phishnano
Lightweight phishing URL detection library with an embedded Random Forest model. Designed for integration into password managers, browser extensions, and security gateways where local, privacy-preserving inference is required.
Features
- Embedded model: Zero configuration, the bincode model is compiled into the library via
include_bytes! - Compact: ~110 KB embedded model, no external files needed
- Fast inference: ~20 microseconds per URL
- Zero network dependency: Fully local inference, no API calls
- Cross-platform: Windows / macOS / Linux
Quick Start
Add to your Cargo.toml:
[]
= "0.1"
use ;
Performance
| Metric | Value |
|---|---|
| Accuracy | 95% |
| Phishing precision | 97% |
| Phishing recall | 93% |
| Normal precision | 93% |
| Normal recall | 97% |
| AUC-ROC | 0.9907 |
| Model size (embedded) | ~110 KB (bincode) |
| Inference latency | ~20 us |
| Default threshold | 0.45 |
CLI Tool
# Install
# Classify a URL (uses the embedded model, no external files needed)
# With a custom threshold
# Load a custom model file instead of the embedded one
# Convert a JSON model to bincode
Project Structure
phishnano/
|-- Cargo.toml # Library crate + workspace root
|-- src/ # Library source code
| |-- lib.rs
| |-- model.rs # Model struct, load_default_model(), include_bytes!
| |-- extractor.rs # Feature extraction (n-gram + manual)
| `-- predictor.rs # Random forest prediction
|-- resources/ # Model files
| |-- model_data.bincode # Embedded bincode model (~110 KB)
| |-- model_data.json # JSON model for debugging
| `-- test_features.json # Cross-language test data
|-- phishnano-cli/ # CLI binary crate (workspace member)
| |-- Cargo.toml
| `-- src/
| `-- main.rs
|-- training/ # Training scripts (not published to crates.io)
| |-- data/ # Training datasets (gitignored)
| `-- scripts/ # Python training scripts
| |-- train.py
| |-- export.py
| |-- threshold_analysis.py
| |-- model_analysis.py
| |-- download_phreshphish.py
| |-- requirements.txt
| `-- README.md
|-- .github/
| `-- workflows/
| |-- ci.yml # CI: build + test + clippy + fmt
| `-- publish.yml # CD: publish to crates.io on tag push
|-- .gitignore
|-- LICENSE
`-- README.md
Training
The model is pre-trained and embedded in the library. Training data and scripts are maintained in a separate repository and are not included in this crate.
Model Architecture
phishnano uses a Random Forest classifier with 25 decision trees (max depth 7) trained on 410,000+ labeled URLs.
Feature extraction
Each URL is converted to a 519-dimensional feature vector:
- 500 n-gram features: Character 2-grams and 3-grams, hashed into 500 buckets using MurmurHash3 (unsigned, seed=0)
- 19 manual features: URL length, domain length, special character counts, digit ratio, path/query length, TLD code, sensitive word detection, etc.
Hyperparameters
| Parameter | Value |
|---|---|
| n_estimators | 25 |
| max_depth | 7 |
| min_samples_split | 10 |
| class_weight | {0: 1, 1: 2.0} |
| random_state | 42 |
| test_size | 0.2 (stratified) |
Training data sources
The model is trained on ~496,000 labeled URLs (after deduplication) drawn from public phishing feeds (PhishTank, OpenPhish, Kaggle), legitimate URL rankings (Tranco, Majestic, US federal .gov domains), and the PhreshPhish dataset (HuggingFace).
CI/CD
- CI (
.github/workflows/ci.yml): Builds and tests on push/PR across Ubuntu, Windows, and macOS. Runscargo fmt --check,cargo clippy -- -D warnings,cargo build --release --all, andcargo test --all. - Publish (
.github/workflows/publish.yml): Publishes bothphishnano(library) andphishnano-clito crates.io when a version tag (v*) is pushed. Requires theCARGO_REGISTRY_TOKENrepository secret.
License
MIT