Definition 1 (cf.[27]):

A function $A:[{0,1}]^{n}\to [{0,1}]$ , $n \in \mathbb {N}$ , $n\geq 2$ is called an aggregation function (aggregation operator) if it is increasing in each variable, i.e.

View Source\begin{equation*} (\forall _{1 \leq i \leq n} x_{i} \leq y_{i}) \Rightarrow A(x_{1}, {\dots },x_{n}) \leq A(y_{1}, {\dots },y_{n}), \tag {1}\end{equation*}

Definition 2 ([27]):

Let $n \geq 2$ . Aggregation function $A : {[{0,1}]}^{n} \rightarrow {[{0,1}]}$ is a mean (averaging function) if it is idempotent, i.e.

View Source\begin{equation*} \forall _{x \in {[{0,1}]}} A(x,\ldots,x) = x.\end{equation*}

Proposition 3:

For every mean A we have

View Source\begin{equation*} \forall {x \in \mathbb {R}^{n}} \underset {1 \leq k \leq n}{\min } x_{k} \leq A(x_{1},\ldots,x_{n}) \leq \underset {1 \leq k \leq n}{\max } x_{k}. \tag {2}\end{equation*}

A. Convex Combination of Aggregation Functions

Let $A:[{0,1}]^{n} \to [{0,1}]$ denote aggregation function and $p \in [{0,1}]$ be a corresponding parameter. The following aggregations were applied in the experiments. These are linear combinations of known means. The parameter p allows us to obtain families of aggregation functions related to the given formula.

• maximum$A_{mx}(x_{1},\ldots,x_{n})=\max \limits _{1\leq k \leq n}x_{k}$

• arithmetic-min average

  $$\begin{equation*} A_{armn}^{(p)}(x_{1},\ldots,x_{n})=\frac {p}{n}\sum \limits _{k=1}^{n} x_{k}+ (1-p) \min \limits _{1\leq k \leq n}x_{k},\end{equation*}$$ View Source\begin{equation*} A_{armn}^{(p)}(x_{1},\ldots,x_{n})=\frac {p}{n}\sum \limits _{k=1}^{n} x_{k}+ (1-p) \min \limits _{1\leq k \leq n}x_{k},\end{equation*}

• geometric-min average

  $$\begin{equation*} A_{gmmn}^{(p)}(x_{1},\ldots,x_{n})=\frac {p}{n}\sqrt [n]{\prod \limits _{k=1}^{n} x_{k}}+ (1-p) \min \limits _{1\leq k \leq n}x_{k},\end{equation*}$$ View Source\begin{equation*} A_{gmmn}^{(p)}(x_{1},\ldots,x_{n})=\frac {p}{n}\sqrt [n]{\prod \limits _{k=1}^{n} x_{k}}+ (1-p) \min \limits _{1\leq k \leq n}x_{k},\end{equation*}

• product-min aggregation

  $$\begin{equation*} A_{prmn}^{(p)}(x_{1},\ldots,x_{n})=p\prod \limits _{k=1}^{n} x_{k} + (1-p) \min \limits _{1\leq k \leq n}x_{k}\end{equation*}$$ View Source\begin{equation*} A_{prmn}^{(p)}(x_{1},\ldots,x_{n})=p\prod \limits _{k=1}^{n} x_{k} + (1-p) \min \limits _{1\leq k \leq n}x_{k}\end{equation*}

The family $A_{gmmn}^{(p)}$ for $p \in \{0.05; 0.1\}$ gives averaging aggregation functions (means) which have values close to the minimum aggregation function and for $p=1$ it yields the geometric mean.

The family $A_{prmn}^{(p)}$ gives for $p \in \{0.05; 0.1\}$ aggregation functions which have values close to the minimum aggregation function but less than minimum and for $p=1$ it yields the product.

The chosen aggregation functions yield the best results in our experiments. As we see in most of the cases their values are close to the minimum aggregation function.

B. Uninorms

Aggregations function mentioned in the previous subsection are in most of the cases averaging aggregation functions. As example of aggregations that are not averages, at least in most cases, we can consider uninorms.

They appeared for the first time using the term uninorm in [28] studied in [29] with the idea of allowing certain kind of aggregation operators combining the maximum and the minimum, depending on an element $e\in (0,1)$ . We will assume the basic theory of t-norms and t-conorms. The definitions, notations and results on them can be found in [30]. We will just give in this place some basic facts about uninorms. More details can be found in [31], [32], [33], [34], [35].

The general structure of the uninorm can be represented by the following theorems (cf. Figure 1).

FIGURE 1.

The structure of uninorms.

Show All

Theorem 5 ([34]):

If a uninorm U has a neutral element $e\in (0,1)$ , then there exist a t-norm T and a t-conorm S such that

$$\begin{align*} U(x,y)=\begin{cases} \displaystyle eT\left ({{\frac {x}{e},\frac {y}{e}}}\right) & \text {if}~ ~(x,y)\in [0,e]^{2}, \\ \displaystyle e+(1-e)S\left ({{\frac {x-e}{1-e},\frac {y-e}{1-e}}}\right) & \text {if}~~(x,y)\in [e,1]^{2}. \end{cases}\end{align*}$$ View Source\begin{align*} U(x,y)=\begin{cases} \displaystyle eT\left ({{\frac {x}{e},\frac {y}{e}}}\right) & \text {if}~ ~(x,y)\in [0,e]^{2}, \\ \displaystyle e+(1-e)S\left ({{\frac {x-e}{1-e},\frac {y-e}{1-e}}}\right) & \text {if}~~(x,y)\in [e,1]^{2}. \end{cases}\end{align*} Moreover $$\begin{equation*} \min \leq U \leq \max \text { in}~ A(e)=[0,e)\times (e,1]\cup (e,1]\times [0,e)\end{equation*}$$ View Source\begin{equation*} \min \leq U \leq \max \text { in}~ A(e)=[0,e)\times (e,1]\cup (e,1]\times [0,e)\end{equation*} and $U(0,1), U(1,0)\in \{ 0,1\}$ .

Due to the properties of uninorms, we can easily extend them to n-arguments. The most well-known classes of uninorms are listed below.

• Uninorms in ${\mathcal {U}}_{\min }$ (respectively ${\mathcal {U}}_{\max }$ ), those given by minimum (respectively maximum) in $A(e)$ , that were characterized in [34]. As an example, we can provide a family of uninorms of the form:

  $$\begin{align*} U_{\min }(x_{1},\ldots,x_{n}) = \begin{cases} \displaystyle \max (x_{1},\ldots,x_{n}) & \text {if}~~x_{1},\ldots,x_{n}\geq e, \\ \displaystyle \min (x_{1},\ldots,x_{n}) & \text {otherwise} \end{cases}\end{align*}$$ View Source\begin{align*} U_{\min }(x_{1},\ldots,x_{n}) = \begin{cases} \displaystyle \max (x_{1},\ldots,x_{n}) & \text {if}~~x_{1},\ldots,x_{n}\geq e, \\ \displaystyle \min (x_{1},\ldots,x_{n}) & \text {otherwise} \end{cases}\end{align*}

• Idempotent uninorms, those such that $U(x,x)=x$ for all $x\in [{0,1}]$ . They are characterized using a separating function in [35]. If we use a linear function as the separating function on $[0, e]$ , we obtain the following family of idempotent uninorms:

  $$\begin{align*} & U_{id}(x_{1}, {\dots },x_{n}) \\ & = \begin{cases} \displaystyle \min \limits _{1\leq k \leq n}x_{k} & \text {if}~~\max \limits _{1\leq k \leq n}x_{k}-1 \leq \frac {e-1}{e}\min \limits _{1\leq k \leq n}x_{k}, \\ \displaystyle \max \limits _{1\leq k \leq n}x_{k} & \text {otherwise} \end{cases}\end{align*}$$ View Source\begin{align*} & U_{id}(x_{1}, {\dots },x_{n}) \\ & = \begin{cases} \displaystyle \min \limits _{1\leq k \leq n}x_{k} & \text {if}~~\max \limits _{1\leq k \leq n}x_{k}-1 \leq \frac {e-1}{e}\min \limits _{1\leq k \leq n}x_{k}, \\ \displaystyle \max \limits _{1\leq k \leq n}x_{k} & \text {otherwise} \end{cases}\end{align*}

• Representable uninorms, those that have additive generators. They were introduced in [34] and next were characterized as those uninorms that are continuous in the domain $[{0,1}]^{2}\setminus \{(0,1),(1,0)\}$ (cf. [36]) and also as those uninorms that are strictly increasing and continuous in the open unit square (cf. [37]):

  $$\begin{align*} & U_{rep}(x_{1},\ldots,x_{n}) \\ & = \begin{cases} \displaystyle 0 \quad \text { if}~~x_{i}=0 \ \text {for some} \ i, \\ \displaystyle \frac {\prod _{i=1}^{n} \left ({{\frac {1}{e}-1}}\right)x_{i}}{\prod _{i=1}^{n} \left ({{\frac {1}{e}-1}}\right)x_{i} + \left ({{\frac {1}{e}-1}}\right)\prod _{i=1}^{n} (1-x_{i})} \quad \text { else.} \end{cases}\end{align*}$$ View Source\begin{align*} & U_{rep}(x_{1},\ldots,x_{n}) \\ & = \begin{cases} \displaystyle 0 \quad \text { if}~~x_{i}=0 \ \text {for some} \ i, \\ \displaystyle \frac {\prod _{i=1}^{n} \left ({{\frac {1}{e}-1}}\right)x_{i}}{\prod _{i=1}^{n} \left ({{\frac {1}{e}-1}}\right)x_{i} + \left ({{\frac {1}{e}-1}}\right)\prod _{i=1}^{n} (1-x_{i})} \quad \text { else.} \end{cases}\end{align*}

Using Łukasiewicz t-norm and its generator, we obtain the following operation

View Source\begin{equation*} U_{L}(x_{1},x_{2},\ldots,x_{n}) = \min \left ({{1,\max \left ({{0,\sum _{i=1}^{n} x_{i} -(n-1)e}}\right)}}\right).\end{equation*}

Descriptions of other classes can be found in [38], [39], [40], [41]. In the experiments, we applied the uninorms from the above examples for $e = 0.6$ , $e=0.8$ and $e=0.95$ , respectively. If the value e is close to 1, then the values of these uninorms are close to the minimum aggregation function.

Examples of uninorms and other aggregation functions, applied in the experiments are listed in Table 2.

TABLE 1 The Most Important Features (Descending Order)

TABLE 2 Abbreviations Used in the Description of the Results

A. Datasets in Literature

Phishing Dataset for Machine Learning: Feature Evaluation[42] contains data collected from January to May 2015 and from May to June 2017. Dataset contains 10,000 samples. Dataset is balanced as ratio phishing URLs data to non phishing URL is equal 1:1. Each sample is defined by 48 features. Half of the features are extracted from phishing URL and the other half from website linked to URL. Dataset is ready to import to Weka library, but it does not contain URL itself neither webpage content.

Phishing URL detection framework based on Similarity Index and Incremental Learning - PhiUSIIL dataset[3] is a comprehensive collection of phishing and legitimate URLs. It contains 34,850 legitimate (26%) and 100,945 phishing (74%) URLs, described by 53 features, including 49 numerical and 4 categorical attributes. These features were extracted from URL structures, domain characteristics, and web page content, with detailed algorithms for feature extraction outlined in [3]. Approximately 6% of the URLs represent subpages within larger domains, highlighting the dataset’s diversity.

This dataset does not include timestamps due to its aggregation from multiple sources lacking temporal metadata. While this limits its use in time-based analyses, it remains suitable for static evaluations, particularly in contexts where incremental learning models are applied. The absence of timestamps does, however, challenge the principle of adapting algorithms to evolving phishing URL characteristics over time.

The PhiUSIIL dataset has been utilized in related works, such as [25], where it supported the development of models for phishing URL detection. Its extensive size and rich feature set make it a valuable benchmark for such research.

The PhiUSIIL [3] algorithm uses features extracted from URLs, HTML code (by visiting websites and analyzing their content), and generates new features from existing data. The results presented in the paper [3] indicate that this algorithm improves phishing detection accuracy, especially when used in a pre-training approach. The PhiUSIIL algorithm in the fully incremental training procedure obtained an accuracy of 99.24% and 99.79% in the pre-training approach. In the paper [25], we used the PhiUSIIL dataset to study various issues, achieving impressive results. Our methodology was able to identify phishing links with 99.52% accuracy, indicating that the overwhelming majority of phishing links were correctly identified and flagged. Moreover, our methodology proved highly effective in minimizing the occurrence of false positives - only 0.42% of harmless links were misclassified as phishing links. This proves that our solution is very accurate and minimizes the risk of misclassifying legitimate links. In addition, our approach proved equally effective in identifying non-phishing links, achieving a classification accuracy of 99.58%. In general, the method has been demonstrated to be extremely effective in detecting phishing while simultaneously reducing the likelihood of false alarms.

The lack of clear timestamps in PhiUSIIL dataset allows only to mimic the phishing links characteristic changing over time, based on assumption that records with lower indexes were collected earlier than those with bigger indexes. However it is hard to decide which links should be present in which part. Because of that fact, results achieved with the use of this dataset are auxiliary. In this contribution, we study the Freshmail dataset only, since this dataset is the only available which is suitable for the presented approach.

Web page phishing detection[43] was created to benchmark algorithms created to detect phishing. The dataset is medium as it consists of 11,430 URLs with 87 extracted features and is balanced (1:1 phishing to non-phishing ratio). We can divide features into 3 classes:

• 56 extracted from the structure and syntax of URL

• 24 extracted from the content of their correspondent pages

• 7 are extracted by querying external services

Phishing Site URLs[44] is a large unbalanced dataset. URLs in this dataset were collected from websites that offer malicious links. In total dataset consist of 507,195 URLs where most of them are good links - 72%, while the percentage of phishing emails is approximately 28%. There is no extracted features, dataset has only two columns where in the first we have URL and in the second column there is a label.

Datasets for Phishing Websites Detection[45] is unique as it have dedicated web application to create and export phishing data. Authors provide us two medium sized versions of dataset. The main difference between these two is a difference in non phishing links count. Smaller dataset contains 27,998 non phishing links while larger contains 58,000. Both datasets have 30,647 phishing URL instances. Each instance is described by 111 attributes. However, this dataset does not contain phishing URLs - only numeric features are available.

PhishStorm dataset[46], introduced and evaluated in the paper titled “PhishStorm: Detecting Phishing with Streaming Analytics”, comprises 96,018 unique URLs. The dataset is balanced, containing 48,009 legitimate URLs and 48,009 phishing URLs. Each entry in the dataset is identified by a “domain” column, representing the URL, and a “label” column, indicating whether the URL is legitimate (0) or phishing (1). Additionally, for each URL, there is a set of 12 features introduced in the paper [46].

B. Freshmail Dataset

FreshMail, a Polish enterprise, focuses on offering extensive e-mail marketing support and operates a well-known e-mail marketing platform. Each month, countless marketers worldwide utilize this service to dispatch over a billion e-mails. As they advance the SendGuard initiative, FreshMail aims to harness intelligent data analysis to advise marketers, while crafting an e-mail campaign, on whether it should reach all recipients. Furthermore, within the SendGuard project, FreshMail is dedicated to devising strategies for forecasting phishing e-mails to automatically filter them before sending.

Freshmail has furnished us with a dataset comprising 2,564,973 instances and 19 features. Within this dataset, 2,383,902 instances correspond to non-phishing links, while the remaining 181,071 are phishing links. The features were selected on the basis of expert assessment and their impact on the classification of links as phishing. The process of features selecting was an additional preparatory step for the research that is the main thread of this article.

At the beginning we decided to generate as many features as possible describing the properties of links based their shallow analysis. As the links were collected over many months, in-depth analysis was not possible, as in many cases the addresses in the links were already out of date. For the shallow analysis, the links were divided into parts: full_domain, path, port, query, scheme, subdomain and tld_domain and attributes were generated for each part. In addition to typically statistical attributes such as number of underscores, number of digits, number of capital letters, etc., we generated attributes indicating the presence of characters pretending to be letters of the Latin alphabet, attributes containing information on the presence of company/domain names and some keywords. For the keywords and company/domain names, we searched for both exact matches and words that differed by 1 or 2 using Levenshtein distance. Finally, each link was represented by 112 attributes.

In the first stage of feature selection, features were analyzed for the variety of values they accepted. Features that took the same value for all or almost all links were rejected. The set of attributes was thus reduced to 77. For these attributes a correlation matrix was determined. Attributes that were highly correlated with others were removed from the set. The threshold for the correlation coefficient for highly correlated attributes was set at 0.75 (absolute value).

Further reduction was carried out using link classifier models. Model learning and testing was carried out on a set of 500,000 links from 2020 (split: 80% teaching set, 20% testing set). In addition, model validation was performed on a set of 2021 links (250,000). The aim of such an approach was to show how classification accuracy changes for younger links, which may exhibit slightly different characteristics, e.g. a different link shortening method used. The first approach used attribute standardization and random forest based models. For the reference model containing all 77 conditional attributes, an accuracy of 0.978 was obtained on the test set and 0.895 on the validation set. In subsequent steps, the set of conditional attributes was reduced to 50, 30, 25, and 19 attributes, respectively. For the latter set, accuracy 0.975 was obtained on the test set and 0.861 on the validation set. The most important features are shown in Table 1.

The second approach dropped the standardization of attributes and focused on decision trees. We wanted to generate a model easily interpretable for humans. It was an attempt to answer the question: why can we classify links based on this particular set of 19 features?

The lack of attribute standardization has already produced better results than before, accuracy of 0.967 on the test set and 0.924 on the validation set, respectively. It is worth mentioning that the random forest without attribute standardization achieved accuracy of 0.975 on the test set and 0.938 on the validation set, respectively (and F1-score 0.97 on the test set and 0.92 on the validation set). This showed a relatively small decrease in performance on younger links.

Unfortunately, even the simplest models in the form of decision trees (for example a tree with a maximum depth of 6 and using only 11 attributes) did not allow an easy interpretation of the unambiguous influence of individual features on the decision. There were cases where the key information deciding whether a link belonged to a particular class was the number of characters in the domain. Finally, the proposed set of 19 features was accepted by Freshmail experts and these features were used for further research.

The method of obtaining this kind of features based on originally textual URL is called URL-based feature extraction method [4]. Additionally, each URL is accompanied by the date of its first occurrence within the system. The dataset spans a total duration of 120 days.

Among the evaluated datasets, the FreshMail dataset uniquely fulfills the criteria essential for our experiments. The principal factor is its capacity to accurately mirror the company’s operational processes, involving continuous analysis of email content. In practical terms, this implies that a classifier developed on historical data—such as data spanning several days—necessitates regular retraining, a process inherently linked to the availability of dates within the dataset. The absence of temporal data precludes the consideration of this dynamic aspect of the process, thereby hindering the faithful replication of the company’s operational conditions.

The data was organized by the date of URL occurrence and divided into 12 parts, each containing data from 10 days. The first part, covering the first 10 days, was divided into a training and validation set in a 60%-40% ratio. These sets were used to create the proposed model (see Alg. 2). The next 10 days (from day 10 to day 20) were used as a test set to evaluate the model. In the next iteration, the data from days 10–20 were split into training and validation sets, and the data from days 20–30 served as the test set. This process was repeated until day 120, with the last part (days 110-120) reserved exclusively for testing. The entire procedure is described in Alg. 1 and illustrated in the diagram in Fig. 2.

FIGURE 2.

Dataset preparation. The d denotes one period dataset, which is divided into train (t) and validation (v) dataset (cf. [25]).

Show All

A. Base Models

The following models were utilized with the standard parameters from the scikit-learn library. While these parameters can be optimized to potentially enhance predictive performance, particular attention should be given to the BernoulliNB model. This model is designed to handle binary features, and its default binarization threshold is set to 0.0, which may require adjustment depending on the dataset characteristics.

B. State of the Art Models

Recently, among traditional machine learning algorithms, the neural network, especially CNN, LSTMs and deep feed forward networks are popular choice for phishing link detection [7], [8]. In [7] the CNN was reported as having the highest accuracy among various other machine learning approaches. Because of that fact, we considered the neural networks as state of the art (SOTA) models.

In the research, neural network models such as feed forward, convolutional (CNN) and LSTM were utilized. The number of examined models of type feed forward was two. The first one, named ff_1 included a single hidden layer consisting of 200 neurons (Fig. 8a). The second one, labeled ff_2 included three hidden layers (each consisting of 200 neurons) and one dropout layer (Fig. 8b). In the case of 2D convolutional neural network abbreviated as cnn, one additional feed forward layer was used, to receive $16\times 16$ data shape. Convolutional layer used $3\times 3$ kernel to generate 8 channels. Feed forward layer was used as the last layer with 200 neurons. GELU was used as an activation function (Fig. 6a). In the case of 1D convolutional neural network (abbreviated as cnn_1d), convolutional layer used kernel with size of 3 to generate 32 channels. Feed forward layer was used as the last layer with 544 neurons. GELU was used as an activation function (Fig. 6b).

FIGURE 3.

Heatmap when desired TPR was set to 0.995.

Show All

FIGURE 4.

False Positive instances when desired TPR was set to 0.9.

Show All

FIGURE 5.

False Positive instances when desired TPR was set to 0.999.

Show All

FIGURE 6.

CNN networks architectures.

Show All

FIGURE 7.

lstm_1 architecture.

Show All

FIGURE 8.

Feed forward networks architectures.

Show All

LSTM model (abbreviated as lstm_1) has 20 hidden dimensions (Fig. 7). Learning rate in the first iteration was set to 0.0001, in next iterations learning rate was changed to 0.00005. The deep Feed Forward model was an exception, because learning rate was decreasing by 0.00009 each training iteration. First Feed Forward model were trained for 300 epochs, second one for 50 epoch, while LSTM and convolutional models were trained for 100 epochs. The structures of the neural networks can be found in Appendix. The loss function was binary cross-entropy. Each of the models were trained by Adam optimizer.

The learning process of neural networks was adopted to the incremental learning approach. In the case of online learning we trained models on $t_{1}$ . Next weights of models were updated using $t_{2}$ and following datasets. It is worth noting that the neural networks were tuned in the same fashion as the proposed model (cf. Section IV-D).

Neural networks models could also be prone to overfitting. Various techniques to prevent overfitting of neural networks are proposed, including early stopping, regularization, dropout, and network pruning [50], [51], [52], [53].

In this study, a Dropout layer was applied in one of the neural networks to prevent overfitting. Specifically, the ff_2 network included a Dropout layer with a value of 0.1. Additionally, a manual early stopping technique was used, which involved analyzing the loss function plots and adjusting the number of training epochs accordingly. Based on this analysis, the lstm_1, cnn_1d, and cnn_2d networks were trained for 100 epochs, while the ff_2 network was trained for 50 epochs. The ff_1 network achieved the best results when trained for 300 epochs.

C. Proposed Model

The fitting procedure requires training n base models, which are those mentioned in Section IV-A. We propose a heterogeneous ensemble model that employs aggregation functions and uninorms. The fitting procedure requires training n base models, as described in Section IV-A. While we have used the models mentioned in that section, exploring other groups of models in future work is a promising direction.

For prediction, aggregation functions and uninorms play a central role. Each of the n models produces a confidence score indicating the likelihood that a given sample is phishing. For an individual sample, this results in a vector of confidence scores denoted as $w_{1}, {\dots }, w_{n}$ , where n is the number of constituent classifiers. Then to reduce dimensionality and obtain one confidence level we use aggregation functions mentioned in the first part of the manuscript on scores vector. These are averaging functions and functions which are lower than minimum or uninorms which are examples of the hybrid aggregation functions (see Alg. 2 lines from 1 to 17).

D. Model Tuning

The dataset parts $d_{i}$ are divided into $t_{i}$ (training) and $v_{i}$ (validation) subsets. As previously mentioned, the $t_{i}$ subsets were used for training and updating the models. Since the data is imbalanced, we propose a method to tune the model to achieve a desired true positive rate (TPR). The procedure is as follows:

1. Define the desired true positive rate, $\text {TPR}_{\text {target}}$ , for example, $\text {TPR}_{\text {target}} = 0.9$ .

2. Fit or update the model using the $t_{i}$ subset of the dataset.

3. Apply the model to the $v_{i}$ validation subset, which outputs a confidence level for each instance, indicating the likelihood that a given link URL is a phishing URL.

4. Gradually increase the threshold value g, starting from 0. After each adjustment, evaluate the true positive rate for the validation subset.

5. Stop increasing g when the obtained TPR exceeds $\text {TPR}_{\text {target}}$ , and save the corresponding value of g as the optimal threshold.

The algorithm finds the optimal threshold t by performing an exhaustive search of candidate values in the range of 0.01 to 0.99, with a step of 0.01. If the result obtained with the chosen strategy is greater than or equal to the chosen threshold t, the link is classified as phishing. Otherwise, it is classified as ordinary. Then, the resulting decisions are compared with the actual results from the validation set $validation_{i}$ , and the True Positive Rate is calculated based on the confusion matrix. The optimal threshold is called the smallest value t for which the True Positive Rate in the validation set is higher than or equal to the set value g (see Alg. 2 lines from 17 to 32).

E. Experiments Description

Since the Freshmail dataset has more than 1,000 instances the stratified k-fold cross-validation is not recommended while hold-out validation is preferred [54]. The hold-out validation was actually completed by adding a validation dataset, used to threshold adjusement.

Experiments were performed as follows. We collected data from 10 days ($d_{1}$ ). Then all samples were shuffled and in stratified manner divided $d_{1}$ into $t_{1}$ and $v_{1}$ (according to Alg. 1). Then all models were fitted with $t_{1}$ part of data. List of all used models is provided in Table 2.

After training, we utilize the dataset $v_{1}$ to determine the threshold g, as described in Section IV-D. Subsequently, our model is deployed to predict whether emails are phishing or not over a period of 10 days using dataset $d_{2}$ . During this time, users report whether emails are phishing, and specialists analyze the reports. By the end of this period, the dataset $d_{2}$ becomes labeled.

Using this labeled data, we evaluate the performance of our framework during this period by comparing the model’s predictions against the specialists’ decisions. We compute various classification quality measures to assess performance. With the evaluation of $d_{2}$ complete, we prepare to enhance our model.

We split $d_{2}$ into $t_{2}$ (training) and $v_{2}$ (validation) subsets, following the same approach used for $d_{1}$ . The model is then updated using the $t_{2}$ subset, and an optimal threshold g is determined using $v_{2}$ .

Over the next 10-day period, a new dataset, $d_{3}$ , is collected. The model is used to predict whether emails are phishing, and user feedback and specialist analysis are gathered, similar to the previous period. Measures of classification are computed again to assess performance.

The strategies employed by attackers can evolve over time; for instance, phishing links during the New Year may differ from those used at other times of the year. In addition, attackers are constantly developing new methods to circumvent filters that detect phishing links. Therefore, the detection model should be gradually improved, while maintaining knowledge of previous attacks. The process described in Alg. 2 is repeated by incrementally training the model using $train_{1}$ data for initial matching, as mentioned earlier. Subsequently, the $train_{2}$ to $train_{k}$ data sets and their corresponding validation sets are used to further refine the model over time, each time finding a different optimal threshold t. The key point is that the model, optimized on period i data, should be tested on period $i+1$ data. Accordingly, the model’s predictions are then verified on data sets $d_{2}$ to $d_{k}$ . The algorithm’s prediction procedure is described in detail in Alg. 3.

To evaluate the global classification quality for a given classifier with a fixed parameter t, we use a confusion matrix, which uses the following terminology:

• TP (True Positives) - elements from the phishing class that were correctly classified as phishing.

• TN (True Negatives, true negative) - elements from the normal class that have been correctly classified as normal.

• FP (False Positives) - elements from the normal class that have been misclassified as phishing.

• FN (False Negatives) - elements from the phishing class that have been misclassified as normal.

We can put the above information in the table, where the rows contain elements from the phishing class and normal class, respectively, while the columns contain elements classified by the classifier into the phishing class and normal class, respectively.

Each of these elements is crucial in evaluating the performance of the classifier, enabling further analysis of classification errors and optimization of the model in the context of minimizing false positives and improving phishing detection.

The accuracy calculated for the test objects from the phishing class is called sensitivity (TPR - true positive rate or recall), and the accuracy calculated for the test objects from a normal class we call specificity (TNR - true negative rate). In addition, we will consider FPR - false positive rate. Using the above notion we can calculate mentioned parameters according to the following formula:

• $TPR=\frac {TP}{P}=\frac {TP}{TP+FN}$

• $TNR=\frac {TN}{N}=\frac {TN}{TN+FP}$

• $FPR=\frac {FP}{N}=\frac {FP}{FP+TN}$

For all test datasets, the individual values of true positive (TP), true negative (TN), false negative (FN), and false positive (FP) were determined, and a global confusion matrix was subsequently constructed. Based on the confusion matrix, the global true positive rate (TPR), false positive rate (FPR), and true negative rate (TNR) were calculated. It should be noted that TNR is equal to 1 - TPR. This methodology enables the determination of not only a quality measure but also remember the number of false positives (FPs).

To assess the obtained results we also used the HMRS measure [26] which is given by the following equation:

View Source\begin{equation*} HMRS=\frac {H M\left ({{R E C \cdot \frac {P}{M}, S~E L \cdot \frac {N}{M}}}\right)}{H M\left ({{\frac {P}{M}, \frac {N}{M}}}\right)}\end{equation*}

F. Measuring the Potential of Model Overfitting

In the context of the proposed model, there is an assumption that potential for overfitting is greatest at the level of the underlying estimators. This is due to the fact that the proposed model does not adjust the parameters of the aggregations utilized, or the aggregations lack parameters that can be adjusted. The threshold tuning method presented in Algorithm 2 can be regarded as a tuning of the model’s hyperparameters, making it also susceptible to overfitting. However, it should be noted that the learning data is unbalanced, and for such data, threshold moving is a popular and recommended technique [55]. In addition, the proposed algorithm is used as a detector, which has some very specific application: it should be calibrated to generate a relatively small number of false positives. This is achieved through the implementation of a sliding threshold, which optimizes a preferred quality measure (min TPR).

For PassiveAggressiveClassifier and Stochastic Gradient Descent Classifier models it is possible to apply popular techniques to counteract overfitting, i.e. early stopping and regularization (cf. [51]). Bernoulli Naive Bayes is an estimator for which such techniques cannot be applied.

In order to ascertain the presence of overfitting at the level of the underlying models, the following experiments were conducted: each base classifier was trained individually, with the model first being taught using period $d_{1}$ and then sequentially incrementally trained on data $d_{2}$ , $d_{3}$ , and so on. Each period d was divided into training data t and validation data v. The model was first trained on the $t_{1}$ data, and a measure of HMRS quality was calculated. Then, the value of this measure was checked on the $v_{1}$ (i.e., data from the same time period, but unknown to the model during learning). Finally, the value of this measure was calculated on the test data (from the next period $d_{2}$ ). The model was then incrementally trained on $t_{2}$ , followed by validation on $v_{2}$ data and testing on test data from $d_{3}$ , and so on. This methodology made it possible to verify that the quality measure obtained on the training data does not drop significantly on the validation and test data (if such a decrease occurred, it would clearly indicate that the model was overfitted).

The outcomes of the experiments revealed that, on the HMRS metric there is mostly no significant reduction in quality on the test data, and at times, the quality even surpassed that of the training data (this means that the models do not adjust too much to the training data, because they retain the ability to separate decision classes). However, certain model parameters led to underfitting, characterized by premature termination of learning and a substantial decline in classification quality compared to other results.

In summary, in our opinion, sufficient techniques were used to counteract model overtraining, which was further confirmed empirically. The additional tests performed show that our model does not overtrain to a significant degree. Using regularization techniques which are standard parameters of the scikit learn library and checking the results on separate datasets in our opinion effectively reduced the risk of overfitting.