An integrated model based on deep learning classifiers and pre-trained transformer for phishing URL detection

Abstract

The unique nature of website URLs has made phishing detection a challenging task. Unlike natural language, URLs have an unstructured nature with non-linear and sophisticated correlations. Therefore, they should be handled as both natural language and unstructured data sequences. However, the current solutions for phishing URL detection only focused on a single aspect of web page URLs. In this concern, this paper proposes an integrated model based on DL classifiers and pre-trained transformer to examine both the unique nature and the natural language structure of URL sequences simultaneously. The proposed model consists of three modules: RasNet (Keras-ResNet), TCMA (TCN-MHSA), and MPNet (Masked and Permuted Pre-training for Language Understanding). Considering the unique nature of the input data, RasNet combines two Keras embedding techniques to obtain the feature representations of URLs and then fuses them using a Residual Network (ResNet) to balance the weight distribution among the character-level and word-level information. Additionally, TCMA integrates the Temporal Convolutional Network (TCN) with the Multi-Head Self-Attention (MHSA) mechanism to optimize feature extraction and improve classification accuracy. Concurrently, MPNet joins the advantages and eliminates the drawbacks of Masked Language Modelling and Permuted Language Modelling to examine the nature language structure of web page URLs. The proposed model was trained and tested on four different datasets, including Ebbu2017, PhishCrawl, 420K-PD, and 1M-PD. The experimental results indicated that the proposed solution outperformed other models in classifying malicious URLs with the highest detection rate of 99.71% on the 1M-PD dataset, improving the performance accuracy of the state-of-the-art approaches by 1.37% to 2.01%.