A dual-phase deep learning framework for advanced phishing detection using the novel OptSHQCNN approach

Motivation and our research contributions

Phishing attacks pose a significant threat to internet users, resulting in financial losses, data breaches, and reputational damage. Despite the increasing complexity of these attacks, many detection systems struggle to accurately identify phishing websites due to outdated methods that cannot keep up with evolving online threats. This study aims to address these challenges by using advanced deep learning techniques, such as OptSHQCNN and optimized feature extraction, to improve phishing detection accuracy. By integrating state-of-the-art algorithms and reliable datasets, the research seeks to enhance the efficiency and scalability of phishing detection systems, mitigating the risks associated with these cyber threats.

The major key contributions of this research are as follows,

• To extract primary features, the convolutional block attention module (CBAM) is utilized to efficiently capture significant characteristics from URLs and webpage code for accurate phishing detection.

• The red kite optimization algorithm (RKOA) is used to select the most essential features, minimizing the feature set and improving the computational efficiency of the model.

• To classify phishing websites, a novel shallow hybrid quantum-classical convolutional neural network (SHQCNN) approach is introduced, leveraging their strengths for enhanced detection capabilities.

• The shuffled shepherd optimization algorithm (SSOA) is utilized to fine-tune the parameters presented in the SHQCNN approach.

• For URL encoding in the post-deployment phase, Optimized Bidirectional Encoder Representations from Transformers (OptBERT) is utilized to facilitate high-quality feature extraction that supports accurate predictions.

Organization of this research: This study is structured as follows. The relevant literature and the identified research gap are discussed in “Review of Existing Related Works”. “Overview of Proposed Methodology” explains the proposed multiple classes URL-classification method. The experimental design, findings, and comparative evaluation are covered in “Result and Discussions”. The work is finally concluded and possible future research areas are highlighted in “Conclusion and Future Scope”.

Research gap

The growing complexity of phishing attempts is threatening cybersecurity. Phishing is an increasing threat to people and companies alike. It is an approach that blends technology with social engineering. Phishing primarily attempts to obtain sensitive information, including financial or personal information, secretly, putting a person’s privacy and economic stability at risk. One common hacker technique is email spoofing, which involves sending bogus emails with fake sender addresses. In an effort to deceive recipients into clicking on bogus links or disclosing personal information, these emails usually pretend to be from trustworthy sources. Phishing attempts that are shared on social media platforms have a more significant effect and reach.

Identity theft is one problem that might arise from this, in addition to financial losses. Despite defences, phishing attempts are becoming more frequent. Traditional systems, especially those that rely on static blocklists, are unable to keep up with the ever-evolving tactics of attackers. Since advanced tactics like domain generation algorithms (DGA) make detection even more challenging, new approaches to anti-phishing activities are needed. Current methods frequently focus on specific aspects of phishing, including text analysis in emails or URLs. There is a severe shortage of comprehensive models that consider the various elements of phishing schemes, including attachments, URLs, sender information, images, and textual content.

Overview of proposed methodology

The two-stage deep learning approach is used in the proposed phishing detection methodology. The dataset is preprocessed during the pre-deployment stage, which includes cleaning and balancing, and then features are extracted using the CBAM model. The most pertinent features are chosen by RKOA and utilized to train a classifier.

Optimized Bidirectional Encoder Representations from Transformers (OptBERT) are used to encode URLs in the post-deployment phase, which improves the feature extraction procedure. To ascertain if the URL is legitimate or phishing, the classifier makes use of the information that was extracted. The approach combines optimization methods with deep learning models to produce superior performances. The overall framework of the proposed methodology is shown in Fig. 1.

Preprocessing

To ensure that the model is trained on high-quality data, we begin with data preprocessing, which includes handling invalid and irrelevant features, as well as dealing with missing values. Additionally, the class imbalance issue, where phishing URLs are underrepresented, is tackled using the auxiliary classifier generative adversarial network (ACGAN). ACGAN generates synthetic phishing URLs, enhancing the minority class and improving model robustness. During this phase, the following issues are addressed:

• Dealing with “invalid” features: The feature qty_questionmark_domain, which shows how many question marks are in the name of the domain, is one instance of a feature that is considered invalid. An underscore, comma, semicolon, or question mark are among the symbols prohibited in domain names under the DNS RFC. The dataset had 16 incorrect characteristics.

• Handling ‘irrelevant’ features: One property that may be easily statistically deduced from other features is the qty_hyphen_url characteristic, which displays the number of hyphens (-) symbols. This feature is legitimate, but four more features count how many hyphens are in the domain, folder, file, and parameter. This feature is, therefore, unnecessary. After closely examining the features and applying our domain knowledge, we identified and eliminated 19 unnecessary characteristics.

• Dealing with cases where “missing values” occur: Some values were absent from specific instances.

Data imbalance

Using the auxiliary classifier generative adversarial network (ACGAN), we addressed the problem of class imbalance in the phishing dataset, where legitimate URLs significantly outnumber phishing ones. Though they were first taken into consideration, conventional rebalancing approaches like random oversampling and SMOTE either added redundancy or were unable to recognize the intricate patterns present in phishing URLs. ACGAN, on the other hand, provides a more advanced approach by producing superior synthetic samples for the minority class (phishing URLs). The generator and the discriminator are its two primary parts. The generator learns to create synthetic phishing URLs conditioned on class labels, while the discriminator classifies both real and fake samples, assigning class labels. This conditional structure allows the generator to produce diverse, semantically meaningful synthetic data, enhancing the representation of phishing URLs in the dataset.

In an adversarial setting, the generator and discriminator are updated alternately during the training phase. In particular, the discriminator separates created samples from real data and provides input to help the generator improve while the generator creates synthetic samples from random noise. ACGAN enhances the model’s capacity to identify phishing websites by maintaining the structural patterns common to phishing URLs, in contrast to conventional techniques. With a batch size of Z and a learning rate of Y, the model was trained across 200 epochs. We evaluated using standard classification metrics, paying particular attention to F1-score, precision, and recall for the minority phishing class. By lowering overfitting and boosting the model’s resilience, the use of ACGAN significantly increased recall and F1-score for phishing URLs, increasing the model’s efficacy in phishing detection. To balance the dataset, we used the self-paced ensemble and auxiliary classifier generative adversarial network (SPE-ACGAN) method. This section initially introduces every module’s operating concept and the overall framework of SPE-ACGAN as proposed in this article. Details of the algorithm’s implementation and the datasets utilized in the proposed algorithm are then provided.

SPE-ACGAN

We reproduced the training instances from two dimensions in order to account for the imbalance of the network traffic training samples in NIDS. The majority class’s sample size is reduced by utilizing SPE, while the minority class’s sample size is increased by employing ACGAN.

SPE

The fundamental idea behind SPE, a structure for unbalanced categorization, is to provide a concept of categorization hardness and coordinate data difficulty by creating an original undersampled dataset using self-paced undersampling. Figure 2 depicts the SPE procedure. The input, the unbalanced dataset, is first split into a majority set (N) and a minority set (P) by SPE. Subsequently, every instance in N is sorted at random into k bins based on its categorical hardness; every group has a total categorized hardness. To finish the resampling, the procedures above are repeated until the number of majority class samples matches the number of minority class instances or reaches the predetermined number.

SPE maintains the overall category difficulty of each bin constant in order to produce a balanced dataset. A “categorical hardness function,” such as Absolute Error, MSE, and Cross Entropy, is used to determine the hardness value. Equation (1) provides the categorical hardness of this specimen (x) for each model:

(1) $${\mathcal{H}}_x=\mathcal{H}\left(x,y,F\right).$$

While $B_l$ represents the grade of hardness of the ${\mathcal{l}}^{\mathrm{t}\mathrm{h}}$ box, Eq. (2) provides the hardness grade:

(2) $$B_l=\left\{\left(x,y\right)|{\displaystyle \frac{l-1}{k}\le {\mathcal{H}}_x=\mathcal{H}\left(x,y,F\right)\le {\displaystyle \frac{l}{k}}}\right\}\mathcal{H}(\cdot )\in \left(0,1\right).$$

ACGAN

Figure 3 illustrates the structure of ACGAN, which is primarily made up of Generation (G) and Discrimination (D). This is how ACGAN operates: The network creates an arbitrary set of noise values z in order for ACGAN to function.

The discriminator D trained by X_ren determines whether the generated X_fake is actual data, and if it is virtual data, what is the likelihood of belonging to every category, accordingly. The generator G converts the noise data z into X_fake of the appropriate group based on the input of the specified category. The loss function determines the error. The parameters are to be updated by the generator G.

Overall model architecture

The two steps of the SPE-ACGAN resampling approach are carried out by SPE and ACGAN, correspondingly. The minority class samples are first oversampled and then fed into ACGAN to boost the amount of minority class data. The majority class samples are then undersampled and fed into SPE to decrease the amount of majority class instances. Figure 4 illustrates the process of the SPE-ACGAN resampling approach.

Feature selection

By concentrating on the most essential data, choosing pertinent features improves DL model accuracy and lowers computing complexity. By removing redundant or unnecessary features, effective feature selection enhances model interpretability and defends against overfitting. For the best feature selection in this position, the RKOA can be applied. RKOA is a novel meta-heuristic method that mimics the social life of red kites (RKs). Typically, the RKs build their nests close to areas with lakes and woods that are suitable for hunting. In order to avoid being stuck in the local optimum, the meta-heuristic approach must first traverse the issue of exploring space fit. It then employs the best performance from the last iterations as it gradually progresses from the exploration to the exploitation stages. RKOA follows three crucial stages that are specified:

The first stage is where birds are primarily found: According to Eq. (3), the RK’s position is first set arbitrarily during this stage as:

(3) $$Po{s}_{i,j}\left(t\right)=lb+rand\times \left(ub-lb\right),i=1,2,\dots .,n\mathrm{a}\mathrm{n}\mathrm{d}j=1,2,\dots ,d.$$

In this case, n indicates the size of the population, d indicates the problem’s dimensions, and rand represents the randomized integer between zero and one. $Po{s}_{i,j}\left(t\right)$ is the i^th location of the RKs at iteration t, while lb and ub define the lower and upper limits, respectively.

The selection of the phase of the second leader: Eq. (4) is used to determine the leader:

(4) $$\overrightarrow{Best\left(t\right)}=\overrightarrow{Po{s}_i\left(t\right)}\mathrm{i}\mathrm{f}{\mathrm{f}}_i\left(t\right)<{\mathrm{f}}_{\mathrm{b}\mathrm{e}\mathrm{s}\mathrm{t}}\left(t\right)$$

wherein the spot of the optimal bird from iteration t is represented by $\overrightarrow{Best\left(t\right)}$. $\overrightarrow{Po{s}_i\left(t\right)}$ gives the spot of i^th RK from the iteration t, $f_i\left(t\right)$ shows the values of the bird estimation function during the iteration t, and best(t) shows the value of the assessing function of the best birds from the iteration.

The third stage: By considering a lowering co-efficient ( $D$) according to Eq. (5), it can be inferred that RKs must proceed gradually from the exploration to the exploitation stages.

(5) $$D=\left(\exp {\left({\displaystyle \frac{t}{t-max}(){\displaystyle \frac{t}{t-max}}}\right)}^{-10}\right).$$

The maximal iteration is denoted by $t-max$, where $t$ represents the current iteration. The birds use Eqs. (6) and (7) to improve their positions:

(6) $$\overrightarrow{Po{s}_i^{new}\left(t+1\right)}=\overrightarrow{Po{s}_i\left(t\right)}+\overrightarrow{Po{s}_{mi}\left(t+1\right)}$$ (7) $$\begin{array}{rl}\overrightarrow{P_{mi}\left(t+1\right)}=& D\left(t\right)\times \overrightarrow{P_{mi}\left(t\right)}+\overrightarrow{SC\left(t\right)}\mathrm{\Theta }\left(\overrightarrow{Po{s}_{rws}\left(t\right)}-\overrightarrow{Po{s}_i\left(t\right)}\right)\\ & +\overrightarrow{UC\left(t\right)}\mathrm{\Theta }\left(\overrightarrow{Best\left(t\right)}-\overrightarrow{Po{s}_i\left(t\right)}\right).\end{array}$$

The novel position of birds is indicated by $\overrightarrow{Po{s}_i^{new}\left(t+1\right)}$. It is then necessary to confirm the boundaries of the searching space in the upgrade position; this could be done by using Eq. (8),

(8) $$\overrightarrow{Po{s}_i^{new}\left(t+1\right)}=max\left(min\left(\overrightarrow{Po{s}_i^{new}\left(t+1\right)}+ub\right),lb\right).$$

After improving the estimation function, a new temporary position is swapped. They represent the voice of all bird’s unity and danger, and they may be achieved using the relationship below:

$$\{\begin{array}{cc}\overrightarrow{SC\left(t+1\right)}& =\overrightarrow{r_1}\\ \overrightarrow{UC\left(t+1\right)}& =\overrightarrow{r_2}\end{array}\mathrm{i}\mathrm{f}\mathrm{r}\mathrm{a}\mathrm{n}\mathrm{d}\le 0.5$$

(9) $$\{\begin{array}{cc}\overrightarrow{SC\left(t+1\right)}& =\overrightarrow{r_3}\\ \overrightarrow{UC\left(t+1\right)}& =\overrightarrow{r_1}\end{array}\mathrm{i}\mathrm{f}\mathrm{O}\mathrm{t}\mathrm{h}\mathrm{e}\mathrm{r}\mathrm{w}\mathrm{i}\mathrm{s}\mathrm{e}.$$

In the RKOA, the neighbour position is chosen at random by employing a roulette wheel based on the current positions of all the birds, and the best solution is still being discovered. According to its position and randomly selected neighbour, the RK explores new spaces as it advances based on a single factor. The RKOA approach presents weighted recognition of all the objective relevance by combining the objectives into a single objective equation. In this instance, an FF is being implemented to combine both FS aims, as shown in Eq. (10). The selected features are shown in Table 2.

(10) $$Fitness\left(X\right)=\alpha \cdot E\left(X\right)+\beta \ast \left(1-{\displaystyle \frac{\left|R\right|}{\left|N\right|}}\right).$$

Phishing classification

A state-of-the-art method that combines the advantages of classical and quantum computing is the shallow hybrid quantum-classical convolutional neural network (SHQCNN), which is used for phishing classification and detection. Using classical layers for robust learning and quantum principles to handle intricate data patterns, SHQCNN facilitates effective feature extraction and classification. This hybrid approach is very effective in mitigating online threats because it improves detection accuracy, scalability, and adaptability to changing phishing strategies.

Quantum logic gates in phishing classification

The hybrid quantum-classical CNN is employed for classification, where the quantum component is utilized for feature encoding and data transformation, while the classical CNN handles the final classification. We can take advantage of both the demonstrated effectiveness of CNNs in image-based classification tasks and the benefits of quantum computing in processing high-dimensional data due to this combination. Although quantum networks are usually used in situations where quantum relationships are present in the data, we presented a hybrid quantum-classical CNN model for URL classification in this work. However, this method offers a promising technique to improve the model’s processing capabilities for high-dimensional, complex URL data, which is why we chose it. Even though traditional CNNs are excellent at identifying patterns, they might not be able to comprehend the complex linkages seen in phishing URLs properly. Quantum computing, leveraging quantum superposition and entanglement, can potentially improve the model’s ability to represent these complex features, offering a novel advantage in feature extraction and classification tasks.

A real quantum simulation was not carried out in our experimental setup. Instead, a hybrid architecture was employed to construct the quantum component, which was utilized for both data transformation and feature encoding. To make the method is computationally viable, the quantum component was simulated using traditional computer frameworks. With the help of the quantum-processed characteristics, the classical CNN then managed the final classification. This hybrid method increases the accuracy of phishing detection and improves model generalization, particularly in adversarial situations. This technique shows how quantum methods can enhance cybersecurity, especially for complex tasks like phishing URL identification, even though they are still in the early stages of development. A key component of quantum computing is quantum logic gates, which allow for the extraction of quantum information by altering the amplitude values of qubits. These gates, which facilitate operations like swapping and changing quantum states, include the Hadamard gate and the controlled-NOT gate. Like classical circuits, quantum circuits, which are made up of gates and qubits, carry out operations from left to right.

By incorporating quantum gates for optimal data processing, quantum circuits can improve computing efficiency in phishing classification. The method lowers complexity while increasing performance by building circuits with many measurement units and connecting quantum outputs to classical systems.

Variable quantum circuit

The symmetry and localization of variable quantum circuits (VQCs) allow for efficient construction by encoding input states into quantum actions. VQCs are designed to minimize parameters and maximize expressive capacity in the era of noisy intermediate-scale quantum (NISQ).

Despite being linear by nature, VQCs use entanglement or coupling to simulate the nonlinear operation of artificial neural networks. This allows for noise reduction and improves performance in multiple categorization tasks. VQCs can enhance data representation and reduce noise in phishing categorization, enabling more precise detection and classification.

Proposed SHQCNN

Implementation and achievements

By combining quantum and classical layers, the proposed strategy provides flexibility in the placement of quantum circuits at different phases. In order to efficiently implement quantum algorithms, data must be converted into a quantum state for kernel encoding. In contrast to conventional techniques that necessitate O(N) space complexity, the SHQCNN projects data onto higher-dimensional feature spaces via kernel coding, which improves dataset distinguishability. By lowering computational complexity and increasing feature separability, this preprocessing technique improves phishing classification.

• (1)

  We determined the initial dataset’s mean value and variance. (13) $$u={\displaystyle \frac{1}{D}\sum _{d=1}^D{X}^d}$$ (14) $$\sigma ={\displaystyle \frac{1}{D}\sum _{d=1}^D\left(X^d-u\right).}$$

• The zero-mean normalization is applied to them. It has zero unit variance and zero mean. It will follow the typical distribution in this manner.

• (2)

  To lessen the impact of edge strength, we normalized eigenvectors to the unit length $\phi (x^{\mathrm{\prime }})$.

• (3)

  Equation (15) is the product state of $N^{\mathrm{\prime }}=\lceil (N/2)\rceil$ qubits to which we mapped vectors $x^{\mathrm{\prime }}$. (15) $$x^{\prime }\to U_{\phi }\left(x^{\prime }\right)\left|0{⟩}^{\otimes N^{\prime }}={\otimes }_{j=1}^{N^{\prime }}\left[\begin{array}{c}\mathrm{c}\mathrm{o}\mathrm{s}\left({\theta }_j\right)\\ \mathrm{s}\mathrm{i}\mathrm{n}\left({\theta }_j\right)\end{array}\right]={\otimes }_{j=1}^{N^{\prime }}{R}_y\left(2{\theta }_j\right)\right|0⟩.$$The kernel coding approach, in summary, employs a feature map $x^{\mathrm{\prime }}\to U_{\phi }\left(x^{\mathrm{\prime }}\right)$ into a vector space of greater dimension. Since N classical data may be encoded using this encoding approach using approximately $\lceil (N/2)\rceil$ qubits, the spatial complexity is O(N/2).

Variable quantum circuit

Inspired by previous developments, the variable quantum circuit (VQC) minimizes circuit depth while approximating nonlinear functions for NISQ processors. The generator in the SHQCNN model consists of VQC, which is made up of entanglement layers and rotation layers. The circuit’s central component, these gates, enable qubit rotations and interactions. Through the use of VQC, the model effectively encodes and analyzes data, improving its capacity to classify phishing attempts.

(16) $$RY\left(\theta \right)=\left(\begin{array}{cc}\cos (\theta /2)& \sin (\theta /2)\\ -i\mathrm{s}\mathrm{i}\mathrm{n}\left(\theta /2\right)& \left(\theta /2\right)\end{array}\right)$$

(17) $$RZ\left(\theta \right)=\left(\begin{array}{cc}{e}^{-i\theta /2}& 0\\ 0& e^{i\theta /2}\end{array}\right)$$

VQC uses RY and RZ gates to rotate quantum states on the Bloch sphere, changing the phases and probability amplitudes accordingly. VQC, which forms the basis of SHQCNN, approximates goal functions and encodes input states. In contrast to deep circuits, VQC simplifies implementation by utilizing symmetry and locality from real-world datasets. This design preserves the computing economy while improving accuracy in multi-class situations such as phishing categorization.

Multi-output and optimization in SHQCNN

The proposed paradigm scales circuits to lower depth and parameters while introducing a quantum multi-output layer to handle high-dimensional input qubits effectively. This layer maintains the integrity of every characteristic while fusing data and performing parallel measurements. To increase classification accuracy and extract hidden characteristics, these results are fed into the CNN. SSOA is used to optimize the model, striking a balance between the speed of stochastic approaches and the stability of classical gradient descent. This ensures effective and reliable phishing categorization training.

Theoretical and feasibility analysis of SHQCNN

To efficiently extract and classify information, the SHQCNN combines three fully connected layers with a quantum convolutional layer. A ReLU activation layer adds nonlinearity to improve the feature mapping procedure, while the convolutional layer uses several weight matrices for comprehensive and varied extraction of features. By using dynamically shifting weight matrices, SHQCNN improves generalization and reduces overfitting, in contrast to classic CNNs that are prone to overfitting because of fixed weight progression. In addition, contrasted with conventional models, the quantum convolution layer, when implemented with VQC, allows for more accuracy, fewer layers, and lower complexity. This structure ensures robust classification performance and effective feature extraction.

Hyperparameter tuning using the shuffled shepherd optimization algorithm

In the proposed classification model, the optimal value for the hyperparameter is chosen using the SSOA strategy. By effectively identifying the ideal parameter configurations, the SSOA for hyperparameter tuning ensures optimal performance. In phishing detection tasks, SSOA achieves better accuracy, faster convergence, and less overfitting by striking a balance between exploration and exploitation.

Shuffled shepherd optimization procedure

The hyperparameters of the shallow hybrid quantum-classical convolutional neural network (SHQCNN) are fine-tuned using the SSOA, which enhances the model’s performance by finding the optimal hyperparameter set. The main goal of this part is to increase the application of the SSOA meta-heuristic approach. In SSOA, a “sheep” is any potential multivariate solution. The values of the aim function are used to group the sheep. Some sheep are called “shepherds,” and the sheep with the best goal function are called “horses” in the herd. For this reason, every shepherd may own a certain number of sheep and horses. In an attempt to herd the sheep toward the horse, the shepherd changes positions by leaping onto either the horse or one of the sheep. There are two reasons for this: (i) changing to a different, possibly better member encourages investigation, and (ii) changing to a various, possibly worse member leads to exploitation. A hierarchy is created in the algorithm when the shepherd’s site is modified, and the new objective function is not worse than the old one.

A summary of the SSOA procedure is provided below.

• (1)

  SSOA parameters are set to $\alpha ,\beta ,\beta$ max, itermax, h, and s. Where ‘iter max’ is the maximum number of permitted iterations, ‘h’ is the overall amount of flocks, and ‘s’ is the total sum of sheep.

• (2)

  The starting point in m-dimensional search space is determined by Eq. (4). (18) $$X_i^0=X_{\mathrm{m}\mathrm{i}\mathrm{n}}+\mathrm{r}\mathrm{a}\mathrm{n}{\mathrm{d}}^{\circ }\left(X_{\mathrm{m}\mathrm{a}\mathrm{x}}-X_{\mathrm{m}\mathrm{i}\mathrm{n}}\right),\mathrm{i}=1,2,\cdots ,\mathrm{n}\left(4\right).$$While $X_i^0$ represents the i^th sheep’s initial key vector, $X_{\mathrm{m}\mathrm{a}\mathrm{x}}$ as well as $X_{\mathrm{m}\mathrm{i}\mathrm{n}}$ the boundaries of the design space, rand is a vector with components that are between (0, 1), the total of its machinery equals the sum of its design variables, and n denotes the sum of sheep (n = h s). As well as the multiplier “>” that operates element by element.

• (3)

  After determining the objective function of every sheep, the flock is ordered from highest to lowest. To expand your herd, move the sheep around. One sheep is in each flock, and the first sheep are selected at random and dispersed among the flocks. Next, assemble the second set of h sheep. Whenever every flock of sheep has a chosen leader, this process is repeated.

• (4)

  In a flock, identify every sheep. The best of the herd are called horses, while the selected sheep are called shepherds. Select a sheep flock and a horse at random; each shepherd’s step size can be determined by (19) $$\mathrm{S}\mathrm{t}\mathrm{e}\mathrm{p}\mathrm{s}\mathrm{i}\mathrm{z}{\mathrm{e}}_i=\beta \times \mathrm{r}\mathrm{a}\mathrm{n}{\mathrm{d}}^{\circ }\left(X_d-X_i\right)+a\times \mathrm{r}\mathrm{a}\mathrm{n}{\mathrm{d}}^{\circ }\left(X_j-X_i\right).$$

• Assuming that $X_i$, and $X_j$ are in an m-dimensional search space, rand is a random vector whose elements are in the interval (0, 1), and the number of procedures is determined from the total number of the aspects of the solution vectors; they are calculated using Eqs. (20) and (21). (20) $$\alpha ={\alpha }_{\circ }-{\displaystyle \frac{{\alpha }_{\circ }}{\mathrm{i}\mathrm{t}\mathrm{e}{\mathrm{r}}_{\mathrm{m}\mathrm{a}\mathrm{x}}}\times \mathrm{i}\mathrm{t}\mathrm{e}\mathrm{r}\mathrm{a}\mathrm{t}\mathrm{i}\mathrm{o}\mathrm{n}}$$ (21) $$\beta ={\beta }_{\circ }+{\displaystyle \frac{{\beta }_{\mathrm{m}\mathrm{a}\mathrm{x}}-{\beta }_{\circ }}{\mathrm{i}\mathrm{t}\mathrm{e}{\mathrm{r}}_{\mathrm{m}\mathrm{a}\mathrm{x}}}\times \mathrm{i}\mathrm{t}\mathrm{e}\mathrm{r}\mathrm{a}\mathrm{t}\mathrm{i}\mathrm{o}\mathrm{n}.}$$

• The step size’s initial phase is zero since the first sheep in a herd are unable to have a greater offspring than itself, and the size is also zero since the final sheep in the herd cannot have a worse offspring than itself.

• (5)

  Using Eq. (22), every sheep’s temple is determined: (22) $$X_i^{\mathrm{t}\mathrm{e}\mathrm{m}\mathrm{p}\mathrm{l}\mathrm{e}}=X_i^{\mathrm{o}\mathrm{l}\mathrm{d}}+\mathrm{s}\mathrm{t}\mathrm{e}\mathrm{p}\mathrm{s}\mathrm{i}\mathrm{z}{\mathrm{e}}_i.$$

• While the sheep’s location is altered due to an ancient objective function. However, the shepherd’s position remains unchanged. For communication reasons, the flocks could be merged once every sheep’s location has been updated.

The optimization method repeats step 3 as many times as permitted, which is the termination criterion. Using the SSOA, hyperparameter adjustment was done to maximize the performance of the proposed SHQCNN model. In order to ensure stable convergence and avoid overfitting, a well-defined and constrained search space was created for the essential hyperparameters. In particular, the number of filters per convolutional layer varied from 16 to 128; batch sizes were chosen from discrete values {16, 32, and 64}; dropout rates were varied from 0.1 to 0.5; and kernel sizes were selected from {3, 5, 7}. The learning rate was investigated within the continuous range of 0.0001 to 0.01. Every hyperparameter was encoded according to its type: discrete and categorical parameters were represented as index-based integers and subsequently decoded during evaluation, whilst continuous parameters were normalized to the [0, 1] range. To cut down on pointless computation, the optimizer was run for 200 iterations with early stopping enabled. This precise setup greatly enhanced the suggested phishing detection model’s increased effectiveness and resilience.

Cloud-based deployment (post deployment)

Feature extraction using CBAM

Lexical patterns, domain attributes, and embedded character sequences are among the syntactic and semantic aspects that the system collected and found to be pertinent to phishing identification. This created a structured representation of unstructured URL data that might be used for learning. We employ the CBAM to extract pertinent features from URLs. This module concentrates on the most crucial elements of the URL structure and web page code, improving the model’s capacity to differentiate between authentic and phishing websites. This module lessens the influence of unimportant features while allowing the network to focus on the most important ones. CBAM is a powerful yet computationally effective method that selectively focuses on pertinent information in both spatial and channel dimensions to improve feature extraction. The spatial attention module (SAM), which finds the spatial regions of interest by pooling along the channel axis, and the channel attention module (CAM), which highlights the significance of particular feature channels by examining global max and average pooling operations, are integrated sequentially.

These modules work together to give CBAM the ability to identify “what” information is essential and “where” it is. CBAM iteratively applies attention techniques to the feature maps, minimizing redundant or irrelevant features. Because of this feature, CBAM is a valuable tool for phishing detection, where it is necessary to pay close attention to essential patterns in the data’s structure and content in order to differentiate between authentic and fraudulent URLs. The detection performance is greatly enhanced by the combination of spatial and channel attention, which guarantees reliable and effective feature extraction.

Following classifier testing, the model was stored using the joblib Python package. The deployment web service that would generate predictions using the saved model was then constructed. An overview of the server-side operation following deployment is displayed in Fig. 5.

As illustrated in Fig. 5, the client initiates the process by submitting an HTTP request to the web service that is currently operating. The format of the request is “http://serveraddress/?url=URL-to-inspect”, where URL-to-inspect is the URL that the system needs to check in order to mark it as “phishing” or “benign.” URI encoding must be used for all URLs sent to the server. The URL is taken out of the HTTP request and parsed once it reaches the web service. The URL is divided into the domain name, folder, file name, and other arguments throughout the parsing process. The first “/” indicates the end of the name of the domain after the protocol name (HTTP:// or HTTPS://) has been removed, and the last “/” indicates the beginning of the file name (if any), and any text that appears in between (if any) is regarded as the folder name. After that, two extracting feature units get the parsed URL. Features to be taken from the URL itself, like qty_dot_domain, are extracted by the first unit. The second unit makes contact with various services in order to gather the necessary information, which includes the following features:

URL length: The entire amount of characters in the URL is used to determine this attribute. Phishing websites frequently conceal their genuine identities or hazardous information by using abnormally long URLs. A URL’s length can serve as a reliable predictor of a website’s legitimacy or possible danger. Trusted websites frequently utilize short, straightforward URLs, but phishing sites typically employ longer, more complicated URLs to trick consumers.

Domain age: This feature shows how many days have passed since the domain was first registered. Newly registered domains are frequently used by phishing websites to evade detection by security measures. Because attackers often abandon domains rapidly, resulting in a cycle of registration and deactivation, a newly registered domain is frequently more suspect. Using programs like Python to query domain registration databases will yield this feature.

Presence of HTTPS: This feature determines whether the website communicates using HTTPS (Hypertext Transfer Protocol Secure). Phishing websites may not use HTTPS or may use it dishonestly with a phoney certificate, despite the fact that HTTPS guarantees encrypted interaction between the user and the website. Because some phishing sites employ HTTPS to look authentic, a missing or faulty HTTPS connection can, therefore, be a sign of a phishing website. However, this isn’t always the case.

Abnormal URL: Finding unusual patterns in the URL is how this characteristic is computed. Phishing websites sometimes disguise themselves by using techniques like misspelled words, extra character insertion, or domain name obfuscation. We can identify anomalies that point to phishing efforts by comparing the URL structure with well-known patterns of trustworthy websites. By including extra keywords or malicious redirection, this feature assists in identifying URLs that attempt to imitate well-known websites.

Special characters count: This feature keeps track of how many special characters (such as @, &, %, and #) are present in the URL. Phishing websites frequently use a lot of special characters to deceive automated detection systems or make the URL appear authentic. Since special characters are commonly used to obscure the genuine purpose of a website, a high number of them in the URL may be a sign of a phishing effort. This feature aids in identifying phishing efforts that employ techniques such as disguised links, excessive punctuation, or URL shortening.

The data is systematically fed into the trained classifier after all the characteristics have been acquired. The trained machine learning classifier then outputs its prediction as either “phishing” or “benign.” In order to prohibit phishing URLs, the client then retrieves this response. The missing feature would be given a value of -1 if any of the external parameters could not be found, such as a website that did not reply to PING requests or a missing domain age. The classifier was set up for testing on a cloud instance of Amazon Web Services (AWS).

A sample cloud server response to a benign URL and a phishing URL are displayed in Figs. 6 and 7, respectively. The server uses a straightforward RESTful call technique, as seen in Figs. 6 and 7, in which the URL to be examined is supplied to the server as an argument via the HTTP protocol. The reply is then sent in the plain text “phishing” or “benign.” To stop the user from clicking on phishing URLs, this response can be sent to a web browser plugin, email client plugin, or even a mobile text messaging plugin. On average, each URL took 11.5 μs to complete a request on the cloud.

Experimental setup

Each test was carried out on a Windows 10 computer that had an Intel Core i5 processor running at 2.60 GHz and 16 GB of RAM installed. Using TensorFlow and Keras as the main deep learning libraries, the suggested framework was put into practice using Python in the Anaconda3 environment. With a batch size of 64 and an initial learning rate of 0.001, the SSOA optimizer was used to train the model. With a patience of 200 epochs, early halting was implemented based on validation loss to avoid overfitting. A maximum of 100 epochs were used for the training process. Each dataset (ISCX-URL-2016, URL-Based Phishing Dataset, Mendeley_2020, and PhishStorm) was split into 80% training and 20% testing sets in order to assess the suggested method’s capacity for generalization. All baseline and proposed models consistently used this stratified splitting technique to ensure equitable performance comparisons under consistent experimental settings.

Description of the dataset

The ISCX-URL-2016, URL-Based Phishing Dataset, Mendeley_2020, and Phishstorm datasets were chosen due to their realistic representations of benign and phishing URLs, diversity, and extensive feature sets. They are sizable enough to ensure the efficient training and testing of deep learning models, cover a variety of phishing categories, and incorporate a broad spectrum of URL attributes. Additionally, these datasets provide comprehensive details that are necessary for accurate phishing detection, like WHOIS information and domain age.

• ISCX-URL-2016: This dataset includes 114,400 URLs categorized as phishing, spam, malware, or vandalism. It contains features like URL length, special characters, and linguistic properties, aiding in the identification of phishing websites.

• URL-Based Phishing dataset: From Kaggle, this dataset contains 11,054 records with 33 attributes, including URL structure and domain features. It helps distinguish between phishing and benign URLs.

• Mendeley_2020: Divided into small (58,645 instances) and large (88,647 cases) subsets, this dataset includes 111 features per URL, including domain age, DNS records, and WHOIS information, useful for identifying phishing websites.

Phishstorm: This dataset contains 60,000 benign and 95,541 phishing URLs. It includes features like brand names, URL tokens, and HTTPS usage, offering insights into phishing tactics.

Evaluation criteria

Several efficiency metrics, including false positive rate (FPR), accuracy (A), precision (P), recall (R), and F1-score, were used to assess the efficacy of the suggested strategy.

The accuracy shows the rate at which the model correctly classifies the input URLs after training. The calculation involves dividing the total number of true positive (TP) and true negative (TN) instances by the overall amount of FP, FN, TN, and TP instances.

(23) $$Acc={\displaystyle \frac{Tp+Tn}{Tp+Tn+Fp+Fn}}$$

From the overall number of correctly predicted instances, precision provides the TP rate. By achieving high accuracy, it is feasible to show the recommended model’s great efficiency.

(24) $$Prec={\displaystyle \frac{Tp}{Fp+Tp}}$$

The recall is the total amount of TP overall expected samples. The performance of the proposed model is shown by a higher R-value close to one.

(25) $$Rec={\displaystyle \frac{Tp}{Tp+Fn}}$$

To show the expected sample proportion, the FPR employs a phishing URL. For a superior performance strategy, a low FPR close to zero is therefore necessary.

(26) $$FPR={\displaystyle \frac{Fp}{Tn+Fp}}$$

The F1-score shows the harmonic mean of P and R.

(27) $$F1=2\times {\displaystyle \frac{Prec\times Rec}{Prec+Rec}}$$

Matthew’s correlation coefficient (MCC) is utilized for datasets of varying class sizes and is considered to be balanced. MCC offers a correlation coefficient among expected and actual results.

(28) $$MCC={\displaystyle \frac{TP\ast TN-FP\ast FN}{\sqrt{\left(TP+FP\right)\left(TP+FN\right)\left(TN+FP\right)\left(TN+FN\right)}}}$$

Figure 8 displays the distribution of the main features that were taken out of the dataset. The Histogram of Extracted Features reveals developments in the frequency of variables like URL length and special characters. This provides information about feature attributes that increase detection accuracy and aids in identifying criteria that differentiate benign URLs from phishing ones. It is easier to comprehend how these features affect the model’s performance due to the histogram.

The balanced data representation is shown in Fig. 9.

In order to qualitatively evaluate the selected URL variables, quantized DL variables for the primary phishing attack attributes that SOM reflects are displayed in Fig. 10. By assigning URLs to various sites based on each chosen rule, a qualitative depiction of the feasibility of the optimized collection of characteristics was produced.

The training and testing accuracy and loss of proposed datasets are shown in Fig. 11. We trained our proposed approach over 200 epochs. The learning rate was set as 0.01.

The performance of different methods on the Mendeley_2020 dataset is displayed in Table 4, and the graphical representation is shown in Fig. 12. With 99.36% accuracy, 99.24% precision, 99.18% recall, 99.21% F1-score and 99.28% MCC, the suggested approach outperforms models such as Random Forest (97.15% accuracy) and DNN+LSTM (98.98% accuracy). In comparison to other models like LightGBM and Gradient Boost, it consistently produces better outcomes across all measures, demonstrating its efficacy.

The ISCX-URL dataset is used in Table 5 to compare how well various strategies work. With 99.18% accuracy, 99.06% prec, 99.01% rec, 99.03% FS and 99.10%MCC, the suggested approach performs better than any other.

It outperforms models such as Sparse AE-DNN and AE-DNN and produces better results than PDSMV3-DCRNN (accuracy of 99.08%) and VAE-DNN (accuracy of 97.89%). This indicates that the proposed strategy offers the best accuracy and a well-balanced performance in terms of F1-score, precision, and recall. Figure 13 shows the differentiation of various methods using the ISCX-URL dataset.

The URL dataset is used in Table 6 to compare the effectiveness of different strategies. The proposed approach achieves the best results across all parameters, outperforming all current models with 99.12% accuracy, 99.04% precision, 99.02% recall, 99.03% F1-score and 99.08% MCC. While LR+SVC+DT (98.12% accuracy) and RF (96.77% accuracy) perform well, they are still inferior to the proposed approach. The proposed method is more effective in terms of precision and recall than SVM, which performs lowest with an accuracy of 71.8%. Figure 14 illustrates the distinction of various methods employing the URL dataset.

The performance of different methods on the Phishstorm dataset is contrasted in Table 7. According to all criteria, the proposed strategy performs best, achieving 99.17% accuracy, 99.10% recall, 99.06% precision, 99.08% F1-score and 99.12% MCC. With 97.10% and 95.05% accuracy, respectively, Texception Net and GA perform well in comparison, although they are still not as good as the proposed strategy. LSTM and CNN perform worse, especially in recall and precision. The performance of the Phishstorm dataset is shown in Fig. 15.

The performance of different optimization techniques is compared in Table 8 and Fig. 16, which demonstrates that the suggested optimizer performs better than the others across the board. In comparison to algorithms like Adam, Adamax, and SGD, it achieves the highest accuracy (99.28%), precision (99.16%), recall (99.24%), and F1-score (99.20%), demonstrating a greater capacity to create accurate, exact, and dependable predictions. This indicates that when it comes to handling the optimization process, the proposed optimizer provides superior overall performance.

Figure 17 shows distinctions both with and without the feature selection approach. The suggested feature selection method performs better when compared to current feature selection techniques.

Table 9 presents the performance of the proposed feature selection (RKOA) and optimization (SSOA) methods across four phishing detection datasets. The results demonstrate consistently high accuracy ranging from 99.12% to 99.36%, with low computational time between 9.01 ms and 13.25 ms. This highlights the effectiveness and efficiency of the proposed approach in selecting relevant features and optimizing the model.

The suggested feature extraction method is compared with the current feature extraction methods, including CNN, LSTM, CNN-LSTM, RNN, and CNN-BiLSTM. Figure 18 illustrates how the suggested model outperforms current models while producing better results.

Table 10 and Fig. 19 contrast the effectiveness of several strategies with the suggested technique in terms of the following essential metrics: F1-score, accuracy, precision, recall, MCC and false positive rate (FPR). With a low FPR (0.34%) and the maximum accuracy (99.72%), precision (99.76%), F1-score (99.54%) and MCC (99.58%), the suggested method is a very effective and dependable model. With a much lower FPR, this model offers a better balance than other models such as CNN Attention (99.31%) and faster region-based convolutional neural network (Faster RCNN) (99.68%), outperforming them in precision and recall as well as accuracy and F1-score. Models such as RNN+CNN and Bayes Net exhibit reduced accuracy and precision, underscoring the efficacy of the proposed strategy.

Table 11 highlights the training and inference times of the proposed model across different phishing datasets. Training time reflects how long the model takes to learn from each dataset, while inference time indicates the speed at which it predicts outcomes per sample. The results show that the model maintains low inference times under 1.1 ms, demonstrating its suitability for real-time phishing detection.

Ablation study

We performed ablation research by gradually deleting or replacing essential components in order to assess the contributions of each component in our phishing detection framework. The impact of each element on overall performance, including accuracy, precision, recall, and F1-score, is investigated in this study.

The incremental impact of different phishing detection pipeline components across four distinct datasets is shown in Table 12. The more steps that are added to the process, the more accurate it becomes. First, preprocessing produces high accuracy in every dataset. Performance is significantly improved by adding data imbalance treatment, underscoring the need to resolve class imbalances. Accuracy in feature extraction and selection keeps increasing, highlighting how important it is to choose the most pertinent features for phishing detection. Lastly, the most significant improvement and best accuracy are obtained with the addition of classification and URL encoding. This demonstrates how every stage helps to improve the model’s capacity to recognize phishing URLs with accuracy.

Discussions

A crucial cybersecurity tactic is phishing detection, which aims to spot and stop fraudulent efforts to steal private data by impersonating trustworthy organizations. As phishing websites and emails have become more prevalent, sophisticated detection methods like machine learning and deep learning are being used to protect users from economic and reputational damage.

Existing limitations

While applicable in certain situations, current phishing detection techniques have a number of significant drawbacks. The accuracy of phishing detection is increased by hybrid models such as DNN-LSTM, which combine character-based connections with high-level NLP characteristics. However, they are not appropriate for real-time applications due to their computational complexity. Similar to this, CNN-based methods have limited scalability since they rely on particular kernel variants, which limits their capacity to adapt to a variety of datasets despite being lightweight and successful in feature selection. Although they have domain-specific advantages, novel approaches like the binary bat algorithm and LBPS with BP neural networks struggle with generalizability and broader applicability. Moreover, hybrid feature-based techniques such as PDHF include delays that are inappropriate for time-sensitive situations while optimizing accuracy in the order of computing overhead.

Overcoming limitations with the proposed method

The novel two-stage methodology of the proposed OptSHQCNN architecture successfully addresses these issues. The robustness of feature selection is increased during the pre-deployment phase by thorough preprocessing, which removes invalid and unnecessary features, and the CBAM, which isolates crucial properties. The complexity seen in hybrid models is reduced using the RKOA, which guarantees a computationally effective selection of essential features. In order to improve scalability and applicability across a variety of datasets, OptBERT’s integration for URL encoding after deployment guarantees that the model preserves significant contextual information. By further optimizing classification and lowering computational costs, SHQCNN can be fine-tuned using SSOA to improve real-time performance.

A thorough validation process was carried out using four different benchmark datasets: ISCX-URL-2016, URL-Based Phishing Dataset, Mendeley_2020, and PhishStorm in order to guarantee the stability and generalizability of the proposed OptSHQCNN model. We are able to show the adaptability of our feature selection and optimization techniques in a variety of data settings because these datasets vary in terms of structure, source, and distribution. RKOA and SSOA integration maintained stability in classification metrics across datasets while also ensuring effective feature reduction. The framework also exhibits great potential for real-time implementation in browser-based and edge-security applications by reducing computing overhead and utilizing effective encoding with OptBERT, making it scalable to massive data quantities.

Benefits of the proposed method

Compared to current approaches, the OptSHQCNN framework has the following benefits:

• High accuracy and efficiency: Over 99% accuracy, precision, recall, and F1-score are attained by combining sophisticated feature extraction and selection approaches.

• Reduced computational complexity: The model’s operations are streamlined by optimization methods such as RKOA and SSOA, which qualifies it for real-time detection scenarios.

  Scalability and adaptability: The model may generalize over a variety of datasets by utilizing OptBERT for URL encoding, which overcomes the drawbacks of domain-specific methods.

• Effective feature selection: By ensuring that only the most pertinent features are taken into consideration, the CBAM model lowers noise and improves classification results.

• Broad applicability: The two-stage framework can be expanded to a number of real-world uses, including personal terminals, network edges, and browser plugins.

Proposed limitations

Our proposed method performs better than current approaches and produces outstanding outcomes, according to testing and evaluation. However, the suggested system does have several drawback. The model does not determine whether the website is live by looking at its URL, which affects the findings. In order to get around this restriction, we might need to enhance feature engineering and speed up the training process. This would enable us to confirm the website’s current status and increase the correctness of the training process.