| import re
|
| import joblib
|
| import pandas as pd
|
| import numpy as np
|
| from urllib.parse import urlparse
|
| from typing import Dict, Any
|
|
|
| _SUSPICIOUS_TOKENS = [
|
| "login", "verify", "secure", "update", "bank", "pay", "account", "webscr"
|
| ]
|
| _IPV4_PATTERN = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
|
|
|
| _BRAND_NAMES = [
|
| "facebook","paypal","google","amazon","apple","microsoft",
|
| "instagram","netflix","bank","hsbc","linkedin","yahoo","outlook"
|
| ]
|
| _SUSPICIOUS_TLDS = {"zip","xyz","top","ru","kim","support","ltd","work","gq","tk","ml"}
|
|
|
| try:
|
| from rapidfuzz import fuzz
|
| def _sim(a: str, b: str) -> float:
|
| return fuzz.ratio(a, b) / 100.0
|
| except Exception:
|
| import difflib
|
| def _sim(a: str, b: str) -> float:
|
| return difflib.SequenceMatcher(None, a, b).ratio()
|
|
|
|
|
| def _ensure_scheme(u: str) -> str:
|
| return u if re.match(r'^[a-zA-Z][a-zA-Z0-9+.\-]*://', u) else 'http://' + u
|
|
|
|
|
| def _get_hostname(u: str) -> str:
|
| try:
|
| host = urlparse(_ensure_scheme(u)).hostname or ''
|
| try:
|
| host = host.encode('ascii').decode('idna')
|
| except Exception:
|
| pass
|
| return host.lower()
|
| except Exception:
|
| return ''
|
|
|
|
|
| def _get_sld(host: str) -> str:
|
| parts = host.split('.')
|
| if len(parts) >= 2:
|
| return parts[-2]
|
| return host
|
|
|
|
|
| def _get_tld(host: str) -> str:
|
| parts = host.split('.')
|
| return parts[-1] if len(parts) >= 2 else ''
|
|
|
|
|
| def _shannon_entropy(s: str) -> float:
|
| if not s:
|
| return 0.0
|
| counts = {}
|
| for ch in s:
|
| counts[ch] = counts.get(ch, 0) + 1
|
| probs = np.array(list(counts.values()), dtype=float)
|
| probs /= probs.sum()
|
| return float(-(probs * np.log2(probs)).sum())
|
|
|
|
|
| def _clean_for_brand(s: str) -> str:
|
| return re.sub(r'[^a-z]', '', re.sub(r'\d+', '', s.lower()))
|
|
|
|
|
| def _engineer_features(url_series: pd.Series) -> pd.DataFrame:
|
| s = url_series.astype(str)
|
| out = pd.DataFrame(index=s.index)
|
|
|
|
|
| out["url_len"] = s.str.len().fillna(0)
|
| out["count_dot"] = s.str.count(r"\.")
|
| out["count_hyphen"] = s.str.count("-")
|
| out["count_digit"] = s.str.count(r"\d")
|
| out["count_at"] = s.str.count("@")
|
| out["count_qmark"] = s.str.count("\?")
|
| out["count_eq"] = s.str.count("=")
|
| out["count_slash"] = s.str.count("/")
|
| out["digit_ratio"] = (out["count_digit"] / out["url_len"].replace(0, np.nan)).fillna(0)
|
| out["has_ip"] = s.str.contains(_IPV4_PATTERN).astype(int)
|
| for tok in _SUSPICIOUS_TOKENS:
|
| out[f"has_{tok}"] = s.str.contains(tok, case=False, regex=False).astype(int)
|
| out["starts_https"] = s.str.startswith("https").astype(int)
|
| out["ends_with_exe"] = s.str.endswith(".exe").astype(int)
|
| out["ends_with_zip"] = s.str.endswith(".zip").astype(int)
|
|
|
|
|
| host = s.apply(_get_hostname)
|
| sld = host.apply(_get_sld)
|
| tld = host.apply(_get_tld)
|
|
|
| out['host_len'] = host.str.len().fillna(0)
|
| sub_count = host.str.count(r'\.') - 1
|
| out['subdomain_count'] = sub_count.fillna(0).clip(lower=0).astype(int)
|
| out['tld_suspicious'] = tld.isin(list(_SUSPICIOUS_TLDS)).astype(int)
|
| out['has_punycode'] = host.str.contains('xn--', na=False).astype(int)
|
|
|
| out['sld_len'] = sld.str.len().fillna(0)
|
| sld_digit_count = sld.str.count(r'\d')
|
| out['sld_digit_ratio'] = (sld_digit_count / out['sld_len'].replace(0, np.nan)).fillna(0)
|
| out['sld_entropy'] = sld.apply(_shannon_entropy).astype(float)
|
|
|
|
|
| sld_clean = sld.apply(_clean_for_brand)
|
|
|
| def _max_brand_sim(name: str) -> float:
|
| if not isinstance(name, str) or not name:
|
| return 0.0
|
| best = 0.0
|
| for b in _BRAND_NAMES:
|
| sc = _sim(name, b)
|
| if sc > best:
|
| best = sc
|
| return float(best)
|
|
|
| out['max_brand_sim'] = sld_clean.apply(_max_brand_sim).astype(float)
|
| out['like_facebook'] = sld_clean.apply(lambda x: 1 if _sim(x, 'facebook') >= 0.82 else 0).astype(int)
|
|
|
| OFFICIAL_DOMAINS = {
|
| 'facebook': ['facebook.com'],
|
| 'paypal': ['paypal.com'],
|
| 'google': ['google.com'],
|
| 'amazon': ['amazon.com'],
|
| 'apple': ['apple.com'],
|
| 'microsoft': ['microsoft.com'],
|
| 'instagram': ['instagram.com'],
|
| 'netflix': ['netflix.com'],
|
| 'hsbc': ['hsbc.com'],
|
| 'linkedin': ['linkedin.com'],
|
| 'yahoo': ['yahoo.com'],
|
| 'outlook': ['outlook.com']
|
| }
|
|
|
| def _normalize_leet(name: str) -> str:
|
| if not isinstance(name, str):
|
| return ''
|
| table = str.maketrans({'0':'o','1':'l','3':'e','4':'a','5':'s','7':'t','2':'z','8':'b'})
|
| return name.translate(table)
|
|
|
| def _best_brand(name: str):
|
| if not isinstance(name, str) or not name:
|
| return '', 0.0
|
| best_b, best_s = '', 0.0
|
| for b in _BRAND_NAMES:
|
| sc = _sim(name, b)
|
| if sc > best_s:
|
| best_b, best_s = b, sc
|
| return best_b, float(best_s)
|
|
|
| def _get_etld1(h: str) -> str:
|
| parts = h.split('.') if isinstance(h, str) else []
|
| if len(parts) >= 2:
|
| return parts[-2] + '.' + parts[-1]
|
| return h
|
|
|
| etld1 = host.apply(_get_etld1)
|
| brand_best_and_sim = sld_clean.apply(_best_brand)
|
| brand_best = brand_best_and_sim.apply(lambda x: x[0])
|
| brand_best_sim = brand_best_and_sim.apply(lambda x: x[1])
|
|
|
| out['is_official_brand_domain'] = [
|
| 1 if bb and et in OFFICIAL_DOMAINS.get(bb, []) else 0
|
| for bb, et in zip(brand_best, etld1)
|
| ]
|
|
|
| out['brand_digit_insertion'] = ((sld_clean == brand_best) & (sld.str.contains(r'\d'))).astype(int)
|
|
|
| sld_leet_norm = sld.apply(_normalize_leet).apply(_clean_for_brand)
|
| def _max_brand_sim_leet(name: str) -> float:
|
| if not isinstance(name, str) or not name:
|
| return 0.0
|
| best = 0.0
|
| for b in _BRAND_NAMES:
|
| sc = _sim(name, b)
|
| if sc > best:
|
| best = sc
|
| return float(best)
|
| out['max_brand_sim_leet'] = sld_leet_norm.apply(_max_brand_sim_leet).astype(float)
|
| out['like_brand_leet'] = (out['max_brand_sim_leet'] >= 0.88).astype(int)
|
|
|
| def _contains_brand_extra(name: str) -> int:
|
| if not isinstance(name, str) or not name:
|
| return 0
|
| for b in _BRAND_NAMES:
|
| if name != b and b in name:
|
| return 1
|
| return 0
|
| out['sld_contains_brand_extra'] = sld_clean.apply(_contains_brand_extra).astype(int)
|
|
|
| out['brand_impersonation'] = (
|
| ((brand_best_sim >= 0.88) | (out['like_brand_leet'] == 1) | (out['sld_contains_brand_extra'] == 1))
|
| & (out['is_official_brand_domain'] == 0)
|
| ).astype(int)
|
|
|
| out['sld_has_hyphen'] = sld.str.contains('-', na=False).astype(int)
|
| out['sld_has_digits'] = (sld.str.count(r'\d') > 0).astype(int)
|
|
|
| return out
|
|
|
|
|
| def load_bundle(path: str) -> Dict[str, Any]:
|
| """Load the saved joblib bundle produced by the notebook.
|
|
|
| Returns a dict with keys: model, feature_cols, url_col, label_col, model_type
|
| """
|
| bundle = joblib.load(path)
|
| required = {"model", "feature_cols", "url_col", "label_col", "model_type"}
|
| missing = required - set(bundle.keys())
|
| if missing:
|
| raise ValueError(f"Bundle missing keys: {missing}")
|
| return bundle
|
|
|
|
|
| def predict_url(url: str, bundle: Dict[str, Any], threshold: float = 0.5) -> Dict[str, Any]:
|
| """Predict phishing probability for a single URL using the saved bundle.
|
|
|
| Applies a rule-based typosquatting guard to catch cases like face123book.com
|
| even if the model probability is low.
|
| """
|
| url_col = bundle["url_col"]
|
| feature_cols = bundle["feature_cols"]
|
| trained_feature_cols = bundle.get("trained_feature_cols")
|
| model_type = bundle.get("model_type", "xgboost_bst")
|
| model = bundle["model"]
|
|
|
| row = pd.DataFrame({url_col: [url]})
|
| feats_full = _engineer_features(row[url_col])
|
| desired_cols = list(trained_feature_cols) if trained_feature_cols is not None else list(feature_cols)
|
| feats = feats_full.reindex(columns=desired_cols, fill_value=0)
|
|
|
| if model_type == "xgboost_bst":
|
| import xgboost as xgb
|
| dmat = xgb.DMatrix(feats)
|
| proba = float(model.predict(dmat)[0])
|
| elif model_type == "cuml_rf":
|
| try:
|
| import cudf
|
| gfeats = cudf.DataFrame.from_pandas(feats)
|
| proba = float(model.predict_proba(gfeats)[:, 1].to_pandas().values[0])
|
| except Exception as e:
|
| raise RuntimeError("cudf/cuml required for this bundle but not available") from e
|
| else:
|
| proba = float(model.predict_proba(feats)[:, 1][0])
|
|
|
|
|
| def _bool(feature: str, default: int = 0) -> int:
|
| return int(feature in feats_full.columns and bool(feats_full.iloc[0].get(feature, default)))
|
|
|
| def _float(feature: str, default: float = 0.0) -> float:
|
| return float(feats_full.iloc[0].get(feature, default)) if feature in feats_full.columns else default
|
|
|
| like_brand = (
|
| _bool('brand_impersonation') == 1 or
|
| _bool('like_brand_leet') == 1 or
|
| _float('max_brand_sim_leet') >= 0.90 or
|
| _float('max_brand_sim') >= 0.90 or
|
| _bool('sld_contains_brand_extra') == 1
|
| )
|
| risky_host = (
|
| _bool('is_official_brand_domain') == 0 and
|
| (
|
| _bool('sld_has_digits') == 1 or
|
| _bool('sld_has_hyphen') == 1 or
|
| _bool('tld_suspicious') == 1 or
|
| _bool('has_punycode') == 1
|
| )
|
| )
|
| rule_triggered = bool(like_brand and risky_host)
|
|
|
| pred = int(proba >= threshold)
|
| if rule_triggered and pred == 0:
|
| pred = 1
|
| proba = max(proba, 0.9)
|
|
|
| result = {
|
| "url": url,
|
| "phishing_probability": proba,
|
| "predicted_label": pred,
|
| "backend": model_type,
|
| }
|
| if rule_triggered:
|
| result["rule"] = "typosquat_guard"
|
| return result
|
|
|
|
|
| if __name__ == "__main__":
|
|
|
| try:
|
| bundle = load_bundle("models/rf_url_phishing_xgboost_bst.joblib")
|
| print(
|
| predict_url(
|
| "www.face123book.com",
|
| bundle=bundle,
|
| )
|
| )
|
| except FileNotFoundError:
|
| print("Bundle not found in current directory. This is expected inside the source repo.")
|
|
|
|
|
|
|
