A Hybrid Deep Learning and Anomaly Detection Framework for Real-Time Malicious URL Classification
Berkani Khaled, Zeraoulia Rafik
TL;DR
This work tackles the challenge of real-time malicious URL detection by proposing a hybrid framework that fuses hashing-based n-gram features, SMOTE balancing, Isolation Forest anomaly filtering, and a lightweight neural network. The system processes threat feeds and synthetic benign URLs with statistical and character-level features, achieving 96.4% accuracy and 97.3% ROC-AUC while delivering predictions in ~20 ms per URL and training in ~45 s on CPU. It outperforms CNN and SVM baselines and offers a scalable, multilingual Tkinter GUI for real-time threat assessment. The approach demonstrates strong generalization, robustness to obfuscated URLs, and practical deployment potential in multilingual environments.
Abstract
Malicious URLs remain a primary vector for phishing, malware, and cyberthreats. This study proposes a hybrid deep learning framework combining \texttt{HashingVectorizer} n-gram analysis, SMOTE balancing, Isolation Forest anomaly filtering, and a lightweight neural network classifier for real-time URL classification. The multi-stage pipeline processes URLs from open-source repositories with statistical features (length, dot count, entropy), achieving $O(NL + EBdh)$ training complexity and a 20\,ms prediction latency. Empirical evaluation yields 96.4\% accuracy, 95.4\% F1-score, and 97.3\% ROC-AUC, outperforming CNN (94.8\%) and SVM baselines with a $50\!\times$--$100\!\times$ speedup (Table~\ref{tab:comp-complexity}). A multilingual Tkinter GUI (Arabic/English/French) enables real-time threat assessment with clipboard integration. The framework demonstrates superior scalability and resilience against obfuscated URL patterns.
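The feature stage named in the abstract (hashed character n-grams plus length, dot count, and entropy), sketched as an added example that is not the authors' code. It uses only the Python standard library, with CRC32 standing in for the hash inside scikit-learn's `HashingVectorizer`; the bucket count, n-gram range, and sample URLs are assumptions, not values from the paper.

```python
import math
import zlib
from collections import Counter

N_BUCKETS = 1024      # assumed hash dimension; the abstract does not give one
NGRAM_RANGE = (2, 4)  # assumed character n-gram sizes; not from the paper


def shannon_entropy(s):
    """Shannon entropy of the character distribution, in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def hashed_ngrams(url, n_buckets=N_BUCKETS, ngram_range=NGRAM_RANGE):
    """Map character n-grams into a fixed-width, L2-normalised vector."""
    vec = [0.0] * n_buckets
    lo, hi = ngram_range
    for n in range(lo, hi + 1):
        for i in range(len(url) - n + 1):
            h = zlib.crc32(url[i:i + n].encode("utf-8"))
            # The top hash bit picks a sign so colliding n-grams tend to cancel
            # rather than pile up in one bucket.
            vec[h % n_buckets] += 1.0 if h < 0x80000000 else -1.0
    norm = math.sqrt(sum(v * v for v in vec))
    return [v / norm for v in vec] if norm else vec


def url_features(url):
    """Hashed n-gram vector followed by [length, dot count, entropy]."""
    stats = [float(len(url)), float(url.count(".")), shannon_entropy(url)]
    return hashed_ngrams(url) + stats


if __name__ == "__main__":
    # Constructed sample URLs (reserved .test names), not from any threat feed.
    samples = [
        "http://example.test/index.html",
        "http://login.example.test.a9f3kq.test/verify?id=8f2a1c",
    ]
    for u in samples:
        f = url_features(u)
        print(f"{len(f)} dims  len={f[-3]:.0f} dots={f[-2]:.0f} "
              f"entropy={f[-1]:.2f}  {u}")
```

Because the vector width is fixed by the bucket count rather than by a learned vocabulary, a URL containing n-grams never seen in training still maps to the same feature space, which is what lets the downstream classifier score previously unseen URLs without refitting the vectorizer.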
