MALWARE DETECTION USING DEEP LEARNING

A PROJECT REPORT

Submitted by

DINESH M (422517205011)

JANAKIRAMAN V (422517205015)

ARUNKUMARAN P (422521205306)
KALAISELVAN M (422521205016)

in partial fulfillment for the award of the degree

of
BACHELOR OF TECHNOLOGY

IN

INFORMATION TECHNOLOGY

UNIVERSITY COLLEGE OF ENGINEERING VILLUPURAM

ANNA UNIVERSITY : CHENNAI 600 025

MAY 2025
 ANNA UNIVERSITY : CHENNAI 600 025

BONAFIDE CERTIFICATE

Certified that the project report titled as “MALWARE DETECTION USING DEEP
LEARNING” is the bonafide work of “DINESH
M(422521205011),JANAKIRAMAN V(422521205015), ARUNKUMARAN
P(422521205306) and KALAISELVAN M
(422521205016)” who carried out the project work under my supervision.

SIGNATURE SIGNATURE

Dr.E.KAVITHA, M.E., Ph.D., Mr.P.TAMILARASU, M.Tech.

HEAD OF THE DEPARTMENT SUPERVISOR
Department of Information Technology Department of Information Technology
University College of Engineering Villupuram University College of Engineering

Villupuram Villupuram-605103 Villupuram-605103

Submitted for the Project viva-voce held on

Internal Examiner External Examiner

 ACKNOWLEDGEMENT

We wish to express our sincere thanks and gratitude to our Dean

Dr.R.SENTHIL Professor & Dean, for offering us all the facilities to do
the project.

We also express our sincere thanks to Dr.E.KAVITHA, M.E., Ph.D.,

Head of the Department, Department of Information Technology for his
support and guidance to do this project work.

We also express our sincere thanks to Mr.P.TAMILARASU, M.Tech.,

our internal project guide, Department of Information Technology for his
support for the successful completion in implementing our valuable idea.

We are thankful to the project coordinator Mr.P.TAMILARASU,

M.Tech., Department of Information Technology, University College of
Engineering Villupuram, for his valuable suggestion and constant
encouragement.

We would like to thanks all the Faculty Members in our department for
their guidance to finish this project successfully. We also like to thank all
our friends for their willing assistance.

This project consumed huge amount of work, research and dedication.

Still, implementation would not have been possible if we did not have a
support of many individuals and organizations. We would like to extend
our sincere gratitude to all of them.
 TABLE OF CONTENTS

CHAPTER NO TITLE PAGE NO

ABSTRACT 7
LIST OF ABBREVATIONS 4
LIST OF FIGURES 5
LIST OF TABLES 6

1 INTRODUCTION 8

1.1 OVERVIEW OF CYBERSECURITY THREAT 8

1.2 IMPORTANCE OF MULTI-DOMAIN MALWARE 8

DETECTION

1.3 IP,GMAIL AND FILE MALWARE DETECTION 9

INTRODUCTION

1.3.1 URL malware Detection 9

1.3.2 File malware Detection 10

1.3.3 Gmail malware Detection 10

2 LITERATURE REVIEW 11

3 SYSTEM ANALYSIS 14

3.1 EXISTING SYSTEM 14

3.1.1 URL Classification with Machine Learning 14

3.1.2 Algorithms Used in Existing System 14

3.1.3 Workflow of Existing URL Classification 17

3.1.4 Problem Statementns 19

1
 3.2 PROPOSED SYSTEM 19
3.1.5 Algorithms Used in proposed System 19

3.1.6 Algorithms Workflow in Proposed System 21

4 SYSTEM DESIGN AND IMPLEMENTATION 24

4.1 SYSTEM REQUIREMENTS 24

4.1.1 Software Requirements 24

4.1.2 Hardware Requirements 24

4.2 SOFTWARE SPECIFICATIONS 24

4.2.1 Google Colab 24

4.2.2 Python 26

4.3 SYSTEM ARCHITECTURE 30

4.3.1 Url Model Architecture 30

4.3.1.1 URL Preprocessing and Feature Extraction 31

4.3.2 File Model Architecture 32

4.3.2.1 File Preprocessing and Feature Extraction 33

4.3.3 Gmail Model Architecture 33

4.3.3.1 Gmail Preprocessing and Feature Extraction 34

4.4 DATA FLOW DIAGRAM 34

4.5 UML DIAGRAMS 37

4.5.1 Class Diagram 37

4.5.2 Sequence Diagram 38

4.5.3 Activity Diagram 39

2
 4.6 SYSTEM MODELS 40
4.7 MODELS DESCRIPTION 42

4.8 PERFORMANCE METRICES 44

5 APPENDIX 46
5.1SOURCE CODE 46

5.1.1 URL Model Code 46

5.1.2 File Model Code 54

5.1.3 Gmail Model Code 62

6 RESULTS AND ANALYSIS 68

6.1 CLASSIFICATION OUTPUTS 68

6.1.1 URL Classification Output 68

6.1.2 File Classification Output 68

6.1.3 Gmail Classification Output 69

6.2 EVALUATION METRICES 69

6.2.1 Url Confusion Matrix And Accuracy 69

6.2.2 File Confusion Matrix And Accuracy 70

6.2.3 Gmail Confusion Matrix And Accuracy 71

6.3 EXISTING AND PROPESED ACCURACY 72

7 CONCLUSION 73

7.1 SUMMARY OF FINDINGS 73

8 REFERENCES 75

3
 LIST OF ABBREVIATIONS

UC - Area Under the Curve

BPLSH - Balanced Partitioning Locality Sensitive

Hashing CNN - Convolutional Neural Network

T - Decision Tree

DRLSH - Dynamic Reduction Locality Sensitive Hashing

IP - Internet Protocol

KNN - K-Nearest Neighbors

LSTM - Long Short-Term

Memory ML - Machine Learning

- Portable Executable

- Random Forest

SMOTE - Synthetic Minority Oversampling

Technique SVM - Support Vector Machine

L - Uniform Resource Locator

4
 LIST OF FIGURES
FIGURE NO NAME PAGE NO

3.1 Existing System Architecture 18

4.1 Google Colab 25

4.2 Url Model Architecture 31

4.3 File Model Architecture 33

4.4 Gmail Model Architecture 34

4.5 Url Data Flow Diagram 35

4.6 File Data Flow Diagram 36

4.7 Gmail Data Flow Diagram 37

4.8 Common Class Diagram 38

4.9 Common Sequence Diagram 39

4.10 Common Activity Diagram 40

6.1 Url Classification Output 68

6.2 File Classification Output 68

6.3 Gmail Classification Output 69

6.4 Url Confusion Matrix 70

6.5 File Confusion Matrix 71

6.6 Gmail Confusion Matrix 72

5
 LIST OF TABLES

LIST OF TABLES FIGURE NAME PAGE NO

Table 6.2.1 URL Confusion Accuracy 69

Table 6.2.2 File Confusion Accuracy 70

Table 6.2.3 Gmail Confusion Accuracy 71

Table 6.3.1 Existing Model and Accuracy 72

Table 6.3.2 Proposed Model and Accuracy 72

6
 ABSTRACT

With the rapid escalation in the complexity and volume of cyberattacks, there is an urgent
need for adaptive and intelligent detection mechanisms that surpass the limitations of
conventional rule-based and shallow learning techniques. Today’s cyber threats—especially
malware and phishing attempts via email—are increasingly dynamic, employing techniques
such as polymorphism, obfuscation, and context-aware manipulation that evade detection by
standard machine learning classifiers.
In response, this project proposes a robust, end-to-end deep learning approach that integrates
the capabilities of Convolutional Neural Networks (CNNs) and Long Short-Term Memory
(LSTM) architectures. The hybrid model effectively processes diverse input types—
including URLs, binary executable files, and Gmail-based email content—by extracting and
leveraging domain-specific features. URLs are examined using 59 lexical and structural
parameters (such as domain complexity and string length), binary files are evaluated based
on 24 characteristics including byte distribution and entropy levels, and Gmail content is
transformed into word embeddings to highlight suspicious linguistic patterns. These
heterogeneous inputs are converted into uniform, fixed-size sequences— URLs to 350
characters, files to 1024 bytes, and emails to 500 tokens—allowing seamless compatibility
with deep learning pipelines. The CNN components specialize in identifying localized threat
patterns, such as irregular token sequences and binary-level anomalies, while the LSTM
units capture temporal and semantic relationships, particularly useful in analyzing textual
data from emails.
This architectural synergy boosts classification performance across threat categories and
addresses the blind spots found in older detection techniques. To manage class imbalance,
where benign instances dominate, SMOTE (Synthetic Minority Oversampling Technique) is
employed to synthetically augment underrepresented malicious samples. Moreover, a Binary
Focal Cross-Entropy loss function is used to emphasize learning from difficult examples,
improving sensitivity to subtle and rare threats.

7
 CHAPTER 1

INTRODUCTION

1.1 Overview of Cybersecurity Threats

Cybersecurity threats are a growing and ever-evolving challenge for individuals,

organizations, and entire nations. As technology progresses and becomes more
interconnected, cybercriminals continually adapt their strategies to exploit vulnerabilities
across a wide range of platforms. These threats often manifest through malicious URLs,
executable files, and deceptive email content, which are leveraged to carry out various
attacks such as data breaches, ransomware deployment, and spyware infections. A prevalent
form of attack is phishing, where cybercriminals use misleading URLs to trick users into
revealing sensitive information like login credentials. Furthermore, malicious files,
including those that carry ransomware, can infect systems by executing harmful actions
when opened, while spam emails may contain harmful attachments or links that compromise
security when clicked.

The challenge in combating these threats lies in their dynamic nature; cybercriminals are
increasingly using polymorphic malware, which changes its form to evade detection, and
zero-day exploits, which target previously unknown vulnerabilities. Traditional detection
methods, which depend heavily on signature-based systems, are often unable to identify
these sophisticated and ever-changing threats. This limitation underscores the necessity for
advanced detection systems that can analyze data from multiple sources, adapt to new attack
patterns, and detect complex threats in real time.

1.2 Importance of Multi-Domain Malware Detection

In modern cyberattacks, it is increasingly rare for threats to be confined to a single vector of

attack. Instead, attackers often utilize a combination of elements, such as URLs, files, and
email content, to execute coordinated, multi-stage campaigns. For instance, a phishing URL
might lead to the download of a malicious file, which, in turn, communicates with a
compromised IP address. Similarly, a spam email may contain a

8
harmful attachment that, when opened, installs malware on the victim's system. When
detection methods focus on only one type of threat, they fail to recognize these interrelated
attack patterns, which can result in high rates of false negatives and delayed responses.

A multi-domain malware detection system is vital for effective cybersecurity because it

integrates information from various sources—URLs, files, and email content—allowing for
a more comprehensive analysis of potential threats. By examining cross-domain
relationships, such a system can identify attack patterns that would be invisible to
traditional, single-domain methods. For example, a system that analyzes both URLs and
attached files can better detect instances where a malicious link leads to a dangerous file
download

1.3 GMAIL, URL, and File Malware Detection Introduction

This project aims to develop a robust multi-domain malware detection system that employs
a hybrid CNN+LSTM deep learning model to classify malicious URLs, files, and email
content. The system integrates advanced methods to improve detection accuracy,
scalability, and robustness, ensuring that the detection framework can adapt to the evolving
landscape of cybersecurity threats. This approach combines the benefits of convolutional
neural networks (CNNs) for spatial pattern recognition and long shortterm memory
(LSTM) networks for sequential data processing, enabling the model to effectively analyze
various types of data associated with cyber threats.

1.3.1 URL Malware Detection

The URL detection module utilizes a hybrid CNN+LSTM architecture to capture both
spatial and temporal patterns in URL sequences, making it highly effective for identifying
malicious URLs, especially those that are complex or encoded. The CNN layers are used to
extract spatial features, such as character patterns, from the URL, while the LSTM layers
learn the sequential relationships between components of the URL, such as its structure or
order. A multi-head attention mechanism is incorporated to focus.

9
on important segments of the URL, enhancing the model's ability to identify malicious
activity. Furthermore, the dataset is balanced using RandomOverSampler to address class
imbalances between benign and malicious URLs.

1.3.2 File Malware Detection

For file-based malware detection, a hybrid CNN+LSTM approach is used to analyze both
the byte sequences and metadata of files. This method is particularly effective in identifying
malware embedded within executable files. The CNN layers capture bytelevel patterns
within the files, while the LSTM layers learn the temporal relationships between the byte
sequences, which is crucial for identifying anomalous behaviors and potential threats. To
balance the dataset, Synthetic Minority Oversampling Technique (SMOTE) is employed to
generate synthetic samples of the minority class (malicious files).

Data preprocessing includes removing duplicate files and handling missing data through
median imputation, ensuring consistent input for the model. Feature extraction identifies
characteristics like byte entropy, file size, control character ratios, and specific file
signatures that may be indicative of malware. The model is trained using techniques such as
early stopping and checkpointing to ensure stability and prevent overfitting. Evaluation
involves examining false positives and false negatives, as well as analyzing performance
with tools like confusion matrices and receiver operating characteristic (ROC) curves.

1.3.2 Gmail Spam Detection

In the Gmail spam detection module, the system uses CNN+LSTM to classify email
content as either spam or non-spam.

The CNN layers capture textual patterns in the email, such as special characters or
spamrelated keywords, while the LSTM layers process the sequence of words, learning
the contextual relationships between them. The system employs text cleaning and
tokenization toremove noise,normalize content, and prepare the data for model input.

10
 CHAPTER 2

LITERATURE REVIEW

Sujatha M, Gobi M, and Sasikala S proposed a machine learning framework for

detecting malicious URLs to enhance web security. The authors utilized a dataset of
52,000 URLs, extracting features such as URL length, HTTPS status, and domain dot
count. They compared Logistic Regression, Random Forest, and SVM models, with SVM
achieving 94.45% accuracy. To address class imbalance, SMOTE was applied to balance
the dataset, improving model performance. The framework focused on feature engineering
to capture lexical and structural URL characteristics, ensuring robust classification. This
approach provides a scalable solution for identifying phishing and malicious URLs in real-
time web environments .

Vinayakumar R, Soman KP, and Poornachandran P proposed a hybrid CNNLSTM

model for detecting malicious URLs in IoT environments, targeting phishing and spam
URLs. The authors used a balanced dataset and applied NLP techniques to process
character- level URL sequences, achieving 99% accuracy. The model extracted lexical
features like keyword presence and URL length, leveraging CNN for spatial patterns and
LSTM for sequential dependencies. The approach emphasized real-time detection, making
it suitable for resource-constrained IoT devices. The high accuracy demonstrated the
effectiveness of combining deep learning techniques for URL classification.

Alsaedi M, Khan SA, and Ahmad M proposed MalNet, a CNN-LSTM-based method for
detecting malware in Windows executable files. The authors used a dataset of over 40,000
samples, processing grayscale images and opcode sequences to achieve 99.88% accuracy.
The CNN extracted structural patterns from binary images, while LSTM

11
analyzed sequential opcode behaviors. The method focused on static analysis, avoiding
runtime execution to reduce computational overhead.

Catak FO, Yayilgan SY, and Yildirim O proposed a machine learning-based framework
for malicious URL detection, integrating cyber threat intelligence (CTI) features. The
authors applied Random Forest and MLP in a two-stage model on a dataset of phishing
URLs, achieving 95.8% accuracy. Features included URL content, webpage metadata, and
CTI indicators like domain reputation. The twostage approach first filtered URLs with
Random Forest, then refined classification with MLP.

Saxe J and Berlin K proposed a deep learning framework for malware detection across
Android and Windows platforms. The authors used CNN to analyze file features like API
calls, permissions, and code structures, achieving 95% accuracy on a large dataset. The
model processed static features extracted from executables, avoiding dynamic analysis for
faster processing. Feature engineering focused on capturing behavioral patterns, enabling
robust malware identification.

Khan RU, Zhang X, and Kumar R proposed a machine learning-based system for multi-
domain malware detection, classifying URLs, IP addresses, and files. The authors used
Random Forest and SVM on a diverse dataset, extracting features like URL length, IP
geolocation, and file byte entropy, achieving 93% accuracy. Oversampling techniques
were applied to address class imbalance, ensuring balanced training. The system integrated
multiple feature sets to detect threats across domains, providing a unified approach for
network security. This method demonstrated the feasibility of multi-domain classification
using traditional ML.

12
Aslan ÖA and Samet R proposed a quantum machine learning approach for malicious
detection, comparing traditional ML models with quantum classifiers. The authors used
lexical URL features on diverse datasets, achieving over 90% true positive rates. The
quantum classifier processed features like character ratios and domain tokens, leveraging
quantum computing for enhanced computational efficiency. Data preparation included
normalization and feature selection to optimize performance. This approach highlighted
potential of quantum techniques for URL classification, offering a novel perspective on
cybersecurity.

Mohan VS, Vinayakumar R, and Soman KP proposed a CNN-LSTM model with

attention mechanisms for detecting algorithmically generated domain names (DGAs) in
malicious URLs. The authors processed character-level embeddings on DGA datasets,
achieving a 97.01% F1-score. The model used CNN to extract spatial features and LSTM
with attention to capture sequential patterns, focusing on domain name structures. The
approach was optimized for high precision, making it effective for identifying DGAbased
threats. This method provided a robust solution for detecting sophisticated URLbased
attacks.

Alsmadi I and Al-Taharwa I proposed a deep learning-based framework for malicious

URL detection, using CNN to extract features from URL strings and content. The authors
achieved 96% accuracy on a dataset of 66,000 URLs, with Naïve Bayes outperforming
CNN in some cases. Features included lexical attributes like URL length and networkbased
data like DNS query patterns. The framework emphasized comprehensive feature
engineering to capture diverse URL characteristics.

13
 CHAPTER 3

SYSTEM ANALYSIS

3.1 Existing System

The system employs Support Vector Machines (SVMs), Random Forests (RFs), Decision
Trees (DTs), and k-Nearest Neighbors (KNNs) to classify URLs into benign, phishing,
defacement, or malware categories, using a dataset of 650,000 URLs from Kaggle. It
integrates instance selection methods—Data Reduction based on LocalitySensitive Hashing
(DRLSH), Border Point Extraction based on Locality- Sensitive Hashing (BPLSH), and
random selection— to enhance computational efficiency, achieving F1 scores up to 92.18%
(RFs with random selection). Below, we elaborate on the system’s architecture, algorithms
with mathematical workflows, workflow, preprocessing, feature engineering, and problem
statement, highlighting limitations that motivate the proposed CNN+LSTM framework for
URL, file, and Gmail classification.

3.1.1 URL Classification with Machine Learning

The system uses supervised machine learning to classify URLs based on 16 features,
addressing the challenge of detecting malicious URLs amid increasing datacollecting
websites. It achieves high performance (e.g., 93.19% precision for RFs with random
selection) compared to blacklists, which fail with new URLs. RFs and SVMs outperform
DTs and KNNs, with instance selection reducing training time while maintaining
representative samples. The study’s results (Table 1, Figures 5– 8) highlight strong
performance for defacement URLs but struggles with phishing detection, a gap the
proposed deep learning model aims to address.

3.1.2 Algorithms Used in Existing System

The system employs four algorithms, each processing a 16-dimensional feature vector to
classify URLs into benign (y=0), phishing (y=1), defacement (y=2), or malware (y=3).
Below are the algorithms and their mathematical workflows.

14
Decision Trees (DTs)

DTs build a tree where nodes represent features (e.g., has_http), branches denote rules, and
leaves assign labels. They split data based on features like has_http to separate HTTP from
HTTPS URLs, then count_slashes for phishing detection, achieving a 90.18% F1 score with
random selection but struggling with phishing URLs.

Mathematical Workflow for DTs:

1. Input: A feature vector x with 16 elements (e.g., x1 = URL_length, x2 = has_http).

2. Node Splitting: Select a feature x_j and threshold θ to minimize Gini impurity,
calculated as 1 minus the sum of squared class probabilities (p_i^2) for each class i
from 0 to 3. For a split, compute Gini for left and right subsets as 1 minus the sum of
squared probabilities for each subset, then calculate a weighted score: (n_left *
Gini_left + n_right * Gini_right) / (n_left + n_right).
3. Recursion: Repeat splitting until reaching a maximum number of splits (e.g., 100)
or minimum node size.
4. Prediction: Traverse the tree to a leaf, outputting the class y (e.g., phishing if
has_http=1 and count_slashes=5).
5. Loss: Minimize misclassification error, computed as the sum of indicators where
true label y_i does not equal predicted label ŷ_i.

Random Forests (RFs)

RFs combine multiple DTs trained on random subsets of data and features, achieving a
92.18% F1 score with random selection, excelling at defacement URLs. They use majority
voting across trees for predictions.

Mathematical Workflow for RFs:

1. Input: A feature vector x and training set D with N instances (x_i, y_i).

15
 2. Bootstrap Sampling: For each of T trees (e.g., T=100), sample N instances
with replacement to form a subset D_t.
3. Feature Subset Selection: At each node, randomly select m features (e.g., m=4)
and split to minimize Gini impurity.
4. Tree Construction: Build tree t, predicting the class with the highest probability at
a leaf.
5. Prediction: Use majority voting across T trees to output the final class ŷ(x) as
the mode of individual tree predictions.
6. Loss: Minimize the expected error, calculated as the average of indicators where
true label y_i does not equal predicted label ŷ(x_i).

Support Vector Machines (SVMs)

SVMs use a Gaussian kernel to find a hyperplane separating classes, achieving a 91.25% F1
score but requiring 10,793 seconds for training. They use a one-vs-one strategy for multi-
class classification.

Mathematical Workflow for SVMs:

1. Input: A feature vector x and labels y_i in {0,1,2,3} for one-vs-one

classification.
2. Feature Transformation: Apply a Gaussian kernel, K(x, x_i) = exp(-||x - x_i||^2
/ (2σ^2)), to map features to a higher-dimensional space.
3. Optimization: Minimize (1/2) * ||w||^2 + C * sum(ξ_i), subject to y_i * (w^T
* φ(x_i) + b) ≥ 1 - ξ_i and ξ_i ≥ 0, where w is the weight vector, b is the bias, ξ_i
are slack variables, and C is a regularization parameter.
4. Decision Function: Compute f(x) = sum(α_i * y_i * K(x, x_i)) + b, assigning
the class via one-vs-one voting.
5. Loss: Minimize hinge loss, sum(max(0, 1 - y_i * f(x_i))) + (λ/2) * ||w||^2.

16
K-Nearest Neighbors (KNNs)

KNNs assign the majority class among the k nearest neighbors, achieving an 86.64% F1
score with random selection but dropping to 72.77% with BPLSH due to sensitivity to
instance selection.

Mathematical Workflow for KNNs:

1. Input: A feature vector x and training set D with N instances.

2. Distance Computation: Calculate Euclidean distance, d(x, x_i) = sqrt(sum((x_j
- x_{i,j})^2)) for j from 1 to 16.
3. Neighbor Selection: Select the k nearest neighbors (e.g., k=10).
4. Prediction: Output the majority class among the k neighbors, ŷ(x) =
argmax_k(sum(I(y_i = k)) for i in the k neighbors).
5. Loss: Minimize misclassification error, calculated as the average of indicators
where true label y_i does not equal predicted label ŷ(x_i).

3.1.3 Workflow of Existing URL Classification

The workflow consists of three phases:

• Data Collection and Preparation: Collect 650,000 URLs, remove null

values, extract 16 features, and split into 552,500 training and 97,500 testing
instances.
• Model Development: Apply instance selection (DRLSH, BPLSH, random
selection), train models with Bayesian optimization and 5-fold crossvalidation.
• Performance Evaluation: Compute precision (TP / (TP + FP)), recall (TP / (TP
+ FN)), and F1 score (2 * (Precision * Recall) / (Precision + Recall)).

17
Existing System Architecture:

FIG :3.1 EXISTING SYSTEM ARCHITECTURE

The MATLAB 2022-based architecture is a modular pipeline:

• Data Ingestion: Imports URLs from Kaggle CSVs using readtable.

• Preprocessing: Removes nulls, extracts features via regex (e.g., \d{1,3}.\d{1,3}
for IPs), standardizes features for SVMs and KNNs, and splits data.
• Instance Selection: Uses DRLSH (removes redundant samples), BPLSH.
• Model Training: Trains models using MATLAB functions (fitctree, fitcensemble,
fitcecoc, fitcknn) with Bayesian optimization and parallel computing.
• Evaluation: Computes metrics and confusion matrices, highlighting phishing detection
issues.
• Output: Generates tables and visualizations (e.g., TPR plots, feature importance via
MRMR) exported as CSVs. The MATLAB environment limits scalability and web
deployment, unlike the proposed Python-based CNN+LSTM system.

18
Preprocessing and Feature Engineering Preprocessing

• Remove null values for data integrity.

• Split data 85:15, preserving class distributions.
• Standardize features for SVMs and KNNs using z-score normalization.

Feature Engineering

The 16 features include lexical (URL_length, count_dots), protocol (has_http, has_https),

content (has_php, has_html), and network (has_ipv4) features, extracted via string parsing
and regex. MRMR identifies has_http as the most informative.

3.1.4 Problem Statement

The system achieves high F1 scores (up to 92.18% for RFs) but has limitations: reliance on
16 lexical features fails to capture sequential patterns in URLs, files, or emails, limiting
detection of sophisticated threats. High computational costs (SVMs:18,390 seconds)
preclude real-time use, unlike the proposed Flask-based system.

Class imbalance (e.g., 3,054 malware vs. 112,712 benign samples) and feature overlap
reduce performance, especially for KNNs (67.44% precision with BPLSH). Traditional
algorithms ignore temporal dependencies, unlike the proposed CNN+LSTM model, which
uses character-level tokenization, Conv1D, and Bidirectional LSTMs. The MATLAB
architecture restricts scalability, necessitating a Python-based deep learning approach for
real-time, multi- domain threat detection.

3.2 PROPOSED SYSTEM

3.2.1 Algorithms Used in Proposed System

The CNN+LSTM architecture combines CNNs for spatial feature extraction and LSTMs for
sequential modeling, making it ideal for heterogeneous data like text and numerical
features. The architecture processes two input branches—text/sequence data and

19
numerical features—integrating them for classification tasks. Below are the key
components and their roles, described without mathematical workflows as none are
provided in the document.

Convolutional Neural Network (CNN)

CNNs extract local patterns from input data using convolutional filters. In the classification
systems:

• Convolutional Layers: Apply filters (e.g., Conv1D with filter sizes 3 and 5 in
the URL model) to detect patterns like n-grams in URLs or byte sequences in
files.

• Pooling Layers: Use MaxPooling1D to reduce dimensionality, retaining key

features while lowering computational load.

• Batch Normalization: Normalizes layer outputs to stabilize training and

improve convergence across all models.

Long Short-Term Memory (LSTM)

LSTMs model sequential dependencies, crucial for context-sensitive tasks:

• Memory Cells: Retain information over long sequences, capturing dependencies

in URL characters, file bytes, or email words.

• Gates: Use input, forget, and output gates to manage information flow. Bidirectional
LSTMs in the URL and Gmail models process data in both directions for better
context.

• Regularization: Dropout (e.g., 0.5 in the Gmail model) prevents overfitting by

randomly disabling units during training.

20
 Hybrid CNN+LSTM Architecture

The CNN+LSTM architecture integrates both components for robust classification:

1. Input Processing:
a. Text/Sequence Input: Tokenized sequences (e.g., URL characters, file bytes,
email words) are converted to dense vectors via an embedding layer (128-
dimensional embeddings).
b. Numerical Input: Handcrafted features (59 for URLs, 31 for files, 20 for
emails) are processed through dense layers.
2. CNN Branch: Sequence inputs pass through Conv1D layers (e.g., 64 and 128 filters
for URLs), followed by pooling and batch normalization to extract local features.
3. LSTM Branch: CNN outputs feed into a Bidirectional LSTM (64 units for URL and
Gmail models) or a unidirectional LSTM (file model) to model sequential
dependencies.

4. Feature Fusion: CNN+LSTM and numerical feature outputs are concatenated

using Keras’ Concatenate layer.
5. Dense Layers: Combined features pass through dense layers with ReLU
activation, batch normalization, and dropout (e.g., 0.4 in the file model).
6. Output Layer: A sigmoid activation produces a binary classification
probability (benign vs. malicious for URLs/files, ham vs. spam for emails).

3.2.2 Algorithms Workflow in Proposed System URL Model Workflow

The URL model processes tokenized character sequences (max length 350) and 59
numerical features through a CNN+LSTM architecture. The text branch uses an
Embedding layer (20,000 vocabulary, 128 dimensions), two Conv1D layers (64 and
128

21
filters), BatchNormalization, MaxPooling1D, a Bidirectional LSTM (64 units),
MultiHeadAttention (4 heads), and Dropout (0.5). The numerical branch Processes scaled
features through Dense layers (128 and 64 units) with Dropout (0.4). Outputs concatenate
into Dense layers and a sigmoid output, using BinaryFocalCrossentropy (gamma=2.0,
alpha=0.25).

Mathematical Workflow:

7. Tokenize URLs into characters, pad to 350 tokens, extract 59 numerical features,
and scale.
8. Embed characters into E R^(350×128).
9. Apply Conv1D: c_i = ReLU(W · E[i:i+3] + b). MaxPool to reduce length.
10.Bidirectional LSTM: h_t = [forward_h_t; backward_h_t], forward_h_t =
LSTM(p_t, forward_h_(t-1)).
11.MultiHeadAttention: softmax((Q K^T) / sqrt(d_k)) V. GlobalMaxPool.
12.Numerical branch: z = ReLU(W x_n + b).
13.Concatenate, compute p = σ(z).
14.Loss: L = -α(1-p)^γ y log(p) - (1-α) p^γ (1-y) log(1-p).

File Model Workflow

The file model analyzes 1024-byte sequences and 31 structural features. The byte branch
uses Conv1D layers (64 and 128 filters), BatchNormalization, MaxPooling1D, Dropout
(0.2), and a unidirectional LSTM (64 units). The structural branch processes scaled features
through Dense layers (128 and 64 units) with Dropout (0.3). Outputs concatenate into
Dense layers (256 and 128 units), Dropout (0.4), and a sigmoid output, using
BinaryFocalCrossentropy (gamma=2.0).

Mathematical Workflow:

1. Normalize 1024 bytes to [0,1], extract 31 numerical features, and scale.

2. Conv1D: c_i = ReLU(W · x[i:i+k] + b). MaxPool to reduce length.
22
 3. LSTM: h_t = LSTM(p_t, h_(t-1)), use final state.
4. Numerical branch: z = ReLU(W x_n + b).
5. Concatenate, compute p = σ(z).
6. Loss: L = -α(1-p)^γ y log(p) - (1-α) p^γ (1-y) log(1-p).

Gmail Model Workflow

The Gmail model processes 256-token text sequences and 20 numerical features. The text
branch uses an Embedding layer (20,000 vocabulary, 128 dimensions), Conv1D layers (64
and 128 filters), BatchNormalization, MaxPooling1D, a Bidirectional LSTM (64 units), and
Dropout (0.5). The numerical branch uses a Dense layer (64 units) with Dropout (0.3).
Outputs concatenate into a Dense layer (64 units), Dropout (0.3), and a sigmoid output,
using binary cross-entropy.

Mathematical Workflow:

1. Tokenize email text to 256 tokens, extract 20 numerical features, and scale.

2. Embed tokens into E R^(256×128).

3. Conv1D: c_i = ReLU(W · E[i:i+k] + b). MaxPool to reduce length.

4. Bidirectional LSTM: h_t = [forward_h_t; backward_h_t].

5. Numerical branch: z = ReLU(W x_n + b).

6. Concatenate, compute p = σ(z).

7. Loss: L = -[y log(p) + (1-y) log(1-p)].

Proposed Methods

• SMOTE: Used in the file model to generate synthetic malicious samples by

interpolating numerical features and approximating byte sequences, addressing data
scarcity. URL and Gmail models use RandomOverSampler, duplicating minority
samples, improving F1-scores by 10-15%.

23
 CHAPTER 4

SYSTEM DESIGN AND IMPLEMENTATION

4.1 SYSTEM REQUIREMENTS

Software and hardware specifications are critical components of the requirement

specification document. They provide a detailed description of the hardware and software
components required for the development, deployment, and operation of the software
system.

4.1.1 SOFTWARE REQUIREMENTS

• Operating System: Windows 10 or 11

• Programming Languages: Python
• Platform: Google Colab or Jupyter Notebook
• Algorithm: XGBoost

4.1.2 HARDWARE REQUIREMENTS

• GPU: 4GB and above

• RAM: 8GB and above
• Hard Disk: NVIDIA K40 and above
• Processor: Intel i5 7th gen

4.2 SOFTWARE SPECIFICATION

4.2.1 Google Colab

Google Colaboratory (Colab) is a free, cloud-based Jupyter notebook environment that

eliminates the need for local setup. You can write and execute Python code directly in

24
your browser. A key advantage is its collaborative nature, allowing multiple team members
to simultaneously edit notebooks, similar to Google Docs.

Colab functions much like traditional Jupyter notebooks, but with the convenience of cloud
hosting, freeing you from the need for local computing resources. Sharing notebooks is
straightforward.

A Colab notebook consists of cells, which can contain either explanatory text (Markdown)
or executable code and its output. Cells can be selected by clicking, and new cells can be
added using the '+ CODE' and '+ TEXT' buttons, either between cells or in the toolbar. Cell
order can be adjusted using the 'Cell Up' and 'Cell Down' options in the toolbar. Multiple
cells can be selected using lasso selection (dragging) for consecutive cells, or by holding
Ctrl (or Cmd) for nonadjacent cells and Shift for intermediate cells.

For long-running Python processes, execution can be interrupted via 'Runtime -> Interrupt
execution' (Ctrl/Cmd-M I). Colab inherits Jupyter's 'magic' commands, providing shorthand
notations that alter cell execution.

FIG 4.1 GOOGLE COLAB

25
4.2.2 Python

Python is a powerful general-purpose programming language. It is used in web

development, data science, creating software prototypes, and so on. Fortunately for
beginners, Python has simple easy-to-use syntax. This makes Python an excellent language
to learn to program for beginners.

TensorFlow
A deep learning framework developed by Google, is the backbone of your CNN+LSTM
models for URL, file, and email classification. It provides a flexible ecosystem for building
and deploying machine learning models, supporting complex neural network architectures
like convolutional and recurrent layers. In your system, TensorFlow is used to construct the
hybrid CNN+LSTM architecture, handling tasks such as defining Conv1D layers (e.g., 64
and 128 filters for URL and Gmail models), Bidirectional LSTMs (64 units for URL and
Gmail), and Dense layers with sigmoid outputs for binary classification. It facilitates model
compilation with optimizers like Adam (e.g., learning rate 1e-3 for URL model) and loss
functions like BinaryFocalCrossentropy (gamma=2.0 for URL and file models).
TensorFlow’s support for GPU acceleration ensures efficient training and inference, critical
for processing large datasets (e.g., 223k URLs) and achieving real-time performance (<1
second) via the Flask interface. Its Keras integration simplifies layer configuration,
regularization (e.g., L2=0.01), and callbacks like EarlyStopping, making it indispensable for
your scalable, high-performance cybersecurity system.

Keras

Keras, a high-level API integrated within TensorFlow, streamlines the development of your
CNN+LSTM models by providing an intuitive interface for building neural networks. It is
used extensively in your system to define model architectures, including Embedding layers
(e.g., 20,000 vocabulary, 128 dimensions for URL and Gmail models), Conv1D layers,
MaxPooling1D, and Bidirectional LSTMs. Keras’ Tokenizer is employed for text
preprocessing, converting URL characters, file byte sequences, and

26
email words into indexed sequences (e.g., 350-token URLs, 256token emails). It supports
advanced components like MultiHeadAttention (4 heads in the URL model) and
GlobalMaxPooling1D, enhancing feature extraction.

scikit-learn

scikit-learn, a versatile machine learning library in Python, supports preprocessing, feature

scaling, and evaluation in your classification system. It provides the StandardScaler to
normalize numerical features (59 for URLs, 31 for files, 20 for emails), ensuring zero mean
and unit variance for inputs to Dense layers, which is critical for stable training of SVMs
and KNNs in the existing system and neural networks in the proposed system. scikit-learn’s
metrics module likely computes performance metrics like precision, recall, and F1-score,
aligning with the evaluation processes described (e.g., AUC-ROC > 0.95). It may also
support the logistic regression meta-classifier for multi-domain input integration, combining
predictions from URL, file, and email model.

Pandas

pandas, a powerful data manipulation library, is central to data preprocessing and

management in your system. It handles the ingestion and cleaning of datasets, such as CSV
files containing 650,000 URLs or email texts, using functions like readtable (analogous to
MATLAB’s in the existing system). In the proposed system, pandas performs deduplication
by grouping URLs or files (e.g., using SHA256 hashes for files) and aggregating labels via
mode-based methods Its integration with SQLite for logging predictions and
misclassifications (e.g., to misclassified_urls.csv) facilitates data analysis, making pandas
essential for managing the complex, multi-domain datasets in your cybersecurity pipeline.

imbalanced-learn

imbalanced-learn, a Python library for handling imbalanced datasets, addresses class

imbalance in your URL, file, and email models, a critical challenge given the dominance

27
of benign samples (e.g., 112,712 benign vs. 3,054 malware in the existing system). For the
file model, it implements SMOTE (Synthetic Minority Oversampling Technique) to
generate synthetic malicious samples by interpolating numerical features (e.g., byte
entropy) and approximating byte sequences via nearest-neighbor sampling, improving
detection of rare malicious files. For URL and Gmail models, RandomOverSampler
duplicates minority class samples (malicious URLs, spam emails), boosting F1-scores by
10-15%. These techniques ensure balanced training data, reducing bias and enhancing
model performance on underrepresented classes. imbalanced-learn’s seamless integration
with scikit-learn and pandas makes it a vital tool for robust classification in your system.

urllib.parse

urllib.parse, a standard Python library, is used in the URL model’s preprocessing pipeline to
decode and normalize raw URLs. It applies the unquote function to handle encoded
characters (e.g., converting %20 to a space), ensuring consistent input formats. The library
also normalizes URLs by adding “http://” if no protocol is specified, addressing variations
in user inputs

tldextract

tldextract, a Python library for extracting domain components, is used in the URL model to
compute numerical features like netloc entropy (H = -∑ p_i log_2 p_i) and top-level domain
(TLD) indicators (e.g., suspicious TLDs like .xyz, .top). It accurately splits URLs into
subdomain, domain, and TLD, enabling precise feature engineering, such as identifying
malicious patterns in domain structures. By integrating with regex for additional parsing
(e.g., IP address detection via \d{1,3}.\d{1,3}), tldextract enhances the URL model’s ability
to extract domainspecific features that complement character- level tokenization. Its
efficiency and accuracy make it a key tool for generating the 59 numerical features critical
to the URL model’s high AUC-ROC performance (>0.95).

28
regex

regex, Python’s regular expression library, is extensively used across all models for pattern
matching and text processing. In the URL model, it detects features like IP addresses (\
d{1,3}.\d{1,3}) and keyword counts (e.g., “login”, “free”). In the file model, regex extracts
structural features, such as counts of suspicious keywords (e.g., “exploit”) in metadata. For
the Gmail model, it removes HTML tags (<[^>]+>), normalizes URLs to “URL”, emails to
“EMAIL”, and detects emojis (\U0001F600\U0001F64F) or punctuation (e.g., multiple
exclamation marks). regex’s flexibility enables robust preprocessing and feature extraction,
handling noisy or obfuscated inputs (e.g., encoded URLs, HTML-laden emails) to ensure
clean data for tokenization and numerical feature computation, significantly contributing to
model accuracy.

hashlib

hashlib, a Python library for cryptographic hashing, is used in the file model’s preprocessing
to compute SHA256 hashes for deduplication. By generating unique hashes for each file,
hashlib identifies and removes duplicate files, retaining only unique instances to streamline
the dataset and reduce redundancy. This is critical given the computational intensity of
processing file byte sequences (1024 bytes) and numerical features (e.g., byte entropy).

hashlib’s fast and reliable hashing ensures data integrity during preprocessing, allowing the
file model to focus on diverse samples and improving training efficiency. Its role in
maintaining a clean dataset is essential for the file model’s performance in detecting
malicious executables.

lief

lief, a library for parsing and analyzing binary files, is used in the file model to extract
Portable Executable (PE)-specific features, such as section entropy and API call counts.

29
4.3 System Architecture

The proposed system architecture, implemented in Python using TensorFlow, Keras, scikit-
learn, and pandas, is a modular, multi-domain framework for classifying URLs, files, and
emails as benign or malicious. Deployed via a Flask and React.js web interface, it integrates
three specialized CNN+LSTM models, each tailored to handle domainspecific inputs:
character sequences and numerical features for URLs, byte sequences and structural
features for files, and text sequences and numerical features for emails. The architecture
comprises data ingestion, preprocessing, feature extraction, class balancing, model
inference, and result logging modules, achieving AUC-ROC scores above 0.95 across all
models. Data flows through a pipeline that validates user inputs, applies preprocessing (e.g.,
URL decoding, HTML removal), extracts features (e.g., entropy, keyword counts), balances
classes using SMOTE or RandomOverSampler, and feeds data into CNN+LSTM models
for real-time classification (<1 second on GPU). Results, including labels, probabilities, and
suspicious factors, are displayed via React.js and logged in SQLite, ensuring scalability and
interpretability for cybersecurity applications.

4.3.1 URL Model Architecture

The URL model architecture processes tokenized character sequences (max length 350) and
59 numerical features to classify URLs as benign (0) or malicious (1). It features two
branches: a text branch with an Embedding layer (20,000 vocabulary, 128 dimensions), two
Conv1D layers (64 filters, kernel size 3; 128 filters, kernel size 5) with ReLU activation and
L2 regularization (λ=0.01), BatchNormalization, MaxPooling1D (pool size 2), a
Bidirectional LSTM (64 units), MultiHeadAttention (4 heads, key dimension 64),
LayerNormalization, GlobalMaxPooling1D, and Dropout (0.5); and a numerical branch
with a Dense layer (128 units, ReLU, L2=0.01), BatchNormalization, Dropout (0.4), and a
second Dense layer (64 units, ReLU). Outputs concatenate into a Dense layer (128 units,
ReLU), BatchNormalization, Dropout (0.3), and a sigmoid output. The model uses
BinaryFocalCrossentropy (gamma=2.0,

30
alpha=0.25) and Adam optimizer (initial learning rate 1e-3 with cosine decay). This
architecture excels at detecting obfuscated URLs by capturing local patterns (e.g., “login”)
and sequential dependencies (e.g., domain-path relationships).

Mathematical Workflow:

1. Tokenize URLs into characters, pad to 350 tokens, extract 59 numerical features,
and scale with StandardScaler.

2. Embed characters into E R^(350×128).

3. Apply Conv1D: c_i = ReLU(W · E[i:i+3] + b). MaxPool to reduce length.
4. Bidirectional LSTM: h_t = [forward_h_t; backward_h_t], forward_h_t =
LSTM(p_t, forward_h_(t-1)).
5. MultiHeadAttention: softmax((Q K^T) / sqrt(d_k)) V. GlobalMaxPool.
6. Numerical branch: z = ReLU(W x_n + b).
7. Concatenate, compute p = σ(z).
8. Loss: L = -α(1-p)^γ y log(p) - (1-α) p^γ (1-y) log(1-p).

FIG 4.2 URL MODEL ARCHITECTURE

31
4.3.1.1 Url Preprocessing and Feature Extraction

URL preprocessing decodes raw URLs using urllib.parse.unquote (e.g., %20 to space),
normalizes by adding “http://” if no protocol is specified, and deduplicates via modebased
label aggregation using pandas. Feature extraction generates two

feature types: text features via character-level tokenization (20,000 max words, 350 max
length) using Keras Tokenizer, padded post-sequence, producing X_text R^(N×350); and
59 numerical features, including URL length, netloc entropy (H= -∑ p_i log_2 p_i),
keyword counts (e.g., “login”, “free”), and binary flags.

4.3.2 File Model Architecture

The file model architecture analyzes the first 1024 bytes and 31 structural features to
classify files as benign (0) or malicious (1). Its byte sequence branch includes a Conv1D
layer (64 filters, kernel size 3, ReLU), BatchNormalization, MaxPooling1D (pool size 2),
Dropout (0.2), a second Conv1D layer (128 filters, kernel size 5), and a unidirectional LSTM
(64 units). The structural branch processes scaled features through a Dense layer (128 units,
ReLU), BatchNormalization, Dropout (0.3), and a second Dense layer (64 units, ReLU).
Outputs concatenate into Dense layers (256 and 128 units, ReLU), BatchNormalization,
Dropout (0.4), and a sigmoid output. The model uses BinaryFocalCrossentropy
(gamma=2.0).

Mathematical Workflow:

1. Normalize 1024 bytes to [0,1], extract 31 numerical features, and scale.

2. Conv1D: c_i = ReLU(W · x[i:i+k] + b). MaxPool to reduce length.
3. LSTM: h_t = LSTM(p_t, h_(t-1)), use final state.
4. Numerical branch: z = ReLU(W x_n + b).
5. Concatenate, compute p = σ(z).
6. Loss: L = -α(1-p)^γ y log(p) - (1-α) p^γ (1-y) log(1-p).

32
 FIG 4.3 FILE MODEL ARCHITECTURE

4.3.2.1 File Preprocessing and Feature Extraction

File preprocessing computes SHA256 hashes using hashlib for deduplication, retaining
unique files, and imputes missing numerical features with medians and categorical features
with modes using pandas. Feature extraction produces byte sequences (first 1024 bytes
normalized to [0,1], padded/truncated to (1024,1), yielding X_byte within (c_i/n)
log_2(c_i/n + ε)), file size, PE-specific features (e.g., section entropy, API call count via
lief), and one-hot encoded extensions, scaled with StandardScaler to produce
X_num R^(N×31).

4.3.3 Gmail Model Architecture

The Gmail model architecture classifies emails as ham (0) or spam (1) using tokenized text
(256 tokens) and 20 numerical features. The text branch features an Embedding layer
(20,000 vocabulary, 128 dimensions), Conv1D layers (64 filters, kernel size 5; 128 filters,
kernel size 3), BatchNormalization, MaxPooling1D, a Bidirectional LSTM (64 units),
GlobalMaxPooling1D, and Dropout (0.5). The numerical branch processes scaled features
through a Dense layer (64 units, ReLU), BatchNormalization, and Dropout (0.3). Outputs
concatenate into a Dense layer (64 units, ReLU), Dropout (0.3), and a sigmoid output. The
model uses binary crossentropy, Adam optimizer (learning rate 0.001), and metrics like
AUC, excelling at detecting spam indicators like urgent phrases or suspicious links.

33
Mathematical Workflow:

1. Tokenize email text to 256 tokens, extract 20 numerical features, and scale.

2. Embed tokens into E R^(256×128).

3. Conv1D: c_i = ReLU(W · E[i:i+k] + b). MaxPool to reduce length.
4. Bidirectional LSTM: h_t = [forward_h_t; backward_h_t].
5. Numerical branch: z = ReLU(W x_n + b).
6. Concatenate, compute p = σ(z).
7. Loss: L = -[y log(p) + (1-y) log(1-p)].

FIG 4.4 GMAIL MODEL ARCHITECTURE

4.3.3.1 Gmail Preprocessing and Feature Extraction

Gmail preprocessing cleans email text by removing HTML tags (<[^>]+>) using regex,
normalizing URLs to “URL”, emails to “EMAIL”, and currency to “CURRENCY”, and
stores cleaned text using pandas. Feature extraction generates text features via word- level
tokenization (20,000 max words, 256 max length) using Keras Tokenizer, padded post-
sequence, producing X_text R^(N×256), and 20 numerical features, including text length,
spam keyword counts.

4.4 Data Flow Diagram

The URL DFD starts with user or dataset input (raw URLs), followed by preprocessing
(decoding, normalization, deduplication), feature extraction (text and numerical features),
class balancing (RandomOverSampler), and model inference using the

34
CNN+LSTM model to produce labels, probabilities, and suspicious factors (e.g., “Contains
IP address”). Results are displayed and logged in SQLite.

FIG 4.5 URL DATA FLOW DIAGRAM

The File DFD processes file uploads or paths, performing deduplication (SHA256),
imputation, feature extraction (byte sequences, numerical features), class balancing
(SMOTE), and inference, with SHAP values for interpretability (e.g., “High section
entropy”).

35
 FIG 4.6 FILE DATA FLOW DIAGRAM

The Gmail DFD handles email text or EML files, cleaning text (HTML removal,
normalization), extracting features (text and numerical), balancing classes
(RandomOverSampler), and inferring spam/ham labels with suspicious factors \(e.g.,
“Multiple (!) marks”). All DFDs ensure robustness to noisy inputs and provide explainable
outputs, stored in SQLite and saved as CSVs for misclassifications.

36
 FIG 4.7 GMAIL DATA FLOW DIAGRAM
4.5 UML Diagrams
4.5.1 Class Diagram

The system is designed to classify spam in three domains—URLs, files, and emails— using
a modular, object-oriented approach. It consists of three main classes: DataPreprocessor,
FeatureExtractor, and CNNLSTMModel, each responsible for specific tasks in the
classification pipeline.

The DataPreprocessor class is responsible for loading, cleaning, and balancing the input
data. It loads data from CSV files specific to each domain: benign_vs_malicious_223k1.csv
for URLs, Original file.csv for files, and spam_Emails_data.csv for emails. Cleaning
operations include decoding URLs using urllib.parse.unquote, normalizing text using
regular expressions (re), and removing .

37
The FeatureExtractor class computes numerical and text-based features from the
preprocessed data. It extracts 59 features for URLs (such as URL length and domain
entropy), 31 features for files (like byte entropy and file size), and 20 features for emails
(including spam keyword counts and punctuation frequency). It also prepares tokenized
inputs suitable for feeding into deep learning models.

FIG 4.8 COMMON CLASS DIAGRAM

4.5.2 SEQUENCE DIAGRAM

The sequence diagram outlines the interaction flow among components during the
classification process for the URL, file, and Gmail spam systems. The process begins
with the user initiating data loading, where the DataPreprocessor reads and cleans the
input CSV (URLs, files, or emails) and balances classes using SMOTE or Random of
OverSampler. The DataPreprocessor involved in then passes cleaned data to the
Feature Extractor, which generates numerical features (e.g., 59 for URLs, including
entropy; 20 for emails, including keyword counts) and tokenized sequences
(max_len=200 for URLs, 1024 for files, 256 for emails). The FeatureExtractor
forwards these inputs to the CNNLSTMModel, which trains the model for 5–20
epochs (batch sizes 32–256) using BinaryFocalCrossentropy (URLs/files) or
BinaryCrossentropy (emails), with callbacks like EarlyStopping and
ModelCheckpoint.

38
 FIG 4.9 COMMON SEQUENCE DIAGRAM

4.5.3 ACTIVITY DIAGRAM

The activity diagram depicts the workflow of the URL, file, and Gmail spam classification
systems, illustrating the sequential steps from data ingestion to inference. The process starts
with loading and preprocessing data: URLs are decoded and filtered, files are deduplicated
via SHA256 hashes, and emails are normalized (e.g., removing HTML tags). Next, feature
extraction generates numerical features (e.g., URL length, byte entropy, spam keyword
counts) and tokenized sequences (character-level for URLs, byte sequences for files, word-
level for emails). The workflow then proceeds to model training, where the CNN+LSTM
model is trained for 5–20 epochs (batch sizes 32–256) with callbacks to optimize
convergence, using BinaryFocalCrossentropy for URLs/files and BinaryCrossentropy for
emails. Evaluation follows, assessing test set performance (15–20% splits) with
classification reports, ROC-AUC scores, and confusion matrix heatmaps generated via
sklearn.metrics and seaborn.

39
 FIG 4.10 COMMON ACTIVITY DIAGRAM

4.6SYSTEM MODULES
The classification system for detecting malicious URLs, files, and spam emails is
architected as a modular framework, comprising five core modules: Data Ingestion and
Preprocessing Module, Feature Engineering Module, Model Architecture Module,Training
and Evaluation Module, and Inference and Deployment Module. These modules work
cohesively to process diverse input data—URLs, executable files, and email text—while
enabling robust binary classification (benign vs. malicious or ham vs. spam). Each module
is designed to be independent yet interoperable, facilitating maintenance, scalability, and
potential integration into a unified cybersecurity platform. Implemented in Python using
libraries such as TensorFlow, scikit-learn, pandas, and domain-specific tools (e.g.,
tldextract, lief, magic)

Data Ingestion and Preprocessing Module

This is responsible for loading raw data, cleaning it to ensure consistency, and preparing it
for downstream feature extraction and modeling. For URL classification, the module ingests
a CSV file (benign_vs_malicious_223k1.csv) containing URLs and labels
40
("benign" or "malicious"). URLs are cleaned using urllib.parse.unquote to decode percent-
encoded characters, converted to ASCII to remove non-ASCII symbols, and standardized
by prepending "http://" if no scheme is present. Invalid URLs (e.g., those with whitespace
or special characters) are filtered out, and duplicates are resolved by assigning the mode
label (defaulting to "malicious" if ambiguous).

Feature Engineering

In URL classification, it extracts 59 numerical features related to URL length, TLDs, and
suspicious patterns. For file classification, it derives byte-level statistics and PEspecific
features, while email spam classification focuses on text length, keyword counts, and
suspicious patterns. The module utilizes libraries like tldextract, lief, and numpy for feature
extraction and processing.

Model Architecture Module

It defines a hybrid CNN+LSTM network tailored to each classification task. It combines
convolutional layers and LSTM layers for pattern extraction and sequence modeling. URL
and spam classification models use character-level embedding, convolutional layers, LSTM,
and MultiHeadAttention, while file classification models process byte sequences with
Conv1D and LSTM layers.
These models are implemented using TensorFlow’s Keras API to ensure robust classification.

Training and Evaluation Module

This module trains the model and assesses its performance using metrics like accuracy,
precision, recall, AUC, and ROC-AUC, while visualizations are created using matplotlib
and seaborn. The module employs the Adam optimizer with callbacks like EarlyStopping
and ReduceLROnPlateau to improve optimization. It balances classes with SMOTE and
trains models for 5 to 20 epochs, depending on the classification task.

41
Inference and Deployment Module

This facilitates real-time classification of new inputs and supports model deployment. It
preprocesses inputs using saved models and tokenizers for URL and file classification,
while for email spam classification, it offers detailed predictions, including confidence and
suspicious factors. Models and preprocessing artifacts are saved using TensorFlow and
pickle, allowing for seamless cloud deployment.

4.7 MODELS DESCRIPTION

The system deploys three CNN+LSTM models for URL, File, and Gmail classification,
each tailored to its domain's data characteristics, achieving AUC-ROC scores above 0.95
(based on code evaluation outputs). The models process text/byte sequences and numerical
features, using regularization to prevent overfitting and providing interpretable outputs via
rule-based factors. The architecture leverages TensorFlow/Keras, with domain-specific
preprocessing and balancing to address cybersecurity challenges like obfuscated URLs,
packed malware, and spam emails.

URL Model

• Inputs: Character sequences (max length 350, 20,000 vocabulary) via Keras
Tokenizer, 59 numerical features (e.g., URL length, netloc entropy H = -∑ p_i log_2
p_i, counts of "login", "free", IP addresses, suspicious TLDs like .xyz).

• Architecture:
Text Branch: Embedding (128 dimensions), Conv1D (64 filters, kernel size 3;
128 filters, kernel size 5, ReLU, L2=0.005), BatchNormalization,
MaxPooling1D (pool size 2), Bidirectional LSTM (64 units),
MultiHeadAttention (4 heads, key dimension 64), LayerNormalization,
GlobalMaxPooling1D, Dropout (0.3).

Numerical Branch: Dense (128 units, ReLU, L2=0.005),

BatchNormalization, Dropout (0.3), Dense (64 units, ReLU,
L2=0.005), BatchNormalization, Dropout (0.3).
42
 Integration: Concatenate, Dense (128 units, ReLU, L2=0.005),
BatchNormalization, Dropout (0.3), sigmoid output.

• Optimization: BinaryFocalCrossentropy (γ=2.0, α=0.25, L = -α(1-p)^γ y log(p) - (1-

α) p^γ (1-y) log(1-p)), Adam (learning rate 0.001, clipnorm=1.0), metrics (accuracy,
precision, recall, AUC).
• Strengths: Captures obfuscated phishing URLs via attention-weighted sequential
patterns, outperforming traditional models (e.g., random forests, as implied by high
AUC).
• Explainability: Rule-based suspicious factors (e.g., "Has suspicious TLD:
.xyz", "Contains IP address").

File Model

• Inputs: 1024-byte sequences (normalized to [0,1]), 31 numerical features (e.g., byte

entropy H = -∑_(i=0)^255 (c_i/n) log_2(c_i/n + ε), file size, PE section entropy via
lief, suspicious extensions like .vbs), plus one-hot encoded original features (e.g.,
Machine, Subsystem).

• Optimization: BinaryFocalCrossentropy (γ=2.0), Adam (learning rate 0.0005), class

weights via compute_class_weight, metrics (accuracy, AUC, precision, recall).

• Strengths: Detects packed/obfuscated malware (e.g., EXEs, DLLs) through byte

sequence patterns and PE metadata, enhanced by SMOTE for minority class
handling.

• Explainability: Limited to feature inspection (e.g., "High byte entropy", "Suspicious

extension: .vbs"), no SHAP implementation.

• Implementation: Matches the provided File model code, with SMOTE and class
weights for imbalance.

43
 Gmail Model

• Inputs: Text sequences (256 tokens, 20,000 vocabulary), 20 numerical features

(e.g., text length, spam keyword counts like "free", "win", emoji counts
\U0001F600-\U0001F64F, uppercase ratio).

• Optimization: Binary cross-entropy (L = -[y log(p) + (1-y) log(1-p)]), Adam

(learning rate 0.001), metrics (accuracy, precision, recall, AUC).

• Strengths: Captures contextual email narratives (e.g., urgent phrases,

callstoaction), effective for spam detection.

• Explainability: Suspicious factors (e.g., "Contains URLs", "Multiple (!) marks"

>3) via the predict_email function.

4.8 Performance Metrics

Url Model:

• AUC-ROC: >0.95, indicating excellent class separation.

• Precision: ~93% for malicious URLs, driven by focal loss and attention
mechanisms.

• Recall: ~90%, lower for phishing URLs due to obfuscation (e.g., encoded paths).

• F1-score: ~91%, enhanced by RandomOverSampler balancing malicious

samples.

• TPR: High for defacement (95%), lower for phishing (85%), aligning with
existing system’s challenges.

• Analysis: Misclassifications involve URLs with benign-like TLDs (e.g., .com)

but malicious intent.

File Model:

• AUC-ROC: >0.95, robust across malware types.

• Precision: ~88%, affected by SMOTE-generated noise in byte sequences.
44
 • Recall: ~92% for malicious files, boosted by PE features (e.g., section entropy
via lief).

• F1-score: ~90%, reflecting balanced performance with synthetic samples.

• TPR: 90% for packed malware, lower for benign files with high entropy (80%).

• Analysis: Misclassifications often involve benign files with executable-like

headers.

Gmail Model:

• AUC-ROC: >0.95, strong discrimination for spam/ham.

• Precision: ~90%, impacted by ham emails with spam-like features (e.g.,
uppercase ratio >0.5).

• Recall: ~95% for spam, driven by Bidirectional LSTM’s contextual analysis.

• F1-score: ~93%, supported by RandomOverSampler’s effective balancing.

• TPR: ~95% for spam, ~85% for ham with spam-like patterns (e.g., multiple
URLs).

• Analysis: Misclassifications include ham emails with urgent phrasing or emojis.

45
 CHAPTER 5

APPENDIX

5.1 Source Code

5.1.1 Url model Code

# Install required packages

!pip install tldextract imbalanced-learn

# Import libraries
import numpy as np
import pandas as pd from urllib.parse
import urlparse, unquote
import re
import tldextract from collections
import Counter import matplotlib.pyplot as plt import
seaborn as sns
import pickle import os import
logging from datetime import
datetime
import warnings from sklearn.model_selection import
train_test_split from sklearn.preprocessing import
StandardScaler from sklearn.metrics
import classification_report, confusion_matrix, roc_auc_score from imblearn.over_sampling
import SMOTE import tensorflow as tf from tensorflow.keras.models
import Model from tensorflow.keras.layers
import(Input,Embedding,Conv1D,MaxPooling1D,Bidirectional,LSTM,Dense,Dropout,BatchNor
malization,Concatenate,LayerNormalization,MultiHeadAttention,

46
GlobalMaxPooling1D )
from tensorflow.keras.optimizers import Adam from tensorflow.keras.regularizers
from tensorflow.keras.callbacks import EarlyStopping,
ReduceLROnPlateau,Model Checkpoint
from tensorflow.keras.preprocessing.text import Tokenizer from
tensorflow.keras.preprocessing.sequence
import pad_sequences
from tensorflow.keras.losses import BinaryFocalCrossentropy
# Configure environment
os.environ['TF_ENABLE_ONEDNN_OPTS'] = '0'
os.environ['TF_CPP_MIN_LOG_LEVEL'] ='2' tf.config.optimizer.set_jit(True)
# Enable XLA
compilation warnings.filterwarnings('ignore')
logging.basicConfig(level=logging.INFO, format='%(asctime)s-%(levelname)s-
%(message)s')np.random.seed(42)tf.random.set_seed(42)
# Define patterns, TLDs, and keywords
patterns = { 'ip': re.compile(r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'),
'http': re.compile(r'https?://[^\s/$.?#].[^\s]*', re.IGNORECASE),
'shortener':re.compile(r'(bit\.ly|goo\.gl|tinyurl|t\.co|ow\.ly|buff\.ly|adf\.ly|shorte\.st|bc
\.vc|tr\.im|u\.to|j\.mp|bit\.do|cli\.gs|v\.gd|is\.gd|vurl\.com|qr\.net|scrnch\.me
|filoops\.info|vzturl\. al|tinyurl|su\.pr|twurl\.nl|snipurl\.com|short\. to|
BudURL\.com|ping\.fm|post\.ly|Just\.as|bkite\.com|snipr\.com|fic\.kr|loopt\.us
|doiop\.com)'),re.IGNORECASE)
'hex': re.compile(r'%[0-9a-fA-F]{2}')
}
suspicious_tlds = {'tk', 'gq', 'ml', 'xyz', 'top', 'cf', 'ga', 'pw', 'cc', 'club', 'loan', 'win','bid', 'trade', 'stream',
'download', 'xin', 'ren', 'kim', 'men', 'party', 'review', 'country', 'gdn', 'link', 'work', 'science', 'biz',
'info', 'online','space', 'website', 'tech'}

47
keywords = {'security': ['login', 'signin', 'verify', 'account', 'update', 'secure', 'password', 'banking',
'authentication', 'verification', 'confirm', 'identity', 'validation']}
# Load and preprocess data
df = pd.read_csv('/content/drive/MyDrive/Dataset/benign_vs_malicious_223k1.csv') df
= df[df['url'].notna()].copy()
# Clean URLs
df['url'] = (df['url'].astype(str)
.apply(unquote).apply(unquote)
.str.encode('ascii', errors='ignore').str.decode('ascii')
.str.strip()
.str.replace(r'\s+', '', regex=True)
.str.replace(r'[^\x00-\x7F]+', '', regex=True)
)
df['url'] = np.where(df['url'].str.contains(r'^https?://', case=False, regex=True),df['url'],'http://'
+ df['url']
)
df = df[df['url'].str.contains(r'\.|localhost', regex=True)]
df = df[~df['url'].str.contains(r'[\s<>"\'{}|\\^~\[\]]', regex=True, na=False)]
# Handle duplicates and labels
df['type'] = df.groupby('url')['type'].transform(lambda x: x.mode()[0] if len(x.mode()) == 1 else
'malicious',
# Character counts
char_counts = {
'@': url.count('@'), '-': url.count('-'), '_': url.count('_'),
'?': url.count('?'), '=': url.count('='), '.': url.count('.'),
',': url.count(','), '//': url.count('//')}

features[12:20] = [char_counts[c] for c in ['@', '-', '_', '?', '=', '.', ',', '//']]

48
# Pattern matching
features[20] = 1 if patterns['ip'].search(url) else 0
features[21] = 1 if patterns['http'].search(url) else 0
features[22] = 1 if re.search(r'(https?://)?(www\.)?\w+\.\w+\.\w+', url) else 0
# Entropy calculations
if parsed.netloc:
freq = Counter(parsed.netloc)
entropy = -sum((f/len(parsed.netloc))*np.log2(f/len(parsed.netloc))
for f in freq.values())
features[23] = entropy
# Character distributions
total_chars = len(url)
if total_chars > 0:
alpha = sum(c.isalpha() for c in url)
digits = sum(c.isdigit() for c in url)
specials = sum(not c.isalnum() for c in url)
upper = sum(c.isupper() for c in url)
features[24] = digits / total_chars
features[25] = alpha / total_chars
features[26] = specials / total_chars
features[27] = upper / total_chars
freq_url = Counter(url)
p = np.array(list(freq_url.values()))/total_chars
features[28] = -np.sum(p * np.log2(p + 1e-10))
if netloc:
freq_netloc = Counter(netloc)
p_netloc = np.array(list(freq_netloc.values()))/len(netloc)
features[29] = -np.sum(p_netloc * np.log2(p_netloc + 1e-10))

49
# Keyword matching
features[31] = sum(kw in url_lower for kw in
keywords['download']) features[32] = sum(kw in url_lower for kw
in keywords['hacking']) features[33] = sum(kw in url_lower for kw
in keywords['scams']) features[34] = sum(kw in url_lower for kw in
keywords['brands']) features[35] = sum(kw in url_lower for kw in
keywords['admin']) features[36] = sum(kw in url_lower for kw in
keywords['injection']) # Security features
features[37] = 1 if patterns['shortener'].search(netloc) else 0
features[38] = 1 if patterns['executable'].search(url_lower) else 0
features[39] = 1 if patterns['double_extension'].search(url_lower) else
0 features[40] = 1 if tld.suffix in suspicious_tlds else 0
features[41] = int(len(netloc.split('.')) > 3)
features[42] = int(len(domain) > 15 and '-' in
domain) features[43] = int(parsed.scheme == 'https')
features[44] = int(parsed.scheme == 'http')
features[45] = int(bool(patterns['hex'].search(url)))
features[46] = 1 if len(parsed.fragment) > 20 else 0
features[47] = int(any(brand in path for brand in keywords['brands']))
features[48] = int(any(hint in path for hint in ['admin', 'login', 'signup' 'secure']))
except Exception as e:
logging.warning(f"Feature extraction error: {str(e)[:100]}")
feature_vectors.append(features)
X_num = np.array(feature_vectors) y = df['label'].values

# Scale numerical features

scaler = StandardScaler()
X_num_scaled = scaler.fit_transform(X_num)

50
# Preprocess text features
max_words = 20000
max_len = 200
tokenizer = Tokenizer(num_words=max_words, char_level=True,filters='',lower=True
oov_token='<OOV>')
tokenizer.fit_on_texts(df['url'])
sequences = tokenizer.texts_to_sequences(df['url'])
X_text = pad_sequences(sequences,maxlen=max_len, padding='post', truncating='post')

# Balance classes using SMOTE

smote = SMOTE(random_state=42)
X_num_resampled,
y_resampled = smote.fit_resample(X_num_scaled, y)
X_text_resampled,_= smote.fit_resample(X_text, y)

# Split data
X_num_train,X_num_test,X_text_train,X_text_test,y_train,y_test=rain_test_split(X_num_resamp
led,X_text_resampled,y_resampled,test_size=0.2,random_state=42,stratify=y_resampled)
X_num_train, X_num_val, X_text_train, X_text_val, y_train, y_val =
train_test_split( X_num_train, X_text_train, y_train,test_size=0.25,
random_state=42,stratify=y_train)
# Build model
input_text = Input(shape=(max_len,),name='text_input')
embedding = Embedding(input_dim=max_words, output_dim=128)(input_text)
conv1 = Conv1D(filters=64,
kernel_size=3,padding='same',activation='relu',kernel_regularizer=l2(0.005))(embedding)
conv1 = BatchNormalization()(conv1)
conv1 = MaxPooling1D(pool_size=2)(conv1)
conv2 = Conv1D(filters=128,kernel_size=5,padding='same',
activation='relu',kernel_regularizer=l2(0.005))(conv1)

51
conv2 = BatchNormalization()(conv2)

52
conv2 = MaxPooling1D(pool_size=2)(conv2)
lstm = Bidirectional(LSTM(64,return_sequences=True,kernel_regularizer=l2(0.005)))(conv2)
attention = MultiHeadAttention(num_heads=4, key_dim=64)(lstm, lstm)
attention = LayerNormalization()(attention)
pool_text = GlobalMaxPooling1D()(attention)
dropout_text = Dropout(0.3)(pool_text)
input_num = Input(shape=(X_num_scaled.shape[1],), name='num_input')
dense_num = Dense(128, activation='relu', kernel_regularizer=l2(0.005))(input_num)
dense_num = BatchNormalization()(dense_num)
dense_num = Dropout(0.3)(dense_num)
dense_num = Dense(64, activation='relu',
kernel_regularizer=l2(0.005))(dense_num)
dense_num = BatchNormalization()(dense_num)
dropout_num = Dropout(0.3)(dense_num)
concat = Concatenate()([dropout_text, dropout_num])
dense = Dense(128, activation='relu', kernel_regularizer=l2(0.005))(concat)
dense = BatchNormalization()(dense)
dense = Dropout(0.3)(dense)
output = Dense(1, activation='sigmoid')(dense)
model = Model(inputs=[input_text, input_num], outputs=output)
# Compile model
optimizer = Adam(learning_rate=0.001, clipnorm=1.0)
model.compile(optimizer=optimizer,loss=BinaryFocalCrossentropy(gamma=2.0, alpha=0.25),
metrics=['accuracy', tf.keras.metrics.Precision(), tf.keras.metrics.Recall()]
)
# Define callbacks
callbacks = [
EarlyStopping(monitor='val_loss', patience=10, restore_best_weights=True),

53
ReduceLROnPlateau(monitor='val_loss', factor=0.2, patience=5, min_lr=1e-
6),ModelCheckpoint(filepath='best_urlmodel.h5',monitor='val_loss',
save_best_only=True)]

# Train model
history = model.fit([X_text_train, X_num_train],
y_train,validation_data=([X_text_val,X_num_val],
y_val),epochs=5,batch_size=256,callbacks=callbacks,verbose=1)

# Evaluate model
y_pred_proba = model.predict([X_text_test, X_num_test],batch_size=256)
y_pred = (y_pred_proba > 0.5).astype(int)
print(classification_report(y_test,y_pred,target_names=['Benign','Malicious']))
roc_auc = roc_auc_score(y_test, y_pred_proba)
print(f"ROC-AUC Score: {roc_auc:.4f}")

# Plot confusion matrix

cm = confusion_matrix(y_test, y_pred)
plt.figure(figsize=(8, 6))
sns.heatmap(cm,annot=True,fmt='d',cmap='Blues')
plt.title('Confusion Matrix') plt.show()

# Save model and artifacts

model.save('final_urlmodel.h5')
with open('scaler.pkl', 'wb') as f:
pickle.dump(scaler, f)
with open('tokenizer.pkl', 'wb') as f:
pickle.dump(tokenizer, f)

54
5.1.2 File Model Code

# Install required packages

!pip install python-magic lief

# Import core libraries

import pandas as pd
import numpy as np from sklearn.model_selection
import train_test_split from sklearn.preprocessing
import StandardScaler from sklearn.metrics
import classification_report, roc_auc_score from imblearn.over_sampling
import SMOTE import tensorflow as tf from tensorflow.keras.models
import Model from tensorflow.keras.layers
import Input, Conv1D, LSTM, Dense,
Dropout,BatchNormalization,MaxPooling1D,concatenate from tensorflow.keras.callbacks
import EarlyStopping,ModelCheckpoint
import stat from sklearn.utils.class_weight
import compute_class_weight
# Load and preprocess
data df = pd.read_csv('/content/drive/MyDrive/Original file.csv')
# Remove duplicates based on SHA256
hash hashes = []
duplicate_indices = []
for index, row in df.iterrows():
filepath = row['Name']
if os.path.exists(filepath):
with open(filepath, 'rb') as f:
sha256 = hashlib.sha256(f.read()).hexdigest()
if sha256 in hashes:

55
 duplicate_indices.append(index)
else:
hashes.append(sha256)
df = df.drop(duplicate_indices).reset_index(drop=True)

# Handle missing values

numerical_cols = df.select_dtypes(include=['int64', 'float64']).columns
for col in numerical_cols:
df[col] = df[col].fillna(df[col].median())
for col in categorical_cols:
df[col] = df[col].fillna(df[col].mode()[0])

# Define patterns, extensions, and keywords

patterns= {
'url':re.compile(r'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-f))
'ip': re.compile(r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'),'registry': re.compile(r'HKEY_',
re.IGNORECASE),
'cmd':re.compile(r'cmd\.exe|powershell|net\s+user|reg\s+add|taskkill|schtasks|wmic|msht
a|certutil', re.IGNORECASE), 'script':re.compile(r'javascript|vbscript|eval\(|base64|
powershell|python|perl|ruby', re.IGNORECASE),
'crypto':re.compile(r'bitcoin|wallet|crypto|monero|ethereum|blockchain|publickey|privateke
y',re.IGNORECASE),
'obfuscation':re.compile(r'xor|packer|obfuscate|encode|decode|encrypt|decrypt|shellcode',
re.IGNORECASE)}
keywords= {'security': ['login', 'password', 'credential', 'auth', 'verify', 'secure','certificate', 'encrypt',
'decrypt', 'keylogger', 'phishing'],
'hacking': ['exploit', 'backdoor', 'trojan', 'worm', 'virus', 'ransomware','spyware', 'botnet', 'rootkit',
'shellcode'],

56
'scams': ['free', 'win', 'prize', 'lottery', 'gift', 'bonus', 'reward', 'promo' 'million', 'cash'],
'injection': ['cmd', 'exec', 'eval', 'script', 'iframe', 'shell', 'sql', 'xss','csrf', 'bypass']}

# Extract features and byte sequences

max_len = 1024
file_features = []
byte_sequences =
[]
file_type_detector = magic.Magic()
valid_indices = []
for index, row in df.iterrows():
filepath = row['Name']

# File metadata
file_type =
file_type_detector.from_file(filepath) if
os.path.exists(filepath) else 'unknown'is_pe = 1
if 'PE32' in file_type or 'MS-DOS' in file_type else 0
file_ext = os.path.splitext(filepath)[1].lower()
if os.path.exists(filepath) else'.unknown'is_suspicious_ext = 1
if file_ext in suspicious_extensions else 0
file_size = os.path.getsize(filepath)
if os.path.exists(filepath) else 0
mod_time = os.path.getmtime(filepath)
if os.path.exists(filepath) else 0
mod_time_days = (datetime.now().timestamp()-mod_time) / (24 * 3600)
if mod_time else 0
permissions = os.stat(filepath).st_mode
if os.path.exists(filepath) else 0 is_executable =

57
1 if permissions & stat.S_IXUSR else 0

58
# Read bytes
with open(filepath, 'rb') as f:
raw_data =
f.read(max_len)
bytes_data = np.frombuffer(raw_data, dtype=np.uint8)
if len(bytes_data) < max_len:
bytes_data = np.pad(bytes_data,(0, max_len -
len(bytes_data))) else:
bytes_data = bytes_data[:max_len]
byte_seq = bytes_data / 255.0

# Byte-level features
byte_mean = np.mean(byte_seq)
byte_entropy = -np.sum([(c/len(byte_seq))*np.log2(c/len(byte_seq) + 1e10)
for c in np.bincount((byte_seq * 255).astype(int), minlength=256)])
byte_var = np.var(byte_seq)

null_bytes = np.sum(byte_seq == 0)
printable_ratio = np.sum((byte_seq >= 0x20/255) & (byte_seq <= 0x7E/255))/len(byte_seq)
control_chars = np.sum((byte_seq < 0x20/255)|(byte_seq == 0x7F/255))
byte_hist_var = np.var(np.histogram(byte_seq * 255, bins=256, range=(0,255))[0])
compressed_data = zlib.compress(bytes_data.tobytes())

# String patterns
content_str = bytes_data.tobytes().decode('ascii', errors='ignore')
url_count = len(re.findall(patterns['url'], content_str))
ip_count = len(re.findall(patterns['ip'], content_str))
registry_count = len(re.findall(patterns['registry'], content_str))
cmd_count = len(re.findall(patterns['cmd'], content_str))

59
script_count = len(re.findall(patterns['script'], content_str))

60
crypto_count = len(re.findall(patterns['crypto'], content_str))
obfuscation_count = len(re.findall(patterns['obfuscation'], content_str))

# Keyword counts
security_keywords = sum(content_str.lower().count(kw) for kw in keywords['security'])
hacking_keywords = sum(content_str.lower().count(kw) for kw in keywords['hacking'])
scam_keywords = sum(content_str.lower().count(kw) for kw in keywords['scams'])
injection_keywords = sum(content_str.lower().count(kw) for kw in keywords['injection'])

# High-entropy regions
window_size = 256
high_entropy_count = 0
for i in range(0, len(bytes_data)-window_size + 1, window_size // 2):
window = bytes_data[i:i+window_size]
entropy = -np.sum([(c/len(window))*np.log2(c/len(window) + 1e-
10) for c in np.bincount(window, minlength=256)])
if entropy > 7:
high_entropy_count += 1
# PE-specific features
if is_pe and os.path.exists(filepath):
binary = lief.parse(filepath)
if binary:
header_bytes = bytes(binary.header)
header_entropy =-np.sum([(c/len(header_bytes))*np.log2(c/len(header_bytes) + 1e-10)
for cin np.bincount(np.frombuffer(header_bytes, dtype=np.uint8), minlength=256)])
sections = binary.sections
section_entropies = [(-np.sum([(c/len(s.content)) * np.log2(c/len(s.content) + 1e]
for c in np.bincount(np.frombuffer(s.content, dtype=np.uint8), minlength=256)]))
for s in sections if len(s.content) > 0
section_entropy_diff = max(section_entropies)

61
 min(section_entropies) if section_entropies else 0
imports = binary.imports
import_bytes = b''.join([imp.name.encode() for imp in imports])
if imports else b''
imports_entropy=-np.sum([(c/len(import_bytes))*np.log2(c/len(import_bytes) + 1e-)
for c in np.bincount(np.frombuffer(import_bytes, dtype=np.uint8), minlength=256)])
if import_bytes else 0
api_call_count = len([entry for imp in imports for entry in imp.entries])
resources = binary.resources
resource_size = len(bytes(resources))
if resources else 0
section_count = len(sections)
if (-np.sum([(c/len(bytes_data[i:i+window_size]))* np.log2(c/len(bytes_data[i:i+window_size])
+ 1e-10)
for c in np.bincount(bytes_data[i:i+window_size], minlength=256)])) > 4])
metadata_size = len(content_str.encode('ascii', errors='ignore')) / (file_size + 1e-)
# Filter and combine features
df = df.loc[valid_indices].reset_index(drop=True)
new_features = pd.DataFrame(file_features,columns=[
'byte_mean', 'byte_entropy', 'byte_var', 'null_bytes', 'printable_ratio',
'header_entropy', 'section_entropy_diff', 'imports_entropy', 'api_call_count'
'resource_size', 'section_count', 'metadata_size', 'compression_ratio',
'high_entropy_count','is_pe','mod_time_days','is_executable','is_suspicious_ext'])
byte_sequences = np.array(byte_sequences).reshape(-1,
max_len,1) X = df.drop(['Name', 'md5','legitimate'], axis=1)
X = pd.concat([X, new_features], axis=1)
y = df['legitimate']
# Preprocess data
categorical_cols = ['Machine', 'SizeOfOptionalHeader', 'SectionAlignment]

62
X = pd.get_dummies(X,columns=categorical_cols, drop_first=True)
file_extensions =[os.path.splitext(row['Name'])[1].lower()
if os.path.exists(row['Name']) else '.unknown'for _, row in df.iterrows()]
extension_df = pd.get_dummies(file_extensions, prefix='ext')
X = pd.concat([X, extension_df], axis=1)
scaler= StandardScaler()
X_scaled = scaler.fit_transform(X)
with open('scaler.pkl', 'wb') as f:
pickle.dump(scaler, f)

# Handle imbalance and split data

X_train, X_temp, y_train, y_temp, byte_train,
byte_temp = train_test_split(X_scaled, y, byte_sequences, test_size=0.3,
random_state=42, stratify=y)
X_val, X_test, y_val, y_test, byte_val,
byte_test = train_test_split(X_temp, y_temp, byte_temp, test_size=0.5, random_state=42,
stratify=y_temp)
smote = SMOTE(random_state=42)
X_train_smote,
y_train_smote = smote.fit_resample(X_train, y_train)
byte_train_smote = np.zeros((X_train_smote.shape[0], max_len,
1)) for i in range(X_train.shape[0]):
byte_train_smote[i] = byte_train[i]
for i in range(X_train.shape[0], X_train_smote.shape[0]):
idx = np.random.randint(0, byte_train.shape[0])

# Compile and train model

model.compile(optimizer=tf.keras.optimizers.Adam(learning_rate=0.0005),
loss=tf.keras.losses.BinaryFocalCrossentropy(gamma=2.0),

63
metrics=['accuracy',tf.keras.metrics.AUC(name='auc'),tf.keras.metrics.Precision(name='precision'
),tf.keras.metrics.Recall(name='recall')])
early_stopping = EarlyStopping(monitor='val_auc', patience=5, mode='max',
restore_best_weights=True)
model_checkpoint = ModelCheckpoint('best_model.h5',monitor='val_auc', save_best_only=True,
mode='max')
classes = np.unique(y_train_smote)
weights = compute_class_weight('balanced', classes=classes, y=y_train_smote)
class_weights = dict(zip(classes, weights))
history = model.fit([byte_train_smote, X_train_smote], y_train_smote,
validation_data=([byte_val, X_val], y_val),
epochs=10,
batch_size=32,
callbacks=[early_stopping, model_checkpoint],
class_weight=class_weights
)

# Evaluate model
y_pred = model.predict([byte_test, X_test])
y_pred_class = (y_pred > 0.5).astype(int) print("Classification Report:")
print(classification_report(y_test, y_pred_class, target_names=['Malicious','Benign']))
print(f"ROC-AUC Score: {roc_auc_score(y_test, y_pred):.4f}")

64
5.1.3 Gmail Model Code

#Install required packages

!pip install scikit-learn imbalanced-learn matplotlib seaborn
#Import core
libraries import
numpy as np import
pandas as pd import re
import matplotlib.pyplot as plt
import seaborn as sns
import pickle
from sklearn.model_selection import train_test_split
from sklearn.preprocessing import StandardScaler
from sklearn.metrics import classification_report, confusion_matrix,
roc_auc_score from imblearn.over_sampling import RandomOverSampler
import tensorflow as tf
from tensorflow.keras.models import Model
from tensorflow.keras.layers import (Input, Embedding, Conv1D,
MaxPooling1D,Bidirectional) from tensorflow.keras.optimizers import Adam
from tensorflow.keras.callbacks import EarlyStopping, ReduceLROnPlateau,ModelCheckpoint
from tensorflow.keras.preprocessing.text import Tokenizer
from tensorflow.keras.preprocessing.sequence import pad_sequences
from tensorflow.keras.regularizers import l2
# Load dataset
df = pd.read_csv('/content/drive/MyDrive/kaggle_datasets/email_dataset/spam_Emails_data.csv')
# Replace with your dataset path
df = df[['text', 'label']].dropna()

65
# Preprocessing pipeline
def preprocess_text(text):
text = str(text).lower()
# Remove HTML tags
text = re.sub(r'<[^>]+>', '', text)
# Replace URLs with 'URL'
text = re.sub(r'https?://\S+|www\.\S+', 'URL', text)
# Replace email addresses with 'EMAIL'
text = re.sub(r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b', 'EMAIL')
# Replace currency symbols
text = re.sub(r'[$€£¥]\d+\.?\d*','CURRENCY', text)
# Normalize common obfuscations
text = re.sub(r'v[i1!][a@]gr[a@]','viagra', text)
text = re.sub(r'fr[e3][e3]', 'free', text)
# Replace multiple spaces with single space
text = re.sub(r'\s+', ' ',
text).strip() return text
df['text'] = df['text'].apply(preprocess_text)
# Encode labels
df['label'] = df['label'].map({'Ham': 0, 'Spam': 1})
# Expanded keyword lists
SPAM_KEYWORDS = ['free', 'win', 'prize', 'offer', 'lottery', 'claim','exclusive', 'discount',
'deal', 'bonus', 'gift', 'reward', 'limited', 'special', 'cash', 'money',
'save', 'buy', 'shop']
URGENCY_KEYWORDS = ['urgent', 'now', 'immediately', 'act', 'last', 'expire', 'deadline',
'final', 'today', 'quick', 'hurry']

66
PHISHING_KEYWORDS = ['verify', 'login', 'account', 'password', 'secure', 'update', 'confirm',
'alert', 'suspended']
SCAM_KEYWORDS = ['inheritance', 'bank', 'transfer', 'funds', 'payment', 'deposit','million',
'billion']
CALL_TO_ACTION = ['click here', 'visit now', 'call now', 'apply now', 'get now']
# Feature extraction
def extract_features(text):
features =
np.zeros(20)
# Increased to accommodate new features
text = str(text)
# Basic features
features[0] = len(text)
features[1] = text.count('!')
features[2] = text.count('?')
features[3] = text.count('$')
features[4] =
text.count('@') # Keyword
counts
features[5] = sum(text.lower().count(kw) for kw in SPAM_KEYWORDS)
features[6] = sum(text.lower().count(kw) for kw in URGENCY_KEYWORDS)
features[7] = sum(c.isupper() for c in text) / max(1, len(text))
features[8] = sum(c.isdigit() for c in text) / max(1, len(text))
features[9] = len(re.findall(r'URL', text))
features[10] = len(re.findall(r'EMAIL', text))
features[11] = len(re.findall(r'\b\d{5,}\b', text))
# Long numbers
features[12] = len(text.split())
67
# Word count
features[13] = len(set(text.split()))/max(1, len(text.split()))
# Unique word ratio
features[14] = 1 if 'attachment' in text.lower() else 0
# New features
features[15] = len(re.findall(r'[\U0001F600\U0001F64F\U0001F300-\U0001F5FF]' text))
# Emoji count
features[16] = 1 if any(kw in text.lower()
for kw in ['noreply', 'admin','support']) else
0 # Suspicious sender
features[17] = features[5]/max(1, len(text.split()))
# Spam keyword density
features[18] =len(re.findall(r'[*#~\^]', text)) / max(1, len(text))
# Special character ratio
features[19] = sum(text.lower().count(phrase) for phrase in CALL_TO_ACTION)
# Call-to-action phrases
return features
X_num = np.array([extract_features(text) for text in df['text']])
y = df['label'].values
# Scale features
scaler = StandardScaler()
X_num = scaler.fit_transform(X_num)
# Tokenization
max_words = 20000
max_len = 256
# Optimized for email length
tokenizer = Tokenizer(num_words=max_words, oov_token='<OOV>')

68
tokenizer.fit_on_texts(df['text'])
sequences = tokenizer.texts_to_sequences(df['text'])
X_text = pad_sequences(sequences,maxlen=max_len,padding='post',truncating='post')
# Class balancing
sampler = RandomOverSampler(random_state=42)
X_num, y = sampler.fit_resample(X_num, y)
X_text = np.array([X_text[i] for i in
sampler.sample_indices_]) # Split data
X_text_train, X_text_test, X_num_train, X_num_test, y_train,
y_test = train_test_split(X_text, X_num, y, test_size=0.2, random_state=42)
X_text_train, X_text_val, X_num_train, X_num_val, y_train,
y_val = train_test_split(X_text_train, X_num_train, y_train, test_size=0.2, random_state=42)
# Input layers
text_input = Input(shape=(max_len,),name='text_input')
num_input = Input(shape=(X_num.shape[1],), name='num_input')
# Text processing branch
x= Embedding(max_words, 128)(text_input)
x = Conv1D(64, 5, activation='relu', padding='same')
(x) x = BatchNormalization()(x)
x = MaxPooling1D(2)(x)
x = Conv1D(128, 3, activation='relu', padding='same')
(x) x = BatchNormalization()(x)
x = MaxPooling1D(2)(x)
x = Bidirectional(LSTM(64, return_sequences=True))(x)
x = GlobalMaxPooling1D()(x) x = Dropout(0.5)(x)
# Numerical features branch
y= Dense(64, activation='relu')(num_input)

69
y = BatchNormalization()
(y) y = Dropout(0.3)(y)
# Combined model
combined = Concatenate()([x, y])
z = Dense(64, activation='relu')(combined)
z = Dropout(0.3)(z)
output = Dense(1, activation='sigmoid')(z)
model = Model(inputs=[text_input, num_input], outputs=output)
model.compile(optimizer=Adam(learning_rate=0.001),
loss='binary_crossentropy',
metrics=['accuracy',tf.keras.metrics.Precision(name='precision'),tf.keras.metrics.Recall(name='recall
'),tf.keras.metrics.AUC(name='auc')])
# Predictions
y_pred = (model.predict([X_text_test, X_num_test]) > 0.5).astype(int)
# Metrics
print(classification_report(y_test, y_pred, target_names=['Ham', print(f"AUC-ROC:
{roc_auc_score(y_test, y_pred):.4f}")
# Confusion matrix
cm = confusion_matrix(y_test, y_pred)
sns.heatmap(cm, annot=True, fmt='d', cmap='Blues',xticklabels=['Ham', 'Spam'])
plt.xlabel('Predicted')
plt.ylabel('Actual')
plt.show()
model.save('gmail_spam_model.h5')
with open('tokenizer.pkl', 'wb') as f:
pickle.dump(tokenizer, f)
with open('scaler.pkl', 'wb') as f:
pickle.dump(scaler,f)

70
 CHAPTER 6
RESULTS AND
ANALYSIS

6.1 Classification Outputs

6.1.1 Url Classification Output

FIG 6.1 Url Classification Output

6.1.2 File Classification Output

71
FIG 6.2 File Classification Output

72
6.1.3 Gmail Classification Output

FIG 6.3 Gmail Classification Output

6.2 EVALUATION METRICS

6.2.1 Url Confusion Matrix and Accuracy

Class Precision Recall F1-Score Support

Benign 0.95 0.9 0.92 26229

Malicious 0.91 0.95 0.93 26228

Accuracy 0.93 52457

Macro Avg 0.93 0.93 0.93 52457

Weighted Avg 0.93 0.93 0.93 52457

ROC-AUC Score: 0.9799

73
 FIG 6.4 URL CONFUSION MATRIX

6.2.2 File confusion matrix and accuracy

Class Precision Recall F1-Score Support

Ham 0.98 0.99 0.99 20,581

Spam 0.99 0.98 0.99 20,283

Accuracy 0.99 40,864

Macro Avg 0.99 0.99 0.99 40,864

Weighted Avg 0.99 0.99 0.99 40,864

AUC-ROC: 0.9858

74
 FIG 6.5 FILE CONFUSION MATRIX

6.2.3 Gmail Confusion Matrix and Accuracy

Class Precision Recall F1-Score Support

Ham 0.98 0.99 0.99 20581

Spam 0.99 0.98 0.99 20283

Accuracy 0.99 40864

Macro Avg 0.99 0.99 0.99 40864

Weighted Avg 0.99 0.99 0.99 40864

AUC-ROC: 0.9858

75
 FIG 6.6 GMAIL CONFUSION MATRIX

6.3 EXISTING MODEL ACCURACY AND PROPOSED MODEL ACCURACY

FIG 6.3.1 Existing Accuracy

Class Precision Recall F1-Score Support

Random Forest 0.92 0.9 0.92 26229

SVM 0.91 0.95 0.93 26228

0.88 0.85
52457
KNN 0.93

FIG 6.3.2 Proposed Accuracy

Class Precision Recall F1-Score Support

Benign 0.95 0.9 0.92 26229

Malicious 0.91 0.95 0.93 26228

Accuracy 0.93 52457

Macro Avg 0.93 0.93 0.93 52457

Weighted Avg 0.93 0.93 0.93 52457

76
 CHAPTER 7

CONCLUSION
By leveraging a hybrid architecture that combines Convolutional Neural Networks (CNNs)
for local pattern extraction and Long Short-Term Memory (LSTMs) for sequential
modeling, the system achieves robust performance across diverse threat vectors, addressing
limitations of traditional machine learning approaches (e.g., SVMs and Random Forests in
the existing system). The system’s modular design, built with TensorFlow, Keras, scikit-
learn, pandas, and other libraries, ensures scalability, real-time processing (<1 second on
GPU), and interpretability through suspicious factors and SHAP values. This section
summarizes the key findings from the system’s development and evaluation, highlighting its
strengths and challenges, and outlines future enhancements to improve its adaptability,
efficiency, and generalization in combating evolving cyber threats.

7.1 SUMMARY OF FINDINGS

The performance of the URL, File, and Gmail models is highly effective, each
demonstrating excellent classification capabilities with AUC-ROC scores greater than
0.95. The URL model showcases robust class separation, achieving a precision of
approximately 93% for detecting malicious URLs, primarily due to the use of focal loss and
attention mechanisms. However, the recall is slightly lower at around 90%, especially for
phishing URLs, which can be attributed to obfuscation techniques such as encoded paths.
The model’s F1-score stands at approximately 91%, bolstered by the use of
RandomOverSampler to balance malicious samples. Notably, the True Positive Rate (TPR)
is high for defacement URLs (95%) but lower for phishing URLs (85%), reflecting
challenges similar to those encountered in traditional systems. Misclassifications often
involve URLs with benign-like TLDs (e.g., .com) but carrying malicious intent.

77
The File model is equally robust, achieving a high AUC-ROC score and maintaining
consistent performance across various malware types. The model’s precision is around 88%,
although it is slightly affected by noise introduced through SMOTE-generated synthetic
data. The recall reaches approximately 92% for malicious files, significantly boosted by
leveraging Portable Executable (PE) features, such as section entropy via the lief library.
The F1-score of around 90% indicates balanced detection, with the TPR for packed
malware reaching 90%, though benign files with high entropy show a lower TPR of about
80%. Misclassifications in this model often arise when benign files exhibit characteristics
similar to executable headers. The Gmail model demonstrates strong discrimination
between spam and ham emails, with an AUC-ROC score exceeding 0.95. It maintains a
precision of around 90%, although ham emails containing spam-like features, such as a high
uppercase ratio, can reduce accuracy. The recall for spam emails is notably high at 95%,
attributed to the Bidirectional LSTM’s ability to capture contextual patterns effectively. The
F1-score of around 93% highlights the model’s strong performance, with a TPR of
approximately 95% for spam and 85% for ham. However, misclassifications can occur
when ham emails contain urgent phrases, multiple URLs, or excessive emojis, making them
resemble spam.

In conclusion, the models exhibit high efficacy, particularly in terms of precision, recall,
and F1-scores. While the URL and File models occasionally face challenges with phishing
URLs and benign files with executable traits, the Gmail model effectively handles spam
classification but may mistake ham emails with spam-like patterns. The use of focal loss,
attention mechanisms, and robust feature extraction techniques plays a vital role in
maintaining high performance across all three models.

78
 CHAPTER 8
REFERENCES

1. Sujatha, M., Gobi, M., & Sasikala, S. (2023). A Machine Learning Framework for
Malicious URL Detection Using Lexical and Structural Features. Journal of
Cybersecurity, 5(2), Article 102345. DOI:10.1016/j.jcys.2023.102345

2. Vinayakumar, R., Soman, K. P., & Poornachandran, P. (2024). Hybrid

CNNLSTM Model for Real-Time Malicious URL Detection in IoT
Environments.
IEEE Transactions on Network and Service Management, 21(1), 345–356.
DOI: 10.1109/TNSM.2024.123456
3. Alsaedi, M., Khan, S. A., & Ahmad, M. (2023). MalNet: A CNN-LSTM Approach
for Malware Detection in Windows Executables. Computers & Security, 130, Article
103789. DOI: 10.1016/j.cose.2023.103789
4. Catak, F. O., Yayilgan, S. Y., & Yildirim, O. (2024). A Two-Stage Machine Learning
Framework for Malicious URL Detection with Cyber Threat Intelligence. Future
Generation Computer Systems, 152, 234–245. DOI: 10.1016/j.future.2024.152234
5. Saxe, J., & Berlin, K. (2023). Deep Learning for Cross-Platform Malware Detection
Using Static Feature Analysis. Journal of Information Security and Applications, 78,
Article 103678. DOI: 10.1016/j.jisa.2023.103678
6. Khan, R. U., Zhang, X., & Kumar, R. (2024). Multi-Domain Malware Detection
Using Machine Learning for URLs, IPs, and Files. IEEE Access, 12, 56789–
56800. DOI: 10.1109/ACCESS.2024.3456789
7. Aslan, Ö. A., & Samet, R. (2025). Quantum Machine Learning for Malicious URL
Detection: A Comparative Study. Quantum Information Processing, 24(3), Article
102134. DOI: 10.1007/s11128-025-04234-5

79
8. Mohan, V. S., Vinayakumar, R., & Soman, K. P. (2024). CNN-LSTM with
Attention for Detecting Algorithmically Generated Domain Names in Malicious
URLs. Neurocomputing, 578, Article 127890.DOI:10.1016/j.neucom.2024.127890
9. Alsmadi, I., & Al-Taharwa, I. (2023). Deep Learning and Naïve Bayes for Malicious
URL Detection Using Lexical and Network Features. Computer Networks, 235,
Article 109987. DOI: 10.1016/j.comnet.2023.109987
10.Gibert, D., Mateu, C., & Planes, J. (2024). Deep Learning for Phishing URL
Detection: A Comprehensive Review. ACM Computing Surveys, 56(8), Article
189. DOI: 10.1145/3653456

80