**2. Online user decision support system protection against phishing attack using deep learning algorithm**

This section reviews the literature on the topic under study, namely phishing detection schemes. It discusses the focus of the research by critiquing the relevant existing research methods and summarising their findings, strengths and weaknesses. It then discusses appropriate approaches to the phishing detection problem and how it can be resolved.

Big data has enabled machine learning algorithms to discover more fine-grained patterns and to make more accurate and timely predictions than ever before [10]. Deep learning techniques are used for object identification in images, the transcription of voice into text, matching news items and products with user interests, and presenting relevant search results [11]. Deep learning architectures are composed of multiple levels of non-linear operations, such as neural networks (NNs) with hidden layers, or of complicated relational methods in reusable approaches [13]. The deep learning concept started with the study of artificial NNs [14], and it has become an active research area in recent years. In a standard neural network (NN), neurons are used to produce real-valued activations, and by adjusting the weights, the scheme is made to behave as required. Training an ANN with backpropagation pairs it with gradient descent algorithms, which have played a vital role in such models over the past decades. However, although training accuracy is high with backpropagation, performance on testing data might not be satisfactory [15].
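The interplay of backpropagation and gradient descent described above can be illustrated with a minimal NumPy network; the XOR task, layer sizes and learning rate below are illustrative choices, not taken from the chapter:

```python
import numpy as np

rng = np.random.default_rng(0)

# Toy dataset: XOR, a classic non-linearly-separable problem.
X = np.array([[0, 0], [0, 1], [1, 0], [1, 1]], dtype=float)
y = np.array([[0], [1], [1], [0]], dtype=float)

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

# One hidden layer with a non-linear activation -- the "multiple levels
# of non-linear operations" described above.
W1 = rng.normal(scale=0.5, size=(2, 8)); b1 = np.zeros(8)
W2 = rng.normal(scale=0.5, size=(8, 1)); b2 = np.zeros(1)

losses, lr = [], 0.5
for step in range(2000):
    # Forward pass
    h = np.tanh(X @ W1 + b1)
    p = sigmoid(h @ W2 + b2)
    losses.append(-np.mean(y * np.log(p) + (1 - y) * np.log(1 - p)))
    # Backward pass: backpropagation of the error signal
    dz2 = (p - y) / len(X)
    dW2, db2 = h.T @ dz2, dz2.sum(0)
    dh = dz2 @ W2.T * (1 - h ** 2)       # tanh derivative
    dW1, db1 = X.T @ dh, dh.sum(0)
    # Gradient-descent weight adjustment
    W2 -= lr * dW2; b2 -= lr * db2
    W1 -= lr * dW1; b1 -= lr * db1

print(round(losses[0], 3), round(losses[-1], 3))  # loss shrinks over training
```

The training loss decreases steadily, which is the behaviour backpropagation delivers on the training set; as the paragraph notes, this says nothing by itself about performance on unseen test data.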

Yi et al. (2018) designed two sets of features for web phishing: interaction features and original content features. They also developed a detection scheme based on a deep belief network (DBN). Their test, which used real IP flows from an Internet service provider (ISP), indicated that the proposed DBN-based model was able to achieve an approximately 90% true positive rate. In the automotive area, the authors of [16] used a deep NN for traffic light classification to develop a driver-assistance system. Currently, machine learning is continuously demonstrating its effectiveness in an extensive range of applications; the most common form of machine learning, whether deep or not, is supervised learning [12]. Le et al. (2018) proposed a solution called URLNet, an end-to-end deep-learning framework that detects malicious URLs directly from the URL string. They applied a CNN to both the words and the characters of the URL to learn the URL embedding in a jointly optimised framework. This approach allowed their model to capture several types of semantic information that would not have been captured by existing schemes. They also presented advanced word-embeddings to solve the problem of too many rare words being observed in the classification task [17]. They conducted their experiments on a large-scale dataset and demonstrated that their proposed method outperformed an existing method. The approach has two branches: the first is a character-level CNN, in which character-level embedding is used to represent the URL; the second is a word-level CNN, in which word-level embedding is used to represent the URL. The word-embedding itself is a mixture of character-level embedding and individual word-embedding. As a result, the approach does not require any manual feature-engineering expertise.
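The two-branch representation behind URLNet can be sketched as follows; this is a simplified illustration with random (untrained) embedding tables and hypothetical dimensions, not the authors' implementation:

```python
import re
import numpy as np

rng = np.random.default_rng(42)
EMBED_DIM = 8  # hypothetical embedding size

def char_branch(url, dim=EMBED_DIM):
    """Character-level branch: one embedding vector per character."""
    vocab = {c: i for i, c in enumerate(sorted(set(url)))}
    table = rng.normal(size=(len(vocab), dim))  # learned jointly in URLNet
    return np.stack([table[vocab[c]] for c in url])

def word_branch(url, dim=EMBED_DIM):
    """Word-level branch: split the URL on its special characters."""
    words = [w for w in re.split(r"[/.:?=&_-]", url) if w]
    vocab = {w: i for i, w in enumerate(sorted(set(words)))}
    table = rng.normal(size=(len(vocab), dim))
    return words, np.stack([table[vocab[w]] for w in words])

url = "http://paypal.example.com/login?id=1"  # hypothetical URL
chars = char_branch(url)
words, word_vecs = word_branch(url)
print(chars.shape, words, word_vecs.shape)
```

In URLNet proper, each branch feeds its embedding matrix through convolutional layers, and both branches are optimised jointly with the classifier so the embeddings themselves are learned rather than random.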

Below are some of the advantages of deep learning algorithms [15]:

**Unsupervised Learning**: The network gains robustness by learning most of its connective structure from the observed data itself, which is crucial when there is an enormous number of tasks and when the upcoming tasks are not known in advance.


However, there are some challenges associated with deep learning algorithms regarding the issue of the data used [18], as follows:

1. **Unbalanced data**: This issue arises in learning, mostly during classification, when some classes have far more examples than others. It can be resolved by techniques that operate at the data level or at the classifier level.
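As a concrete illustration of the two remedies mentioned above, the sketch below applies a data-level fix (random oversampling) and a classifier-level fix (inverse-frequency class weights) to a hypothetical imbalanced label set:

```python
import numpy as np

# Hypothetical labels: 90 legitimate (0) vs. 10 phishing (1) samples.
y = np.array([0] * 90 + [1] * 10)

# Data-level fix: randomly oversample the minority class until balanced.
rng = np.random.default_rng(0)
minority = np.where(y == 1)[0]
resampled = np.concatenate([np.arange(len(y)),
                            rng.choice(minority, size=80, replace=True)])
y_balanced = y[resampled]

# Classifier-level fix: weight each class inversely to its frequency,
# so the loss penalises minority-class mistakes more heavily.
counts = np.bincount(y)
weights = len(y) / (len(counts) * counts)

print(np.bincount(y_balanced), weights)  # balanced counts; weight 5.0 for class 1
```

Either remedy (or both) can be applied before training the phishing classifier; most deep-learning frameworks accept per-class weights directly in the loss function.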


Due to the growth in cyberspace technology, computer users have a significant role to play in making the Internet a safer place for everyone, because cyber-attacks aim to achieve either financial or social gain [19] to the detriment of the user. On the other hand, some people undertake phishing activities for fun and a sense of accomplishment rather than for financial or social gain, but such activities can still have adverse consequences for the user [1].

Phishing awareness has been improved through the development and use of online game training and email-based training to combat phishing attacks [20]. The use of legislation is a direct measure to reduce phishing by tracking and arresting those who are involved in this criminal activity. The US was the first nation to use laws to combat illegal cyber activities, and many cyber attackers have been arrested and arraigned. The main issue with this approach is the effectiveness of the laws, as it is challenging to trace phishing attacks. Fraudulent websites naturally migrate quickly from one server to another, and an average phishing website is online for less than 48 hours [21]. Hence, phishing attacks are committed very quickly and, subsequently, the criminals who commit them also quickly disappear into cyberspace. The other issue is that many laws are applied only when the damage has been done and the online user has already been defrauded as a result of a phishing attack. A great deal of background knowledge and experience of phishing, along with an enormous amount of related information, was gained during this development. The use of high-quality datasets in phishing detection classification plays a significant role in building phishing model classifiers [22].

#### **2.1 Long short-term memory (LSTM)**

Long short-term memory (LSTM) is based on the recurrent neural network (RNN), which is used to recognise the occurrence of patterns in time series and which uses error flow in its analysis. The LSTM architecture was developed to overcome the shortcomings of the RNN; it is a highly non-linear recurrent network with multiple gates and propagative feedback [23]. An LSTM layer contains a set of recurrently connected blocks, known as memory blocks, which can be seen as analogous to memory chips in a digital system. Each block includes one or more recurrently connected memory cells and three multiplicative units, namely the input gate, forget gate and output gate, which provide continuous analogues of the write, reset and read operations for the block's cells [24]. The LSTM network has achieved excellent results in character recognition applications [23]. It has also been used extensively in handwriting recognition, speech recognition and polyphonic music modelling, where the results have shown that its use improves on standard detection analysis across variations in the parameters [25]. It has also been used in language modelling for speech recognition systems, where it was found to improve perplexity over the RNN [24].
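The gated memory-block update described above can be written out as a single NumPy step; the weight shapes and sizes below are hypothetical:

```python
import numpy as np

rng = np.random.default_rng(1)

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def lstm_step(x, h_prev, c_prev, W, U, b):
    """One LSTM memory-block update: the input, forget and output gates
    act as continuous analogues of write, reset and read."""
    n = h_prev.size
    z = W @ x + U @ h_prev + b          # all four pre-activations at once
    i = sigmoid(z[0 * n:1 * n])         # input gate  ("write")
    f = sigmoid(z[1 * n:2 * n])         # forget gate ("reset")
    o = sigmoid(z[2 * n:3 * n])         # output gate ("read")
    g = np.tanh(z[3 * n:4 * n])         # candidate cell content
    c = f * c_prev + i * g              # gated cell-state update
    h = o * np.tanh(c)                  # gated block output
    return h, c

# Hypothetical sizes: 4-dimensional input, 3 memory cells per block.
x_dim, h_dim = 4, 3
W = rng.normal(scale=0.1, size=(4 * h_dim, x_dim))
U = rng.normal(scale=0.1, size=(4 * h_dim, h_dim))
b = np.zeros(4 * h_dim)

h, c = np.zeros(h_dim), np.zeros(h_dim)
for x in rng.normal(size=(5, x_dim)):   # a length-5 input sequence
    h, c = lstm_step(x, h, c, W, U, b)
print(h.shape, c.shape)
```

The gating keeps the error flow through the cell state `c` well behaved across long sequences, which is what lets the LSTM outperform the plain RNN on the sequence tasks cited above.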

#### **2.2 Convolutional neural network (CNN)**

In recent years, the convolutional neural network (CNN) has seen massive adoption in computer vision applications [26]. In the area of object recognition, the CNN has also been used for feature extraction [27]. The CNN belongs to the family of multilayer NNs developed for use with two-dimensional data, such as videos and images [28]. It is one of the most prominent deep-learning methods, in which numerous layers are trained using a rigorous methodology.

As mentioned above, the CNN has also been shown to be highly effective in computer vision applications [18] and is, therefore, commonly used for that purpose. The CNN contains an input layer, convolution layer, pooling layer, fully connected layer, and output layer. The input layer holds the raw image values; the convolutional layer computes the output of each node connected to local regions of the input; the pooling layer performs down-sampling along the spatial dimensions; the fully connected layer computes the class scores; and the output layer produces the results. Currently, three main techniques are used in CNNs for image classification:
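The five-layer pipeline described above (input, convolution, pooling, fully connected, output) can be sketched in NumPy; the image, filter and class sizes here are hypothetical:

```python
import numpy as np

rng = np.random.default_rng(2)

# Input layer: a hypothetical 8x8 single-channel "image" of raw values.
img = rng.normal(size=(8, 8))

# Convolution layer: one 3x3 filter slid over local regions of the input.
k = rng.normal(size=(3, 3))
conv = np.array([[np.sum(img[i:i + 3, j:j + 3] * k)
                  for j in range(6)] for i in range(6)])

# Pooling layer: 2x2 max-pooling down-samples the feature map.
pool = conv.reshape(3, 2, 3, 2).max(axis=(1, 3))

# Fully connected layer: flattened features -> class scores.
W = rng.normal(size=(3, pool.size))   # 3 hypothetical classes
scores = W @ pool.ravel()

# Output layer: softmax turns the scores into class probabilities.
probs = np.exp(scores - scores.max())
probs /= probs.sum()
print(conv.shape, pool.shape, probs.round(3))
```

A practical CNN stacks many such convolution/pooling stages and learns the filter and weight values by backpropagation rather than using random ones.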


#### **2.3 Developing the IPDSS anti-phishing tool**

This section presents the development of the online plugin model of the IPDSS. The tool was developed based on traditional feature engineering combined with the classification algorithm methodology presented in the previous section. Features were created from the URLs, image features and website elements. The CNN and LSTM classifiers were trained on one million URLs and over 10,000 images to build the model. A toolbar concept was developed, using a deep learning (DL) algorithm, to distinguish legitimate, suspicious and phishing websites. The results showed that a voice-generating user warning interface, with a colour status (green, amber or red) and a status text, was generated within 25 seconds, before the page loaded, to warn the user.
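The three-way status output described above can be sketched as a simple decision rule; the score thresholds below are hypothetical illustrations, not values from the chapter:

```python
# Map a classifier score in [0, 1] (from the trained model) to the
# toolbar's three-way status and warning colour. The 0.5 and 0.8
# thresholds are hypothetical, chosen only for illustration.
def classify_url(phishing_score: float) -> tuple[str, str]:
    if phishing_score >= 0.8:
        return "phishing", "red"       # block and warn the user
    if phishing_score >= 0.5:
        return "suspicious", "amber"   # advise caution
    return "legitimate", "green"       # safe to proceed

print(classify_url(0.1), classify_url(0.6), classify_url(0.95))
```

In the IPDSS itself, the score would come from the trained LSTM-CNN knowledge module, and the returned colour drives the voice-generating warning interface.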

Due to the advances in technology and the adoption of new techniques, phishers have been able to improve their forged websites so that they now have a high similarity with legitimate sites in terms of content. In tests, the current state-of-the-art solutions have been able to obtain 70–98% accuracy (see **Table 1**) in identifying legitimate websites. However, for these solutions to perform well in the real world, a significant improvement of 0.5% or higher is needed [29]. Moreover, their level of accuracy in identifying suspicious websites should be higher still, and their accuracy in detecting phishing websites should be even higher [30].

*Intelligent Decision Support System DOI: http://dx.doi.org/10.5772/intechopen.95252*

#### **Table 1.**

*Test results for IPDSS by toolbar application.*

The IPDSS extractor algorithm is used to extract the necessary elements from the website the user is visiting. The extracted features are compared with the knowledge model to determine whether the website is phishing, suspicious or legitimate. The user warning interface has three modules:
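The extract-and-compare flow described above can be sketched as follows; the chosen features, thresholds and the stored knowledge set are hypothetical illustrations rather than the actual IPDSS feature set:

```python
from urllib.parse import urlparse

def extract_features(url: str) -> dict:
    """Pull simple lexical features from the URL the user is visiting."""
    parts = urlparse(url)
    return {
        "host": parts.netloc,
        "uses_https": parts.scheme == "https",
        "num_dots": parts.netloc.count("."),
        "has_at_symbol": "@" in url,
        "url_length": len(url),
    }

# Hypothetical stand-in for the trained knowledge model.
KNOWN_PHISHING_HOSTS = {"paypa1-secure.example.net"}

def check(url: str) -> str:
    """Compare extracted features against the knowledge model."""
    f = extract_features(url)
    if f["host"] in KNOWN_PHISHING_HOSTS or f["has_at_symbol"]:
        return "phishing"
    if not f["uses_https"] or f["num_dots"] > 3:
        return "suspicious"
    return "legitimate"

print(check("https://www.example.com/login"))
```

In the full system, the hand-written rules above are replaced by the LSTM-CNN classifier trained on URL, image and website-element features.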


#### **2.4 Testing the IPDSS anti-phishing toolbar**

To evaluate the toolbar concept, it was tested on 2600 websites, including legitimate, suspicious and phishing websites. First, it was tested on 1000 phishing websites. The LSTM-CNN algorithm runs in the background as a knowledge module. When a URL is typed into the address bar (**Figure 1**), the algorithm inspects whether the requested website is a phishing link by comparing the current URL against the stored features in the deep learning classification algorithm. If a match is detected, and it is a phishing site, a red colour status with a voice-operated user warning interface is activated, and a text is generated showing that the status of the URL is "phishing", in order to alert the user.

**Figure 1.** *Application interface for legitimate URL check.*

The above procedure was repeated with different URLs until all 1000 phishing URLs had been tested. The performance of the toolbar in each case was observed and recorded, and screenshots were taken to validate the results. An example of a screenshot of a phishing website result is shown in **Figure 3**. This part of the experimental effort was carried out over 8 hours per day for five consecutive days. As regards the time-based assessment of the toolbar's ability to detect a phishing website, the voice-generating user warning interface, with a red colour status and an alert text, was generated within 25 seconds to warn the user before the page loaded.

The toolbar was also evaluated on 100 suspicious URLs. As previously mentioned, the LSTM-CNN algorithm runs in the background as a knowledge module. The same procedure was followed as in the testing of the toolbar on phishing websites described above, but in this test the algorithm checks whether the requested URL is a suspicious website by comparing the newly typed URL against the stored features in the IPDSS. If a match is detected, and the URL appears to be a suspicious website, the user warning interface shows an amber colour status, and a text description is generated stating that the URL is "suspicious" (**Figure 2**), in order to alert the user to exercise caution. This process was repeated 500 times across the 100 URLs, and the performance was observed and recorded (**Table 1**). An example of a screenshot of a suspicious website result is shown in **Figure 2**. This task required 8 hours per day over two days because only a relatively small number of suspicious websites are online at any time, and their short lifespan makes finding them challenging. As regards the time-based assessment of the toolbar's performance in identifying a suspicious website, the voice-generating user warning interface, with an amber colour status and a warning text, was generated within 25 seconds to alert the user before the page loaded.

**Figure 2.** *Application interface for suspicious URL check.*

The IPDSS was also tested on 1500 legitimate URLs. As stated above, the LSTM-CNN algorithm runs in the background as a knowledge module. The same procedure as that used to test the toolbar's performance on phishing and suspicious websites was followed, but in this instance the algorithm checks whether the requested URL is a legitimate website by comparing the newly typed URL in the text box against the stored features in the IPDSS. If no match is found, the website is legitimate, and the user warning interface displays a green colour status (**Figure 1**). At this point, it is safe for the user to continue their task with peace of mind that the site to which they are submitting their confidential information is legitimate.

**Figure 3.** *Application interface for phishing URL check.*

In the experiment, this procedure was repeated 600 times with a validation dataset of URLs, so that most of the URLs were tested to validate the performance of the toolbar, and in each case the result was observed and recorded (**Table 1**). **Figure 1** shows an example of a screenshot of one of the results produced by the toolbar for a legitimate site. As regards the time-based assessment of the toolbar's ability to detect a legitimate website, the voice-generating user warning interface, with a green colour status and a result text, was generated within 25 seconds, before the page loaded.

Overall, the toolbar achieved an average accuracy of 93.28%, as shown in **Table 1**. For phishing detection, tested on 1000 phishing URLs (row 2 of **Table 1**), the toolbar achieved 93.5% accuracy (column 3), with 93.8% true positives (column 4) and 6.2% false negatives (column 5). When tested on the 100 suspicious URLs (row 3), it achieved 94.5% accuracy (column 3), with 94.8% true positives (column 4) and 5.2% false negatives (column 5). Meanwhile, when the plugin was tested on the 1500 legitimate websites (row 4), it achieved 91.8% accuracy (column 3), with 92% true positives (column 4) and 8% false negatives (column 5). Accuracy therefore varied from a minimum of roughly 91% to a maximum of roughly 94% across the testing datasets.
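The true-positive and false-negative rates in **Table 1** are complementary pairs that can be re-derived from raw counts. The sketch below does this for the 1000 phishing URLs; the counts 938 and 62 simply follow from the reported 93.8%/6.2% split:

```python
# Derive per-class rates (as percentages) from raw detection counts.
def metrics(true_pos: int, false_neg: int) -> tuple[float, float]:
    total = true_pos + false_neg
    tpr = 100.0 * true_pos / total      # true-positive rate (%)
    fnr = 100.0 * false_neg / total     # false-negative rate (%)
    return round(tpr, 1), round(fnr, 1)

# 938 of the 1000 phishing URLs detected, 62 missed.
print(metrics(938, 62))  # → (93.8, 6.2)
```

The same function reproduces the suspicious-URL row from counts of 948 and 52, since each pair of rates must sum to 100%.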
