关键词: 钓鱼网页, 集成学习, 规则匹配, 钓鱼网页混淆技术

Abstract: In view of the fake HTTPS websites commonly used by phishing attackers and other obfuscation techniques, this paper draws on the current mainstream methods of detecting phishing websites based on machine learning and rule matching, RMLR and PhishDef, and adds features such as web page text keywords and web page sub-links. The Nmap-RF classification method is proposed. Nmap-RF is an integrated phishing website detection method based on rule matching and random forest method. The website is pre-filtered according to the webpage protocol, and if it is determined to be a phishing website, the subsequent feature extraction step is omitted. Otherwise, the text keyword confidence, the page sub-link confidence, the phishing vocabulary similarity and the page PageRank are taken as key features. The common URL, Whois, DNS information and web page tag information are used as auxiliary features, and are judged by the random forest classification model. Experiments show that the Nmap-RF integration method can detect phishing pages in an average of 9~10 μs, and can filter out 98.4% of illegal pages. The average total accuracy is 99.6%.

Key words: phishing websites, ensemble learning, rule matching, phishing obfuscation techniques