Political Optimization Algorithm with a Hybrid Deep Learning Assisted Malicious URL Detection Model

Abstract

With the enhancement of the Internet of Things (IoT), smart cities have developed the idea of conventional urbanization. IoT networks permit distributed smart devices to collect and process data in smart city structures utilizing an open channel, the Internet. Accordingly, challenges like security, centralization, privacy (i.e., execution data poisoning and inference attacks), scalability, transparency, and verifiability restrict faster variations of smart cities. Detecting malicious URLs in an IoT environment is crucial to protect devices and the network from potential security threats. Malicious URL detection is an essential element of cybersecurity. It is established that malicious URL attacks mean large risks in smart cities, comprising financial damages, losses of personal identifications, online banking, losing data, and loss of user confidentiality in online businesses, namely e-commerce and employment of social media. Therefore, this paper concentrates on the proposal of a Political Optimization Algorithm by a Hybrid Deep Learning Assisted Malicious URL Detection and Classification for Cybersecurity (POAHDL-MDC) technique. The presented POAHDL-MDC technique identifies whether malicious URLs occur. To accomplish this, the POAHDL-MDC technique performs pre-processing to transform the data to a compatible format, and a Fast Text word embedding process is involved. For malicious URL recognition, a Hybrid Deep Learning (HDL) model integrates the features of stacked autoencoder (SAE) and bi-directional long short-term memory (Bi-LSTM). Finally, POA is exploited for optimum hyperparameter tuning of the HDL technique. The simulation values of the POAHDL-MDC approach are tested on a Malicious URL database, and the outcome exhibits an improvement of the POAHDL-MDC technique with a maximal accuracy of 99.31%.

1. Introduction

At present, there is a development of Internet of Things (IoT) mechanisms in sustainable smart environments [1]. The development of IoT devices has led to enhanced security vulnerabilities, creating general consumers as victims of various kinds of safety attacks by malicious Uniform Resource Locators (URLs), as any devices in a shared IoT system are dependent upon URLs [2]. Hackers often use phishing and spam to trick consumers by clicking malicious URLs, Trojans are embedded into computers, or the delicate data of victims may be leaked [1]. This malicious URL identification technology could assist users in finding malevolent URLs and stop users from malevolent URL attacks. Conventionally, studies on malicious URL recognition adopt blacklist-related techniques for detecting malicious URLs [2]. This technique has several exclusive benefits. It consists of a lower false-positive rate, has a high speed, and is easy to realize. Yet, today, domain generation algorithms (DGA) can produce thousands of diverse malicious field names on a daily basis, which could be identified effectively by classical blacklist-related approaches [3]. To detect malicious URLs, research scholars use an ML approach. However, such techniques should derive the features manually, and hackers can devise such attributes to avoid being recognized [4]. Confronted with the current complicated network, devising a more potentially malevolent URL identification method is a focus of study.

Aggressors can use vulnerable sites to execute malicious intent [5]. For instance, attackers inject cross-site scripting into susceptible sites to acquire the sensitive data of the target or execute phishing. Many solutions have been devised to identify these websites precisely. Such solutions are script-based, URL-related, and web content-related [6]. URL-based identification and content-related detection are the most used methods, while some research was performed on script-based identification. URL-related detection is a superior choice, as it can be a safe and proactive method for distinguishing machines; it can find malicious URLs before the user visits them [7]. Furthermore, identifying malicious URLs has the potential for resource-limited and real-time detection applications such as mobile and IoT devices. Different methods were recommended to find harmful content and malicious websites by extracting attributes from their URLs [8]. Many approaches depend on humans to derive features, whereas specific solutions make use of deep learning (DL) approaches for feature automation. Various sets of features have been used and derived for identifying host information features such as host sponsor and country name, domain features, namely .tk and .com, and lexical features, such as counting of the dots in the URL length and URL [9]. Hackers may utilize evasive approaches to bypass security countermeasures [10]. Hence, any attributes derived from such URLs are misleading since the aggressor could use them to conceal malevolent patterns and the malevolent intent of websites.

This research concentrates on the proposal of a Political Optimization Algorithm with a Hybrid Deep Learning Assisted Malicious URL Detection and Classification for Cybersecurity (POAHDL-MDC) technique. The presented POAHDL-MDC technique identifies whether malicious URLs occur or not. To accomplish this, the POAHDL-MDC technique follows pre-processing to transform it to a compatible format, and a Fast Text word embedding process is involved. For malicious URL detection, Hybrid DL (HDL) model integrates the features of SAE and Bi-LSTM. Finally, POA can be used for the optimal hyperparameter tuning of the HDL technique. The simulation results of the POAHDL-MDC methodology can be tested on a benchmark database. In short, the main contributions are given below.

• An automated POAHDL-MDC model comprising pre-processing, word embedding, HDL recognition, and POA-based hyperparameter tuning is proposed for malicious URL classification. To the best of our knowledge, the POAHDL-MDC methodology has never existed in other studies.
• The HDL classification method combines the strengths of SAE and BiLSTM models to improve the exactness of malicious URL classification.
• Hyperparameter optimization of the HDL model employing the POA model, utilizing cross-validation, aids in enhancing the forecast results of the HDLPOA-MDC technique for unseen data.

The rest of the paper is classified as follows. Section 2 produces related works, and Section 3 offers the proposed model. Then, Section 4 offers the result analysis, and Section 5 concludes the paper.

2. Related Works

Patgiri et al. [11] developed a new malicious URL detection method named DL and Bloom Filter (deepBF). DeepBF is obtainable twofold. The authors primarily devised a learned Bloom Filter using a 2D Bloom Filter. The authors experimentally determined the optimal non-cryptography string hash function. Afterwards, the authors devised a malicious URL recognition system utilizing DL. To find malicious URLs, the authors implemented the evolutionary CNN. Wanda and Jie [12] devised a deep learning using a new convolutional neural network (CNN) called URL Deep. Rather than utilizing classical CNNs, the authors employed Dynamic CNNs. It could allow the same signal on a similar CNN channel. URL Deep’s graph was dynamically upgraded after all layers of the network were analyzed.

In [13], an enhanced DL-related phishing detection method was developed by incorporating the strengths of a deep neural network (DNN) and a variational autoencoder (VAE). In the structure presented, the VAE model automatically extracted the basic features of the raw URL by rebuilding the original input URL to enhance phishing URL detection. The aim of Angadi and Shukla’s [14] study was to accumulate a list of significant attributes exploited to classify and detect malicious URLs. This study suggests lexical aspects and host-based URLs for increasing the efficacy of classifiers to detect malicious URLs. Utilizing ML classifiers called RF and AdaBoost techniques, Benign and Malicious URLs are categorized. In [15], the authors introduced a complete prototype of malicious URL detection through ML techniques. Specifically, the authors designed a technique utilizing the AdaBoost approach and tried a precise method of making Malicious URL exposure from an ML perspective.

In [16], the authors assessed many existing DL-oriented character-level-embedding approaches for malicious URL detection. The authors devised DeepURLDetect (DURLD), where raw URLs were encrypted through character-level embedding for transforming and using performance development. To capture different kinds of data in the URL, the authors utilized hidden layers in the DL structure to derive features in character level embedded and used a nonlinear activation function. Alsaedi et al. [17] targeted the enhancement of the recognition exactness of malicious URL recognition by developing and devising a cyber-threat intelligence-related malicious URL identification method through two-step ensemble learning. This study introduced a two-step ensemble-learning approach that combined the RF technique to pre-classify with multilayer perceptron (MLP) for decision-making.

While recent DL models have received significant attention in cybersecurity, the application of metaheuristic algorithms for optimizing hyperparameters of DL methods needs to be explored further. There is a great need to fine-tune hyperparameter values of DL models in cybersecurity tasks, which are computationally intensive and require substantial computational resources. The use of metaheuristics can optimize the DL models to eliminate the human trial and error approach. Addressing these study gaps can lead to the development of more effective and efficient DL-based cybersecurity solutions that are fine-tuned using metaheuristic algorithms, ultimately enhancing overall security posture in an increasingly digital and connected world. Some of the recently developed metaheuristic algorithms are the number hummingbird algorithm (AHA), atom search optimization, sine cosine algorithm (SCA), equilibrium optimizer (EO), the Giant Trevally Optimizer, and the Remora Optimization technique.

3. The Proposed Model

In this study, we present a unique POAHDL-MDC method for programmed recognition and classification of malicious URLs. The POAHDL-MDC approach has several stages of operations, namely pre-processing, Fast Text word embedding, HDL-based malicious URL detection, and POA-based hyperparameter tuning. Figure 1 signifies the workflow of the POAHDL-MDC methodology.

Figure 1. Workflow of the POAHDL-MDC approach.

3.1. Pre-Processing

In this stage, with the help of the natural language processing (NLP) text pre-processing method, the URL is pre-processed by eradicating symbols. As URLs are crawled from websites, unnecessary texts such as punctuation, HTML codes, and symbols are eliminated to enhance classifier performance and minimize feature complexity. The gathered text data are transformed to lowercase and normalized. The normalization procedure is twofold. Initially, the text in the unstructured dataset is transformed into a structured word vector. Then, the feature vector scarcity is diminished by eliminating unwanted words and words decreased by rooting words to their original form. The normalization begins with tokenization, after the elimination of stemming, stop words, and lemmatization. Lastly, the words are transformed to their corresponding numerical formats. Stemming is a transforming procedure that converts the words into their roots, for instance, eradicating “ing” from the word and “s” from the plural words. Lemmatization converts the words using a lexical knowledge base into the base form by rooting verbs, for example, ‘took’ to ‘take’.

3.2. Word Embedding Using Fast Text

In this work, the Fast Text technique is employed for the word embedding process. ‘Word embedded’ refers to a distributional representation of words, but all the words are mapped to a shared lower dimension space, and all the words are connected to a d-dimension vector [18]. In various word embedding, fastText does not ignore the word morphology. This approach is dependent upon continuous skip grams. Currently, every word can be determined as a character $n$-gram. Yet $n=3$, the word rapid is as follows:

$$<qu,qui,uic,ick,ck>$$

This technique maintains subword data and evaluates valid words embedded in out-of-vocabulary words. Therefore, it offers a vector to hidden words in the trained word embedding.

For learning word representation, fastText, followed by continuous skip grams established by the author, can be easier and work well with a smaller training data count. However, this model disregards the internal world infrastructure. The fastText presents various scoring functions for preserving the subword data.

To provide the word $w$, the group of $n$ grams performing in $w$ is $N_w\subset \{1,N\},$ whereas $N$ denotes the dictionary size of $n$-grams. The vector representation $Z_g$ is allocated to every $n$-gram $n$. Therefore, the drive scoring function develops:

$$s\left(w,c\right)={\displaystyle \sum _{n\in N_w}^{}}{Z}_g^T{V}_c$$

(1)

where $c$ denotes the context word, and $V_c$ signifies the context vector.

3.3. Malicious URL Detection Using HDL

The HDL model is employed for automated malicious URL detection. The auto-encoder (AE) refers to an unsupervised neural network mechanism that learns the hidden features of an inputted dataset, names the encoding (coding) function, while applying the learned newest feature to recreate the original input dataset, and names the decoding function [19]. AE has $one$ hidden layer (HL). Significantly, the input and output layers of the AE are equivalent.

The sigmoid function is applied as $s_{f^1}$ and $s{f}^2$, where $1={\left[x_{11},x_{12},\dots ,x_{1dl}\right]}^T\in R^{ld1},b_1\in R^{ld1},x_2={\left[x_{21},x_{22},\dots ,x_{2dl}\right]}^T\in R^{2dr},b_2\in R^{2dr}h=$ $[h_1,h_2,\cdots ,h_{dh}{]}^T\in R^{dh}$, where $h$ denotes the connection vector between $x_1$ and $x_2;b_1$ and $b_2$ represent the deviation vector.

$$h=f_1\left(x1\right)=sf1\left(W_{1^{X}1}+b_1\right)$$

(2)

$$x_2=f_2\left(h\right)={\mathrm{s}}_{\mathrm{f}2}\left(W_{2}h+b_2\right)$$

(3)

$$\begin{gathered} J(W,b)=J(w1,w2,b_1,b_2) \\ ={\displaystyle \sum _{i=1}^N}\Vert x_2-x_1\Vert /2N={\displaystyle \sum _{i=1}^N}\Vert g_{\theta }\left(x_2\right)-x_1\Vert /2N \end{gathered}$$

(4)

SAE represents the superposition of more than one $AEs$. Once the initial AE is implemented, successive AEs are implemented in order until the $N$-$\mathrm{t}\mathrm{h},$ and the resultant output is the SAE superimposition outcome. Equation (7) signifies the variable that all AE disseminates to the following layer.

LSTM is a common kind of recurrent neural network (RNN) and is better suited for modeling time-series data, namely humidity, day-to-day air temperature, seawater salinity, air pressure, and other data attained by text buoys due to their design characteristics. In recent times, a new NN, named LSTM, has been implemented. The three major arithmetical structures in LSTM define that it achieves LSTM based on RNN.

The forgetting door is a way of selecting forget, and is given as follows:

$$f_t=\sigma \left(W_f\cdot \left[h_{t-1},x_t\right]+b_f\right)$$

(5)

where $f_t$ denotes outcome attained by forgetting gates, and $W_f$ shows the vector that defines the input weight; $b_f$ represents the bias vector; $h_{t-1}$ indicates the HL at the final moment; the present input $x_i;\sigma$ denotes the activation function:

$$\begin{gathered} W_f\cdot [h_{t-1},x_i]=[W_f]\cdot \left[\begin{array}{c}{h}_{t-1}\\ x_t\end{array}\right] \\ =\left[W_{fh}{W}_{fx}\right]\left[\begin{array}{c}{h}_{t-1}\\ x_t\end{array}\right]=W_{fh}{h}_{t-1}+W_{fx}{x}_t \end{gathered}$$

(6)

The input gate chooses the data that must be memorized, and it can be represented as follows:

$$\left\{\begin{array}{l}{i}_t=\sigma (W_i\cdot [h_{t-1},x_t]+b_i)\\ c_t=f_t\cdot c_{t-1}+i_t\cdot \mathrm{t}\mathrm{a}\mathrm{n}h(W_c\cdot [h_{t-1},x_t]+b_c)\end{array}\right.$$

(7)

where $h_{t-1}$ denotes resultant output at the final moment. $I_t$ denotes the value of the input gate, $c_t$ and $c_{t-1}$ show the activation and cell state at the final moment, $W_i$ represents weight in the input gate; ${andW}_c$ denotes the forget gate’s weight. $b_i$ shows the input gate’s bias vector; $b_c$ represents the forget gate’s bias vector.

The output gate can be represented as:

$$\left\{\begin{array}{l}{o}_t=\sigma (W_0\cdot [h_{t-1},x_t]+b_o)\\ h_t=0_t\cdot \mathrm{t}\mathrm{a}\mathrm{n}h\left(c_t\right)\end{array}\right.$$

(8)

In Equation (8), $h_t$ represents the outcome of the output gate, $O_t$ denotes the vector, and $b_o$ shows the offset vector. $W_o$ indicates the weights.

LSTM predicts the outcome at a later time, depending on the timing data of the previous time. For certain issues, the present production is relevant to the prior and future states. The principles of LSTM linking two networks remain unchanged. The forward LSTM obtains the previous dataset of input series, and the backward LSTM obtains the future dataset of input:

$$\left\{\begin{array}{c}\overrightarrow{h_{rf}}=\overrightarrow{LSTM}(W_1{h}_{t-1},W_2{x}_t,c_{t-1})\\ \overrightarrow{h_{tb}}=\overrightarrow{LSTM}(W_3{h}_{t+1},W_4{x}_t,c_{t+1})\\ H_t\left[\overrightarrow{h_{rf}},\overrightarrow{h_{tb}}\right]\end{array}\right.$$

(9)

The hidden layer $H_t$ of BLSTM at $t$ time involves forward $h_{rf}$ and backward $h_{tb};W_1,$ $W_2,$ $W_3$ and $W_4$ are correspondingly the represent weight coefficients; $x_t$ shows the input at $t$ time; $ht$ denotes the hidden state at time $t$.

The data transmission process accomplishes the fusion of two approaches in the HDL model: a partially supervised fine-tuning network, presenting the evaluation index, $E_o$, and fine-tuning the weight over the backpropagation technique, especially SAE-implemented unsupervised learning and supervised fine-tuning. In the trained method, the input dataset is mapped towards the HL over the first layer AE using Equations (2)–(4). Then, the AE is superimposed, and the whole network is well-trained until the final $AE$. The fine-tuning of the whole model by Equation (10) is implemented by applying backpropagation (BP) to attain a better weight.

$$E_o=\frac{1}{2}{\displaystyle \sum _{i=1}^{N_i}}(A_i-F_i)/N$$

(10)

where $N$ characterizes the number of samples, $A_i$ shows the actual value, and $F_i$ indicates the forecasted value. Based on the SAE output, training the BLSTM network makes predictions for the prediction, training, and testing groups. The outcome can be attained afterwards by passing the comparison of the assessment conditions.

3.4. Hyperparameter Tuning

At the final stage, a POA is employed for optimum hyperparameter tuning of the HDL technique. The POA is a novel meta-heuristic system motivated by political processes like constituency allocation, party formation, party switching, inter-party elections, election campaigns, and government development [20]. POA includes five stages, given below. The party formation and constituency allotment stages take place when the population is initialized, and the residual stages are initialized to run in the loop.

The search agent in the POA includes $n$ political parties as shown in Equation (11), where all the parties $\left(p{r}_i\right)$ have $n$ members, as shown in Equation (12). $p_i^{{\mathrm{r}}^{\mathrm{j}}}$ refers to the $j$-$\mathrm{t}\mathrm{h}$ members of $i$-$\mathrm{t}\mathrm{h}$ party, which can be treated as a candidate solution where $p_i^{{\mathrm{r}}^{\mathrm{j}}}$ denotes a vector of length $d$ as shown in Equation (13), where $d$ represents the number of decision variables belonging to the optimizer problems. Consequently, the size of populations is the square of $n,$ as shown in Equation (14). Also, $n$ constituencies exist, as shown in Equation (15). The $j$-$\mathrm{t}\mathrm{h}$ members in each party contest the election from the $j$-$\mathrm{t}\mathrm{h}$ constituencies $C_j$, as modeled by Equation (16).

$$pr=\left\{p{r}_1,p{r}_2,p{r}_3,\dots ,p{r}_n\right\}$$

(11)

$$p{r}_i=\left\{p{r}_i^1,p{r}_i^2,p{r}_i^3,\dots ,p{r}_i^n\right\}$$

(12)

$$p{\mathrm{r}}_i^{\mathrm{j}}={\left[{pr}_{i,1}^j,\cdot p{r}_{i,2}^j,p{r}_{i,3}^j,{pr}_{i,d}^j\right]}^T$$

(13)

$$populationSize=n^2$$

(14)

$$Co=\left\{C{o}_1,C{o}_2,C{o}_3,\dots ,C{o}_n\right\}$$

(15)

$$C{o}_j=\left\{{\mathrm{p}\mathrm{r}}_1^j,{pr}_2^{\mathrm{j}}.,{pr}_3^j,p{r}_n^j\right\}$$

(16)

Election demonstrates how the election procedure is simulated. The best member in every party is named leader, $i$-$\mathrm{t}\mathrm{h}$ parties are represented as $p{r}_i^{*}$ and the set having the party leader is signified as $p{r}^{*},$ demonstrated in Equation (17). After the election, the constituency winner becomes a parliamentarian. The best member from all the constituencies is regarded as the constituency winner. $C{o}^{*}$ shows the constituency winners or parliamentarians’ group, whereas $C{o}_j^{*}$ signifies the parliamentarian or winner of the $j$-$\mathrm{t}\mathrm{h}$ constituencies, as shown below.

$$p{r}^{*}=\left\{p{r}_1^{*},p{r}_2^{*},p{r}_3^{*},\dots ,p{r}_n^{*}\right\}$$

(17)

$$C{o}^{*}=\left\{C{o}_1^{*},C{o}_2^{*},C{o}_3^{*},\dots ,C{o}_n^{*}\right\}$$

(18)

In an election campaign, every candidate solution location is upgraded based on the constituency winner $\left(C{o}_j^{*}\right)$ and the party leader $\left(p{r}_i^{*}\right)$ is allocated by applying Equations (19) and (20) according to the best candidate in the prior iteration. Once the candidate’s fitness increases, Equation (19) is exploited. Otherwise, Equation (20) is used. In all scenarios, every candidate’s location is firstly upgraded based on the parliamentarian $C{o}_j^{*}$ and the party leader $p{r}_i^{*}.$ $t$ shows the iteration index, $r$ denotes the random variable within $[0,1]$, and $m^{*}$ first possesses the value of $k$-$\mathrm{t}\mathrm{h}$ dimensions of the leader of $i$-$\mathrm{t}\mathrm{h}$ parties $p{r}_{i,k}^{*}$, then parliamentarian $c{o}_{j,k}^{*}.$

$$p{r}_{i,k}^j\left(t+1\right)=\left\{\begin{array}{l}{m}^{*}+r\left(m^{*}-p{r}_{i,k}^j\left(t\right)\right)ifp{r}_{i,k}^j\left(t-1\right)\\ \le p{r}_{i,k}^j\left(t\right)\le m^{*}orp{r}_{i,k}^j\left(t-1\right)\ge p{r}_{i,k}^j\left(t\right)\ge m^{*}\\ m^{*}+\left(2r-1\right)\left|m^{*}-p{r}_{i,k}^j\left(t\right)\right|ifp{r}_{i,k}^j\left(t-1\right)\\ \le m^{*}\le p{r}_{i,k}^j\left(t\right)orp{r}_{i,k}^j\left(t-1\right)\ge m^{*}\ge p{r}_{i,k}^j\left(t\right)\\ m^{*}+\left(2r-1\right)\left|m^{*}-p{r}_{i,k}^j\left(t-1\right)\right|if{m}^{*}\\ \le p{r}_{i,k}^j\left(t-1\right)\le p{r}_{i,k}^j\left(t\right)\mathrm{o}\mathrm{r}{m}^{*}\ge p{r}_{i,k}^j\left(t-1\right)\ge p{r}_{i,k}^j\left(t\right)\end{array}\right.$$

(19)

$$p{r}_{i,k}^j\left(t+1\right)=\left\{\begin{array}{l}{m}^{*}+\left(2r-1\right)\left|m^{*}-p{r}_{i,k}^j\left(t\right)\right|ifp{r}_{i,k}^j\left(t-1\right)\le p{r}_{i,k}^j\left(t\right)\\ \le m^{*}orp{r}_{i,k}^j\left(t-1\right)\ge p{r}_{i,k}^j\left(t\right)\ge m^{*}\\ p{r}_{i,k}^j+r(p{r}_{i,k}^j\left(t\right)-p{r}_{i,k}^j\left(t-1\right)ifp{r}_{i,k}^j(t-1)\le m^{*}\\ \le p^{f_k\left(\mathcal{J}\right)}orp{\parallel }_k\left(r-1\right)\ge m^{*}\ge p{r}_{i,k}^j\left(t\right)\\ m^{*}+\left(2r-1\right)\left|m^{*}-p{r}_{i,k}^j\left(t-1\right)\right|if{m}^{*}\\ \le p{r}_{i,k}^j\left(t-1\right)\le p{r}_{i,k}^j\left(t\right)\mathrm{o}\mathrm{r}{m}^{*}\ge p{r}_{i,k}^j\left(t-1\right)\ge p{r}_{i,k}^j\left(t\right)\end{array}\right.$$

(20)

In politics, the party-switching phase takes place concurrently with the election campaign stage, but in $PO,$ this phase takes place after the election campaign stage. A parameter called party switching rate $\lambda$ may be determined, that starts with the maximal value, ${\lambda }_{\mathrm{m}ax}$, then declines linearly to $0$, where the user tunes ${\lambda }_{max}$. All the party members $p{d}_{\iota }$ are selected with a certain probability, $\lambda$, to be switched with an arbitrary party $p_{er}$, where it substitutes the minimum fit member in that party. This phase is implemented to balance exploration and exploitation.

The constituency winners, along with the party leaders, are determined after the government formation. The entire parliamentarian $C{o}_j^{*}$ upgrades its location based on the randomly selected constituency winner $C{o}_r^{*}$ based on Equation (21), and if this location update results in some improvement in the fitness of $C{o}_j^{*},$ the location and fitness of $C{o}_j^{*}$ are upgraded. Now, $a$ in Equation (21) is a random integer within $[0,1]$. Remember, $C{o}_j^{*}$ is upgraded to $C{o}_{j_{new}}^{*}$ only if the fitness of $C{o}_{j_{new}}^{*}$ is superior to the fitness of $C{o}_j^{*}.$

$$C{o}_{j_{new}}^{*}=C{o}_r^{*}+\left(2a-1\right)\left|C{o}_r^{*}-C{o}_j^{*}\right|$$

(21)

Fitness selection is a considerable factor influencing the behavior of the POA method. The hyperparameter selection procedure contains a solution-encoding model to measure the effectiveness of candidate solutions. In this study, POA refers to exactness as the main criterion to plan the fitness function, expressed below:

$$Fitness=max\left(P\right)$$

$$P=\frac{TP}{TP+FP}$$

(22)

where TP and FP signify true positive and false positive values, respectively.

4. Results and Discussion

The developed technique is simulated by employing the Python 3.6.5 tool. The presented method is tested on PC i5-8600k, GeForce 1050Ti 4GB, 16GB RAM, 250GB SSD, and 1TB HDD. The experimental outcome of the POAHDL-MDC methodology can be assessed by employing a Malicious URL database [21,22,23] comprising 651,191 URLs with four class labels, as represented in Table 1. A set of measures is utilized in order to test the classification outcomes accuracy ($acc{u}_y$), sensitivity ($sen{s}_y$), specificity ($spe{c}_y$), and F-score ($F_{score}$).

Table 1. Details on the dataset.

Classes	Number of URLs
Benign	428,103
Defacement	96,457
Phishing	94,111
Malware Link	32,520
Total No. of URLs	651,191

Sensitivity: estimates the proportion of positive samples accurately categorized.

$$\mathrm{S}\mathrm{e}\mathrm{n}\mathrm{s}\mathrm{i}\mathrm{t}\mathrm{i}\mathrm{v}\mathrm{i}\mathrm{t}\mathrm{y}=\frac{\mathrm{T}\mathrm{P}}{\mathrm{T}\mathrm{P}+\mathrm{F}\mathrm{N}}$$

(23)

Specificity: scales the proportion of negative samples exactly classified.

$$\mathrm{S}\mathrm{p}\mathrm{e}\mathrm{c}\mathrm{i}\mathrm{f}\mathrm{i}\mathrm{c}\mathrm{i}\mathrm{t}\mathrm{y}=\frac{\mathrm{T}\mathrm{N}}{\mathrm{T}\mathrm{N}+\mathrm{F}\mathrm{P}}$$

(24)

Accuracy scales the proportion of correctly classified samples (positives and negatives) against total samples (number of samples classified).

$$\mathrm{A}\mathrm{c}\mathrm{c}\mathrm{u}\mathrm{r}\mathrm{a}\mathrm{c}\mathrm{y}=\frac{\mathrm{T}\mathrm{P}+\mathrm{T}\mathrm{N}}{\mathrm{T}\mathrm{P}+\mathrm{T}\mathrm{N}+\mathrm{F}\mathrm{P}+\mathrm{F}\mathrm{N}}$$

(25)

F-score: extends the number of true positives separated by the number of true positives plus the number of false positives.

$$\mathrm{F-score}=\frac{2\mathrm{T}\mathrm{P}}{2\mathrm{T}\mathrm{P}+\mathrm{F}\mathrm{P}+\mathrm{F}\mathrm{N}}$$

(26)

The confusion matrices of the POAHDL-MDC methodology on malicious URL recognition are shown in Figure 2. The outcome highlights that the POAHDL-MDC method identifies four types of malicious URLs.

Figure 2. Confusion matrices of the POAHDL-MDC method (a,b) 80% of the TR set and 20% of the TS set and (c,d) 70% of the TR set and 30% of the TS set.

In Table 2 and Figure 3, the results of the POAHDL-MDC method, with an 80:20 ratio of TR/TS sets, are displayed. The table values signify an enhanced solution of the POAHDL-MDC system. For example, with 80% of the TR set, the POAHDL-MDC techniques attain an average $acc{u}_y$ of 98.96%, $pre{c}_n$ of 95.75%, $sen{s}_y$ of 95.36%, $spe{c}_y$ of 99.12%, and an $F_{score}$ of 95.55%. Also, with 20% of the TS set, the POAHDL-MDC algorithm gains an average $acc{u}_y$ of 98.94%, $pre{c}_n$ of 95.78%, $sen{s}_y$ of 95.24%, $spe{c}_y$ of 99.12%, and an $F_{score}$ of 95.50%.

Table 2. Classifier outcome of the POAHDL-MDC method on 80% of TR set and 20% of TS set.

Class	$\mathit{A}\mathit{c}\mathit{c}{\mathit{u}}_{\mathit{y}}$	$\mathit{P}\mathit{r}\mathit{e}{\mathit{c}}_{\mathit{n}}$	$\mathit{S}\mathit{e}\mathit{n}{\mathit{s}}_{\mathit{y}}$	$\mathit{S}\mathit{p}\mathit{e}{\mathit{c}}_{\mathit{y}}$	${\mathit{F}}_{\mathit{s}\mathit{c}\mathit{o}\mathit{r}\mathit{e}}$
Training Phase (80%)
Benign	98.71	99.01	99.03	98.09	99.02
Defacement	98.91	96.28	96.36	99.35	96.32
Phishing	99.25	97.07	97.75	99.50	97.41
Malware Link	98.97	90.63	88.31	99.52	89.45
Average	98.96	95.75	95.36	99.12	95.55
Testing Phase (20%)
Benign	98.73	99.03	99.03	98.16	99.03
Defacement	98.89	96.17	96.41	99.33	96.29
Phishing	99.21	96.73	97.81	99.44	97.26
Malware Link	98.93	91.20	87.73	99.54	89.43
Average	98.94	95.78	95.24	99.12	95.50

Figure 3. Classifier outcome of the POAHDL-MDC technique on 80% of the TR set and 20% of the TS set.

In Table 3 and Figure 4, the classifier results of the POAHDL-MDC method with 70:30 of TR/TS sets are displayed. The result signifies a greater result for the POAHDL-MDC technique. For example, with 70% of the TR set, the POAHDL-MDC algorithm gains an average $acc{u}_y$ of 99.28%, $pre{c}_n$ of 97.04%, $sen{s}_y$ of 97.76%, $spe{c}_y$ of 99.43%, and an $F_{score}$ of 97.40%. Additionally, with 30% of the TS set, the POAHDL-MDC technique gains an average $acc{u}_y$ of 99.31%, $pre{c}_n$ of 97.21%, $sen{s}_y$ of 97.82%, $spe{c}_y$ of 99.45%, and an $F_{score}$ of 97.51%.

Table 3. Classifier result of the POAHDL-MDC model on 70% of the TR set and 30% of the TS set.

Class	$\mathit{A}\mathit{c}\mathit{c}{\mathit{u}}_{\mathit{y}}$	$\mathit{P}\mathit{r}\mathit{e}{\mathit{c}}_{\mathit{n}}$	$\mathit{S}\mathit{e}\mathit{n}{\mathit{s}}_{\mathit{y}}$	$\mathit{S}\mathit{p}\mathit{e}{\mathit{c}}_{\mathit{y}}$	${\mathit{F}}_{\mathit{s}\mathit{c}\mathit{o}\mathit{r}\mathit{e}}$
Training Phase (70%)
Benign	99.02	99.45	99.06	98.94	99.25
Defacement	99.33	98.04	97.42	99.66	97.73
Phishing	99.27	96.76	98.26	99.44	97.50
Malware Link	99.51	93.93	96.30	99.67	95.10
Average	99.28	97.04	97.76	99.43	97.40
Testing Phase (30%)
Benign	99.04	99.46	99.08	98.97	99.27
Defacement	99.34	98.07	97.51	99.66	97.79
Phishing	99.32	96.84	98.48	99.46	97.65
Malware Link	99.53	94.49	96.20	99.70	95.34
Average	99.31	97.21	97.82	99.45	97.51

Figure 4. Classifier outcome of the POAHDL-MDC technique on 70% of the TR set and 30% of the TS set.

Figure 5 inspects the $acc{u}_y$ of the POAHDL-MDC algorithm on the $trai{n}_g$ and $va{l}_d$ procedures on the test database. The result implies that the POAHDL-MDC technique gains superior $acc{u}_y$ values above maximal epochs. Additionally, the enhanced $va{l}_d$ $acc{u}_y$ over $trai{n}_g$ $acc{u}_y$ demonstrates that the POAHDL-MDC algorithm obtains better results on the test database.

Figure 5. Accuracy curve of the POAHDL-MDC methodology.

The loss curve of the POAHDL-MDC model at the time of $trai{n}_g$ and $va{l}_d$ is shown on the test database in Figure 6. The result represents the POAHDL-MDC approach gains nearby values of $trai{n}_g$ and $va{l}_d$ loss. It could be detected that the POAHDL-MDC system obtains results efficiently on the test database.

Figure 6. Loss curve of the POAHDL-MDC algorithm.

A comprehensive PR analysis of the POAHDL-MDC model applied to the test dataset is illustrated in Figure 7. The figure infers that the POAHDL-MDC system outcomes have greater values of PR. Also, the POAHDL-MDC algorithm has superior PR values in four classes.

Figure 7. PR curve of the POAHDL-MDC approach.

In Figure 8, an ROC curve for the POAHDL-MDC model is revealed for the test database. The result reveals that the approach improves ROC values. Further, the POAHDL-MDC approach exhibits greater ROC values in all four classes.

Figure 8. ROC curve of the POAHDL-MDC approach.

In Table 4 and Figure 9, a clear comparison of the POAHDL-MDC system with existing approaches is made [17]. The results highlight that the LR and RF approaches accomplish the lowest outcome.

Table 4. Comparative outcome of the POAHDL-MDC methodology with other systems [17].

Methods	$\mathit{A}\mathit{c}\mathit{c}{\mathit{u}}_{\mathit{y}}$	$\mathit{S}\mathit{e}\mathit{n}{\mathit{s}}_{\mathit{y}}$	$\mathit{S}\mathit{p}\mathit{e}{\mathit{c}}_{\mathit{y}}$	${\mathit{F}}_{\mathit{s}\mathit{c}\mathit{o}\mathit{r}\mathit{e}}$
POAHDL-MDC	99.31	97.82	99.45	97.51
Sequential DL	98.58	97.32	98.80	96.96
Naïve Bayes	98.33	94.71	97.75	94.54
Logistic Reg.	95.22	96.66	98.08	95.75
Decision Tree	98.40	95.06	95.24	94.13
Random Forest	95.33	97.31	95.23	96.56
Conv. NN	98.92	96.98	97.53	94.66

Figure 9. $Acc{u}_y$ outcome of the POAHDL-MDC approach with existing methods.

At the same time, sequential DL, NB, DT, and CNN techniques achieve closer outcomes. But the POAHDL-MDC technique gains outperforming results with a maximum $acc{u}_y$ of 99.31%, $sen{s}_y$ of 97.82%, $spe{c}_y$ of 99.45%, and $F_{score}$ of 97.51%. These outcomes confirm the superior solution of the POAHDL-MDC model over other current approaches. The improved URL detection results of the POAHDL-MDC technique are based on the inclusion of POA-based hyperparameter tuning. An application of POA selects optimum hyperparameter values of the HDL technique. Hyperparameters are not learned at the time of training but set earlier to training. They have an essential effect on the performance of the technique, as picking optimal values leads to improved exactness. By use of POA-based hyperparameter tuning, the POAHDL-MDC technique gains superior outcomes by concentrating on the most appropriate features and choosing optimal settings for the algorithm. These results guaranteed enhanced behavior of the POAHDL-MDC method when compared to existing models.

5. Conclusions

In this study, we proposed a new POAHDL-MDC methodology for the automated recognition and classification of malicious URLs. To accomplish this, the POAHDL-MDC approach initially performed data pre-processing to change the data to a compatible format, and a Fast Text word embedding process was involved. For malicious URL detection, the HDL model integrating the features of SAE and Bi-LSTM models was utilized. Lastly, POA was employed for optimum hyperparameter tuning of the HDL methodology. The simulation value of the POAHDL-MDC technology was verified on a benchmark database, and the outcome revealed better results for the POAHDL-MDC methodology for various measures. In future, a hybrid metaheuristic-based feature selection process could be designed to reduce the high dimensionality problem and thereby enhance the detection rate. In addition, future work could examine a combination of many data modalities, such as text, network traffic, and user behavior, into DL models. In addition, new approaches such as attention-based models, graph neural networks, or transformer-based models could be used for capturing complex patterns in URLs and their associated features.