# Detect Phishing URLs
### Capstone 3 - Data Wrangling and EDA
Michael Garber

#### High-Level Steps
1. Data Wrangling
    1. Data Collection
    2. Data Organization
    3. Data Definition
    4. Data Cleaning
1. Exploratory Data Analysis


#### Data Wrangling

##### Data Collection
URL Data
- https://www.kaggle.com/datasets/hassaanmustafavi/phishing-urls-dataset

TLD (Top-level Domain) Data
- https://www.iana.org/domains/root/db

In [6]:
# Please Install KaggleHub if you don't already have it
%pip install kagglehub

Note: you may need to restart the kernel to use updated packages.


In [7]:
# Please Installtldextract if you don't already have it
%pip install tldextract

Note: you may need to restart the kernel to use updated packages.


In [8]:
# Import Packages
import pandas as pd
import kagglehub
import os
import shutil
from urllib.parse import urlparse
import tldextract
import ipaddress

In [9]:
# Download Data
kPath = kagglehub.dataset_download("hassaanmustafavi/phishing-urls-dataset")

In [10]:
# build source file path
fileName = 'url_dataset.csv'
srcFilePath = os.path.join(kPath, fileName)
dataDir = os.path.join(os.pardir, 'data', 'raw', fileName)

# Move File to project folder
shutil.copy(srcFilePath, dataDir)

'..\\data\\raw\\url_dataset.csv'

In [11]:
# Create pandas dataframe - urlData
urlData = pd.read_csv(dataDir)

In [12]:
# Create pandas dataframe - TLDs (Top-level Domains)
tldDir = '../data/raw/TLDs.csv'
tldNames = pd.read_csv(tldDir)

# TLDs source...
# https://www.iana.org/domains/root/db

In [13]:
# check dataframe urlData - # or rows
print(urlData.shape)

(450176, 2)


In [14]:
# check dataframe tldNames - # or rows
print(tldNames.shape)

(1591, 3)


##### Data Organization
Project file structure based on the cookiecutter data science template. \
[https://drivendata.github.io/cookiecutter-data-science/](https://drivendata.github.io/cookiecutter-data-science/)

Folder structure tree (GitHub) \
[https://github.com/mdgarber/DetectPhishURL/blob/7dd7d38c001590b4629f8810906a3724ab107fd5/DetectPhishURL/README.md](https://github.com/mdgarber/DetectPhishURL/blob/7dd7d38c001590b4629f8810906a3724ab107fd5/DetectPhishURL/README.md)

##### Data Definition

- Column names
- Data types
- Description of the columns
- Counts and unique values
- Ranges of values
- Calc Summary statistics

In [17]:
# Data types, unique values, range of index
urlData.info(verbose=True)

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 450176 entries, 0 to 450175
Data columns (total 2 columns):
 #   Column  Non-Null Count   Dtype 
---  ------  --------------   ----- 
 0   url     450176 non-null  object
 1   type    450176 non-null  object
dtypes: object(2)
memory usage: 6.9+ MB


Description of the columns
- url - The web address to be analyzed.
- type - The classification of the URL (phishing or legitimate).

In [19]:
# increase pandas dataframe column width - full size
pd.set_option('display.width', None)

In [20]:
# Value counts for URLs
pd.DataFrame(urlData['url' ].value_counts())

Unnamed: 0_level_0,count
url,Unnamed: 1_level_1
https://www.google.com,1
https://www.tabheaven.com/gales-eric-tabs.html,1
https://www.tabs-database.com/justin-mcroberts-chords.html,1
https://www.tabpower.com/a806.html,1
https://www.tabor.edu/alumni/directory?decade=1960,1
...,...
https://www.billboard.com/artist/anita-pointer/discography/songs/23169,1
https://www.billboard.com/artist/andy-kim/chart-history/21881,1
https://www.billboard.com/artist/alvino-rey/discography/compilations/9479?sort=alphabet,1
https://www.billboard.com/artist/3x-krazy/discography/albums/142659,1


- These URLs above are all unique ^

In [22]:
pd.DataFrame(urlData['type' ].value_counts()).head()

Unnamed: 0_level_0,count
type,Unnamed: 1_level_1
legitimate,345738
phishing,104438


In [23]:
# describe dataframe
urlData.describe()

Unnamed: 0,url,type
count,450176,450176
unique,450176,2
top,https://www.google.com,legitimate
freq,1,345738


Data Definition Summary

- Column names
    - **url**
        - Data types
            - series of string
        - Description of the column 
            - The web address to be analyzed.
        - Counts and unique values 
            - 450176 (all unique)
        - Ranges of values 
            - all unique URLs
    - **type**
        - Data types 
            - series of string
        - Description of the column
            - The classification of the URL (phishing or legitimate).
        - Counts and unique values
            - legitimate    345738
            - phishing      104438
        - Ranges of values
            - phishing
            - legitimate
            
- Calc Summary statistics
    - N/A ... text data

##### Data Cleaning

- this dataset is mostly clean  =)
- identify invalid URLs (those that urllib couldn't parse) and remove

#### Exploratory Data Analysis

- create new features from parsed URLs
- do value counts on the new url parts
- check correlations of the url parts to the target variable

In [27]:
# view the data head - URLs
urlData.head(10)

Unnamed: 0,url,type
0,https://www.google.com,legitimate
1,https://www.youtube.com,legitimate
2,https://www.facebook.com,legitimate
3,https://www.baidu.com,legitimate
4,https://www.wikipedia.org,legitimate
5,https://www.reddit.com,legitimate
6,https://www.yahoo.com,legitimate
7,https://www.google.co.in,legitimate
8,https://www.qq.com,legitimate
9,https://www.amazon.com,legitimate


In [28]:
# view the data head - only phish
urlData[urlData['type'] == 'phishing'].head(10)

Unnamed: 0,url,type
345738,http://atualizacaodedados.online,phishing
345739,http://webmasteradmin.ukit.me/,phishing
345740,http://stcdxmt.bigperl.in/klxtv/apps/uk/,phishing
345741,https://tubuh-syarikat.com/plugins/fields/files/,phishing
345742,http://rolyborgesmd.com/exceword/excel.php?.ra...,phishing
345743,http://ongelezen-voda.000webhostapp.com/inlogg...,phishing
345744,http://www.valenzaceramic.com/home/webapps/e52...,phishing
345745,http://membership-issue.forteimpex.com/dk2mmm=...,phishing
345746,http://membership-issue.forteimpex.com/dk2mmm=...,phishing
345747,http://chronopost-service-enligne.net/56123s/r...,phishing


##### TLD Data
> "Top level domains" ...to be integrated with url data set

In [30]:
# view the data (to be used as metadata for URLs)
tldNames

Unnamed: 0,Domain,Type,TLD Manager
0,.aaa,generic,"American Automobile Association, Inc."
1,.aarp,generic,AARP
2,.abarth,generic,Not assigned
3,.abb,generic,ABB Ltd
4,.abbott,generic,"Abbott Laboratories, Inc."
...,...,...,...
1586,.zippo,generic,Not assigned
1587,.zm,country-code,Zambia Information and Communications Technolo...
1588,.zone,generic,"Binky Moon, LLC"
1589,.zuerich,generic,Kanton Zürich (Canton of Zurich)


In [112]:
# describe tldNames
tldNames.describe()

Unnamed: 0,Domain,Type,TLD Manager
count,1591,1591,1591
unique,1591,6,754
top,.aaa,generic,"Binky Moon, LLC"
freq,1,1246,196


In [114]:
# get the different TLD types
tldNames['Type'].value_counts()

Type
generic               1246
country-code           316
sponsored               14
test                    11
generic-restricted       3
infrastructure           1
Name: count, dtype: int64

> **Country code** appears to be the most useful/interesting type among TLD type

##### URL Parsing

In [32]:
# create function urlparse_try 
#    otherwise, parsing will fail on an invalid URL
def urlparse_try(url):
    try:
        return urlparse(url)
    except:
        return 'invalid URL'

In [33]:
# engineer new feature for EDA - parsedUrl
urlData['parsedUrl'] = urlData['url'].apply(urlparse_try)

In [34]:
# example of a parsed url
print('Example of a parsed url \n')
print(urlparse(urlData['url'][1]))

Example of a parsed url 

ParseResult(scheme='https', netloc='www.youtube.com', path='', params='', query='', fragment='')


Parsed URL parts
> scheme://netloc/path;parameters?query#fragment

> **URL Part Reference**

![Image](../references/URL_part_diagram.png)

- image from https://www.geeksforgeeks.org/components-of-a-url/


In [37]:
# find invalid URLs (urls that failed urllib parsing...those will cause errors during processing)
invalidUrlRows = urlData[urlData['parsedUrl'] == 'invalid URL']
pd.DataFrame(invalidUrlRows).head()

Unnamed: 0,url,type,parsedUrl
397556,http://ladiesfirst-privileges[.]com/656465/d56...,phishing,invalid URL


In [38]:
# remove invalid URLs (they will causes errors)
urlData = urlData.drop(invalidUrlRows.index)

In [39]:
# confirm 1 record removed
urlData.shape

(450175, 3)

> Engineer new features from parsedUrl

In [41]:
# scheme
urlData['urlPart_scheme'] = urlData['parsedUrl'].apply(lambda urlObj : urlObj.scheme)

In [42]:
# create feature - subdomain
urlData['subDomain'] = urlData['url'].apply(lambda url : tldextract.extract(url).subdomain)

# create feature - subdomain
urlData['domain'] = urlData['url'].apply(lambda url : tldextract.extract(url).domain)

# create feature - tld (top-level domain)
urlData['tld'] = urlData['url'].apply(lambda url : tldextract.extract(url).suffix)

In [43]:
# make try except for port because it fails when port # is NULL
# def retPort():
#     try:
#         urlObj.port
#     except:
#         None

In [44]:
# port - ***no port numbers in the data so removing this code***
# urlData['urlPart_port'] = urlData['parsedUrl'].apply(lambda urlObj : retPort())

#  create feature - path
urlData['urlPart_path'] = urlData['parsedUrl'].apply(lambda urlObj : urlObj.path)

# create feature - query
urlData['urlPart_query'] = urlData['parsedUrl'].apply(lambda urlObj : urlObj.query)

# create feature - fragement
urlData['urlPart_fragment'] = urlData['parsedUrl'].apply(lambda urlObj : urlObj.fragment)

In [119]:
urlData.head(1)

Unnamed: 0,url,type,parsedUrl,urlPart_scheme,subDomain,domain,tld,urlPart_path,urlPart_query,urlPart_fragment,isIPaddress
0,https://www.google.com,legitimate,"(https, www.google.com, , , , )",https,www,google,com,,,,False


In [347]:
tldNames.head(1)

Unnamed: 0,Domain,Type,TLD Manager
0,.aaa,generic,"American Automobile Association, Inc."


In [349]:
# remove initial period from tlds (as that will prevent merge/joining)
tldsNoPeriod = tldNames['Domain'].apply(lambda tld : tld[1:] if tld[0] == '.' else tld)

In [351]:
urlData['tld'].head(30)

0        com
1        com
2        com
3        com
4        org
5        com
6        com
7      co.in
8        com
9        com
10       com
11       com
12       com
13     co.jp
14       com
15       com
16       com
17       com
18    com.cn
19       com
20       com
21        cn
22        de
23     co.uk
24    com.br
25        fr
26        ru
27       com
28        ru
29       com
Name: tld, dtype: object

In [353]:
# create column for urlData.tld with period and part before period removed
urlData['tld_join'] = urlData['tld'].apply(lambda tld : tld[(tld.find('.') + 1):] if tld.find('.') != -1 else tld)

In [355]:
# add rows from TLD data set
urlData = pd.merge(urlData, tldNames, left_on=urlData.tld_join, right_on=tldsNoPeriod, how='left')

ValueError: cannot insert key_0, already exists

In [357]:
urlData.head(30)

Unnamed: 0,key_0,url,type,parsedUrl,urlPart_scheme,subDomain,domain,tld,urlPart_path,urlPart_query,urlPart_fragment,isIPaddress,tld_join,Domain,Type,TLD Manager
0,com,https://www.google.com,legitimate,"(https, www.google.com, , , , )",https,www,google,com,,,,False,com,.com,generic,VeriSign Global Registry Services
1,com,https://www.youtube.com,legitimate,"(https, www.youtube.com, , , , )",https,www,youtube,com,,,,False,com,.com,generic,VeriSign Global Registry Services
2,com,https://www.facebook.com,legitimate,"(https, www.facebook.com, , , , )",https,www,facebook,com,,,,False,com,.com,generic,VeriSign Global Registry Services
3,com,https://www.baidu.com,legitimate,"(https, www.baidu.com, , , , )",https,www,baidu,com,,,,False,com,.com,generic,VeriSign Global Registry Services
4,org,https://www.wikipedia.org,legitimate,"(https, www.wikipedia.org, , , , )",https,www,wikipedia,org,,,,False,org,.org,generic,Public Interest Registry (PIR)
5,com,https://www.reddit.com,legitimate,"(https, www.reddit.com, , , , )",https,www,reddit,com,,,,False,com,.com,generic,VeriSign Global Registry Services
6,com,https://www.yahoo.com,legitimate,"(https, www.yahoo.com, , , , )",https,www,yahoo,com,,,,False,com,.com,generic,VeriSign Global Registry Services
7,in,https://www.google.co.in,legitimate,"(https, www.google.co.in, , , , )",https,www,google,co.in,,,,False,in,.in,country-code,National Internet Exchange of India
8,com,https://www.qq.com,legitimate,"(https, www.qq.com, , , , )",https,www,qq,com,,,,False,com,.com,generic,VeriSign Global Registry Services
9,com,https://www.amazon.com,legitimate,"(https, www.amazon.com, , , , )",https,www,amazon,com,,,,False,com,.com,generic,VeriSign Global Registry Services


##### Is IP Address?

In [46]:
# check if netloc is an IP address function
def is_ip_address(netloc):
    try:
        ipaddress.ip_address(netloc)
        return True
    except ValueError:
        return False

In [47]:
# create feature - isIPaddress
urlData['isIPaddress'] = urlData['parsedUrl'].apply(lambda urlObj : is_ip_address(urlObj.netloc))

In [48]:
# new features - check head
urlData.head()

Unnamed: 0,url,type,parsedUrl,urlPart_scheme,subDomain,domain,tld,urlPart_path,urlPart_query,urlPart_fragment,isIPaddress
0,https://www.google.com,legitimate,"(https, www.google.com, , , , )",https,www,google,com,,,,False
1,https://www.youtube.com,legitimate,"(https, www.youtube.com, , , , )",https,www,youtube,com,,,,False
2,https://www.facebook.com,legitimate,"(https, www.facebook.com, , , , )",https,www,facebook,com,,,,False
3,https://www.baidu.com,legitimate,"(https, www.baidu.com, , , , )",https,www,baidu,com,,,,False
4,https://www.wikipedia.org,legitimate,"(https, www.wikipedia.org, , , , )",https,www,wikipedia,org,,,,False


In [49]:
# indices of all phish urls
isPhishIdx = urlData[urlData['type'] == 'phishing'].index

In [50]:
# Top phishing schemes
pd.DataFrame(urlData[['urlPart_scheme', 'type']].loc[isPhishIdx].value_counts()).head()

Unnamed: 0_level_0,Unnamed: 1_level_0,count
urlPart_scheme,type,Unnamed: 2_level_1
http,phishing,97947
https,phishing,6483
ftp,phishing,7


In [51]:
# Top phishing domains
pd.DataFrame(urlData[['domain', 'type']].loc[isPhishIdx].value_counts()).head()

Unnamed: 0_level_0,Unnamed: 1_level_0,count
domain,type,Unnamed: 2_level_1
google,phishing,1325
000webhostapp,phishing,978
mhcable,phishing,381
kf25zx,phishing,265
adnxs,phishing,255


In [52]:
# Top phishing subdomains
pd.DataFrame(urlData[['subDomain', 'type']].loc[isPhishIdx].value_counts()).head()

Unnamed: 0_level_0,Unnamed: 1_level_0,count
subDomain,type,Unnamed: 2_level_1
,phishing,69955
www,phishing,13014
sites,phishing,982
webmail,phishing,397
mail,phishing,177


In [53]:
# Top phishing TLDs
pd.DataFrame(urlData[['tld', 'type']].loc[isPhishIdx].value_counts()).head(10)

Unnamed: 0_level_0,Unnamed: 1_level_0,count
tld,type,Unnamed: 2_level_1
com,phishing,51092
net,phishing,5242
,phishing,4321
org,phishing,3540
ru,phishing,3523
com.br,phishing,3319
info,phishing,1827
com.au,phishing,1822
pl,phishing,1326
co.uk,phishing,1295


In [54]:
# % of IP address URLs that is phish
pd.crosstab(urlData['type'], urlData['isIPaddress'])

isIPaddress,False,True
type,Unnamed: 1_level_1,Unnamed: 2_level_1
legitimate,345738,0
phishing,101571,2866


> 100% of the IP address URLs were phishing in this data set

##### Correlation to Target

In [56]:
# relationship between http vs https (secure) and type (phish or not)

In [57]:
# relationship between top level domain and type (phish or not)
# 

In [58]:
# Export df to file
urlData.to_csv('../data/interim/urlData_raw.csv')

- the dataset is very simple and not well suited for statistical analysis in it's current form
- will parse the URLs and perform feature engineering in the next notebook for pre-processing

- play with the data a bit more for EDA
- look at relationship between target and
    - https and http urls
    - .com and .com.in (country specific domains)
    - any other initial analysis that can be done without extensive feature engineering (that will be done in next notebook)
    - resources
        - https://www.geeksforgeeks.org/components-of-a-url/
        - https://www.techtarget.com/whatis/definition/named-entity-recognition-NER   (from Kevin)

In [60]:
# TO DO
# -join the TLD columns
# -do additional EDA
#   -country specific domains    
#   -pivot table (or crosstab or groupby) on the biggest phisher combos
#   -correlations - heatmap