This repository presents a complete workflow for phishing detection leveraging GraphSAGE, a type of Graph Neural Network (GNN), with temporal modeling, causal sampling, and robustness testing.
Phishing attacks often involve subtle patterns that can be better detected using relational and temporal data. This project converts phishing datasets into graphs and applies a GNN model that:
- Respects causal constraints in message passing.
- Incorporates temporal windowing for realistic data flow.
- Tests robustness through noise injection.
- Programming Language: Python
- Graph Processing: PyTorch Geometric
- Machine Learning: PyTorch, Scikit-learn
- Data Handling: pandas, numpy
- Visualization: matplotlib
- Load and clean phishing data from phish.xlsx
- One-hot encode categorical features
- Scale numerical features
- Combine features for each URL
- Create a similarity graph using cosine similarity
- Connect each node to k=5 nearest neighbors
- Partition data into time windows of 10 samples
- Generate PyG Data objects for each time window
- Custom model using SAGEConv, BatchNorm, Dropout
- Enforces causal message passing (no future info leakage)
- Add Gaussian noise to node features
- Randomly flip labels to simulate real-world inconsistencies
- Trained with Binary Cross-Entropy loss and Adam optimizer
- Evaluated using AUC-ROC score and ROC curve visualization
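One way to build the k=5 cosine-similarity graph so that message passing cannot see future samples, shown as an added example that is not this repository's code. It assumes feature rows are already in arrival order and uses only the standard library; the function names and the sample rows are hypothetical.

```python
import math

def cosine(a, b):
    """Cosine similarity of two equal-length vectors (0.0 if either is all zeros)."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0

def knn_edges(feats, k=5, causal=True):
    """Return edge_index as [sources, targets] (PyG layout).

    Rows of `feats` are assumed to be in arrival order. With causal=True a
    node only receives messages from earlier rows; with causal=False it is a
    plain kNN graph over all other rows, which can leak future samples.
    """
    src, dst = [], []
    for i, fi in enumerate(feats):
        cand = range(i) if causal else (j for j in range(len(feats)) if j != i)
        # Highest similarity first; ties broken by the older row.
        ranked = sorted(cand, key=lambda j: (-cosine(fi, feats[j]), j))
        for j in ranked[:k]:
            src.append(j)  # message sender
            dst.append(i)  # message receiver
    return [src, dst]

def future_leaks(edge_index):
    """Edges whose sender arrived after the receiver (empty for a causal graph)."""
    return [(s, t) for s, t in zip(*edge_index) if s > t]

def time_windows(n, size=10):
    """Split row indices 0..n-1 into consecutive windows of `size` samples."""
    return [list(range(a, min(a + size, n))) for a in range(0, n, size)]

def window_edges(edge_index, window):
    """Keep edges fully inside one window, re-indexed from 0 for that window's graph."""
    pos = {g: l for l, g in enumerate(window)}
    kept = [(pos[s], pos[t]) for s, t in zip(*edge_index) if s in pos and t in pos]
    return [[s for s, _ in kept], [t for _, t in kept]]

# Constructed sample: 12 feature rows in arrival order (not taken from phish.xlsx).
SAMPLE = [[1.0, 0.1 * i, float(i % 3)] for i in range(12)]
```

Running `future_leaks` on the graph before training is a cheap regression check: any non-empty result means a node is aggregating features from a sample that arrived after it.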
The model achieved strong performance on phishing detection:
Metric | Value |
---|---|
Accuracy | 86.36% |
Precision | 86.32% |
Recall | 86.36% |
F1-Score | 86.14% |
AUC-ROC | 0.9023 |
- Training Loss and Accuracy Over Epochs (Causal GraphSAGE): Visualizes the convergence of the model during causal training, showing decreasing loss and increasing accuracy over epochs.
- Confusion Matrix: Provides a detailed breakdown of true positives, true negatives, false positives, and false negatives from the final evaluation, illustrating the model's classification accuracy for each class.
- ROC Curve: Illustrates the model's trade-off between True Positive Rate and False Positive Rate across various classification thresholds, with the AUC-ROC score quantifying overall performance.
- Training Loss - Phishing Noise Training: Depicts the loss reduction during the training phase where noise was intentionally injected, demonstrating the model's ability to learn effectively despite data imperfections.
- Overall Training Loss/Accuracy: Shows the general learning progression of the model, likely from an initial training phase, with loss decreasing and accuracy increasing.
- Visual Interface: The dashboard visualizes the data fed to the global (fusion classifier) and attack-specific models. It shows class probabilities, a graph plot, accuracy metrics, the confidence scores of both models, and the probable reason behind each model's classification.
The project relies on the following key libraries:
- Python 3.x
- torch (PyTorch)
- torch-geometric (PyG)
- torch-scatter
- pandas
- numpy
- scikit-learn
- matplotlib
- gradio
git clone https://github.com/spk-22/Phish-Guard
pip install -r requirements.txt
# (Or manually install: torch, torch-geometric, scikit-learn, pandas, numpy, matplotlib)
# Ensure torch-geometric, torch-scatter, and torch-sparse versions are compatible with your PyTorch version.
python phish.py
streamlit run web_app.py
This pipeline is ideal for cybersecurity researchers and engineers looking to detect phishing attempts using relational and temporal patterns within data. The AUC-ROC score of 0.9023 signifies excellent discriminative power, even when trained on noisy data, indicating the model's strong ability to differentiate between phishing and legitimate attempts.