Advancing Malicious Website Identification: A Machine Learning Approach Using Granular Feature Analysis

TL;DR

This paper develops a machine learning model utilizing 77 granular features to classify websites into nine categories with nearly 96% accuracy, emphasizing feature importance and incremental performance gains.

Contribution

Introduces a comprehensive feature set and dataset for malicious website classification, demonstrating improved accuracy with incremental feature inclusion and analyzing feature importance.

Findings

Model achieved 95.89% accuracy in classifying 9 website types.

Adding more feature subsets improved model performance.

URL embedding and content features are most relevant.

Abstract

Malicious website detection is an increasingly relevant yet intricate task that requires the consideration of a vast amount of fine details. Our objective is to create a machine learning model that is trained on as many of these finer details as time will allow us to classify a website as benign or malicious. If malicious, the model will classify the role it plays (phishing, spam, malware hosting, etc.). We proposed 77 features and created a dataset of 441,701 samples spanning 9 website classifications to train our model. We grouped the proposed features into feature subsets based on the time and resources required to compute these features and the performance changes with the inclusion of each subset to the model. We found that the performance of the best performing model increased as more feature subsets were introduced. In the end, our best performing model was able to classify websites into 1 of 9 classifications with a 95.89\% accuracy score. We then investigated how well the features we proposed ranked in importance and detail the top 10 most relevant features according to our models. 2 of our URL embedding features were found to be the most relevant by our best performing model, with content-based features representing half of the top 10 spots. The rest of the list was populated with singular features from different feature categories including: a host feature, a robots.txt feature, a lexical feature, and a passive domain name system feature.