract 27 lexical features including domain length, entropy, presence of IP-literal hosts, and character n-gram statistics, combined with WHOIS-derived domain-age and registrar-reputation features, and used to train a random forest classifier with 300 trees.
3. Results
The classifier achieved 97.4 percent accuracy and an F1-score of 0.973 on a held-out test set, with a false positive rate of 1.1 percent, and domain age together with URL entropy ranked as the two most important features by mean decrease in impurity. Average per-URL inference time was under 5 milliseconds on commodity hardware.
4. Conclusion
Lexical and registration-based features enable fast, content-independent phishing detection suitable for real-time browser protection. Future work will evaluate robustness against adversarially crafted URLs designed to mimic benign lexical statistics.
References
[1] Sahoo D. et al., Malicious URL detection using machine learning: A survey, arXiv, 2017. [2] Mohammad R. M. et al., Predicting phishing websites based on self-structuring neural network, Neural Computing and Applications, 2014.