PhishAID Detection Categories

Rule-Based Phishing Detection Framework

PhishAID uses a structured, rule-based detection framework designed to identify phishing websites through explainable and deterministic checks. The rules are grouped into logical categories based on the nature of the phishing indicators they evaluate.

Each rule contributes to a cumulative risk score, which is used to classify a website as Legitimate, Suspicious, or Phishing. This approach ensures transparency and interpretability in every verdict.

Category A — URL & Transport-Level Rules

These rules analyze the structural and transport-layer characteristics of URLs. Many phishing websites exhibit anomalies in protocol usage, domain structure, or hosting patterns that can be detected without inspecting page content.

Rule 1 – HTTPS Usage: Checks whether the website uses a secure HTTPS protocol.
Rule 2 – Raw IP Detection: Identifies URLs that use direct IP addresses instead of domain names.
Rule 3 – URL Length: Flags excessively long URLs commonly used to hide malicious intent.
Rule 4 – @ Symbol: Detects misuse of the “@” symbol to obscure the true destination.
Rule 5 – Subdomain Depth: Evaluates abnormal nesting of subdomains.
Rule 6 – Suspicious TLD: Identifies domains using commonly abused top-level domains.
Rule 7 – Certificate Age: Uses SSL certificate age as a proxy for domain trustworthiness.
Rule 8 – Hyphen Usage: Detects excessive or misleading hyphenated domain names.
Rule 9 – URL Shorteners: Flags shortened URLs that obscure the final destination.
Rule 10 – Login Keywords: Identifies URLs containing sensitive authentication-related terms.

Category B — Identity Deception

Identity deception rules focus on techniques used by attackers to impersonate trusted brands, organizations, or services through visual or lexical tricks.

Rule 21 – Unicode / Homoglyph Detection: Identifies look-alike characters used to mimic trusted domains.
Rule 22 – Typosquatting: Detects domains that closely resemble popular brands using edit-distance logic.

Category C — Structural Anomaly

Structural anomaly rules examine the internal structure and layout of a website to identify cloning or imitation of legitimate pages.

Rule 18 – Clone Phishing: Detects similarity between the target website and known legitimate domains using heuristic comparisons.

Category D — Semantic Intent

Semantic intent rules analyze the implied purpose of a URL or page content to detect urgency-driven or fear-based phishing tactics.

Rule 30 – Semantic Phishing Intent: Identifies suspicious phrases commonly associated with phishing attempts using heuristics (non-AI).

Reserved Rules and Future Expansion

Rules 11–17, 19, 20, 23, 25, 27–29 are part of the PhishAID framework but are currently reserved for future implementation. These rules require more advanced engineering, content analysis, or external data sources.

Reserving these rules allows PhishAID to evolve in phases while maintaining a stable and explainable core detection engine in its current implementation.

Framework Design Philosophy

The rule framework prioritizes explainability over black-box accuracy. Every triggered rule can be independently verified and justified, making the system suitable for academic research, regulatory analysis, and cybersecurity education.