Machine learning models for phishing detection from TLS traffic

Date

2023

Publisher

Springer

Abstract

Phishing is a fraudulent tactic attackers use to obtain victims' personal information, such as passwords, account details, credit card details, and other sensitive information. Existing anti-phishing detection methods operate at the application layer and cannot be applied at the transport layer. A novel machine learning (ML) based phishing detection technique from transport layer security (TLS) 1.2 and TLS 1.3 encrypted traffic without decryption is proposed in this paper. Our proposed model detects phishing URLs at the transport layer and classifies them as legitimate or phishing. The features are extracted from TLS 1.2 and TLS 1.3 traffic, and phishing detection is performed using ML algorithms based on the extracted features. The datasets for legitimate and phishing sites are created using features derived from TLS 1.2 and TLS 1.3 traffic. According to the experimental results, the proposed model effectively detects phishing URLs in encrypted traffic. The proposed model achieves an accuracy of 93.63% for Random Forest (RF), 95.07% for XGBoost (XGB), and the highest accuracy of 95.40% for Light GBM (LGBM). © 2023, The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature.

Keywords

Anti-phishing, ML, Phishing, TLS 1.2, TLS 1.3, URL

Citation

Cluster Computing, 2023, Vol. 26, 5, p. 3263-3277
