An Optimized Stacking Ensemble Model for Phishing Websites Detection

: Security attacks on legitimate websites to steal users’ information, known as phishing attacks, have been increasing. This kind of attack does not just affect individuals’ or organisations’ websites. Although several detection methods for phishing websites have been proposed using machine learning, deep learning, and other approaches, their detection accuracy still needs to be enhanced. This paper proposes an optimized stacking ensemble method for phishing website detection. The optimisation was carried out using a genetic algorithm (GA) to tune the parameters of several ensemble machine learning methods, including random forests, AdaBoost, XGBoost, Bagging, GradientBoost, and LightGBM. The optimized classiﬁers were then ranked, and the best three models were chosen as base classiﬁers of a stacking ensemble method. The experiments were conducted on three phishing website datasets that consisted of both phishing websites and legitimate websites—the Phishing Websites Data Set from UCI (Dataset 1); Phishing Dataset for Machine Learning from Mendeley (Dataset 2, and Datasets for Phishing Websites Detection from Mendeley (Dataset 3). The experimental results showed an improvement using the optimized stacking ensemble method, where the detection accuracy reached 97.16%, 98.58%, and 97.39% for Dataset 1, Dataset 2, and Dataset 3, respectively.


Introduction
One of the most dangerous cybercrimes is phishing, where the user's information and credentials are stolen using fake emails or websites that are sent to the target and look like legitimate ones. Phishing attacks have been increasing over the years, and affect many internet users. In this type of attack, the phisher selects any organisation as a target, and then develops a phishing website that is similar to the organisation's legitimate website. The phisher then sends several spam emails or posts these links using social media or any communication medium to many internet users, who may click on these links and be redirected to the phishing website [1].
Phishing is one type of social engineering attack that targets many organisations' websites on the internet. It can also attack internet of things (IoT) environments, in which the devices are highly interconnected, and these threats can affect organizations' privacy and data. IoT sensors are considered to be an easy medium for attackers. According to [2], attackers sent several spam emails, and it was found that refrigerators, televisions, and routers were among the 25% of devices that hosted them. In addition, hackers in the IoT environment may not need to send a virus or Trojan, as they can use the software in the thingbots for spreading spam emails without the user knowing, as this may not affect the functionality of IoT devices [3]. Many methods have been introduced to make the IoT environment more secure, but there is currently no effective method for detecting phishing emails [1,4]. Several studies have been conducted in order to propose approaches and methods for detecting phishing websites for the IoT environment. For instance, Wei et al. [5] introduced a lightweight deep learning method in order to provide a phishing detection sensor that could work in real time with energy-saving features. If using this proposed system, there is no need to install anti-phishing software on every IoT device. However, the designed sensor is only needed for one location (such as an office) between the devices and the router. In addition, this model can be directly installed on the router because of its high efficiency.
Deep learning methods have been widely investigated for detecting phishing websites. For instance, Somesha et al. [6] applied several models for phishing detection, which included convolution neural network (CNN), deep neural network (DNN), and long shortterm memory (LSTM) models. The applied models obtained a good detection rate, with an accuracy of 99.57% for LSTM. These models used only one third-party service feature, in order to make the model robust and efficient. In another study, Ali and Ahmed [7] introduced a hybrid intelligence method for predicting phishing websites, in which a genetic algorithm (GA) was utilized to identify the optimal weights for website features and select the most important ones. These features were used to train deep neural networks to predict the phishing URLs. The results showed that the proposed approach obtained significant improvements in terms of accuracy, specificity, sensitivity, and other metrics compared to other state-of-the-art methods.
In a different approach, several machine learning methods were used to detect the phishing websites. For instance, Chiew et al. [8] introduced a framework based on feature selection and machine learning methods for detecting phishing, named hybrid ensemble feature selection. In this method, the primary feature subsets were obtained using the cumulative distribution function gradient, and these subsets were used to obtain the secondary feature subsets using a data perturbation ensemble. The proposed model used only 20.8% of the original features, and obtained an accuracy of 94.6% using the Random Forests method. Similarly, Rao and Pais [9] introduced an efficient model based on feature selection and machine learning; in order to improve the limitations of the currently used phishing detection methods, they obtained the heuristic features from the websites' URLs, source codes, and third-party services. Eight machine learning methods were used to evaluate the proposed model, and Random Forests obtained the best accuracy (99.31%). In addition, Ali and Malebary [10] proposed a novel phishing detection model by utilizing the particle swarm optimization method in order to weight the websites' features, which helped to identify the importance of their contributions towards differentiating the phishing websites from legitimate ones. The results showed that this model led to outstanding enhancements in terms of accuracy and other performance metrics for several machine learning methods.
This paper proposes a model which is known as an optimized ensemble classification model for detecting phishing websites. A genetic algorithm (GA) is used to optimize the performance of several ensemble classifiers. Then, the best optimized classifiers are used as base classifiers for the stacking ensemble method. The method includes three main phases: training, ranking, and testing. In the training phase, random forests, AdaBoost, XGBoost, Bagging, GradientBoost, and LightGBM are trained without applying an optimization method. These classifiers are then optimized using the genetic algorithm, which selects the optimal values of parameters for several ensemble models. The optimized classifiers are then ranked and used as base classifiers for the stacking ensemble method. Finally, new websites are collected and used as a testing dataset in order to predict the final class label of these websites. The rest of this paper is organized as follows: Section 2 gives an overview of the related work. Section 3 provides details about the materials and methods. Section 4 presents the experimental results, which are analysed, discussed, and compared with related works. The paper concludes with a summary of the outcomes of the proposed method and suggestions for future work.

Recognizing Phishing Attacks in the IoT
There are serious issues regarding the security of the IoT web, as there are billions of devices (network objects and sensors) that are connected to the internet [11]. Thus, there is a strong need to protect these IoT data from various types of attacks, including phishing. Gupta et al. [1] illustrated how advanced infrastructures such as the internet of things (IoT) are considered a target for phishing attacks. Tsiknas et al. [12] reviewed the main cyber threats to the industrial internet of things (IIoT), and found that they originate from five types of attacks: phishing, ransomware, system attacks, supply chain, and protocol. According to Tsiknas et al. [12], for critical infrastructure such as the IoT, phishers apply compromised attacks-an advanced method that combines social engineering and includes zero-day malware and other features that are designed on remote websites and then attack IIoT systems. The malicious attacker uses the front-end level for accessing the IIoT.
Several methods have been proposed to detect phishing websites in the IoT environment. Parra et al. [13] proposed a cloud-and deep-learning-based framework that includes two mechanisms: a distributed convolutional neural network, and cloud-based temporal long short-term memory. The first mechanism was used for detecting phishing as an IoT microsecurity device, while the second mechanism was used on the back end to detect notnet attacks and ingest CNN embeddings for detecting distributed phishing attacks on several IoT devices. The experimental results showed that the first mechanism could obtain a detection accuracy of 94.3% running the CNN model, and an F-1 score of 93.58% for phishing attacks.
Mao et al. [14] discussed the main security issues in smart internet of things (IoT) systems, and found that phishing is one of the most common types of attacks. In order to detect these phishing websites, they developed an automated page-layout-based method that includes machine learning methods. The method is based on aggregation analysis for obtaining the page layout similarity, which helps in detecting phishing websites. Four ML methods were applied in these experiments, and the results obtained showed enhanced accuracy.
The security issues in the IoT were discussed in detail by Virat et al. [15], who argued that the main challenge with IoT security is that its devices are not intelligent, which makes the task of solving these issues difficult, requiring appropriate detection methods. In addition, Deogirikar and Vidhate [16] surveyed various vulnerabilities that put the IoT as a technology in danger. They reviewed various IoT attacks and discussed their efficiency and damage level in the IoT, and concluded that extensive research is required in order to come up with effective solutions.
In addition, deep learning methods were also investigated for protecting internet of things (IoT) devices against several attacks, such as distributed denial-of-service (DDoS), phishing, and spamming campaigns. In [17], a stacked deep learning method was introduced to detect malicious traffic attacks affecting IoT devices. This proposed method showed a good ability to detect benign and malicious traffic data, and obtained a higher detection rate in real time compared with other methods.

Machine-Learning-Based Detection Methods
Artificial intelligence (AI) and machine learning (ML) have been widely used as detection methods for several cyber security issues. For phishing website detection, several AI-and ML-based methods with good detection performance have been proposed. For instance, Alsariera et al. [18] proposed new schemes based on AI that considered new Electronics 2021, 10, 1285 4 of 18 methods for the mitigation of phishing. They introduced four meta-learning techniques based on the extra-tree-based classifier and applied them to phishing website datasets. The experimental results showed that the proposed models obtained an accuracy of 97%, and reduced the false positive rate to 0.028. Jain and Gupta [19] proposed a new method for detecting phishing websites based on the hyperlinks located in the websites' HTML code. This method combines several novel features of hyperlinks, and divides them into 12 types for training ML models. This method was applied to a phishing website dataset using several ML classifiers. The experimental results showed that the proposed model obtained 98.4% accuracy using a logistic regression classifier. This method is a client-side solution, which does not require any third-party support. Feng [20] introduced a new a model for phishing website detection using a neural network. The Monte Carlo technique was used in the training phase, and in the testing phase the accuracy reached 97.71% while the false positive rate reached 1.7%, indicating that the proposed model is capable of detecting phishing websites effectively compared to other machine learning methods.
Aburub and Hadi [21] used association rules to detect phishing websites. They used a dataset containing 10,068 instances of legitimate and phishing websites, and applied the phishing multi-class association rule method, which was compared to other associative classification methods. The experimental results showed that the proposed methods obtained an acceptable detection rate. Similarly, other ML-based methods have been applied utilizing feature selection methods [22,23], ensemble classifiers [24], hybrid methods of deep learning and machine learning [25], and other methods.
As can be shown from the previous studies on detecting phishing websites, the effectiveness of the detection still needs to be enhanced. For instance, Azeez et al. [26] mentioned that the current applied methods to handle phishing websites are not sufficient. Thus, they introduced the PhishDetect method, which identifies phishing attacks by using URL consistency features. This proposed method checks the PhishTank database in order to verify whether the URL exists, then considers it to be a phishing website if not. This method requires updating the PhishTank database frequently. In addition, Azeez et al. [27] proposed a system for detecting malicious URLs on Twitter. This study examined the correlation of URL redirect chains obtained from Twitter, and then a naive Bayes classifier was used on these data, with an accuracy of 90%. An interesting comparative study was conducted by Osho et al. [28] to investigate the performance of several machine learning methods for the detection of phishing websites. They found that the random forests method outperforms the existing methods, and achieves an accuracy of 97.3%.
However, some proposed methods were applied to small-or medium-sized datasets, while other proposed methods were applied to only one dataset (websites or emails). Therefore, there is a need to conduct further analysis on detecting phishing websites using more datasets with many benign and malicious websites.

Materials and Methods
In this section, the proposed genetic-algorithm-based ensemble classifier approach for improving phishing website detection is presented and explained. Figure 1 presents the methodology that we followed in this study. The methodology consists of three main phases: the training, ranking, and testing phases. In the training phase, random forests, AdaBoost, XGBoost, Bagging, GradientBoost, and LightGBM were trained without optimization. The reason behind this is twofold: on the one hand, to obtain a general insight into the performance of ensemble classifiers before optimizing them, and on the other hand, to explore which of the phishing websites' characteristics is most useful. The aforementioned classifiers were then optimized using the genetic algorithm. Here, the genetic algorithm was used for selecting the optimal values of model parameters in order to improve the overall accuracy of the proposed model. Later, in the ranking phase, the optimized classifiers were ranked and used as a base classifier for the ensemble classifierthe stacking method. In the testing phase, new websites were collected and used as testing data. Figure 1 refers to this phase as the detection phase, as these steps will be applied to any website in future in order to detect whether it is a benign or malicious website. In order to extract the features of the websites, we followed the methodology presented in [29]. A set of benign and malicious websites was collected from the malware and phishing blacklist of the PhishTank database of verified phishing pages [30]. In order to extract the same features as those used in the training dataset (HTML-and JavaScript-based features, address-barbased features, domain-based features, and abnormality-based features), a Python script was written using the Beautiful Soup, ipaddress, urllib, request, and Whois libraries. Later, all of these features were fed into the classifiers in order to predict the final class label of the website. data. Figure 1 refers to this phase as the detection phase, as these steps will be applied to any website in future in order to detect whether it is a benign or malicious website. In order to extract the features of the websites, we followed the methodology presented in [29]. A set of benign and malicious websites was collected from the malware and phishing blacklist of the PhishTank database of verified phishing pages [30]. In order to extract the same features as those used in the training dataset (HTML-and JavaScript-based features, address-bar-based features, domain-based features, and abnormality-based features), a Python script was written using the Beautiful Soup, ipaddress, urllib, request, and Whois libraries. Later, all of these features were fed into the classifiers in order to predict the final class label of the website.

The Dataset and Experimental Design
The experimental part of this work was conducted on three publicly available datasets-the Phishing Websites Data Set from UCI (Dataset 1) [31], the Phishing Dataset for Machine Learning from Mendeley (Dataset 2) [32], and Datasets for Phishing Websites Detection from Mendeley (Dataset 3) [33]. To conduct the experiment, the script was written in Python 3.6 using an Anaconda environment on the 64-bit Windows 10 operating system. Dataset 1 consists of 44% phishing websites (4898) and 56% legitimate websites (6157). Since the dataset is quite imbalanced, the oversampling technique was used to increase the size of the minority class. The dataset contains 30 features, which can be categorized into four groups: (1) 12 address-bar-based features, (2) 5 HTML-and JavaScriptbased features, (3) 6 abnormality-based features, and (4) 7 domain-based features. Table 1 presents the names of these features and the Python library used for extracting each one in the testing phase.

The Dataset and Experimental Design
The experimental part of this work was conducted on three publicly available datasetsthe Phishing Websites Data Set from UCI (Dataset 1) [31], the Phishing Dataset for Machine Learning from Mendeley (Dataset 2) [32], and Datasets for Phishing Websites Detection from Mendeley (Dataset 3) [33]. To conduct the experiment, the script was written in Python 3.6 using an Anaconda environment on the 64-bit Windows 10 operating system. Dataset 1 consists of 44% phishing websites (4898) and 56% legitimate websites (6157). Since the dataset is quite imbalanced, the oversampling technique was used to increase the size of the minority class. The dataset contains 30 features, which can be categorized into four groups: (1) 12 address-bar-based features, (2) 5 HTML-and JavaScript-based features, (3) 6 abnormality-based features, and (4) 7 domain-based features. Table 1 presents the names of these features and the Python library used for extracting each one in the testing phase. In addition, Dataset 2 includes 48 features extracted from 5000 phishing websites and 5000 legitimate websites, while Dataset 3 includes 111 features extracted from 30,647 phishing websites and 58,000 legitimate websites. More descriptions about these datasets can be obtained from [32,33].
In order to evaluate the performance of the proposed ensemble model, the following performance measures were used: classification accuracy, precision, recall (the detection rate), F1 score, false positive rate (FPR), and false negative rate (FNR). These measures are commonly used by researchers to evaluate the performance of phishing website detection systems [10]. In order to precisely assess the proposed method, all of the conducted experiments including optimized and non-optimized classifiers were validated using 10-fold cross-validation. The results of each fold were also normalized. P = (95.37/(95.37 + 1.2), R = 95.37/(95.37 + 4.63).

Results and Discussion
This section describes the experimental results for each technique, before presenting and discussing comparisons with the related works.

Experimental Results of the Ensemble Classifiers without Optimization
As mentioned earlier, a set of ensemble classifiers was trained using 10-fold crossvalidation. We first conducted the experiment without involving the optimization using the GA. The performance of the classifiers with default configurations is presented in Tables 2-4 for Dataset 1, Dataset 2, and Dataset 3, respectively. For Dataset 1, the random forests classifier yielded the best performance compared with the other classifiers in terms of accuracy, precision, recall, and F-score; it achieved 97.02% accuracy. The Bagging classifier also achieved good accuracy, with 96.73%, followed by the LightGBM classifier, with accuracy of 96.53%. The remaining classifiers obtained accuracy between 93% and 94.61%. Meanwhile, in Dataset 2, the LightGBM classifier obtained the best performance compared to other classifiers in terms of accuracy, precision, recall and F-score. The random forests classifier obtained the second best performance using all evaluation measures for this dataset. Similarly to Dataset 1, the performance of Random Forests obtained the best results for Dataset 3 in terms of accuracy, recall, and F-score, as shown in Table 4.  Figure 2 shows the false positive rate (FPR) and false negative rate (FNP) for Dataset 1. It was notable that RF had the best FPR and FNP, with 0.05 and 0.02, respectively. The LightGBM classifier was the second best classifier in terms of FPR (0.068), followed by the GradientBoost classifier (0.07). In terms of FNR, the Random Forests classifier also yielded the lowest value (0.02), followed by AdaBoost and Bagging. Although the AdaBoost classifier had a lower FNR (0.032), its FPR values were higher than those of the LightGBM classifier, which means that there is a probability of raising a false alarm, in which a positive result is given when the true value is negative. Similarly, as shown in Figures 3 and 4 GradientBoost classifier (0.07). In terms of FNR, the Random Forests classifier also yielded the lowest value (0.02), followed by AdaBoost and Bagging. Although the AdaBoost classifier had a lower FNR (0.032), its FPR values were higher than those of the LightGBM classifier, which means that there is a probability of raising a false alarm, in which a positive result is given when the true value is negative. Similarly, as shown in Figures 3 and  4, the RF model obtained the best FPR and FNP for Dataset 2 and Dataset 3.

Experimental Results of the GA-Based Ensemble Classifiers
Although all of the classifiers showed good performance, there is still a need to adjust many of their parameters in order to achieve better evaluation scores. Adjusting such parameters for each classifier is relatively cumbersome. In this study, a genetic algorithm was used for tuning the classifiers' parameters. GAs have shown good results in the field of algorithm parameter searching [34]. We conducted the experiments using different parameters to configure the GA (which were used in our previous works and other studies),

Experimental Results of the GA-Based Ensemble Classifiers
Although all of the classifiers showed good performance, there is still a need to adjust many of their parameters in order to achieve better evaluation scores. Adjusting such parameters for each classifier is relatively cumbersome. In this study, a genetic algorithm was used for tuning the classifiers' parameters. Gas have shown good results in the field of algorithm parameter searching [34]. We conducted the experiments using different parameters to configure the GA (which were used in our previous works and other studies), and the best ones were used in this study, as shown in Table 5. Since there are many parameters to adjust, Table 6 shows the list of adjusted parameters of each classifier and the optimized parameters found by the GA. Among all of the parameters, finding the optimal number of estimators and learning rate are the most critical parameters, which impact most highly on the performance of the classifier. XGBoost and GradientBoost gained a considerable improvement compared to the default parameters, as shown in Table 7. Meanwhile, the performance of both the LightGBM classifier and Random Forests was decreased.     To explore this further in Dataset 1, the confusion matrices of Random Forests, XG-Boost, Gradient Boost, and LightGBM are shown in Figures 5-8, respectively. Table 8  To explore this further in Dataset 1, the confusion matrices of Random Forests, XGBoost, Gradient Boost, and LightGBM are shown in Figures 5-8, respectively. Table 8 lists the results of the other performance measures.     In Figure 6b and Figure 7b, we can note that the GA-XGBoost and GA-GradientBoost classifiers gained the most benefit from the optimization for Dataset 1. They correctly detected 95.94% of phishing website instances as "phishing website" class, which represents the TP measure, and incorrectly detected 4.06% of these instances as "legitimate" class, which represents the FP measure. In addition, they detected 98.4% of legitimate website instances as "legitimate" class, which represents the TN measure, and incorrectly detected  In Figure 6b and Figure 7b, we can note that the GA-XGBoost and GA-GradientBoost classifiers gained the most benefit from the optimization for Dataset 1. They correctly detected 95.94% of phishing website instances as "phishing website" class, which represents the TP measure, and incorrectly detected 4.06% of these instances as "legitimate" class, which represents the FP measure. In addition, they detected 98.4% of legitimate website instances as "legitimate" class, which represents the TN measure, and incorrectly detected In Figures 6b and 7b, we can note that the GA-XGBoost and GA-GradientBoost classifiers gained the most benefit from the optimization for Dataset 1. They correctly detected 95.94% of phishing website instances as "phishing website" class, which represents the TP measure, and incorrectly detected 4.06% of these instances as "legitimate" class, which represents the FP measure. In addition, they detected 98.4% of legitimate website instances as "legitimate" class, which represents the TN measure, and incorrectly detected 1.96% of these instances as "phishing website" class, which represents the FN measure. We can conclude that both classifiers (GA-XGBoost and GA-GradientBoost) achieved a high TP rate and a low FP rate. After conducting the training phase for the ensemble classifiers on Dataset 1, the performances of these classifiers were ranked, and the three best models were: GA-GradientBoost, GA-XGBoost, and GA-Bagging. These models were used in the next step as base classifiers (base learner) of a stacking ensemble method. For Dataset 1, the classifiers that were used as meta-learners were Random Forests, GradientBoost, and Support Vector Machine (SVM).
The same experiments were conducted on Dataset 2 and Dataset 3. The performance of GA-based ensemble classifiers after optimization is shown in Tables 9 and 10. The results indicate that some classifiers (such as GA-Random Forests, GA-AdaBoost, and GA-XGBoost) show improvements in terms of accuracy, precision, recall, and F-score for Dataset 2, while all of the classifiers show improvements for Dataset 3 using all measures.      Table 11 shows the mean rank calculated for all classifiers for all three datasets. The results were obtained by 10-fold cross-validation before and after applying GA optimization. The results show that most of the models with the highest mean accuracy values were produced when the GA was used. Among all of the selected classifiers, GA-XGB is a good choice for use as a base classifier for the stacking ensemble method. Table 12 shows the testing results for the detection accuracy of the proposed model using 10-fold cross-validation for Dataset 1, Dataset 2, and Dataset 3. As shown in Table 12 above, the proposed optimized stacking ensemble model obtained good improvements in terms of phishing website detection accuracy for all datasets. The proposed optimized stacking ensemble obtained the best performance when the optimized ensemble classifiers (GA-GradientBoost, GA-XGBoost, and GA-Bagging) were used as base learners, and SVM was used as meta-learner. The achieved accuracy reached 97.16%, 98.58%, and 97.39% for Dataset 1, Dataset 2, and Dataset 3, respectively, which surpasses the other ensemble methods in the previous phase. Table 13 presents a comparison of the results obtained (using Dataset 1) with the preliminary settings, where the base classifiers were trained using the default settings of hyperparameters, and the improvements obtained after applying the GA and adjusting the hyperparameters of the classifiers. It also summarizes the mean accuracy and variance values of each classifier. The results also show that the mean of the GradientBoost classifier using GA optimization exceeded the means of all of the other classifiers, before and after applying the optimization. In addition to the basic statistical measures listed above, we measured the statistical significance of the results before and after applying optimization. Hence, the paired two samples were used for the mean t-test. The null hypothesis, h_0, for this comparison is that the mean accuracy values achieved before and after applying GA optimization to the classifiers are the same. The p values suggest that the null hypothesis can be rejected in four cases (out of six), which means that the improvement is significant in most of the cases (see Table 14). Similarly, the statistical analysis was conducted on the other datasets. It was found that the improvements obtained by AdaBoost, XGBoost, and GradientBoost with GA optimization were significant using Dataset 2, while for Dataset 3, the improvements obtained by all GA-based ensemble classifiers (except Random Forests) were significant.

Statistical Analysis and Comparison with Previous Studies
In addition, the Friedman test results showed a significant difference in accuracy, of (X 2 = 51.96, d f = 9, p = 2.82 × 10 −7 ) for the first data set, and (X 2 = 48.16, d f = 9, p = 1.83 ×10 −5 ) and (X 2 = 41.26, d f = 9, p = 2.68 ×10 −5 ) for the second and third datasets, respectively. This indicates that it is safe to reject the null hypothesis when a model performed the same. In addition, we can conclude that at least one model has different performance values. Therefore, we conducted the Nemenyi post-hoc.
The comparative analysis of all of the models using their mean ranks was carried out. The calculated values of critical difference for the datasets were CD = 4.9493, CD = 4.4094, and CD = 3.283 for the first, second, and third datasets, respectively. Figures 9-11 show the critical difference diagrams where the models with statistically similar values of performance are connected to one another.  Figure 10 shows the results of the statistical comparison of all of the models against one another by their mean ranks using Dataset 2 (higher ranks, such as 1.9 for LGB, correspond to higher values). Classifiers (only the three classifiers that have the highest values) that are not connected by a bold line of length equal to the CD have significantly different mean ranks (Confidence level of 95%).  Figure 11 shows the results of the statistical comparison of all of the models against one another by their mean ranks using Dataset 3 (higher ranks, such as 1.5 for GA-XGB, correspond to higher values). Classifiers (only the three classifiers that have the highest value) that are not connected by a bold line of length equal to the CD have significantly different mean ranks (Confidence level of 95%).   Figure 10 shows the results of the statistical comparison of all of the models against one another by their mean ranks using Dataset 2 (higher ranks, such as 1.9 for LGB, correspond to higher values). Classifiers (only the three classifiers that have the highest values) that are not connected by a bold line of length equal to the CD have significantly different mean ranks (Confidence level of 95%).  Figure 11 shows the results of the statistical comparison of all of the models against one another by their mean ranks using Dataset 3 (higher ranks, such as 1.5 for GA-XGB, correspond to higher values). Classifiers (only the three classifiers that have the highest value) that are not connected by a bold line of length equal to the CD have significantly different mean ranks (Confidence level of 95%). In addition, a comparison was conducted with the previous studies that used the same phishing websites (Dataset 1 and Dataset 2), which is presented in Table 15. As Dataset 3 was only recently prepared, it was not used in the previous studies. The evaluation metrics were accuracy, precision, and recall. The results show that the proposed opti- Figure 11. Critical difference diagram of Dataset 3 for the Nemenyi test. Figure 9 shows the results of the statistical comparison of all of the models against one another by their mean ranks using Dataset 1 (higher ranks, such as 1.8 for GA-GB, correspond to higher values). Classifiers (only the three classifiers that have the highest values) that are not connected by a bold line of length equal to the CD have significantly different mean ranks (Confidence level of 95%). Figure 10 shows the results of the statistical comparison of all of the models against one another by their mean ranks using Dataset 2 (higher ranks, such as 1.9 for LGB, correspond to higher values). Classifiers (only the three classifiers that have the highest values) that are not connected by a bold line of length equal to the CD have significantly different mean ranks (Confidence level of 95%). Figure 11 shows the results of the statistical comparison of all of the models against one another by their mean ranks using Dataset 3 (higher ranks, such as 1.5 for GA-XGB, correspond to higher values). Classifiers (only the three classifiers that have the highest value) that are not connected by a bold line of length equal to the CD have significantly different mean ranks (Confidence level of 95%).
In addition, a comparison was conducted with the previous studies that used the same phishing websites (Dataset 1 and Dataset 2), which is presented in Table 15. As Dataset 3 was only recently prepared, it was not used in the previous studies. The evaluation metrics were accuracy, precision, and recall. The results show that the proposed optimized stacking ensemble method outperformed the other recent and related works [7,10] in using the accuracy and recall performance measures for Dataset 1, and outperformed [35] in using the accuracy, precision and recall measures for for Dataset 2.

Conclusions
This paper has proposed an optimized stacking ensemble model for detecting phishing websites. In the optimisation method, a genetic algorithm, was used to find the optimized values for the parameters of several ensemble learning methods. The proposed model includes three phases: the training, ranking, and testing phases. In the training phase, several ensemble learning methods were trained without applying the optimization method (GA); these included Random Forests, AdaBoost, XGBoost, Bagging, GradientBoost, and LightGBM. These classifiers were then optimized using a GA that selects the optimal values of model parameters and improves their overall accuracy. In the ranking phase, the best three ensemble methods were selected and used as base classifiers for a stacking ensemble method. The stacking method also used three classifiers as meta-learners: RF, GB, and SVM. Finally, in the testing phase, new websites were collected and used as a testing dataset in order to predict the final class label of these websites (phishing or legitimate). The experimental results showed that the proposed optimized stacking ensemble method obtained superior performance compared to other machine-learning-based detection methods; the obtained accuracy reached 97.16%. A statistical analysis was conducted, which showed that the obtained improvements were statistically significant. In addition, the proposed methods were compared with recent studies that used the same phishing dataset, and it was reported that the proposed method surpassed those used in these studies. As phishing attacks are more dangerous in internet of things (IoT) environments-because IoT devices are an easy medium for attackers, who can simply use the software in the thingbots for spreading spam emails without the user knowing-a light detection method will be proposed in future work to be applied to IoT environments. In addition, deep learning methods will be investigated in order to improve the detection rate of phishing websites, and more phishing datasets will be used.  Data Availability Statement: Data are available in [31][32][33].