# **Phishing Website Detection Feature Extraction**


# **1. Objective:**
The objective of this notebook is to collect data & extract the selctive features form the URLs.



# **2. Collecting the Data:**



## **2.1. Phishing URLs:**

In [2]:
#importing required packages for this module
import pandas as pd

In [3]:
#loading the phishing URLs data to dataframe
data0 = pd.read_csv("online-valid.csv")
data0.head()

Unnamed: 0,phish_id,url,phish_detail_url,submission_time,verified,verification_time,online,target
0,8750113,https://validar-suporte-autorizar.com/validate...,http://www.phishtank.com/phish_detail.php?phis...,2024-09-09T08:09:16+00:00,yes,2024-09-09T08:12:55+00:00,yes,Other
1,8750109,https://www.deuteros.site/c/9aad3f2b-9b94-4018...,http://www.phishtank.com/phish_detail.php?phis...,2024-09-09T08:06:24+00:00,yes,2024-09-09T08:12:55+00:00,yes,Other
2,8750108,https://firebasestorage.googleapis.com/v0/b/le...,http://www.phishtank.com/phish_detail.php?phis...,2024-09-09T08:05:36+00:00,yes,2024-09-09T08:12:55+00:00,yes,Other
3,8750105,https://allegrolokalnie.56485.shop/?id=I6Jo61H...,http://www.phishtank.com/phish_detail.php?phis...,2024-09-09T08:01:44+00:00,yes,2024-09-09T08:03:49+00:00,yes,Allegro
4,8750104,https://managehosting-rinnovare.computer-servi...,http://www.phishtank.com/phish_detail.php?phis...,2024-09-09T07:59:39+00:00,yes,2024-09-09T08:03:49+00:00,yes,Other


In [9]:
data0['phish_detail_url'].head(1)

0    http://www.phishtank.com/phish_detail.php?phis...
Name: phish_detail_url, dtype: object

In [4]:
data0.shape

(83925, 8)

So, the data has thousands of phishing URLs. But the problem here is, this data gets updated hourly. Without getting into the risk of data imbalance, I am considering a margin value of 10,000. Here, we are taking 5000 phishing URLs & 5000 legitimate URLs. 

Thereby, picking up 5000 samples from the above dataframe randomly.

In [5]:
#Collecting 5,000 Phishing URLs randomly
phishurl = data0.sample(n = 5000, random_state = 12).copy()
phishurl = phishurl.reset_index(drop=True)
phishurl.head()

Unnamed: 0,phish_id,url,phish_detail_url,submission_time,verified,verification_time,online,target
0,8728627,https://l.ead.me/bfKYMj,http://www.phishtank.com/phish_detail.php?phis...,2024-08-23T12:16:48+00:00,yes,2024-08-23T12:23:08+00:00,yes,Other
1,8337699,https://almardoof.com/Webmail/65/Webmail/webma...,http://www.phishtank.com/phish_detail.php?phis...,2023-10-19T23:39:11+00:00,yes,2023-10-19T23:43:12+00:00,yes,Other
2,8269010,https://utua.com.br/gt-emp-bam-vivienda-p2?utm...,http://www.phishtank.com/phish_detail.php?phis...,2023-08-22T17:56:59+00:00,yes,2023-08-22T18:03:38+00:00,yes,Other
3,8476378,http://vecr.pages.dev,http://www.phishtank.com/phish_detail.php?phis...,2024-03-04T20:48:52+00:00,yes,2024-03-04T21:03:31+00:00,yes,Other
4,8721705,https://settingsencodingdevolopmentwebmainserv...,http://www.phishtank.com/phish_detail.php?phis...,2024-08-19T19:07:24+00:00,yes,2024-08-19T19:13:19+00:00,yes,Other


In [6]:
phishurl.shape

(5000, 8)

As of now we collected 5000 phishing URLs. Now, we need to collect the legitimate URLs.

## **2.2. Legitimate URLs:**

From the uploaded *Benign_list_big_final.csv* file, the URLs are loaded into a dataframe.

In [7]:
#Loading legitimate files 
data1 = pd.read_csv("1.Benign_list_big_final.csv")
data1.columns = ['URLs']
data1.head()

Unnamed: 0,URLs
0,http://1337x.to/torrent/1110018/Blackhat-2015-...
1,http://1337x.to/torrent/1122940/Blackhat-2015-...
2,http://1337x.to/torrent/1124395/Fast-and-Furio...
3,http://1337x.to/torrent/1145504/Avengers-Age-o...
4,http://1337x.to/torrent/1160078/Avengers-age-o...


As stated above, 5000 legitimate URLs are randomaly picked from the above dataframe.

In [8]:
#Collecting 5,000 Legitimate URLs randomly
legiurl = data1.sample(n = 5000, random_state = 12).copy()
legiurl = legiurl.reset_index(drop=True)
legiurl.head()

Unnamed: 0,URLs
0,http://graphicriver.net/search?date=this-month...
1,http://ecnavi.jp/redirect/?url=http://www.cros...
2,https://hubpages.com/signin?explain=follow+Hub...
3,http://extratorrent.cc/torrent/4190536/AOMEI+B...
4,http://icicibank.com/Personal-Banking/offers/o...


In [9]:
legiurl.shape

(5000, 1)

# **3. Feature Extraction:**

In this step, features are extracted from the URLs dataset.

The extracted features are categorized into


1.   Address Bar based Features
2.   Domain based Features
3.   HTML & Javascript based Features



### **3.1. Address Bar Based Features:**

Many features can be extracted that can be consided as address bar base features. Out of them, below mentioned were considered for this project.


*   Domain of URL
*   IP Address in URL
*   "@" Symbol in URL
*   Length of URL
*   Depth of URL
*   Redirection "//" in URL
*   "http/https" in Domain name
*   Using URL Shortening Services “TinyURL”
*   Prefix or Suffix "-" in Domain

In [10]:
# importing required packages for this section
from urllib.parse import urlparse,urlencode
import ipaddress
import re

#### **3.1.1. Domain of the URL**
Here, we are just extracting the domain present in the URL. This feature doesn't have much significance in the training. May even be dropped while training the model.

In [11]:
# 1.Domain of the URL (Domain) 
def getDomain(url):  
  domain = urlparse(url).netloc
  if re.match(r"^www.",domain):
	       domain = domain.replace("www.","")
  return domain

#### **3.1.2. IP Address in the URL**

Checks for the presence of IP address in the URL. URLs may have IP address instead of domain name. If an IP address is used as an alternative of the domain name in the URL, we can be sure that someone is trying to steal personal information with this URL.

If the domain part of URL has IP address, the value assigned to this feature is 1 (phishing) or else 0 (legitimate).



In [12]:
# 2.Checks for IP address in URL (Have_IP)
def havingIP(url):
  try:
    ipaddress.ip_address(url)
    ip = 1
  except:
    ip = 0
  return ip


#### **3.1.3. "@" Symbol in URL**

Checks for the presence of '@' symbol in the URL. Using “@” symbol in the URL leads the browser to ignore everything preceding the “@” symbol and the real address often follows the “@” symbol. 

If the URL has '@' symbol, the value assigned to this feature is 1 (phishing) or else 0 (legitimate).

In [13]:
# 3.Checks the presence of @ in URL (Have_At)
def haveAtSign(url):
  if "@" in url:
    at = 1    
  else:
    at = 0    
  return at

#### **3.1.4. Length of URL**

Computes the length of the URL. Phishers can use long URL to hide the doubtful part in the address bar. In this project, if the length of the URL is greater than or equal 54 characters then the URL classified as phishing otherwise legitimate.

If the length of URL >= 54 , the value assigned to this feature is 1 (phishing) or else 0 (legitimate).

In [14]:
# 4.Finding the length of URL and categorizing (URL_Length)
def getLength(url):
  if len(url) < 54:
    length = 0            
  else:
    length = 1            
  return length

#### **3.1.5. Depth of URL**

Computes the depth of the URL. This feature calculates the number of sub pages in the given url based on the '/'.

The value of feature is a numerical based on the URL.

In [15]:
# 5.Gives number of '/' in URL (URL_Depth)
def getDepth(url):
  s = urlparse(url).path.split('/')
  depth = 0
  for j in range(len(s)):
    if len(s[j]) != 0:
      depth = depth+1
  return depth

#### **3.1.6. Redirection "//" in URL**

Checks the presence of "//" in the URL. The existence of “//” within the URL path means that the user will be redirected to another website. The location of the “//” in URL is computed. We find that if the URL starts with “HTTP”, that means the “//” should appear in the sixth position. However, if the URL employs “HTTPS” then the “//” should appear in seventh position.

If the "//" is anywhere in the URL apart from after the protocal, thee value assigned to this feature is 1 (phishing) or else 0 (legitimate).

In [16]:
# 6.Checking for redirection '//' in the url (Redirection)
def redirection(url):
  pos = url.rfind('//')
  if pos > 6:
    if pos > 7:
      return 1
    else:
      return 0
  else:
    return 0

#### **3.1.7. "http/https" in Domain name**

Checks for the presence of "http/https" in the domain part of the URL. The phishers may add the “HTTPS” token to the domain part of a URL in order to trick users.

If the URL has "http/https" in the domain part, the value assigned to this feature is 1 (phishing) or else 0 (legitimate).

In [17]:
# 7.Existence of “HTTPS” Token in the Domain Part of the URL (https_Domain)
def httpDomain(url):
  domain = urlparse(url).netloc
  if 'https' in domain:
    return 1
  else:
    return 0

#### **3.1.8. Using URL Shortening Services “TinyURL”**

URL shortening is a method on the “World Wide Web” in which a URL may be made considerably smaller in length and still lead to the required webpage. This is accomplished by means of an “HTTP Redirect” on a domain name that is short, which links to the webpage that has a long URL. 

If the URL is using Shortening Services, the value assigned to this feature is 1 (phishing) or else 0 (legitimate).

In [18]:
#listing shortening services
shortening_services = r"bit\.ly|goo\.gl|shorte\.st|go2l\.ink|x\.co|ow\.ly|t\.co|tinyurl|tr\.im|is\.gd|cli\.gs|" \
                      r"yfrog\.com|migre\.me|ff\.im|tiny\.cc|url4\.eu|twit\.ac|su\.pr|twurl\.nl|snipurl\.com|" \
                      r"short\.to|BudURL\.com|ping\.fm|post\.ly|Just\.as|bkite\.com|snipr\.com|fic\.kr|loopt\.us|" \
                      r"doiop\.com|short\.ie|kl\.am|wp\.me|rubyurl\.com|om\.ly|to\.ly|bit\.do|t\.co|lnkd\.in|db\.tt|" \
                      r"qr\.ae|adf\.ly|goo\.gl|bitly\.com|cur\.lv|tinyurl\.com|ow\.ly|bit\.ly|ity\.im|q\.gs|is\.gd|" \
                      r"po\.st|bc\.vc|twitthis\.com|u\.to|j\.mp|buzurl\.com|cutt\.us|u\.bb|yourls\.org|x\.co|" \
                      r"prettylinkpro\.com|scrnch\.me|filoops\.info|vzturl\.com|qr\.net|1url\.com|tweez\.me|v\.gd|" \
                      r"tr\.im|link\.zip\.net"

In [19]:
# 8. Checking for Shortening Services in URL (Tiny_URL)
def tinyURL(url):
    match=re.search(shortening_services,url)
    if match:
        return 1
    else:
        return 0

#### **3.1.9. Prefix or Suffix "-" in Domain**

Checking the presence of '-' in the domain part of URL. The dash symbol is rarely used in legitimate URLs. Phishers tend to add prefixes or suffixes separated by (-) to the domain name so that users feel that they are dealing with a legitimate webpage. 

If the URL has '-' symbol in the domain part of the URL, the value assigned to this feature is 1 (phishing) or else 0 (legitimate).

In [20]:
# 9.Checking for Prefix or Suffix Separated by (-) in the Domain (Prefix/Suffix)
def prefixSuffix(url):
    if '-' in urlparse(url).netloc:
        return 1            # phishing
    else:
        return 0            # legitimate

### **3.2. Domain Based Features:**

Many features can be extracted that come under this category. Out of them, below mentioned were considered for this project.

*   DNS Record
*   Website Traffic 
*   Age of Domain
*   End Period of Domain

Each of these features are explained and the coded below:

In [21]:
!pip install python-whois




[notice] A new release of pip available: 22.2.2 -> 24.2
[notice] To update, run: python.exe -m pip install --upgrade pip


In [22]:
# importing required packages for this section
import re
from bs4 import BeautifulSoup
import whois
import urllib
import urllib.request
from datetime import datetime

#### **3.2.1. DNS Record**

For phishing websites, either the claimed identity is not recognized by the WHOIS database or no records founded for the hostname. 
If the DNS record is empty or not found then, the value assigned to this feature is 1 (phishing) or else 0 (legitimate).

In [23]:
# 11.DNS Record availability (DNS_Record)
# obtained in the featureExtraction function itself

#### **3.2.2. Web Traffic**

This feature measures the popularity of the website by determining the number of visitors and the number of pages they visit. However, since phishing websites live for a short period of time, they may not be recognized by the Alexa database (Alexa the Web Information Company., 1996). By reviewing our dataset, we find that in worst scenarios, legitimate websites ranked among the top 100,000. Furthermore, if the domain has no traffic or is not recognized by the Alexa database, it is classified as “Phishing”.

If the rank of the domain < 100000, the vlaue of this feature is 1 (phishing) else 0 (legitimate).

In [24]:
# 12.Web traffic (Web_Traffic)
def web_traffic(url):
  try:
    #Filling the whitespaces in the URL if any
    url = urllib.parse.quote(url)
    rank = BeautifulSoup(urllib.request.urlopen("http://data.alexa.com/data?cli=10&dat=s&url=" + url).read(), "xml").find(
        "REACH")['RANK']
    rank = int(rank)
  except TypeError:
        return 1
  if rank <100000:
    return 1
  else:
    return 0

#### **3.2.3. Age of Domain**

This feature can be extracted from WHOIS database. Most phishing websites live for a short period of time. The minimum age of the legitimate domain is considered to be 12 months for this project. Age here is nothing but different between creation and expiration time.

If age of domain > 12 months, the vlaue of this feature is 1 (phishing) else 0 (legitimate).

In [25]:
# 13.Survival time of domain: The difference between termination time and creation time (Domain_Age)  
def domainAge(domain_name):
  creation_date = domain_name.creation_date
  expiration_date = domain_name.expiration_date
  if (isinstance(creation_date,str) or isinstance(expiration_date,str)):
    try:
      creation_date = datetime.strptime(creation_date,'%Y-%m-%d')
      expiration_date = datetime.strptime(expiration_date,"%Y-%m-%d")
    except:
      return 1
  if ((expiration_date is None) or (creation_date is None)):
      return 1
  elif ((type(expiration_date) is list) or (type(creation_date) is list)):
      return 1
  else:
    ageofdomain = abs((expiration_date - creation_date).days)
    if ((ageofdomain/30) < 6):
      age = 1
    else:
      age = 0
  return age

#### **3.2.4. End Period of Domain**

This feature can be extracted from WHOIS database. For this feature, the remaining domain time is calculated by finding the different between expiration time & current time. The end period considered for the legitimate domain is 6 months or less  for this project. 

If end period of domain > 6 months, the vlaue of this feature is 1 (phishing) else 0 (legitimate).

In [26]:
# 14.End time of domain: The difference between termination time and current time (Domain_End) 
def domainEnd(domain_name):
  expiration_date = domain_name.expiration_date
  if isinstance(expiration_date,str):
    try:
      expiration_date = datetime.strptime(expiration_date,"%Y-%m-%d")
    except:
      return 1
  if (expiration_date is None):
      return 1
  elif (type(expiration_date) is list):
      return 1
  else:
    today = datetime.now()
    end = abs((expiration_date - today).days)
    if ((end/30) < 6):
      end = 0
    else:
      end = 1
  return end

## **3.3. HTML and JavaScript based Features**

Many features can be extracted that come under this category. Out of them, below mentioned were considered for this project.

*   IFrame Redirection
*   Status Bar Customization
*   Disabling Right Click
*   Website Forwarding

Each of these features are explained and the coded below:

In [27]:
# importing required packages for this section
import requests

### **3.3.1. IFrame Redirection**

IFrame is an HTML tag used to display an additional webpage into one that is currently shown. Phishers can make use of the “iframe” tag and make it invisible i.e. without frame borders. In this regard, phishers make use of the “frameBorder” attribute which causes the browser to render a visual delineation. 

If the iframe is empty or repsonse is not found then, the value assigned to this feature is 1 (phishing) or else 0 (legitimate).

In [28]:
# 15. IFrame Redirection (iFrame)
def iframe(response):
  if response == "":
      return 1
  else:
      if re.findall(r"[<iframe>|<frameBorder>]", response.text):
          return 0
      else:
          return 1

### **3.3.2. Status Bar Customization**

Phishers may use JavaScript to show a fake URL in the status bar to users. To extract this feature, we must dig-out the webpage source code, particularly the “onMouseOver” event, and check if it makes any changes on the status bar

If the response is empty or onmouseover is found then, the value assigned to this feature is 1 (phishing) or else 0 (legitimate).

In [29]:
# 16.Checks the effect of mouse over on status bar (Mouse_Over)
def mouseOver(response): 
  if response == "" :
    return 1
  else:
    if re.findall("<script>.+onmouseover.+</script>", response.text):
      return 1
    else:
      return 0

### **3.3.3. Disabling Right Click**

Phishers use JavaScript to disable the right-click function, so that users cannot view and save the webpage source code. This feature is treated exactly as “Using onMouseOver to hide the Link”. Nonetheless, for this feature, we will search for event “event.button==2” in the webpage source code and check if the right click is disabled.

If the response is empty or onmouseover is not found then, the value assigned to this feature is 1 (phishing) or else 0 (legitimate).




In [30]:
# 17.Checks the status of the right click attribute (Right_Click)
def rightClick(response):
  if response == "":
    return 1
  else:
    if re.findall(r"event.button ?== ?2", response.text):
      return 0
    else:
      return 1

### **3.3.4. Website Forwarding**
The fine line that distinguishes phishing websites from legitimate ones is how many times a website has been redirected. In our dataset, we find that legitimate websites have been redirected one time max. On the other hand, phishing websites containing this feature have been redirected at least 4 times. 




In [31]:
# 18.Checks the number of forwardings (Web_Forwards)    
def forwarding(response):
  if response == "":
    return 1
  else:
    if len(response.history) <= 2:
      return 0
    else:
      return 1

## **4. Computing URL Features**

Create a list and a function that calls the other functions and stores all the features of the URL in the list. We will extract the features of each URL and append to this list.

In [32]:
#Function to extract features
# def featureExtraction(url,label):

#   features = []
#   #Address bar based features (10)
#   features.append(getDomain(url))
#   features.append(havingIP(url))
#   features.append(haveAtSign(url))
#   features.append(getLength(url))
#   features.append(getDepth(url))
#   features.append(redirection(url))
#   features.append(httpDomain(url))
#   features.append(tinyURL(url))
#   features.append(prefixSuffix(url))
  
#   #Domain based features (4)
#   dns = 0
#   try:
#     domain_name = whois.whois(urlparse(url).netloc)
#   except:
#     dns = 1

#   features.append(dns)
#   features.append(web_traffic(url))
#   features.append(1 if dns == 1 else domainAge(domain_name))
#   features.append(1 if dns == 1 else domainEnd(domain_name))
  
#   # HTML & Javascript based features (4)
#   try:
#     response = requests.get(url)
#   except:
#     response = ""
#   features.append(iframe(response))
#   features.append(mouseOver(response))
#   features.append(rightClick(response))
#   features.append(forwarding(response))
#   features.append(label)
  
#   return features

import requests
from urllib.parse import urlparse
import whois

def featureExtraction(url, label):
    features = []

    # Address bar based features (10)
    try:
        features.append(getDomain(url))
        features.append(havingIP(url))
        features.append(haveAtSign(url))
        features.append(getLength(url))
        features.append(getDepth(url))
        features.append(redirection(url))
        features.append(httpDomain(url))
        features.append(tinyURL(url))
        features.append(prefixSuffix(url))
    except Exception as e:
        print(f"Error processing address bar features for URL {url}: {e}")
        features.extend([None] * 9)  # Append None for the failed features

    # Domain based features (4)
    dns = 0
    try:
        domain_name = whois.whois(urlparse(url).netloc)
        features.append(dns)
        features.append(web_traffic(url))
        features.append(domainAge(domain_name))
        features.append(domainEnd(domain_name))
    except Exception as e:
        print(f"Error processing domain features for URL {url}: {e}")
        features.extend([1, 1, 1])  # Append default values in case of failure

    # HTML & JavaScript based features (4)
    try:
        response = requests.get(url, timeout=10)
        features.append(iframe(response))
        features.append(mouseOver(response))
        features.append(rightClick(response))
        features.append(forwarding(response))
    except requests.exceptions.RequestException as e:
        print(f"Error fetching HTML for URL {url}: {e}")
        features.extend([None] * 4)  # Append None for the failed features

    features.append(label)
    
    return features

### **4.1. Legitimate URLs:**

Now, feature extraction is done on legitimate URLs.

In [33]:
legiurl.shape

(5000, 1)

In [34]:
#Extracting the feautres & storing them in a list
legi_features = []
label = 0

for i in range(0, 50):
  url = legiurl['URLs'][i]
  legi_features.append(featureExtraction(url,label))

Error processing domain features for URL http://graphicriver.net/search?date=this-month&length_max=&length_min=&price_max=&price_min=&rating_min=&sales=&sort=sales&term=&view=list: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL http://ecnavi.jp/redirect/?url=http://www.cross-a.net/x.php?id=1845_3212_22061_26563&m=1004&pid=%user_id%: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL https://hubpages.com/signin?explain=follow+Hubs&url=%2Fhub%2FComfort-Theories-of-Religion: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL http://extratorrent.cc/torrent/4190536/AOMEI+Backupper+Technician+%2B+Server+Edition+2.8.0+%2B+Patch+%2B+Key+%2B+100%25+Working.html: <urlopen error [Errno 11001] getaddrinfo failed>
Error fetching HTML for URL http://extratorrent.cc/torrent/4190536/AOMEI+Backupper+Technician+%2B+Server+Edition+2.8.0+%2B+Patch+%2B+Key+%2B+100%25+Working.html: HTTPCo

2024-09-09 14:58:21,925 - whois.whois - ERROR - Error trying to connect to socket: closing socket - [Errno 11001] getaddrinfo failed


Error processing domain features for URL http://kienthuc.net.vn/diem-thi/diem-chuan-dh-cong-nghe-giao-thong-van-tai-nam-2014-482407.html: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL http://thenextweb.com/in/2015/04/16/india-wants-a-neutral-web-and-facebooks-internet-org-cant-be-a-part-of-it/gtm.js: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL http://tobogo.net/cdsb/board.php?board=greet&bm=view&no=5716&category=&auth=&page=1&search=&keyword=&recom=: <urlopen error [Errno 11001] getaddrinfo failed>
Error fetching HTML for URL http://tobogo.net/cdsb/board.php?board=greet&bm=view&no=5716&category=&auth=&page=1&search=&keyword=&recom=: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))
Error processing domain features for URL http://akhbarelyom.com/news/newdetails/411395/1/%D9%85%D8%AD%D8%A7%D9%81%D8%B8-%D8%A7%D9%84%D8%A8%D8%AD%D9%8A%D8%B1.html: <urlopen erro

2024-09-09 14:59:53,086 - whois.whois - ERROR - Error trying to connect to socket: closing socket - [Errno 11001] getaddrinfo failed


Error processing domain features for URL http://allegro.pl/listing/listing.php?id=122233&order=m&string=%7Bstring%7D&bmatch=seng-ps-mp-p-sm-isqm-2-e-0402: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL http://allegro.pl/listing/listing.php?id=20782&order=m&p=2&string=%7Bstring%7D&bmatch=seng-v10-p-sm-isqm-2-o-0113: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL http://tinnhanh360.net/-ong-tay-de-thuong-ban-do-choi-dao-ha-noi-gay-ngac-nhien-thich-thu.html: <urlopen error [Errno 11001] getaddrinfo failed>
Error fetching HTML for URL http://tinnhanh360.net/-ong-tay-de-thuong-ban-do-choi-dao-ha-noi-gay-ngac-nhien-thich-thu.html: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))
Error processing domain features for URL http://metro.co.uk/2014/08/15/big-brother-2014-shock-twist-ashleigh-coyle-comes-second-4834723/: <urlopen error [Errno 11001] getaddrinfo failed>
E

2024-09-09 15:00:36,975 - whois.whois - ERROR - Error trying to connect to socket: closing socket - [Errno 11001] getaddrinfo failed


Error processing domain features for URL http://motthegioi.vn/tai-chinh-bat-dong-san/tu-17-nguoi-mua-nha-dat-phai-cong-them-hang-loat-chi-phi-187472.html: <urlopen error [Errno 11001] getaddrinfo failed>
Error fetching HTML for URL http://motthegioi.vn/tai-chinh-bat-dong-san/tu-17-nguoi-mua-nha-dat-phai-cong-them-hang-loat-chi-phi-187472.html: HTTPConnectionPool(host='motthegioi.vn', port=80): Max retries exceeded with url: /tai-chinh-bat-dong-san/tu-17-nguoi-mua-nha-dat-phai-cong-them-hang-loat-chi-phi-187472.html (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x000001C005AED970>: Failed to establish a new connection: [Errno 11001] getaddrinfo failed'))
Error processing domain features for URL http://spankbang.com/4ze1/video/brunette+with+big+boobs+fucked+in+a+cellar+public+agent: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL http://torcache.net/torrent/FECDCFB88429EDAE6184E26D63EDD5A1AB2B1736.torrent?title=[kick

In [35]:
#converting the list to dataframe
feature_names = ['Domain', 'Have_IP', 'Have_At', 'URL_Length', 'URL_Depth','Redirection', 
                      'https_Domain', 'TinyURL', 'Prefix/Suffix', 'DNS_Record', 'Web_Traffic', 
                      'Domain_Age', 'Domain_End', 'iFrame', 'Mouse_Over','Right_Click', 'Web_Forwards', 'Label']

legitimate = pd.DataFrame(legi_features, columns= feature_names)
legitimate.head()

Unnamed: 0,Domain,Have_IP,Have_At,URL_Length,URL_Depth,Redirection,https_Domain,TinyURL,Prefix/Suffix,DNS_Record,Web_Traffic,Domain_Age,Domain_End,iFrame,Mouse_Over,Right_Click,Web_Forwards,Label
0,graphicriver.net,0,0,1,1,0,0,0,0,0,1,1,1,0.0,0.0,1.0,0.0,0.0
1,ecnavi.jp,0,0,1,1,1,0,0,0,0,1,1,1,0.0,0.0,1.0,0.0,0.0
2,hubpages.com,0,0,1,1,0,0,0,0,0,1,1,1,0.0,0.0,1.0,0.0,0.0
3,extratorrent.cc,0,0,1,3,0,0,0,0,0,1,1,1,,,,,0.0
4,icicibank.com,0,0,1,3,0,0,0,0,0,1,1,1,0.0,0.0,1.0,0.0,0.0


In [36]:
# Storing the extracted legitimate URLs fatures to csv file
legitimate.to_csv('legitimate.csv', index= False)

### **4.2. Phishing URLs:**

Now, feature extraction is performed on phishing URLs.

In [37]:
phishurl.shape

(5000, 8)

In [38]:
#Extracting the feautres & storing them in a list
phish_features = []
label = 1
for i in range(0, 50):
  url = phishurl['url'][i]
  phish_features.append(featureExtraction(url,label))

Error processing domain features for URL https://l.ead.me/bfKYMj: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL https://almardoof.com/Webmail/65/Webmail/webmail.php: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL https://utua.com.br/gt-emp-bam-vivienda-p2?utm_source=clevertap&amp;utm_medium=email&amp;utm_campaign=gt-utua-ct-email-emp&amp;utm_content=gt-utua-ct-email-emp-ag&amp;utm_term=gt-utua-ct-email-emp-ag-1014: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL http://vecr.pages.dev: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL https://settingsencodingdevolopmentwebmainservicesmain04.pages.dev/: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL https://metmaskkxtension.gitbook.io/us: <urlopen error [Errno 11001] getaddrinfo failed>


2024-09-09 15:04:12,365 - whois.whois - ERROR - Error trying to connect to socket: closing socket - [Errno 11001] getaddrinfo failed


Error processing domain features for URL https://posindonesia.help/: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL https://pub-ff5752ccfa0b41cf82911a1040a060a1.r2.dev/index.html: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL http://myetherwallet-login.webflow.io: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL https://docs.google.com/drawings/d/1XZO94lkJQwyjPThH_t7zu4BHXElRXbPUEa_MZRpzVQg: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL https://index--kucoin.gitbook.io/us: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL https://wise-login-a.serv00.net/default_folder: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL http://www-6cb5ea99.bid-a-model.com/?id=yvesgoethals.be: <urlopen error [Errno 11001] getaddrinfo failed>
Error fetching H

2024-09-09 15:06:25,430 - whois.whois - ERROR - Error trying to connect to socket: closing socket - timed out


Error processing domain features for URL https://q-r.to/bfIPFk: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL https://ledgrlivewdwnload.gitbook.io/us: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL https://pub-6f8a4dc83b8743fb9fb01e7f6f8b84fe.r2.dev/index.html: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL https://l.ead.me/bfLXYH: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL https://pub-3a7b7ca4ea944c9180e188aad1408d36.r2.dev/USER16052024UNIQUE0810051605202420240516100805_1718111476489.html: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL https://pub-7adbd246ff1b4521aa5a8d1c904cacf8.r2.dev/index.html: <urlopen error [Errno 11001] getaddrinfo failed>
Error processing domain features for URL https://online.attservices.workers.dev/: <urlopen error [Errno 11001] getaddrinfo f

In [39]:
#converting the list to dataframe
feature_names = ['Domain', 'Have_IP', 'Have_At', 'URL_Length', 'URL_Depth','Redirection', 
                      'https_Domain', 'TinyURL', 'Prefix/Suffix', 'DNS_Record', 'Web_Traffic', 
                      'Domain_Age', 'Domain_End', 'iFrame', 'Mouse_Over','Right_Click', 'Web_Forwards', 'Label']

phishing = pd.DataFrame(phish_features, columns= feature_names)
phishing.head()

Unnamed: 0,Domain,Have_IP,Have_At,URL_Length,URL_Depth,Redirection,https_Domain,TinyURL,Prefix/Suffix,DNS_Record,Web_Traffic,Domain_Age,Domain_End,iFrame,Mouse_Over,Right_Click,Web_Forwards,Label
0,l.ead.me,0,0,0,1,0,0,0,0,0,1,1,1,0.0,0.0,1.0,0.0,1.0
1,almardoof.com,0,0,0,4,0,0,0,0,0,1,1,1,1.0,0.0,1.0,0.0,1.0
2,utua.com.br,0,0,1,1,0,0,0,0,0,1,1,1,0.0,0.0,1.0,0.0,1.0
3,vecr.pages.dev,0,0,0,0,0,0,0,0,0,1,1,1,0.0,0.0,1.0,0.0,1.0
4,settingsencodingdevolopmentwebmainservicesmain...,0,0,1,0,0,0,0,0,0,1,1,1,0.0,0.0,1.0,0.0,1.0


In [40]:
# Storing the extracted legitimate URLs fatures to csv file
phishing.to_csv('phishing.csv', index= False)

## **5. Final Dataset**

In the above section we formed two dataframes of legitimate & phishing URL features. Now, we will combine them to a single dataframe and export the data to csv file for the Machine Learning training done in other notebook. 

In [41]:
#Concatenating the dataframes into one 
urldata = pd.concat([legitimate, phishing]).reset_index(drop=True)
urldata.head()

Unnamed: 0,Domain,Have_IP,Have_At,URL_Length,URL_Depth,Redirection,https_Domain,TinyURL,Prefix/Suffix,DNS_Record,Web_Traffic,Domain_Age,Domain_End,iFrame,Mouse_Over,Right_Click,Web_Forwards,Label
0,graphicriver.net,0,0,1,1,0,0,0,0,0,1,1,1,0.0,0.0,1.0,0.0,0.0
1,ecnavi.jp,0,0,1,1,1,0,0,0,0,1,1,1,0.0,0.0,1.0,0.0,0.0
2,hubpages.com,0,0,1,1,0,0,0,0,0,1,1,1,0.0,0.0,1.0,0.0,0.0
3,extratorrent.cc,0,0,1,3,0,0,0,0,0,1,1,1,,,,,0.0
4,icicibank.com,0,0,1,3,0,0,0,0,0,1,1,1,0.0,0.0,1.0,0.0,0.0


In [42]:
urldata.tail()

Unnamed: 0,Domain,Have_IP,Have_At,URL_Length,URL_Depth,Redirection,https_Domain,TinyURL,Prefix/Suffix,DNS_Record,Web_Traffic,Domain_Age,Domain_End,iFrame,Mouse_Over,Right_Click,Web_Forwards,Label
95,outlook-105459.weeblysite.com,0,0,0,0,0,0,0,1,0,1,1,1,0.0,0.0,1.0,0.0,1.0
96,home-104190.weeblysite.com,0,0,0,0,0,0,0,1,0,1,1,1,0.0,0.0,1.0,0.0,1.0
97,metamaskiextusion.webflow.io,0,0,0,0,0,0,0,0,0,1,1,1,0.0,0.0,1.0,0.0,1.0
98,web-dappfix-bgv.pages.dev,0,0,0,0,0,0,0,1,0,1,1,1,0.0,0.0,1.0,0.0,1.0
99,attmailwiwiw.weebly.com,0,0,0,0,0,0,0,0,0,1,1,1,0.0,0.0,1.0,0.0,1.0


In [43]:
urldata.shape

(100, 18)

In [44]:
# Storing the data in CSV file
urldata.to_csv('Final_data.csv', index=False)

## **6. Conclusion**

With this the objective of this notebook is achieved. We finally extracted 18 features for 10,000 URL which has 5000 phishing & 5000 legitimate URLs.