From: Development of anti-phishing browser based on random forest and rule of extraction framework
S.No | Features | Conditions | Result |
---|---|---|---|
1. | IP Address | Domain Part of URL contains IP Address | Phishing |
Domain Part of URL doesn’t contain IP Address | Legitimate | ||
2. | Length of URL | Length of URL below 54 | Legitimate |
Length of URL greater or equal to 54 | Suspicious | ||
Length of URL lesser or equal to 75 | Phishing | ||
3. | Shortening Services | Very Short URL | Phishing |
Normal URL | Legitimate | ||
4. | ‘@’ Symbol | Existence of ‘@’ character in URL | Phishing |
Absence of ‘@’ character in URL | Legitimate | ||
5. | Double slash forwarding | Position of Last ‘// in URL is below 7 | Phishing |
Position of Last ‘// in URL is above 7 | Legitimate | ||
6. | Prefix and Suffixes | Existence of ‘−’ character in Domain name | Phishing |
Absence of ‘−’ character in Domain name | Legitimate | ||
7. | Sub Domain | No. of Dots equal to one in Domain Part of URL | Legitimate |
No. of Dots equal to two in Domain Part of URL | Suspicious | ||
No. of Dots greater than two in Domain Part of URL | Phishing | ||
8. | SSL final Certificate | Using https by Trusted providers and Certificate Age should be greater than or equal to 1 Year | Legitimate |
Using https with Non-Trusted providers | Suspicious | ||
Using https by Non-Trusted providers and Certificate Age lesser than to 1 Year | Phishing | ||
9. | Domain registration length | Expiry date of Domains lesser or equal to 1 year | Phishing |
Expiry date of Domains greater than 1 year | Legitimate | ||
10. | Favicon | Favicon retrieved from External source | Phishing |
Favicon retrieved from Internal source | Legitimate | ||
11. | Non-Standard Ports | Port No. has Preferred Status | Phishing |
Port No. doesn’t have Preferred Status | Legitimate | ||
12. | “HTTPS” token | Domain section with HTTP token | Phishing |
Domain section without HTTP token | Legitimate | ||
13. | URL Requests | Percent of request URL lesser than 22% | Legitimate |
Percent of request URL is greater than or equal to 22% and lesser than 61% | Suspicious | ||
Percent of request URL is greater than 61% | Phishing | ||
14. | URL with anchor | Percent of request URL lesser than 31% | Legitimate |
Percent of request URL is greater than or equal to 31% and lesser than 67% | Suspicious | ||
Percent of request URL is greater than 67% | Phishing | ||
15. | Tags containing Links | Percent of Links in “Meta”,” Link” and “Script lesser than 17% | Legitimate |
Percent of Links in “Meta”,” Link” and “Script” is greater than or equal to 17% and lesser than 81% | Suspicious | ||
Percent of Links in “Meta”,” Link” and “Script” is greater than 81% | Phishing | ||
16. | Server Form Handler-SFH | “Is Empty” or “about: blank” in SFH | Phishing |
SFH forwards to another Domain | Suspicious | ||
SFH doesn’t contain “Is Empty” or “about: blank” or doesn’t forwards to another domain | Legitimate | ||
17. | Submitting to email | “mail()” services usage | Phishing |
Non-usage of “mail()” | Legitimate | ||
18. | Abnormal URL | URL without Hostname | Phishing |
URL with Hostname | Legitimate | ||
19. | Webpage Redirect | Page redirect is lesser than or equal to one | Phishing |
Page redirect is greater than or equal to two and less than four | Suspicious | ||
Page redirect is greater than four | Legitimate | ||
20. | On mouse over | Change in status bar with mouse over | Phishing |
No Change in status bar with mouse over | Legitimate | ||
21. | Mouse right clicks | Disabled Right Click | Phishing |
Enabled Right Click | Legitimate | ||
22. | Browser Pop up | Browser Popups with text boxes | Phishing |
Browser Popups without text boxes | Legitimate | ||
23. | Iframe | Webpage with usage of iframe | Phishing |
Webpage without the use of iframe | Legitimate | ||
24. | Age of domain | Domain age greater than 6 months | Phishing |
Domain age lesser than 6 months | Legitimate | ||
25. | DNS Record | Domain without DNS record | Phishing |
Domain with DNS record | Legitimate | ||
26. | Web traffic | webpage rank less than or equal to 100,00 | Legitimate |
webpage rank greater than 100,00 | Suspicious | ||
webpage rank greater than 100,000 | Phishing | ||
27. | Page Rank | Page Rank less than 0.2 | Phishing |
Page Rank greater than 0.2 | Legitimate | ||
28. | Google Index | Webpage without google index | Phishing |
Webpage with google index | Legitimate | ||
29. | Links pointing to page | No. of Links Pointing to Webpage is zero | Phishing |
No. of Links Pointing to Webpage is less than or equal to two | Suspicious | ||
No. of Links Pointing to Webpage is greater than two | Legitimate | ||
30. | Statistical analysis report | Host having topmost Phishing IP Addresses | Phishing |
Host without topmost Phishing IP Addresses | Legitimate |