1. Introduction

2. Literature Review

2.2. Machine Learning-Based Detection

In the last couple of decades, machine learning has been vigorously applied for phishing detection through different models and methods for various purposes [32,33,34]. For instance, Wang [35] proposed ensemble classifiers for email filtering that eliminated five algorithms: Support Vector Machines, K-Nearest Neighbor, Gaussian Naive Bayes, Bernoulli Naive Bayes, and Random Forest Classifier. Finally, random forest enhanced its accuracy from 94.09 percent to 98.02 percent.

Table 1. The literature review summary compares phishing detection studies utilizing machine and deep learning techniques.

Table 1. The literature review summary compares phishing detection studies utilizing machine and deep learning techniques.

Category	Ref.	Method	Datasets	Findings	Limitations and future gaps
Phishing detection	[36]	Character embedding CNN and RF to classify phishing websites based on multi-level features.	PhishTank (47,210) and Alex (83,857)	95.49% on dataset D2	Reliance on URL features only and limited to character-level features.
	[29]	PNN and K-medoids clustering are combined and trained on pre-classified websites and relevant features.	11,055 phishing and benign websites	87% using address bar-related features	The potential impact of the Gaussian smoothing parameter on performance and the limited effectiveness of HTML- and JavaScript-based features.
	[37]	Two-level filtering mechanism using lightweight visual similarity and heuristic filtering to detect phishing	PhishTank and Google, 100 search results	Matthew′s correlation coefficient is 97%	Inability to detect variations of blacklisted sites and the generation of false negatives when encountering out-of-list legitimate sites.
ML-based detection	[38]	Rule-based system that extracts hidden knowledge to detect phishing attacks.	Dataset3 (103 phishing and 73 legitimate)	Average accuracy 90.51% with SVM and 1.35% error rate	Reliance on webpage content for feature sets, which may not account for attackers redesigning phishing webpages
	[24]	Whitelists and blacklists for classifying legitimate and phishing web pages.	Ebbu2017 contains 73,575 URLs	Accuracy rate of 10.86% with DT	Limited dataset size (1400 items) and the high acceptance for noisy data.
	[25]	Detects phishing sites using client-side, URL-based features, independent of third-party services, and fast computation.	Common-crawl, Alexa database, PhishTank, total samples: 85,409	CatchPhish accuracy is 94.26% with Random Forest	Model misclassified some phishing sites hosted on free or compromised hosting servers.
DL-based detection	[39]	Mapas detects malware using API call graph patterns with a CNN model.	9,000 malicious apps, 9,000 benign from Google Play	Accuracy 91.27% with CNN	Excludes obfuscated apps that cannot extract API call graphs with flow-droid.
	[21]	Uses RNN to extract global features and CNN for local features from URLs for phishing detection.	Alexa and PhishTank, 500,000 sample	Accuracy 93.48% (RNN) 95.03% (CNN)	Training time was too long, and unable to classify URLs if it′s not semantics.
	[19]	Utilizes a CNN-LSTM with feature extraction for phishing detection.	PhishTank and dmoztools.net (989,021 URLs)	Accuracy is 94.41%	Not supported to webpage code and webpage text detection.

Rahman et al. [40] utilized six machine learning classifiers (KNN, DT, SVM, RF, ERT, and GBT). They applied three publicly accessible datasets with multidimensional attributes that could also be used to detect phishing attacks in several anti-phishing systems due to a lack of proper selection of machine learning classifiers. To quantify the classifier performance, use the confusion matrix, precision, recall, F1-score, accuracy, and misclassification rate. It finds greater performance than Random Forest and Exceptionally Randomized Tree, which achieved 97% and 98% accuracy rates for detecting phishing URLs, respectively. Gradient Boosting Tree performs best for the multiclass feature set, with 92% accuracy.

Mogimi et al. [38] proposed a phishing detector that exhibits a lack of symmetry in its approach. The support vector machine (SVM) method is initially employed to train a phishing detection model, followed by the decision tree (DT) approach to uncover concealed phishing. Although the suggested method achieves high true positive rates (0.99) and low false negative rates (0.001) in a large dataset, it operates under the assumption that phishing web pages exclusively utilize innocuous page content. This assumption lacks symmetry with real-world scenarios, where phishing pages may employ deceptive elements. Rao et al. [25] recently presented CatchPhish, a lightweight program that predicts URL validity without examining the website′s content. The suggested framework uses the random forest classifier to retrieve the suspicious URL′s hand-crafted and Term Frequency-Inverse Document Frequency (TF-IDF) characteristics.

3. AntiPhishStack Proposed Model

Figure 1. AntiPhishStack: proposed LSTM-based stock generalization model′s flow.

Figure 1. AntiPhishStack: proposed LSTM-based stock generalization model′s flow.

Table 2. Notations and their meanings.

3.2. Feature Distribution

Features and the capacity to use these features must be examined prior to examining the features selection section [47]. There are four major features and a total of 30 sub-features. Based on the details, each characteristic provides information on whether the website is phishing, legitimate, or suspect. This section contains the plans for highlighting the characteristics.

3.2.1. URL Features

Uniform Resource Locator (URL) provides the location of online resources such as pictures, files, hypertext, video, etc. In general, attackers attempt to build phishing URLs that look to users as reputable websites. Attackers use URL jamming tactics to mislead users into disclosing personal information that can be exploited against them. This research aims to detect phishing websites quickly, utilizing lightweight characteristics, i.e., weight factor URL token system, inspired by [48]. For example, the segmentation of URL (Figure 2) provides the different tokens and their final weight $W_i$ for $i$-th distinct words can be calculated as:

$$W_i=\frac{h_i}{n}{\displaystyle \sum }_{x=1}^S\frac{N_x}{x^2}$$

(1)

where, $h_i$ indicates the length of $i$-th distinct word, $S$ denotes the total steps available for tokens, $n$ shows the number of URLs from webpages, $N_x$ total number of $i$-th word occurrences in step $S$ with respect $x$ level.

Calculating this weight delivers the weight value of each URL assigned to neural network gates for phishing prediction. This is accomplished by extracting only characteristics from the URL rather than accessing the website′s content. Figure 2 shows an example of URL characteristics for the weight.

Figure 2. Tokenization of URL characteristics and components for the weight calculation.

Figure 2. Tokenization of URL characteristics and components for the weight calculation.

The first component of the URL is a protocol (https, http, ftp, etc.), which is a set of rules that regulates how data is transported from data transmission. The second component is the location of the host IP address or resource. The hostname is separated into two parts: major domains and top-level domains (TLD). The URL′s hostname is comprised of the principal domain and the TLD. The hostname is followed by a port number, which is optional. The third component uses the path to identify the specific resource inside the domain accessed by a user. An optional field, such as inquiry, follows the path. The protocol, hostname, and URL path are appended to the base URL. The combination of the second domain and top-level domain names, known as the host domain, makes the URL unique. As a result, cybersecurity firms are working hard to identify the fraudster websites used for phishing offenses by name. If a hostname is designated as phishing, an IP address can be banned to prevent it from accessing the web pages included within it.

It has the following sub-features, according to the dataset:

• IP Address: If an IP address is used instead of a domain name in the URL of a phishing website, the client may virtually be certain that someone is attempting to steal his credentials. From this dataset, 570 URLs with an IP address were discovered, accounting for 22.8 percent of the dataset, and a rule IP address is in URL that is termed Phishing; otherwise, it is Legitimate was suggested.
• Operate the @ Symbol: Web browsers usually ignore the section preceded by the @ sign. Because it is maintained separately from real-world addresses, finding 90 URLs with the ′@′ sign will provide just 3.6 percent of the total, according to the dataset.
• Operate the "//" symbol: As valid URLs, the "//" sign is used after HTTP or HTTPS. If the URL changes after the initial protocol declaration, it is called a phishing URL. The "//" sign is used to redirect to other websites.
• Domain name prefixes and suffixes separated by the "-" sign: A URL with the "-" sign in its domain name is a phishing URL. In general, verified URLs do not include the "-" sign.
• Use the "." sign in the domain: Use the "." sign in the domain. Adding a sub-domain with the domain name must include the dot. Consider it suspect if you drop out more than one subdomain, and anything greater than that will indicate phishing.
• HTTPS (secure socket layer): The majority of legal sites use the HTTPS protocol. Therefore, the age of the certificate is quite important when utilizing HTTPS. This necessitates the use of a trustworthy certificate.
• Favicon: A favicon might redirect clients to dubious sites when layered from outside space. It is mainly used on websites and is a graphic picture.

3.2.2. Character Level Features

Term Frequency-Inverse Document Frequency is abbreviated as TF-IDF. The TF-IDF score indicates a term′s relative significance in the document and throughout the whole corpus. The TF-IDF score is made up of two terms: the first computes the normalized Term Frequency (TF), and the second computes the Inverse Document Frequency (IDF), which is calculated as the logarithm of the number of documents in the corpus divided by the number of documents in which the specific term appears [49,50].

$$TF \left(t,d\right)=\frac{Number of times term t appears in a document d}{Total number of terms in the document }$$

(2)

$$IDF\left(t,D\right)=lo{g}_e\left(\frac{Total number of documents D}{Number of documents with term t in it}\right)$$

(3)

$$TF-IDF\left(t,d,D\right)=TF\left(t,d\right)\ast IDF\left(t,D\right)$$

(4)

TF-IDF Vectors may be produced at many levels of input tokens (words, characters, n-grams):

• Word level TF-IDF: A matrix indicating the TF-IDF scores of each term in distinct texts.
• Character level TF-IDF: A matrix indicating the TF-IDF scores of character-level n-grams in the corpus.
• N-gram level TF-IDF: N-grams are the collection of N terms. This matrix indicates the TF-IDF scores of N-grams.

It should be mentioned that TF-IDF has been used in numerous studies to identify website phishing by examining URLs [25] to get indirectly related connections, target websites, and the validity of suspicious websites [49]. TF-IDF retrieves prominent keywords from the textual content. However, it has certain limitations. One of the limitations is that the approach fails when extracting misspelled terms. Because the URL might contain nonsensical words, it used a character-level TF-IDF method with a maximum feature count of 5000.

Furthermore, we have measured the URL strings as character sequences by employing the idea from the literature [51]. This idea provides the advantage that the proposed model can train the URL character sequences as natural features that do not need prior feature knowledge to be learned by our proposed model. Our proposed AntiPhishStack model uses the stack generalization model to extract the local URL features from the URL character sequences, and finally, the URL will be classified by designing a meta classifier for final prediction.

3.3. Stack Generalization Model

The stack generalization model is divided into 2 phases, as illustrated in the flow model (Figure 1).

3.3.1. Phase I

Based on the characteristics mentioned above, existing machine learning models are utilized directly to distinguish phishing and legitimate web pages. This paper proposes a stacking model (illustrated in Figure 3) for this purpose by merging various machine learning models, including support vector machine (SVM), naïve Bayes (NB), decision tree (DT), logistic regression (LR), K-nearest neighbors (KNN), sequential minimal optimization (SMO), and XGBoost.

The training set is split into $Z$ copies, with $Z-1$ copies utilized for training and one copy used for testing. The training process will not be terminated until each basic model has predicted the samples. This suggested system employed k-fold cross-validation to avoid overfitting for this training set and each fold of the train part that might be predicted using out-of-fold.

This suggested model uses a value of three to ten for k-fold cross-validation; after all, it delivers output using a test set. Following the temporary prediction (TP) acquisition, the mean prediction is obtained, which is strengthened by the test dataset validation. This time, it is comprehensive, with a fold approach required for estimating all figures on all folds utilized.

3.3.2. Phase II

The train segment is put to a two-layer neural network architecture of LSTM once the features from the training dataset have been loaded. Because there are dependencies on immediately preceding entries in sequential phishing webpage data, LSTM is better suited to simulate phishing detection in this investigation. Meanwhile, it is explicitly designed to avoid the long-term dependency problem by storing the feature information in its memory cell. It can remove or add information to these call states and is regulated by structures called gates. These gates and corresponding operations/functions are presented in [52], while Phase II of the integrated stack generalized model is illustrated in Figure 4.

In the first gate (Forget gate), the information from the current input $x_t$ and the previous hidden state $h_t$ is passed through the sigmoid activation function. If the output value of the feature is closer to 0, it means forget, and closer to 1 means to retain. The second gate, the input gate, decides what relevant feature (phishing or benign) can be added from the current step. The third gate, the control gate, decides which values will be updated (either 0 or 1), for which a $tanh$ layer creates a vector of ${\hat{\mathrm{C}}}_{\mathrm{t}}$. The last gate, the output gate, determines the value of the next hidden state [53].

At time $t$, the LSTM cell′s components are modified as follows:

• Forgotten information from the cell state, determined by the Sigmoid layer of the Forgotten Gate, with the current layer′s input $x_t$ and the previous layer′s output $h_t-1$ as input, and the cell state output at time $t-1$ is Eq. (5),

  $$f_t=\left(W_f.\left[h_{t-1},x_t\right]+b_f\right)$$

  (5)
• Save information in the cell state, which consists mostly of three parts:

• The Sigmoid layer′s results are $i_t$ entering the gate as information to be updated;
• The $tanh$ layer′s freshly generated vector $C_t$ is being added to the cell state. The previous cell state $C_{t-1}$ is multiplied by $f_t$ to forget the information and the new party information $i_{t }{\ast \hat{\mathrm{C}}}_{\mathrm{t}}$ is totaled to create a cell state update.

  $$i_t=\left(W_i.\left[h_{t-1},x_t\right]+b_i\right)$$

  (6)

  $$\widehat{C_t}=\tan h\left(W_c.\left[h_{t-1},x_t\right]+b_c\right)$$

  (7)

  $$C_t=f_t\ast C_{t-1}+i_t\ast {\hat{\mathrm{C}}}_t$$

  (8)
• The output gate decides the output data. To process the cell state, first, the Sigmoid layer is used to identify which part of the information should be produced, and then use $tanh$ to process the cell state. The output value is the product of the two elements of the information.

  $$o_t=\left(W_o\left[h_{t-1},x_t\right]+b_o\right)$$

  (9)

  $$h_t=o_t\ast \tan h\left(C_t\right)$$

  (10)

The sigmoid function is one of them; $h_{t-1}$ represents the hidden state of the $t-1$ instant; $bb$ represents the bias of each gate; $i_t,f_t, o_t$ and $C_t$ are the input gate, forget gate, output gate, and unit status, respectively. For the connection, $W_f, W_i$ and $W_o$ are represented as a weight matrix. The three gates of LSTM cells govern the flow of information and hence define the cell′s state. The gradient vanishing problem may be efficiently handled with LSTM.

Figure 4. Phase II of the proposed stack generalization model.

Figure 4. Phase II of the proposed stack generalization model.

The suggested model, in this instance, comprises two LSTM layers. The first LSTM layer outputs a sequence as one input above the LSTM layer. As explained previously, the internal design of both LSTM layers is the same. It also tried the LSTM cell rather than another GRU cell since the network with the LSTM cell outperformed the network with the GRU cell. This study constructs an LSTM network with a hidden vector of 128 elements. After the first LSTM layer, a dropout layer is added. Dropout is designed to reduce overfitting and enhance the model′s generalization [54]. The LSTM′s last layer generates a vector hi, which is supplied as the input to a fully linked multilayer network. Each layer has an activation function. The rectified linear unit (ReLU) activation function is used for each layer, and the exponential activation function is used for the output layer. Because the data set is binary, a nonlinear activation function is used to solve the binary classification issue. For hidden layers of neurons, the ReLU function was employed, while for the output layer of neurons, the sigmoid function was used.

After the training process, the parameters are changed or tweaked to assess the wrong predictions and ensure the predictions are correct as possible with optimization. Optimizer mold and design the model for the most accurate and possible prediction with the parameters (or weight). The value that the weights are updated in the training process is called the learning rate, a configurable hyperparameter to train deep neural networks with a small value within the 0.0 – 1.0 range. However, the learning rate varies due to overfitting [52]; thus, our model can predict accurately with the given dataset. Still, it is not appropriate for new or real-world data. We used the regularization technique to overcome the overfitting errors by fitting the functions appropriately on the training sets. It helps to attain optimal optimization solutions. These optimizers modify the neural network′s attributes, i.e., weights and learning rates, to improve the accuracy.

Thus, we have utilized the following five adaptive optimizers to generalize the LSTM networks to overcome the overall loss and improve the accuracy. The selection of these optimizers is also given below:

• AdaDelta: This optimizer is based on the learning rate per dimension to address instead of the learning rate by parameter. It can solve the continual decay of learning rates by training and based on manually selected learning rates.
• Adam: It utilizes the prediction of the first and second moments to adapt the learning rate for the neural networks. It uses the momentum concept for adding a part of previous gradients to the current one. It is a faster optimizer and requires fewer parameters for tuning.
• RMSprop: Root means square propagation optimizer avoids the oscillations in the vertical direction and can increase the learning rate with feasible steps in the horizontal direction.
• AdaGard: It deals explicitly with individual features for different learning rates for different weights of sparse datasets to get a high learning rate. It can avoid the manual tuning of the learning rate for individual features.

SGD (Stochastic Gradient Descent): Gradient descent optimizer has a drawback for large datasets. A variant of gradient descent, SGD, is generalized to make neural networks learn faster on the large-scale dataset.

These optimizers are implemented based on the packages and function calls in the Pytorch framework. For instance, we utilized $torch.optim.x$, where $x$ indicates the name of the optimizer, i.e., Adam or SGD, etc. The model will then be compiled using these adaptive optimizers. The model is trained to avoid overfitting by utilizing several epochs and early stopping strategies. By assessing the model using the test set, the output is now accessible. The stack generalization technique was used in the dataset after the strategy was implemented.

4. Experiments

• For Positive Precision   $P=\frac{TP}{TP+FP}$
• For Negative Precision  $N=\frac{TN}{TN+FN}$
• For Positive Recall   $PR=\frac{TP}{TP+FN}$
• For Negative Recall   $NR=\frac{TN}{TN+FP}$

5. Results & Evaluations

5.1. Feature Evaluation with Classifiers

This experiment evaluates both feature sets (URLF and CLF) from DS1 and DS2 by applying different machine learning classifiers. The fundamental goal of this experiment is to determine the best classifiers for both features in phase 1. The future evaluations of these classifiers are given in Figure 5 and Table 3. Imbalanced classes exist in real-time datasets, which creates the problem of classification. To tackle this problem, F-Measure is utilized due to the crucial values of false negatives and false positives. We refrained from using oversampling techniques such as the Synthetic Minority Over-sampling Technique (SMOTE) due to the potential risk of overfitting.

Figure 5 reveals a sense of symmetry, showcasing that SVM and NB exhibit maximum AUC, accuracy, precision, recall, and F-measure in DS1. These results show that SVM maintains an average accuracy of 91.1% and an 88.6% F-measure, while NB achieves an average accuracy of 87.295% and a 79.32% F-measure. However, some classifiers experience minimal accuracy. For instance, KNN records an average accuracy of 57.3% and a 51.25% F-measure, while LR demonstrates 67.46% accuracy and a 71.87% F-measure. The observed lower accuracy is primarily attributed to the independent protectors employed by these classifiers. Beyond the classifiers, the URLF feature in SVM symmetrically stands out with the highest accuracy, reaching 91.78%.

Table 3 shows that the same classifiers have maximum accuracy to different extents in DS2. The results show SVM has an average of 92.09% accuracy and 93.64% F-measure, while NB has averaged 88.225% accuracy and 91.725% F-measure. Meanwhile, KNN and LR were found to have the lowest accuracy and F-measure. These lowest accuracies are due to the normal future distribution that is assumed by those classifiers.

Table 3. Classification results for proposed model on DS2.

Table 3. Classification results for proposed model on DS2.

Models	Features	Precision	Recall	F-measure	AUC	Accuracy
SVM	URLF	88.72	98.62	93.4	91.34	92.46
	CLF	91.11	96.85	93.88	89.99	91.72
NB	URLF	86.26	98.18	91.84	91.07	90.08
	CLF	86.03	97.96	91.61	78.68	86.37
DT	URLF	74.58	73.66	74.12	71.89	71.23
	CLF	50.47	99.84	67.05	69.41	73.68
LR	URLF	80.61	99.92	89.23	85.37	76.24
	CLF	69.62	81.25	74.98	74.02	71.82
KNN	URLF	78.24	66.93	72.14	70.56	70.34
	CLF	78.38	66.86	72.16	71.21	68.91
SMO	URLF	86.03	97.21	91.28	91.4	89.64
	CLF	78.42	98.68	87.39	87.24	83.21

As a comparative analysis of these features from both datasets (DS1 and DS2), Figure 6 presents the bar graph, indicating the accuracy of the comparison of all machine learning used in this work. It can be easily distinguished that the classifier performances on DS2 are slightly better than on DS1 for the given features. However, some classifiers have minimum accuracy due to those features that are inefficient enough to discriminate between phishing and benign features. It might be possible that fishers are using modern technologies to receive online users and websites.

5.4. Comparative Analysis

The significance of our proposed model has been described and illustrated in previous subsections. Furthermore, we have compared our model′s performance with prior studies. Table 7 demonstrates the comparative analysis of existing studies by considering the applied approaches and algorithms WRT years.

It should be noted that there is some existing literature with higher performance than our proposed work; however, we have only compared those works that were nearly based on the stack generalization method, and these studies are tested in our same environment to ensure a fair comparison. It is evident that the proposed model′s performance outperformed the available studies to a different extent. For example, the current study [36] in 2021 proposed a generalized stack model for phishing detection by integrating URL features with CNN and XGB algorithms, and it reported 89.31% accuracy. In contrast, our proposed AntiPhishStack model received 96.04% accuracy by generalizing the URLs and character-level TF-IDF features.

Table 7. The proposed model′s performance compared with the prior studies.

Table 7. The proposed model′s performance compared with the prior studies.

References	Year	Applied approaches	Dataset	Algorithms/ networks	Observed accuracy (%)
[26]	2018	Web-based phishing using URLs features	UCI phishing dataset	Random forest	92.9
[21]	2019	BiLSTM for URL feature extraction and CNN for classification	Alexa and PhishTank	R-CNN	95.6
[45]	2020	Hybrid multimodel solution for networks	UNSW NB-15, UGR’16	Ensemble four ML	92.9
[36]	2021	Integrated phishing URLs detection with CNN	PhishTank and Alex	CNN + XGB	89.31
Proposed model	2022	Stack generalized model for URLs & TF-IDF features.	Alexa, Yandex, PhishTank	LSTM and XGBoost	96.04

6. Conclusions

References

1. Huang, Y.; Yang, Q.; Qin, J.; Wen, W. Phishing URL Detection via CNN and Attention-Based Hierarchical RNN. In Proceedings of the 2019 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE); pp. 112–119. [CrossRef]
2. Rachna Dhamija, D.T. Why Phishing Works. In Proceedings of the SIGCHI conference on Human Factors in computing systems; 2006; pp. 581–590. [Google Scholar] [CrossRef]
3. Miao, Q.G.; Liu, J.C.; Cao, Y.; Song, J.F. Malware detection using bilayer behavior abstraction and improved one-class support vector machines. International Journal of Information Security 2016, 15, 361–379. [Google Scholar] [CrossRef]
4. Rahman, S.S.M.M.; Gope, L.; Islam, T.; Alazab, M. IntAnti-Phish: An Intelligent Anti-Phishing Framework Using Backpropagation Neural Network. In Studies in Computational Intelligence; 2021; Volume 919, pp. 217–230. [Google Scholar] [CrossRef]
5. Abutair, H.Y.A.; Belghith, A. Using Case-Based Reasoning for Phishing Detection. In Proceedings of the ANT/SEIT 2017. [CrossRef]
6. Jeet, R.; Kumar, P.A.R. A survey on interest packet flooding attacks and its countermeasures in named data networking. International Journal of Information Security 2022, 21, 1163–1187. [Google Scholar] [CrossRef]
7. Pompon, R.; Walkowski, D.; Boddy, S.; Levin, M. 2018 phishing and fraud report: attack speak during the holidays. 2018. Available online: https://www.f5.com/labs/articles/threat-intelligence/2018-phishing-and-fraud-report--attacks-peak-during-the-holidays.
8. Oleg Viktorov, S.i.A.A.-S. Detecting Phishing Emails Using Machine Learning Techniques. Doctoral dissertation, Middle East University, 2017. [Google Scholar]
9. Blogs, M.C. New research forecasts the staggering cost of cybercrime. Vol. 2024.
10. APWG. Phishing Attack Trends Reports; May 15, 2019.
11. Do, N.Q.; Selamat, A.; Krejcar, O.; Yokoi, T.; Fujita, H. Phishing Webpage Classification via Deep Learning-Based Algorithms: An Empirical Study. Applied Sciences 2021, 11, 9210. [Google Scholar] [CrossRef]
12. Ozawa, S.; Ban, T.; Hashimoto, N.; Nakazato, J.; Shimamura, J. A study of IoT malware activities using association rule learning for darknet sensor data. International Journal of Information Security 2020, 19, 83–92. [Google Scholar] [CrossRef]
13. Mimura, M.; Ito, R. Applying NLP techniques to malware detection in a practical environment. International Journal of Information Security 2022, 21, 279–291. [Google Scholar] [CrossRef]
14. Cui, Q.; Jourdan, G.-V.; Bochmann, G.V.; Couturier, R.; Onut, I.-V. Tracking Phishing Attacks Over Time. In Proceedings of the 26th International Conference on World Wide Web; International World Wide Web Conferences Steering Committee: Perth, Australia, 2017; pp. 667–676. [Google Scholar] [CrossRef]
15. Shirazi, H.; Bezawada, B.; Ray, I. "Kn0w Thy Doma1n Name": Unbiased Phishing Detection Using Domain Name Based Features. In Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies; Association for Computing Machinery: Indianapolis, Indiana, USA; pp. 69–75. [CrossRef]
16. Dong, Z.; Kapadia, A.; Blythe, J.; Camp, L.J. Beyond the lock icon: real-time detection of phishing websites using public key certificates. In Proceedings of the 2015 APWG Symposium on Electronic Crime Research (eCrime), 26-29 May 2015; pp. 1–12. [Google Scholar] [CrossRef]
17. Mohammad, R.M.A. An ensemble self-structuring neural network approach to solving classification problems with virtual concept drift and its application to phishing websites. Doctoral dissertation, University of Huddersfield, 2016. [Google Scholar]
18. Woogue, P.D.P.; Pineda, G.A.A.; Maderazo, C.V. Automatic web page categorization using machine learning and educational-based corpus. Int. J. Comput. Theory Eng. (Singapore) 2017, 9, 427–432. [Google Scholar] [CrossRef]
19. Yang, P.; Zhao, G.; Zeng, P. Phishing Website Detection Based on Multidimensional Features Driven by Deep Learning. IEEE Access 2019, 7, 15196–15209. [Google Scholar] [CrossRef]
20. Hoi, H.L.a.Q.P.a.D.S.a.S.C.H. URLNet: Learning a URL Representation with Deep Learning for Malicious URL Detection. arXiv 2018, arXiv:1802.03162. [Google Scholar] [CrossRef]
21. Wang, W.; Zhang, F.; Luo, X.; Zhang, S. PDRCNN: Precise Phishing Detection with Recurrent Convolutional Neural Networks. Security and Communication Networks 2019, 2019, 2595794. [Google Scholar] [CrossRef]
22. Raghunath, K.M.K.; Kumar, V.V.; Venkatesan, M.; Singh, K.K.; Mahesh, T.R.; Singh, A. XGBoost Regression Classifier (XRC) Model for Cyber Attack Detection and Classification Using Inception V4. Journal of Web Engineering 2022, 21, 1295–1321. [Google Scholar] [CrossRef]
23. Zhang, W.; Ren, H.; Jiang, Q.; Zhang, K. Exploring Feature Extraction and ELM in Malware Detection for Android Devices. In Advances in Neural Networks – ISNN 2015; Springer International Publishing: Cham, 2015; pp. 489–498. [Google Scholar] [CrossRef]
24. Sahingoz, O.K.; Buber, E.; Demir, Ö.; Diri, B. Machine learning based phishing detection from URLs. Expert Syst. Appl. 2019, 117, 345–357. [Google Scholar] [CrossRef]
25. Rao, R.S.; Vaishnavi, T.; Pais, A.R. CatchPhish: detection of phishing websites by inspecting URLs. Journal of Ambient Intelligence and Humanized Computing 2020, 11, 813–825. [Google Scholar] [CrossRef]
26. Hutchinson, S.; Zhang, Z.; Liu, Q. Detecting Phishing Websites with Random Forest. In Machine Learning and Intelligent Communications; Springer International Publishing: Cham, 2018; pp. 470–479. [Google Scholar] [CrossRef]
27. Adebowale, M.A.; Lwin, K.T.; Hossain, M.A. Deep Learning with Convolutional Neural Network and Long Short-Term Memory for Phishing Detection. In Proceedings of the 2019 13th International Conference on Software, Knowledge, Information Management and Applications (SKIMA), 26-28 August 2019; pp. 1–8. [Google Scholar] [CrossRef]
28. Acquisti, A.; Adjerid, I.; Balebako, R.; Brandimarte, L.; Cranor, L.F.; Komanduri, S.; Leon, P.G.; Sadeh, N.; Schaub, F.; Sleeper, M.; et al. Nudges for Privacy and Security: Understanding and Assisting Users’ Choices Online. ACM Comput. Surv. 2017, 50, Article 44. [Google Scholar] [CrossRef]
29. El-Alfy, E.-S.M. Detection of Phishing Websites Based on Probabilistic Neural Networks and K-Medoids Clustering. Comput. J. 2017, 60, 1745–1759. [Google Scholar] [CrossRef]
30. Jain, A.K.; Gupta, B.B. PHISH-SAFE: URL Features-Based Phishing Detection System Using Machine Learning. In Cyber Security; Springer: Singapore, 2018; pp. 467–474. [Google Scholar] [CrossRef]
31. Tan, C.L.; Chiew, K.L.; Sze, S.N. Phishing Webpage Detection Using Weighted URL Tokens for Identity Keywords Retrieval. In 9th International Conference on Robotic, Vision, Signal Processing and Power Applications; Springer: Singapore, 2017; pp. 133–139. [Google Scholar] [CrossRef]
32. Aamir, M.; Zaidi, S.M.A. DDoS attack detection with feature engineering and machine learning: the framework and performance evaluation. International Journal of Information Security 2019, 18, 761–785. [Google Scholar] [CrossRef]
33. Ahmad, I.; Yao, C.; Li, L.; Chen, Y.; Liu, Z.; Ullah, I.; Shabaz, M.; Wang, X.; Huang, K.; Li, G.; et al. An efficient feature selection and explainable classification method for EEG-based epileptic seizure detection. Journal of Information Security and Applications 2024, 80, 103654. [Google Scholar] [CrossRef]
34. Rasool, A.; Tao, R.; Marjan, K.; Naveed, T. Twitter Sentiment Analysis: A Case Study for Apparel Brands. Journal of Physics: Conference Series 2019, 1176, 022015. [Google Scholar] [CrossRef]
35. Wang, Z.; Wang, D. Recurrent deep stacking networks for supervised speech separation. In Proceedings of the 2017 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP); pp. 71–75. [CrossRef]
36. Yang, R.; Zheng, K.; Wu, B.; Wu, C.; Wang, X. Phishing Website Detection Based on Deep Convolutional Neural Network and Random Forest Ensemble Learning. Sensors 2021, 21, 8281. [Google Scholar] [CrossRef]
37. Rao, R.S.; Pais, A.R. Two level filtering mechanism to detect phishing sites using lightweight visual similarity approach. Journal of Ambient Intelligence and Humanized Computing 2020, 11, 3853–3872. [Google Scholar] [CrossRef]
38. Moghimi, M.; Varjani, A.Y. New rule-based phishing detection method. Expert Systems with Applications 2016, 53, 231–242. [Google Scholar] [CrossRef]
39. Kim, J.; Ban, Y.; Ko, E.; Cho, H.; Yi, J.H. MAPAS: a practical deep learning-based android malware detection system. International Journal of Information Security 2022, 21, 725–738. [Google Scholar] [CrossRef]
40. Rahman, S.S.M.M.; Rafiq, F.B.; Toma, T.R.; Hossain, S.S.; Biplob, K.B.B. Performance Assessment of Multiple Machine Learning Classifiers for Detecting the Phishing URLs. In Data Engineering and Communication Technology; Springer: Singapore, 2020; pp. 285–296. [Google Scholar] [CrossRef]
41. Javeed, D.; Gao, T.; Khan, M.T.; Ahmad, I. A Hybrid Deep Learning-Driven SDN Enabled Mechanism for Secure Communication in Internet of Things (IoT). Sensors (Basel) 2021, 21. [Google Scholar] [CrossRef] [PubMed]
42. Yuan, H.; Yang, Z.; Chen, X.; Li, Y.; Liu, W. URL2Vec: URL Modeling with Character Embeddings for Fast and Accurate Phishing Website Detection. In Proceedings of the 2018 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Ubiquitous Computing & Communications, Big Data & Cloud Computing, Social Computing & Networking, Sustainable Computing & Communications (ISPA/IUCC/BDCloud/SocialCom/SustainCom); pp. 265–272. [CrossRef]
43. Goodfellow, I.; Bengio, Y.; Courville, A. Deep learning; MIT press, 2016. [Google Scholar] [CrossRef]
44. Schmidhuber, J. Deep learning in neural networks: An overview. Neural networks 2015, 61, 85–117. [Google Scholar] [CrossRef]
45. Rajagopal, S.; Kundapur, P.P.; Hareesha, K.S. A Stacking Ensemble for Network Intrusion Detection Using Heterogeneous Datasets. Security and Communication Networks 2020, 2020, 4586875. [Google Scholar] [CrossRef]
46. Riyaz, S.; O′la, A.-L. A Modified Stacking Ensemble Machine Learning Algorithm Using Genetic Algorithms. In Artificial Intelligence: Concepts, Methodologies, Tools, and Applications, Information Resources Management, A., Ed.; IGI Global: Hershey, PA, USA, 2017; pp. 395–405. [Google Scholar] [CrossRef]
47. Dhull, A.; Singh, A.; Singh, K.K. An intelligent technique for pattern-based clustering of continuous-valued datasets. Cluster Computing-the Journal of Networks Software Tools and Applications 2022, 25, 3231–3248. [Google Scholar] [CrossRef]
48. Tang, Y.; Chen, Y.; Zhou, D. Measuring Uncertainty in the Negation Evidence for Multi-Source Information Fusion. Entropy 2022, 24, 1596. [Google Scholar] [CrossRef]
49. Xiang, G.; Hong, J.; Rose, C.P.; Cranor, L. CANTINA+: A Feature-Rich Machine Learning Framework for Detecting Phishing Web Sites. ACM Trans. Inf. Syst. Secur. 2011, 14, Article 21. [Google Scholar] [CrossRef]
50. Kamyab, M.; Tao, R.; Mohammadi, M.H. Sentiment Analysis on Twitter: A text Mining Approach to the Afghanistan Status Reviews. In Proceedings of the 2018 International Conference on Artificial Intelligence and Virtual Reality; Association for Computing Machinery: Nagoya, Japan, 2018; pp. 14–19. [Google Scholar] [CrossRef]
51. Zhang, X.; Zhao, J.; LeCun, Y. Character-level convolutional networks for text classification. In Proceedings of the 28th International Conference on Neural Information Processing Systems - Volume 1; MIT Press: Montreal, Canada, 2015; pp. 649–657. [Google Scholar]
52. Ahmad, I.; Wang, X.; Javeed, D.; Kumar, P.; Samuel, O.W.; Chen, S. A Hybrid Deep Learning Approach for Epileptic Seizure Detection in EEG signals. IEEE Journal of Biomedical and Health Informatics 2023, 1–12. [Google Scholar] [CrossRef]
53. Kamyab, M.; Liu, G.H.; Adjeisah, M. ACR-SA: attention-based deep model through two-channel CNN and Bi-RNN for sentiment analysis. Peerj Computer Science 2022, 8. [Google Scholar] [CrossRef]
54. Wang, Z.; Kim, S.; Joe, I. An Improved LSTM-Based Failure Classification Model for Financial Companies Using Natural Language Processing. Applied Sciences-Basel 2023, 13. [Google Scholar] [CrossRef]
55. Available online: https://github.com/YC-Coder-Chen/Tree-Math/blob/master/XGboost.md.
56. Chen, T.Q.; Guestrin, C.; Assoc Comp, M. XGBoost: A Scalable Tree Boosting System. Proceedings of 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD), San Francisco, CA, 13-17 August; pp. 785–794. [CrossRef]
57. Rasool, A.; Tao, R.; Kamyab, M.; Hayat, S. GAWA–A Feature Selection Method for Hybrid Sentiment Classification. IEEE Access 2020, 8, 191850–191861. [Google Scholar] [CrossRef]
58. Indrasiri, P.L.; Halgamuge, M.N.; Mohammad, A. Robust Ensemble Machine Learning Model for Filtering Phishing URLs: Expandable Random Gradient Stacked Voting Classifier (ERG-SVC). Ieee Access 2021, 9, 150142–150161. [Google Scholar] [CrossRef]
59. Haggag, M.; Tantawy, M.M.; El-Soudani, M.M.S. Implementing a Deep Learning Model for Intrusion Detection on Apache Spark Platform. Ieee Access 2020, 8, 163660–163672. [Google Scholar] [CrossRef]