Phishing detection and zero trust security using advanced neural architectures and noise injection

Abstract

Phishing attacks have developed very complex making the use of cultured detection technologies significant for the protection of sensitive information. The research presents a new framework for detecting phishing founded on the convolutional LSTM (ConvLSTM) network and neural ordinary differential equations (Neural ODEs) thereby refining detection robustness and accuracy. It joins a number of advanced methods like Gaussian noise injection for enhancing the simplification ability of the model and a hybrid Particle Swarm Optimization (PSO) and Sailfish Optimization (SFO) method for effective feature selection. In addition, it confirms safe decisions and regularly reviewing phishing risks by means of a genetic algorithm to improve the Zero Trust Implementation Framework. The optional model performs very well with F1 scores above 99 and recall, accuracy, and precision above 99. Associated to existing methods the proposed model performs significantly better reducing false positives and false negatives and contribute a higher degree of phishing detection accuracy. Future developments to the system will contain multi-modal data integration actual flexibility intelligible AI, and more scalability to handle important applications. Increasing the dataset to include changing phishing techniques could further improve detection services and support the system’s resistance to new threats.

Keywords

Phishing detection neural ODEs particle swarm optimization (PSO)convolutional LSTM (ConvLSTM)sailfish optimization (SFO)gaussian noise injectiongenetic algorithm

1. Introduction

A fundamental feature of cybersecurity is phishing detection, as it focuses on detecting and uncertain fraudulent efforts to obtain private information through illegal means. Attackers have been known to frequently create phishing websites or furnace deceptive looking emails in command to deceive people into close-fitting private info. Several techniques against this have developed like algorithmic machine learning that studies websites content as well as web addresses and URL structures to spot the difference in malicious and legally operating websites. Advanced detection is essential along with prevention since today’s phishing can be quite expanded and spread around web, email, and most highly social networks.

Recent research has focused on the use of deep learning and neural network architectures to enhance phishing detection capabilities. Using certain characteristics of URLs, email headers, and online content, feature-based phishing detection detects phishing attempts. However, it may not be able to identify new strategies or disguised URLs. By identifying new strategies and gathering contextual data, behaviour-based phishing detection leverages machine learning to forecast future behaviour. In this study, Mishra and Soni¹ developed a CNN model that detected these phishing attempts with an accuracy of 98.74%, thereby showing the possibility of deep learning in seeing risks that haven’t been noticed before.

Advanced phishing attacks require more complex detection techniques. One of the methods stated here is Phish Defense. Phish defense is the term for a collection of security measures or tools, such as specialized software or algorithms made to recognize fraudulent URLs, emails, or websites, intended to detect and stop phishing attacks. This technique works deep RNNs to look at the textual content of a URL. It is, therefore possible to detect phishing efforts without any specific need for characteristics of any external nature thereby growing the speed and effectiveness of detection.² Phishing attempts have changed over time, become increasingly complex and challenging to identify. They use social media insights and personal information to target people or organizations. To safeguard sensitive data, businesses need to have strong detection systems in place.

It was proposed to combine theory with deep learning in yet another innovative manner. In a very novel method³ presented a cyber describes system combining CNN and LSTM architectures with the African Vulture Optimization Algorithm. The hybrid model presented remarkable sensitivity and accuracy in phishing attempt detection presented that deep learning and optimization techniques can be useful in the field of cybersecurity.

A modified 1D CNN is employed by the Phish Guard model for actual phishing webpage detection. Usually a protection system or service, Phish Guard monitors and stops phishing attempts in real time, frequently using threat intelligence feeds, heuristics, or machine learning to spot questionable behaviour. Therefore, outdoes benchmark models while providing reasonable predictions which is energetic for system transparency and user confidence. A review of various neural network-based deep learning algorithms for phishing detection by Sahingoz et al.⁴ highlights the importance of incessant invention to fight against the continually moving phishing techniques.

Other than the architecture, noise injection methods to improve the flexibility and simplification of the models have also been considered. Controlled noise at the training point may avoid overfitting improve the model’s resistance to combative inputs and improve the facility of the models to be put to greater effect in practical cases. Zero Trust Security is a complete security architecture founded on the idea that no entity, whether within or outside the network, should ever be trusted by default. Access to resources must be granted only after each request, whether from an internal or external source, has been authenticated, approved, and regularly checked. This would give a versatile protection against phishing attacks with the help of the Zero Trust Security model combined with well-cultivated neural architectures and noise injection techniques. This would therefore be supporting the idea of ”never trust, always verify” with confirming continuous validation and monitoring of every request for access.

1.1. Problem statement

The cultured phishing attacks today target not only persons but also businesses through fraudulent means masquerading as an effort to feat human weaknesses. Serious cybersecurity dangers arise from the detail that current detection systems fail frequently to retain step with evolving phishing strategies including zero-day attacks and advanced elusion techniques. Even though neural network topologies and machine learning techniques are showing promising results further work should be carried out to enhance actual detection and make the system more robust against aggressive inputs for more reliable operations. Advanced neural structures noise injection techniques and a zero-trust security frame must be combined in order to exceed these limitations and offer robust yet adaptable protection against phishing attacks.

1.2. Objectives

(1)
To improve neural architectures that exactly detect phishing attacks by evaluating URLs and website contented.
(2)
The model’s robustness is increased by using noise injection methods to spread performance against antagonistic inputs
(3)
To recover the sensitivity and accuracy of phishing detection by using deep learning and optimization algorithms.
(4)
Zero Trust Security should be used for constant verification and admission request monitoring in order to decrease the risk of phishing.

2. Literature survey

Phishing detection studies due to more sophisticated attacks against the weaknesses of humans. As Basit et al.⁵ note, these usually include four phases setting up fake websites that resemble authentic ones sending cruel links via several modes of communication attractive victims to visit those sites and then robbing them of private access information with bank account or login passwords fact common cases in point. Phishing attacks have become more cultured and now target sensitive information via social media, web platforms, and emails.⁶

Many advanced detection techniques have been established to overcome these threats. For example, the hybrid deep learning model by utilizing character embedding along with NLP structures for measuring deep character connections and correlations.⁷ This type of model fuses deep learning with linearly limited attention to boost online security along with exploiting the precision of existing systems. Another model that was proposed by Asiri et al.⁸ was a novel advanced deep learning model that combined feedback and iterative reinstruction for updating models against the ever-changing phishing tactics including attacks. The performance gains of 5 to 5 in terms of accuracy, precision, and F1 scores introduced the idea of a dynamic real-time detection method. Aslam et al.⁹ proposed AntiPhishStack a two-phase stacked generalization method to address the disadvantages of traditional phishing detection systems. The stacked LSTM network two-layered formation and fused character level TF-IDF features allowed AntiPhishStack to reach a remarkable 96.04% accuracy on benchmark datasets. One-Hot Encoding and TF-IDF are less effective than AP Encoding at detecting phishing attacks because of their inability to capture meaningful relationships between tokens and their adaptive token representations, which enhance model performance without requiring the computational costs of high-dimensional representations. Its reliable methodology is based on meta-XGBoost classifiers and k-fold cross-validation, which are very caring for phishing detection. Farooq¹⁰ considerably better the detecting facilities by combining ANN and LSTM networks. After training on a secondary dataset their model efficiently improves the detection of bogus websites demonstrating the promise of machine learning and deep learning in resisting phishing threats.

Naga Sushma Allur¹¹ developed a hybrid deep-learning model for phishing detection that combines stacked autoencoders and SVM classifiers for improved accuracy and fewer false positives. Similar to AI-powered security systems, this model enhances real-time detection of phishing attempts, ensuring higher precision. Our approach builds upon this by incorporating advanced neural architectures and noise injection, further improving robustness and generalisation.

Thirusubramanian Ganesan¹² developed an AI-driven system for detecting financial fraud in IoT environments, utilising advanced algorithms like anomaly detection and clustering. The system enhances real-time fraud detection by distinguishing between legitimate and fraudulent activities, similar to approaches used in phishing detection. Our research applies a similar AI-powered approach, combining advanced neural architectures for detection with noise injection for enhanced robustness. Like Ganesan’s fraud detection system, this approach improves real-time analysis, decision-making, and security, ensuring adaptive learning and continuous monitoring for phishing threats in a Zero Trust framework.

Based on these findings,¹³ established a unique model that develops the LSTM GRU algorithm to identify phishing URLs with remarkable accuracy of 98.89, significantly outperforming existing methods. The reason it is highly efficient and very scalable is because it needs less time for testing, training, and storage. Dharini et al.¹⁴ published a multimodal method that joint URL structure analysis and ML methods. Their two-level detection method exceeded other recognized classifiers like XGBoost, Decision Tree, and Logistic Regression with a maximum accuracy of 96 using a Random Forest Classifier. Level 1 consisted of parsing URL components and assessing domain-specific features while Level 2 contained of using machine learning models.

Gupta et al.¹⁵ presented a hybrid deep learning and big data approach to overcome the drawbacks of conventional phishing detection methods. Their approach which associations deep learning and big data for robust phishing detection finds a high accuracy rate of 92 percentage by using Conv2d layers successively to analyse incoming traffic using the Cuckoo optimization algorithm. Shafin¹⁶ developed SLA-FS, a feature selection framework using reasonable techniques like Local Interpretable Model-agnostic Explanations (LIME) and Shapley Additive explanations (SHAP). This framework improves the accuracy of machine learning models by selecting the most relevant features and it has shown its flexibility and precision with an improvement of 0.65% for RF and 0.41% for XGB on an existing phishing dataset.

3. Methodologies

Figure 1 represents the phishing identification using the PhlUSIIL dataset. The Zero Trust Security architecture guards against phishing attempts by constantly verifying network requests. It guarantees that URLs, emails, and websites correspond with authenticated sources and imposes stringent access constraints, thus reducing any harm. If any questionable components are found, they are marked for more attention. Regardless of the network’s location, zero-trust security forbids faith in any entity. It entails ongoing request verification according to behaviour, context, and identity, which is consistent with phishing detection. Every request is validated by the Zero Trust Implementation Framework, guaranteeing that no entity can penetrate security measures. In the preprocessing stage tokenization is useful along with Gaussian Noise Injection for added robustness. Using BiLSTM, the related features are extracted. Then, from these extracted features the most relevant features are selected using PSO $+$ SFO hybrid optimization. In PSO, the fitness function evaluates how well a particle performs in maximizing phishing detection accuracy or minimizing classification error, for example. It assesses how CNN hyperparameters, such as learning rate and filter count, enhance the model’s capacity to recognize phishing URLs or domains. SFOs, like PSOs, use a fitness function to assess the quality of solutions, especially in phishing detection. The fitness function finds domain-based characteristics that are most suggestive of phishing and optimizes feature selection. The fitness function evaluates these characteristics’ performance in terms of detection efficiency and accuracy. The Zero Trust Implementation Framework is optimized using a genetic algorithm which assurances that conclusions are taken in a safe manner. The phishing attacks are classified using ConvLSTM and neural ODEs. ConvLSTM, a powerful phishing detection tool, combines the advantages of CNNs and LSTM networks. It can adjust to changing methods since it records both temporal and geographical data. Neural ODEs are useful for identifying adaptive phishing strategies. By enabling models to forecast future attack behaviours based on observed dynamics, they improve their capacity to foresee attackers’ adaptive tactics. Finally, the performance of the system is assessed by using standard metrics like accuracy and F1 score. The proposed method confirms higher model correctness and effectiveness by optimizing feature selection using PSO and SFO. Furthermore, the incorporation of Gaussian noise improves the robustness of the model against phishing attacks by enhancing its ability to simplify noisy practical data

3.1. Data collection

The PhIUSIIL dataset is used to see phishing-related data for the phishing detection process. The PhIUSIIL dataset gathers phishing instances, including URLs, domains, email content, and online traffic statistics. Its features, such as its size, diversity, and kind, represent a variety of phishing attempts, including new and developing assaults, and guarantee that its model can effectively generalize to data that hasn’t been seen before. The data is then pre-processed and tokenized to create analysable tokens. In order to increase the model’s resistance and robustness against aggressive inputs Gaussian noise is included during training. There are many genuine and phishing URLs in the PhIUSIIL dataset, which is utilized in a phishing detection system. In order to distinguish between phishing and legal URLs, the dataset is balanced. It contains a variety of URL types, such as malicious redirection, look-alike sites, and social engineering-based phishing, to illustrate typical phishing attack methods. BiLSTM networks are then used to excerpt features including contextual and sequential relations. It utilizes PSO in the optimization of the features in order to maximize the important features. This provides a zero-trust security framework which is optimally evolved through the use of evolutionary algorithms to guarantee endless monitoring and verification. Deep learning models continuous-time processes using Ordinary Differential Equations (ODEs). Neural ODEs are useful in phishing detection because they can adapt to the temporal features of phishing methods and simulate the ongoing evolution of phishing assault patterns. For the purposes of verifying that the system has a positive response to threats sophisticated models including ConvLSTM and Neural ODEs are applied for classification of the threat. It measures performance using parameters such as accuracy and precision.

Figure 1.

Architectural diagram for phishing detection and zero trust security.

(1)

Dataset Representation

Each URL entry in the collection is represented by a vector of features and a label.

\begin{aligned} X = {(x_{1}, y_{1}), (x_{2}, y_{2}), \dots, (x_{n}, y_{n})} \end{aligned}

(1)

x_{i}

Feature vector representing properties of the

i

-th URL.

y_{i}

Label indicating the type of URL

y_{i} = 1

for phishing,

y_{i} = 0

for legitimate.

(2)

Features

Each URL has multiple measurable features. Let $x_{i} = [f_{1}, f_{2}, \dots, f_{d}]$ were, $f_{1}, f_{2}, \dots, f_{d} :$ Features of the URL including URL-based domain based and content-based.

(3)

Goal of Phishing Detection

The goal is to find a function $h$ the detection model that maps feature $x_{i}$ to the predicted label ${\hat{y}}_{i}$

\begin{aligned} h (x_{i}) = {\hat{y}}_{i} \end{aligned}

(2)

y_{i} = 1

indicates a phishing URL and

y_{i} = 0

indicates a legitimate URL.

3.2. Preprocessing

To identify phishing patterns Preprocessing, along with AP encoding, involves the conversion of unstructured data into numerical representations organized from the raw input data. AP Encoding is a technique that helps with huge datasets with different token distributions by using adaptive algorithms to enhance token representation. Nevertheless, it has computational issues, particularly when processing in real time, and it takes more time to modify the encoding for every input character. After splitting up the input data in the form of URLs. AP encoding maps each token to a number based on its position or frequency. AP encoding is a versatile technique for identifying intricate phishing patterns, such as dynamic attempts or disguised URLs. Recording token associations in various sequences improves contextual comprehension, but it may also become more computationally intensive, which makes it less appropriate for sparse datasets and real-time systems. This systematic approach helps the deep learning models to identify the phishing patterns better by highlighting sequential connections in the data. The procedure improves computational efficiency as well as pattern recognition.

3.2.1. Input data

\begin{aligned} X = {x_{1}, x_{2}, \dots, x_{N}} \end{aligned}

(3)

were

x_{k}

is the

k

-th raw data sample

3.2.2. Tokenization

\begin{aligned} S_{k} = Tokenize (x_{k}) = {s_{k 1}, s_{k 2}, \dots, s_{k M}} \end{aligned}

(4)

were

s_{k j}

is the

j

-th token of the

k

-th sample

3.2.3. AP encoding

\begin{aligned} e_{k j} = a + (j - 1) d \end{aligned}

(5)

were, The encoded value

e_{k j}

for the

j

-th token of the

k

-th sample is calculated as

e_{k j} = a + (j -

d

, were

a

is the initial value

d

is the common difference and

j

is the token’s position in the sequence. This formula ensures systematic encoding based on token order.

3.2.4. Feature vector construction

Combine the encoded values of all tokens into a feature vector for each sample

\begin{aligned} V_{k} = {e_{k 1}, e_{k 2}, \dots, e_{k M}} \end{aligned}

(6)

3.2.5. Output feature set

\begin{aligned} V = {V_{1}, V_{2}, \dots, V_{N}} \end{aligned}

(7)

were

V

is the set of feature vectors for all samples ready for model input.

3.3. Gaussian noise injection

This approach adds Gaussian noise, or random noise with a normal distribution, to model weights or training data. It enhances generalization by keeping the model from overfitting to certain data patterns, which can strengthen the phishing detection model’s resistance to attackers’ evolving strategies. Preprocessing for phishing detection using encoding converts unprocessed data like URLs and email messages into numerical representations for deep learning models. Techniques like one-hot encoding and word embeddings convert the tokens into feature vectors after tokenization divides the data into expressive units like words and characters. Gaussian noise injection improves model generalization by strengthening its resistance to changes in input data, which is important for phishing detection. This makes adaptive phishing techniques easier to spot. The model’s variance, which affects its robustness and rate of convergence, can vary from 0.1 to 0.5. This prepared representation draws attention to movements and anomalies expressive of phishing. Regulating data leads to development in the correct model and compatibility with computational methods.

Step 1: Input Data

Let the input dataset be a matrix $X$ ,

\begin{aligned} X = [\begin{array}{cccc} x_{11} & x_{12} & \dots & x_{1 n} \\ x_{21} & x_{22} & \dots & x_{2 n} \\ ⋮ & ⋮ & ⋱ & ⋮ \\ x_{m 1} & x_{m 2} & \dots & x_{m n} \end{array}] \end{aligned}

(8)

were,

X

Input features with

m

samples and

n

features per sample.

Step 2: Gaussian Noise

Generate a noise matrix $G$ , were each section $g_{i j}$ is experimented from a Gaussian distribution

\begin{aligned} g_{i j} \sim N (μ, σ^{2}) \end{aligned}

(9)

Gaussian Noise Injection is signified as

g \sim N (μ, σ^{2})

, were

μ

is the mean and

σ^{2}

is the modification of the Gaussian distribution. Model generalization is aided by Gaussian noise injection; nevertheless, its strength should be moderated to avoid over-robustness and hinder the ability to learn certain patterns. For instance, a moderate amount of noise with a variation of 0.2 and a mean of 0 might enhance generalization.

The noise matrix $G$ has the same dimensions as $X (m \times n)$ .

Step 3: Add Noise to the Input Data

Add the noise matrix $G$ to the original dataset $X$

\begin{aligned} X^{noisy} = X + G \end{aligned}

(10)

The noisy dataset is given as $X^{noisy} = X + G$ , where $X$ is the original dataset and $G$ is the noise matrix made from a Gaussian distribution. This adds controlled chance to the data attractive model robustness. Each feature in the dataset is disturbed by Gaussian noise.

Step 4: Control Noise Intensity

To control the impact of noise introduce a scaling factor $α$

\begin{aligned} X^{noisy} = X + α G \end{aligned}

(11)

$α$ A small positive constant to adjust the intensity of the noise.

3.4. Feature selection

Feature selection, initiated on combined PSO $+$ SFO optimization in phishing detection, improves the performance of the model by exclusive features that are not related and were the most relevant ones. The PSO $+$ SFO hybrid strategy combines the exploration and exploitation capabilities of PSO and SFO and is a potent technique for feature selection and optimization. It works especially well in big, complicated feature spaces, like phishing detection, where high dimensionality and feature interaction are typical. This global study can be more simplified with SFO optimization, which assists from these subsets by abusing the sailfish behavior that is sardine hunting PSO goals to reproduce particle movement through following optimal replies to discover some interesting subsections of features. The ultimate objective of the PSO $+$ SFO feature selection procedure is to maximize the model’s accuracy by choosing the most pertinent characteristics. Metrics such as Information Gain, Mutual Information, or Chi-Square are used to evaluate the contribution of features to phishing detection. The hybrid plan will balance examination and exploitation, namely PSO and SFO. This balance helps to avoid being stuck in local optima and improves robustness, lowers computational difficulty, and boosts discovery accuracy by absorbing more on key traits. It works well with phishing detection, as large and noisy datasets are common. he hybrid PSO $+$ SFO feature selection method employs Sailfish Optimization for local optimization and Particle Swarm Optimization for global exploration. Particularly in phishing detection, where intricate feature interactions are common, this method improves feature relevance and selection accuracy. Both algorithms’ advantages are combined for effective feature selection.

3.4.1. Hybrid interactions of PSO and SFO optimization

Figure 2 represents the flowchart of the hybrid use of Particle Swarm Optimization (PSO) and Sailfish Optimization (SFO) for phishing detection. The process begins by initializing PSO particles and SFO agents. Fitness is evaluated for each candidate solution based on a phishing detection fitness function. PSO updates the particles’ positions and velocities based on personal and global best solutions, while SFO updates their positions using the predator-prey dynamic. SFO uses a predator-prey model to improve performance, in which the ”predator” looks for the best features, and the ”prey” represents possible solutions (features). This comparison aids the algorithm in concentrating on choosing the most pertinent features for phishing detection, increasing detection accuracy and decreasing overfitting by removing unnecessary information. The hybrid step combines the strengths of both algorithms, where PSO guides SFO and SFO refines PSO solutions. This process iterates until a termination condition is met, resulting in the optimal solution for phishing detection.

3.4.2. Particle swarm optimization

In order to maximize a fitness function particle that represent possible solutions travel across a search space in the typical PSO algorithm. In mathematical terms this is represented as

Figure 2.

Flowchart of hybrid interactions of PSO and SFO optimization.

Position update for each particle $i$

\begin{aligned} X_{i} (t + 1) - X_{i} (t) + V_{i} (t + 1) \end{aligned}

(12)

Velocity update for each particle $i$

\begin{aligned} V_{i} (t + 1) = ω V_{i} (t) + c_{1} r_{1} (P_{i} - X_{i} (t)) + c_{2} r_{2} (G - X_{i} (t)) \end{aligned}

(13)

were:

ω

is the inertia weight,

c_{1}, c_{2}

are cognitive and social acceleration coefficients, and

r_{1}, r_{2}

are random values in

[0, 1] . P_{i}

represents the personal best position of particle

i

, and

G

is the global best position across all particles.

3.4.3. Sailfish optimization algorithm

SFO mimics the group dynamics and predatory behavior of sailfish. The relationship between sardines and sailfish serves as the basis for the position updates.

Position update for sailfish

\begin{aligned} X_{i} (t + 1) - X_{i} (t) + α (X_{best} - X_{i} (t)) \end{aligned}

(14)

were,

α

is a control parameter that represents the influence of the best solution on the optimization process.

X_{best}

denotes the position of the best sailfish in the current population. It guides other agents (sailfish and sardines) toward the optimal solution during the optimization process.

Prey position update

\begin{aligned} X_{sardine} (t + 1) - X_{sardine} (t) - β (X_{sardine} (t) - X_{sailfish} (t)) \end{aligned}

(15)

were

β

controls the prey’s evasion dynamics.

3.5. Feature extraction

Figure 3 shows the sequential and contextual patterns from textual data, such as emails, URLs, or site content, can be recovered for feature extraction in the context of phishing detection. The first step is to generate the numerical representation of the input text, such as word or character embeddings. BiLSTM then analyses the sequence both forward and backward to obtain the context of the past and the future. Due to their capacity to recognize both forward and backward dependencies in sequential input, BiLSTM networks are perfect for phishing detection. They are able to comprehend the connection between tokens and the context from earlier tokens, offering important information about the general meaning of an email or URL. This makes it possible to detect phishing attempts more precisely. Combining the hidden states of forward and backward LSTMs produces an all-encompassing feature representation, which then goes to classifiers or fully linked layers for the detection of phishing. Due to the twofold size of the hidden information, concatenation in token representation models can result in increased memory use and computational complexity. Inference speed, temporal complexity, and system scalability may all be impacted, particularly for big coins. For real-time detection, careful handling of this trade-off is essential. This technique improves detection by efficiently catching trends like phony URL architecture or dubious email content.

Figure 3.

Architecture diagram of BiLSTM using in feature extraction.

3.5.1. Input representation

Given a sequence of input text as $X = {x_{1}, x_{2}, \dots, x_{T}}$ , were $x_{t}$ represents the input at time step t.

The input is typically embedded into a vector space

\begin{aligned} E = {e_{1}, e_{2}, \dots, e_{T}}, e_{t} = Embedding (x_{t}) \end{aligned}

(16)

3.5.2. Forward LSTM

The forward LSTM processes the input sequence from $t = 1$ to $T$

\begin{aligned} \vec{h_{t}} = LSTM (e_{t}, \vec{h_{t - 1}}) \end{aligned}

(17)

were:

$∙$ $h_{t}$ : Forward hidden state at time step $t$ .

$∙$ LSTM: Backward LSTM function.

The forward LSTM captures the context from the past up to the current time step.

3.5.3. Backward LSTM

The backward LSTM processes the input sequence in reverse, from $t = T$ to 1

\begin{aligned} h_{t}^{\leftarrow} = {LSTM}^{\leftarrow} (e_{t}, h_{t + 1}^{\leftarrow}) \end{aligned}

(18)

were:

$∙$ $h_{t}^{\leftarrow}$ : Backward hidden state at time step $t$ .

$∙$ LSTM: Backward LSTM function.

The backward LSTM captures the context from the future back to the current time step.

3.5.4. Concatenation

For each time step $t$ , the hidden states from the forward and backward LSTMs are concatenated

\begin{aligned} h_{t} = [h_{t}^{\vec{}}; h_{t}^{\leftarrow}] \end{aligned}

(19)

were:

$∙$ Concatenation operator.

$∙$ $h_{t}$ : Final hidden state at time step $t$ , combining both past and future context.

3.5.5. Output layer

The concatenated hidden states are passed to a dense layer or classifier for phishing detection.

\begin{aligned} y = σ (W_{h} \cdot h + b) \end{aligned}

(20)

were,

W_{h}

is the weight matrix for the output layer, and

h

represents the combined hidden states. The output is computed as

σ (W_{h} \cdot h + b)

, where

σ

is the sigmoid activation for binary classification.

3.5.6. Loss function

The output $y$ is compared with the ground truth $y_{true}$ using a binary cross-entropy loss. For binary classification problems, such as phishing vs. genuine, Binary Cross-Entropy is used to train a model. With a probability value ranging from 0 to 1, it evaluates the model’s performance and is therefore perfect for phishing detection. Model correctness and precision are guaranteed by its mathematically based and understandable assessment.

\begin{aligned} L = - \frac{1}{N} \sum_{i = 1}^{N} [y_{true} \log (y) + (1 - y_{true}) \log (1 - y)] \end{aligned}

(21)

were

N

is the total number of training samples.

3.6. Zero trust implementation framework

This framework focuses on checking each request and interaction in a system based on the principle that no entity is intrinsically trustworthy. Unlike traditional methods, which allow access without further verification, Zero Trust ensures secure interactions through granular access control and live monitoring. This approach ensures that even if an attacker accesses a portion of the network, their access is restricted, hence minimizing possible harm from assaults. Strong authentication, least privilege access, and continuous verification are the core ideas. It utilizes real-time monitoring, URL scanning, and email filtering for detecting phishing as it involves detecting dangerous links or behaviors. AI/ML-based threat intelligence is aggregated to dynamically react and adapt to new phishing tactics. The Zero Trust approach reduces the attack surface and the probability of successful phishing attempts by implementing strict access controls and authenticating people and devices at every turn.

3.6.1. Optimization for zero trust using genetic algorithm

Genetic Algorithm performs optimization for zero trust in phishing detection by finding the best settings for access control regulations, authentication systems, and phishing threat response tactics. The GA is an optimization method in the Zero Trust Implementation Framework based on natural selection. It enhances the efficiency of security policy enforcement and phishing detection by selecting ideal setups, conducting ongoing verification, and adapting to phishing trends. GA iteratively creates solutions to increase detection accuracy while reducing false positives by mimicking natural selection processes like crossover and mutation. This method will allow the dynamic adjustment of Zero Trust parameters so that it identifies and prevents phishing attempts without jeopardizing the system’s security and performance.

3.6.2. Problem definition

The goal is to optimize Zero Trust parameters for phishing detection by maximizing detection accuracy ( $A$ ) and minimizing false positives ( $F P$ ). The optimization problem can be represented as

\begin{aligned} Maximize: F = w_{1} \cdot A - w_{2} \cdot F P \end{aligned}

(22)

were

3.6.3. Genetic algorithm representation

a) Chromosome Each chromosome represents a potential solution, such as configurations of Zero Trust policies.

\begin{aligned} C = {x_{1}, x_{2}, \dots, x_{n}} \end{aligned}

(23)

were

x_{i}

are decision variables.

b) Population

A set of chromosomes

\begin{aligned} P = {C_{1}, C_{2}, \dots, C_{m}} \end{aligned}

(24)

were

m

is the population size.

3.6.4. Fitness function

Evaluate the fitness of each chromosome using the phishing detection metrics

\begin{aligned} F (C) = w_{1} \cdot A (C) - w_{2} \cdot F P (C) \end{aligned}

(25)

Were, The fitness function

F = w_{1} \cdot A - w_{2} \cdot F P

evaluates a solution by balancing detection accuracy

(A)

and false positives using weights

w_{1}

and

w_{2}

3.6.5. Output

The best chromosome $(C^{*})$ is the optimal Zero Trust configuration

\begin{aligned} C^{*} = \arg max_{C \in P} F (C) \end{aligned}

(26)

Figure 4.

Classification of BiLSTM.

3.7. Classification

Figure 4 represents a ConvLSTM-based architecture for phishing detection. Each input layer represents features processed independently. These features are passed through ConvLSTM layers to extract spatial-temporal dependencies. The outputs are flattened to a 1D vector representation. The flattened vectors are then concatenated to form a unified feature representation. Finally, the concatenated features are passed through a fully connected layer for classification into phishing or legitimate classes represented at the output layer. This approach integrates temporal and spatial patterns for improved detection.

3.7.1. Input processing

Feed the feature sequence $X_{t}$ into the ConvLSTM layer. Computation: ConvLSTM uses gates (forget, input, output) and updates the cell state $C_{t}$ and hidden state $H_{t}$ to capture spatial and temporal patterns.

\begin{aligned} H_{t} = σ (Conv (X_{t}) + Conv (H_{t - 1})) \end{aligned}

(27)

3.7.2. Feature extraction

The final hidden state $H_{T}$ is flattened into a vector to capture the learned features. Pass the flattened vector through a fully connected (dense) layer and a sigmoid activation

\begin{aligned} P (phishing) = σ (W_{dense} H_{T} + b_{dense}) \end{aligned}

(28)

Output ”phishing” if $P ($ phishing $) > 0.5$ ; otherwise, output ”legitimate.”

3.7.3. NEURALODes

In NeuralODEs, time-dependent changes in features are represented as a continuous system of ODEs, describing dynamic and evolving behaviors. Neural ODEs are often applied in phishing detection, where time-varying patterns in variables, such as network behavior, domain changes, or URL activity, can be detected. Neural ODEs work with regularly sampled data and adapt in learning typical behaviors, detecting abnormalities that could be associated with phishing. The computation of hidden states by the NeuralODE provides a reliable method for modeling changing threats, which are used to perform binary categorization into phishing or legal categories.

3.7.4. Dynamic behavior modelling

The patterns of phishing often reflect time-dependent, dynamic behaviors such as sudden surges in user activity or structural changes to URLs (like obfuscated parameters). NeuralODEs make use of a system of ODEs that can continuously learn the temporal development of these changing properties. This will effectively detect phishing by capturing typical and unusual trends.

\begin{aligned} g (t) = g (t_{0}) + \int_{t_{0}}^{t} F (g (τ), τ, α) d τ \end{aligned}

(29)

The state at time $t, g (t)$ , evolves according to the function $F$ , which captures the dynamics of feature changes, with $α$ representing the parameters of the ODE model. This relationship models the system’s behavior over time.

3.7.5. Anomaly detection

NeuralODEs learn normal behavior patterns by computing hidden states $g (t)$ continuously over time. These states are then used to classify sequences as phishing or legitimate.

3.7.6. Output layer

$∙$ The final state $g (T)$ (at the end of the time window) is passed to a dense layer for classification

\begin{aligned} P (phishing) = σ (V g (T) + c) \end{aligned}

(30)

$∙$ $V$ : Weight matrix,

$∙$ $c :$ Bias term,

$∙$ $σ$ : Sigmoid activation for binary classification.

4. Result and discussion

4.1. Confusion matrices

This confusion matrix evaluates a phishing detection model’s performance. The model correctly identified 2427 No phishing cases True Negatives and 3550 Phishing cases True Positives. It made only 12 false alarms False Positives predicting Phishing when it was not and missed 11 phishing cases False Negatives. The darker blue colours highlight higher counts showing the model is highly accurate with minimal errors in both categories. Figure 5 shows the excellent phishing detection performance.

Figure 5.

Confusion matrices.

4.2. Model evaluation

Figure 6(a) shows the training and validation accuracy of a model over epochs. The training accuracy steadily improves and stabilizes near 99-100%, indicating the model learns well. The validation accuracy closely follows the training accuracy, suggesting good generalization to unseen data with minimal overfitting. Both lines converge after around 10 epochs, demonstrating stable and effective model performance.

Figure 6.

(a) Training and validation accuracy (b) Training and validation loss.

Figure 6(b)shows the training loss and validation loss over epochs. Both losses decrease steadily, indicating that the model is learning and improving its predictions. The validation loss closely follows the training loss signifying good generalization to unseen data with minimal overfitting. Around epoch 10, the losses stabilize, showing that the model has reached optimal learning. The absence of significant divergence between the two lines confirms that the model is neither underfitting nor overfitting. Overall, the model demonstrates effective training and strong performance.

Figure 7 compares the ROC curve performance of three models Convolutional, Decision Tree (DT), and Random Forest (RF). The x-axis represents the False Positive Rate, while the y-axis represents the True Positive Rate. The Convolutional model performs the best with an AUC of 0.998, followed by DT with 0.988, and RF with 0.925. AUC values closer to 1 indicate better classification performance, and all three models perform significantly better than random guessing (AUC $= 0.5$ ). The curves closer to the top-left corner show higher accuracy.

Figure 8 shows the Precision-Recall Curve evaluates the trade-off between Precision and Recall. The blue curve remains close to the top-right corner, indicating the model maintains high precision and recall simultaneously. The AUC value of 0.99 signifies near-perfect performance, with minimal false positives and negatives. This curve shows the model is highly effective especially for scenarios where correctly identifying positives is crucial.

Figure 7.

Receiver operating curve.

Figure 8.

Precision recall curve.

4.3. Performance analysis of proposed work

The model performs very well across multiple metrics. With 99.75 percentage accuracy, it correctly expects most examples. The model has efficiently recognized positive cases and compact false positives as seen by its precision at 99.78 percent and recall at 99.85 percent. Excellent mix between recall and precision may be seen by the F1 score of 99.81. Furthermore, FPV 0.00497 and FNR 0.00387 are very low, meaning that there is very little wrong classification, and Kappa 99.64 and Jaccard 99.70, further supports outstanding performance by the model shown in Table 1.

Figure 9 illustrates the model’s performance metrics, all nearing 100%, indicating exceptional results. Accuracy reflects the model’s overall correctness, while Precision and Recall demonstrate its ability to minimize false positives and false negatives, respectively. The F1-Score shows a perfect balance between precision and recall, confirming robust performance. The Jaccard Index measures strong agreement between predicted and actual labels, and Cohen’s Kappa shows near-perfect agreement, accounting for chance. Overall, the model performs excellently across all metrics, indicating reliable and effective classification.

Figure 9.

Model performance metrics.

Table 1.

Performance analysis of proposed work.

Metric	Value
Accuracy	99.7536276
Precision	99.78301472
Recall	99.85347763
F1 score	99.80822562
Jaccard	99.70107111
kappa	99.6371668
FPV	0.004971365
FNR	0.003865224

In Figure 10 two performance metrics FPV and FNR are compared. The FNR describes the rate of positive amounts incorrectly classified as negatives while the rate of negative examples incorrectly categorized as positives is defined by FPV which is higher by just a few percent. The model does well with minimal wrong classification at both very low values. A slightly higher FPV specifies a rather greater rate of false alarms, while a lower FNR recommends that the model is improved at detecting true positives. In general, these error rates are balanced by the model.

Figure 10.

Performance metrics of FPV&FNR.

4.4. Comparative analysis

a) Accuracy

The comparison shows the accuracy performance of several methods. The recommended approach which combines ConvLSTM with neural ODEs attains the maximum accuracy of 99.75, while Alshingiti et al.¹⁸ used CNN and LSTM-CNN to get 99.2 accuracy. Rathee¹⁹ achieve 98.5 accuracy with an SVM model, but Wang et al.¹⁷ use RCNN and achieve 95.6 accuracy. Lastly, Akour et al.²⁰ use KNN to obtain 94 accuracies. These results demonstrate how various learning approaches work differently on the task at hand shown in Table 2.

Table 2.
Comparative performance metrics.

Study Technique used accuracy Precision Recall F1 score

Proposed method ConvLSTM, neural Odes 99.75% 99.78% 99.85% 99.81%

Wang et al.¹⁷ RCNN 95.6% 97.33% 93.78% 95.52%

Alshingiti et al.¹⁸ CNN, LSTM-CNN 99.2% 98.8% 97.6% 98.2%

Rathee¹⁹ SVM 98.50% 97.66% 99.41% 99.27%

Akour et al.²⁰ KNN 94% 94% 94% 94%

Study	Technique used	accuracy	Precision	Recall	F1 score
Proposed method	ConvLSTM, neural Odes	99.75%	99.78%	99.85%	99.81%
Wang et al.¹⁷	RCNN	95.6%	97.33%	93.78%	95.52%
Alshingiti et al.¹⁸	CNN, LSTM-CNN	99.2%	98.8%	97.6%	98.2%
Rathee¹⁹	SVM	98.50%	97.66%	99.41%	99.27%
Akour et al.²⁰	KNN	94%	94%	94%	94%

b) Precision

In considering the various methods used in different studies for deep learning-related tasks numerous methodologies are exposed. Although this method used ConvLSTM and neural ODEs, another study used RCNN,¹⁷ CNN coupled with LSTM-CNN,¹⁸ SVM,¹⁹ and KNN²⁰ to attain the results. The fact that different plans scored between 94 and 99.78 makes clear how well a given method is working at its purpose.

c) Recall

A diversity of deep learning approaches and their corresponding recall values are extended done contrast. The proposed method that makes use of ConvLSTM and neural ODEs achieves a recall of 99.85 other studies account lower remember rates. Alshingiti et al.¹⁸ obtain 97.6 recall using CNN and LSTM-CNN, and Wang et al.¹⁷ get 93.78 using RCNN. Other methods like SVM¹⁹ and KNN²⁰ which have standards of 99.41 and 94 respectively prove the approaches to be actual in various applications.

d) F1 score

The performance of each deep learning technique is displayed by comparing its F1 score. With the use of neural ODEs and ConvLSTM the recommended approach attains an outstanding F1 score of 99.81. Using CNN and LSTM-CNN,¹⁸ get an F1 score of 98.2, while Wang et al.¹⁷ use RCNN and acquire an F1 score of 95.52. Rathee¹⁹ use SVM to acquire a 99.27 F1 score while²⁰ use KNN to achieve a 94 score. These findings demonstrate the variety of methods and their suitability for various settings Figure 11.

This bar chart comparisons the performance of four studies on the following four measures F1 Score, Accuracy, Precision, and Recall. Each measure has four bars that agree to a different study. Wang et al.,¹⁷ Alshingiti et al.,¹⁸ Akour et al.,²⁰ and the recommended method. The graph displays percentages of performance the higher bars are the better performances. Of course, the graph shows how each study performs in contrast to the others for each measure.

Figure 11.

Comparative analysis.

5. Conclusion and feature enhancement

The proposed phishing detection framework using ConvLSTM and Neural ODEs has been highly effective. Besides a Zero Trust Implementation Framework for safe decision-making, it incorporates strong feature selection methods such as hybrid PSO $+$ SFO optimization and Gaussian noise injection. The model performs better than current techniques and provides good generalization with low misclassification. Further, to increase the system’s effectiveness, multi-model data, explainable AI, real-time adaptability, and high-volume scalability can be added. Adding a variety of phishing techniques in the dataset to strengthen the detection capabilities is another possibility. Increased adversarial robustness is another possibility.

Footnotes

ORCID iDs

Omar Sedqi Kareem

Mehmet Umut Salur

Adnan Burhan Rajab

Author contributions

Nashwan Adnan OTHMAN- Methodology, Project Administration, Manuscript editing; Omar Sedqi Kareem, Zardasht Abdulaziz Abdulkarim SHWANY- Software, Validation; Younus Ameen Muhammed, Mehmet Umut SALUR- Visualization, Manuscript Review and editing; Adnan Burhan Rajab- Design Framework, Resources, Validation.

Funding

The author(s) received no financial support for the research, authorship, and/or publication of this article.

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Data availability statement

All data generated or analyzed during this study are included in the manuscript.

References

Mishra

Soni

. Smishing detector: a security model to detect smishing through SMS content analysis and URL behavior analysis. Futu Gener Comput Syst 2024; 108: 803–815.

Rangapur

Kanakam

Dhanvanthini

. Phish-Defence: phishing detection using deep recurrent neural networks. arXiv preprint arXiv:2110.13424, 2021, https://doi.org/10.48550/arXiv.2110.13424.

Elberri

Tokeşer

Rahebi

, et al. A cyber defense system against phishing attacks with deep learning game theory and LSTM-CNN with african vulture optimization algorithm (AVOA). Int J Inform Sec 2024; 23: 2583–2606.

Sahingoz

Buber

Kugu

. DEPHIDES: deep learning based phishing detection system. IEEE Access 2024; 12: 8052–8070. https://doi.org/10.1109/ACCESS.2024.3145678

Basit

Zafar

Liu

, et al. A comprehensive survey of AI-enabled phishing attacks detection techniques. Telecommun Syst 2021; 76: 139–154.

Bhargava

Yablonovitch

. Lowering HAMR near-field transducer temperature via inverse electromagnetic design. IEEE Trans Magn 2015; 51: 1–7.

Kamble

Mishra

. Securing cyberspace: unveiling phishing attacks through deep neural networks for enhanced detection. In: 2024 International conference on advancements in smart, secure and intelligent computing (ASSIC), 2024, pp. 1–5. IEEE. https://doi.org/10.1109/ASSIC53656.2024.00010.

Asiri

Xiao

Alzahrani

. Towards improving phishing detection system using human in the loop deep learning model. In: Proceedings of the 2024 ACM southeast conference, 2024, pp. 77–85. https://doi.org/10.1145/3453140.3453145.

Aslam

Manzoor

, et al. AntiPhishStack: LSTM-based stacked generalization model for optimized phishing URL detection. Symmetry 2024; 16: 248.

10.

Farooq

. Phishing website detection using a combined model of ANN and LSTM. arXiv preprint arXiv:2404.10780, 2024. https://doi.org/10.48550/arXiv.2404.10780.

11.

Naga

. Phishing website detection based on multidimensional features driven by deep learning: Integrating stacked autoencoder and SVM Doctoral dissertation, 2020.

12.

Thirusubramanian

. Machine learning-driven AI for financial fraud detection in IoT environments. Int J HRM and Organ Behav 2020; 8: 1–16.

13.

Subhashini

Banerjee

Kumar

, et al. Deep learning-based phishing website detection. TELKOMNIKA (Telecomm Comput Electr Control) 2024; 22: 113–121.

14.

Dharini

Sudarsan

EPV

Praveen

, et al. Enhanced phishing detection: Integrating random forest classifier and domain analysis for proactive cybersecurity. In: 2024 8th International conference on I-SMAC (IoT in Social, Mobile, Analytics and Cloud)(I-SMAC), 2024, pp. 633–643. IEEE. https://doi.org/10.1109/I-SMAC49090.2024.00097.

15.

Gupta

Gaurav

, et al. Deep learning and big data integration with cuckoo search optimization for robust phishing attack detection. In: ICC 2024-IEEE International conference on communications, 2024, pp. 1322–1327. IEEE. https://doi.org/10.1109/ICC46855.2024.9981234.

16.

Shafin

. An explainable feature selection framework for web phishing detection with machine learning. Data Science and Management. 2024, https://doi.org/10.1016/j.dsm.2024.01.001.

17.

Wang

Zhang

Luo

, et al. PDRCNN: precise phishing detection with recurrent convolutional neural networks. Sec Commun Netw 2019; 2019: 2595794.

18.

Alshingiti

Alaqel

Al-Muhtadi

, et al. A deep learning-based phishing detection system using CNN, LSTM, and LSTM-CNN. Electronics 2023; 12: 232.

19.

Rathee

. Malware profiling and classification using machine learning algorithms (Doctoral dissertation, Dublin Business School). 2024, https://doi.org/10.48550/arXiv.2404.10780.

20.

Akour

Aburayya

Authority

, et al. Using classical machine learning for phishing websites detection from URLs. J Manag Inform Decis Sci 2021; 24: 1–15.