Model Card for OmniPhish-Ensemble

OmniPhish is a Tri-Modal Stacking Ensemble designed to detect highly evasive, zero-day phishing websites. It mathematically outperforms traditional machine learning baselines by fusing Deep Semantic representations with Structural Sequence modeling and explicit heuristic feature extraction.

This modelcard aims to be a base template for new models. It has been generated using this raw template.

Model Details

Model Description

OmniPhish processes live web pages through three distinct modalities to catch advanced phishing kits that evade standard visual (e.g., logo matching) or simple text-based detection systems. It utilizes a Semantic Engine (CodeBERT fine-tuned via LoRA) to analyze underlying JavaScript logic, a Structural Engine (1D-CNN or GNN) to process the raw HTML DOM sequence, and a Meta-Classifier (XGBoost) to fuse these latent spaces into a final zero-day classification.

  • Developed by: Sulaiman Eksambi
  • Model type: Stacking Ensemble (CodeBERT + 1D-CNN/GNN + XGBoost)
  • Language(s) (NLP): English (as well as HTML and JavaScript semantics)
  • License: MIT
  • Finetuned from model: microsoft/codebert-base

Model Sources

Uses

Direct Use

The model is intended to be used by cybersecurity researchers, threat intelligence analysts, and enterprise security teams to evaluate suspicious URLs in real-time. It takes a raw URL, renders the JavaScript via a headless browser, and classifies the resulting DOM structure as Safe or Phishing.

Downstream Use

The latent embeddings generated by the CodeBERT and CNN/GNN layers can be extracted and used as high-fidelity features for downstream enterprise SIEM (Security Information and Event Management) platforms or custom web application firewalls (WAFs).

Out-of-Scope Use

This model evaluates the structure and semantics of the rendered DOM. It is not designed to evaluate network-level IOCs (Indicators of Compromise) such as IP reputation, DNS sinkholes, or raw TLS certificate authority validity on its own.

Bias, Risks, and Limitations

Because the model looks for highly complex DOM structures and obfuscated JavaScript to identify sophisticated phishing kits, it may occasionally flag legitimate, highly complex enterprise Single Page Applications (SPAs) that utilize heavy anti-bot obfuscation as false positives.

Recommendations

Users should implement a safelist/allowlist for known, highly trafficked enterprise domains (e.g., standard login portals for major tech companies) to prevent expected false positives caused by proprietary obfuscation techniques triggering the AI's heuristic thresholds.

How to Get Started with the Model

Use the Hugging Face Space Live Inference Engine linked in the Demo section for immediate interactive testing. For programmatic use, clone the GitHub repository and execute the master pipeline script:

python run_pipeline.py
Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐Ÿ™‹ Ask for provider support

Model tree for XMB480/OmniPhish-Ensemble

Finetuned
(143)
this model

Space using XMB480/OmniPhish-Ensemble 1