PhishSim: Aiding Phishing Website Detection with a Feature-Free Tool

TL;DR

This paper introduces PhishSim, a feature-free, compression-based method for detecting phishing websites that outperforms previous techniques with high accuracy and low false positives, suitable for real-time deployment.

Contribution

The paper presents a novel feature-free approach using Normalized Compression Distance and prototype selection for adaptive, efficient phishing detection without feature extraction.

Findings

Achieved 98.68% AUC in phishing detection

High TPR of around 90% with 0.58% FPR

Processing time of approximately 0.3 seconds

Abstract

In this paper, we propose a feature-free method for detecting phishing websites using the Normalized Compression Distance (NCD), a parameter-free similarity measure which computes the similarity of two websites by compressing them, thus eliminating the need to perform any feature extraction. It also removes any dependence on a specific set of website features. This method examines the HTML of webpages and computes their similarity with known phishing websites, in order to classify them. We use the Furthest Point First algorithm to perform phishing prototype extractions, in order to select instances that are representative of a cluster of phishing webpages. We also introduce the use of an incremental learning algorithm as a framework for continuous and adaptive detection without extracting new features when concept drift occurs. On a large dataset, our proposed method significantly outperforms previous methods in detecting phishing websites, with an AUC score of 98.68%, a high true positive rate (TPR) of around 90%, while maintaining a low false positive rate (FPR) of 0.58%. Our approach uses prototypes, eliminating the need to retain long term data in the future, and is feasible to deploy in real systems with a processing time of roughly 0.3 seconds.