Each phishing mail in the Multipart Internet Mail Extension (MIME) format is parsed in to an html file to extract structural features; An HTML parser is then used to convert the html file into plain text, which in turn is used to extract the named entity features and Topic Modelling features. A Topic Modelling feature is extracted using GibbsLDA [9] and the Named Entities are extracted using the CRF Classifier. A total of 61 features are used to detect a phishing email here. The accuracy of the detection model is evaluated using different machine learning classification algorithms.

Raw email data are typically present in the MIME format. In this paper, words and hyperlinks present in the body of the email are used to extract the features. Thus, the body text with the hyperlink is extracted using the parser. The two types of parsers used are the MIME parser and HTML parser.

MIME parser: -The Apache James Mime4 [10] is used in the development of the parser for extracting the content from e-mail message streams in plain Multipart Internet Mail Extension (MIME) format. It only deals with the structure of the message stream and has been designed to be extremely tolerant towards messages violating these standards. Structural features are extracted from the parsed document.

HTML Parser: -MIME messages containing HTML documents are included as multipart/HTML subpart in the email body. When the MIME parser detects a HTML subpart, it invokes the HTML parser to separate the text, style-sheets, hyperlinks and scripts. This output is given to the CRF Classifier for Topic Modelling.

The NER tags series of words in a text that should be the names of stuffs (nouns), such as individual and corporation names, or genetic material and protein names. The Conditional Random Field (CRF) is used to extract such named entities from the text of the email using the NER software written by Stanford’s Natural Language Processing Group [11] . Ramanathan [12] gives a detailed usage of the Named Entity Recognition for phishing detection.

Conditional Random Fields

Conditional Random Fields (CRFs), used in machine learning for structured prediction, are a class of statistical modelling methods.

Given vector of input variables and a vector of output variables a model (discriminative) asses the conditional probability P(Y/X), and a generative model approximates the P(Y,X). The CRF is a discriminative model, undirectional that does not include a model of P(X). Lafferty [13] , defined the probability of a particular label sequence Y, given that the observation sequence X is a normalized product of latent functions, denoted as

where states the transition feature function and the tags at sites i and i − 1 in the tag sequence; is a state feature function of the tag at site i and the observation sequence; and are parameters to be estimated from the training data.

The probabilities of a tag sequence Y given an observation [14] sequence X to be written as

Z(X) is called the Normalization Factor. The log-likelihood of CRF, is given by

Conditional Random Fields Classifier (CRF Classifier)

Stanford’s NER [11] software is published with a pre-trained model that has been trained on CoNLL, MUC6, MUC7, and ACE datasets. The CoNLL 2003 English training is the data-set used in this work. The CRF Named Entity Labeller component identifies and labels each word to one of three entities, namely, location, organization, and person. The output from the CRF Named Entity Labeller is used for extracting the Named Entity, which is the first set of features used for phishing detection. Figure 2 shows the Named Entity Recognition result, in which it labels the Sites, Corporate and individual.

Topic Modelling

The LDA [5] is a Natural Language Processing (NLP) method which is used to extract Topics from the collection of documents. They are modelled via a hidden Dirichlet random variable that specifies probability distribution on a latent, low-dimensional Topic space. Documents are represented as random mixtures over latent Topics and each Topic is represented by distribution over words.

Given α and β are the parameters, the joint distribution of a Topic mixture which is given by θ, a set of N words w, and a set of N Topics z is given by:

where is θ_i for the unique i such that z_n = 1. The marginal distribution of a document is obtained by Integrating on θ and summing on z, which is expressed as follows:

The probability of the corpus, D is obtained by taking the product of marginal probabilities of single documents, and is expressed as follows:

The parameters α and β are corpus level parameters. The document level variables θ_d are sampled once per document. The word level variables w_dn and z_dn are sampled once for each word in the document. Several algorithms have been developed to solve LDA that requires estimation of the posterior probability distribution of hidden Topic variables.

GibbsLDA

Topic Modelling is implemented by using JGibbLDA [9] . The parameter inference process requires less computational time than parameter estimation, JGibbLDA with the focus on inferring hidden/latent Topic Structures of unseen data upon the model estimated using GibbLDA++. This component consists of the following sub components.

The email extracted from the HTML parser is given to the Topic Modelling module after the pre-processing of the text document; a Term Document Frequency (TDF) matrix is created. This TDF matrix is used to train the LDA Model. LDA requires the number of Topics, K, to be initialized; in addition, LDA requires Dirichlet parameters, α, parameter of the Dirichlet prior to the per-document Topic distributions, and β, parameter of the Dirichlet prior on the per-topic word distributions, to be specified in advance.

The LDA Topic Probability Extractor extracts word/topic and topic/document distribution probabilities computed by the LDA model inference sub-component. Topic/Document distribution probabilities are used as the second set of features to build the classifier. By using these probability distributions instead of actual words, the classifier is expected to be quite robust in detecting phishing attacks. Table 1 shows the topic distribution in a given email.

Emails have different Structural features, in which 10 of these structural features are used in this paper as the third set of features for detecting phished emails. Table 2 shows the extracted structural features.

The targeted URL from the email is extracted and is checked for the legitimate site. All the images from the original site and the targeted sites are used for the similarity measures. All the images are resized into 300 × 300

pixels and are segmented into 25 RGB triplets as shown in the Figure 3. Each segment has a 30 × 30 pixel size and 25 × 3 feature vector is created. The similarity is calculated by using the Euclidean distance.

The distance from feature vector A to feature vector A will be zero. The maximum dissimilarity is calculated as the equation number 7.

where D is the dissimilarity value. This dissimilarity value is also used as the one of the features to detect the phished mails. Figure 4 and Figure 5 shows the targeted page in the mail and its original page. The dissimilarity measure between two pages is as shown in Table 3.

Multiple learning systems try to exploit the local different behavior of the base learners to enhance the accuracy of the overall learning system. Multiple classifiers are a set of classifiers whose individual predictions are combined in some way to classify new examples. Combining classifiers solves three problems, and Figure 6 shows the classifier combining steps.

The Prediction model is used to predict class label (Phished/Legitimate) of the given mail based on the training set which is constructed from the publicly available email corpus. The features that are extracted from the given mail are used to construct the ARFF file, which is the input to the prediction model and the output is the class label. Three classifiers are used to construct the prediction model; they are Random Forest (RF), Support Vector Machine (SVM) and LogitBoost. Each classifier predicts the category to which the mail belongs, and finally a decision is taken based on the majority voting algorithm. The Fk in the figure represents the feature sets; the public email corpus is used to collect the features and is used to train the classifiers. When a new mail arrives, the prediction model is capable of detecting a class label based on the training set.

The majority voting algorithm is shown in Figure 7, the parameters to the algorithm are Classifiers (C) and class Labels (L). The algorithm returns the majority class label.

The data used for the evaluation of the proposed system has been obtained from the data sets available in the public domain [15] - [17] . The data set contains 5260 emails in all, and this includes both phished and legitimate mails. The composite mixture of the phished and legitimate mails is given as the data set (Table 4), and the features are extracted. These features are used as the input to the classifiers, for measuring their performance.

The CRF Classifier (Stanford NER, 2013) is trained using the CoNLL 2003 English training data. Topic modelling is done by using the JGibbLDA with the following parameters, Dirichlet prior on the per-document Topic distributions (α), Dirichlet prior on the per-topic word distribution (β), Number of Topics (k) and Number of iterations (i), as shown in Table 5. Structural features were also extracted from the email. All 61 features were used to construct the ARFF file, which is the input file format of the WEKA. The k-fold cross validation was used to build the classifier, with a “k” value of 10. Thus 90% of the data is used to build the model, and the remaining 10% used as testing data.

The classification performance of the phishing detection is evaluated using the standard measures of performance described as follows. True Positive (TP) means the actual and predicted categories are positive and False Positive (FP) means the predicted value should have the negative classified instead of positive. Other performance metrics used in classifications are accuracy, precision, recall and F-measure. Receiver Operating Characteristic (ROC) represents the different trade-off between false positives and false negatives

where PM indicates phished mail and LM indicates legitimate mail.

Results obtained from experimental setup are shown in Table 6, where the TPR and FPR for all the classifiers using the different data sets are shown. Each classifier algorithm gives dissimilar results for different datasets (Table 4). From the results it has been identified that the Multi-classifier gives good results when compared to a classifiers individual performance.

Figure 8 shows the accuracy of the Multi-Classifier and individual classifiers for phishing email detection. Evaluation of the figure gives a clear picture of the performance, and helps conclude that the Multi-Classifica- tion based methodology has a higher accuracy when compared to the others. In every data set, it gives an accuracy of above 96% and it reaches 99%. SVM, Random Forest and LogiBoost gives an accuracy of above 93%, but the Multi-classifier reaches above 96%.

Comparison of classifiers based on the Precision (P) and Recall (R) is shown in the Table 7. In all the data sets the Multi-classification gives a higher recall rate when compared to the individual classifiers. Figure 6

shows the comparison of all classifiers based on the Precision. While considering the precision, it is found that the multi-classifier out performs the individual classifier.

Comparison of classifiers based on the Precision (P) and Recall (R) is shown in the Table 7. In all data sets the multi-classification gives a higher recall rate when compared to the individual classifiers. Figure 9 shows the comparison of all classifiers based on the Precision. While considering the precision, it is found that the multi-classifier out performs the individual classifier.

Finally, the performance of classifiers SVM, LogitBoost and Random Forest is compared, using the area under Receiver Operator Characteristics (ROC) curve. From the results it is clear that multi classifier prediction outperforms the individual classifier performances. Figure 10 shows the ROC for individual classifiers and Figure 11 shows the ROC for Multi classifiers.

Considering all the experimental results, the Multi-Classifier withstands scrutiny with respect to the detection of phishing mails, and is capable of overcoming the flaws of using classifiers separately.