Model Card for OmniPhish-Ensemble
OmniPhish is a Tri-Modal Stacking Ensemble designed to detect highly evasive, zero-day phishing websites. It mathematically outperforms traditional machine learning baselines by fusing Deep Semantic representations with Structural Sequence modeling and explicit heuristic feature extraction.
This modelcard aims to be a base template for new models. It has been generated using this raw template.
Model Details
Model Description
OmniPhish processes live web pages through three distinct modalities to catch advanced phishing kits that evade standard visual (e.g., logo matching) or simple text-based detection systems. It utilizes a Semantic Engine (CodeBERT fine-tuned via LoRA) to analyze underlying JavaScript logic, a Structural Engine (1D-CNN or GNN) to process the raw HTML DOM sequence, and a Meta-Classifier (XGBoost) to fuse these latent spaces into a final zero-day classification.
- Developed by: Sulaiman Eksambi
- Model type: Stacking Ensemble (CodeBERT + 1D-CNN/GNN + XGBoost)
- Language(s) (NLP): English (as well as HTML and JavaScript semantics)
- License: MIT
- Finetuned from model: microsoft/codebert-base
Model Sources
- Repository: https://github.com/sulaimanxmb/OmniPhish-Ensemble
- Demo: https://huggingface.co/spaces/XMB480/Omniphish
Uses
Direct Use
The model is intended to be used by cybersecurity researchers, threat intelligence analysts, and enterprise security teams to evaluate suspicious URLs in real-time. It takes a raw URL, renders the JavaScript via a headless browser, and classifies the resulting DOM structure as Safe or Phishing.
Downstream Use
The latent embeddings generated by the CodeBERT and CNN/GNN layers can be extracted and used as high-fidelity features for downstream enterprise SIEM (Security Information and Event Management) platforms or custom web application firewalls (WAFs).
Out-of-Scope Use
This model evaluates the structure and semantics of the rendered DOM. It is not designed to evaluate network-level IOCs (Indicators of Compromise) such as IP reputation, DNS sinkholes, or raw TLS certificate authority validity on its own.
Bias, Risks, and Limitations
Because the model looks for highly complex DOM structures and obfuscated JavaScript to identify sophisticated phishing kits, it may occasionally flag legitimate, highly complex enterprise Single Page Applications (SPAs) that utilize heavy anti-bot obfuscation as false positives.
Recommendations
Users should implement a safelist/allowlist for known, highly trafficked enterprise domains (e.g., standard login portals for major tech companies) to prevent expected false positives caused by proprietary obfuscation techniques triggering the AI's heuristic thresholds.
How to Get Started with the Model
Use the Hugging Face Space Live Inference Engine linked in the Demo section for immediate interactive testing. For programmatic use, clone the GitHub repository and execute the master pipeline script:
python run_pipeline.py
Model tree for XMB480/OmniPhish-Ensemble
Base model
microsoft/codebert-base