Expand description
§phishnano
Lightweight offline phishing URL detection library with an embedded
decision tree forest model (LightGBM-trained). The model is compiled into the library at build
time via include_bytes!, enabling zero-configuration, fully local
inference with microsecond-level latency and no network requests.
Designed for integration into password managers, browser extensions, email security gateways, and embedded systems where privacy-preserving, offline URL classification is required.
§Key Advantages
- Offline & privacy-preserving: 100% local inference, zero network requests, no data leaves the host
- Lightweight: ~123 KB embedded model (bincode format)
- Low latency: ~20 microseconds per URL on commodity hardware
- Zero configuration: No runtime files, no API keys, no external services
- Embedded-friendly: Compact binary suitable for resource-constrained environments
§Quick Start
use phishnano::{load_default_model, predict_url};
let model = load_default_model().expect("Failed to load model");
let score = predict_url("http://suspicious-site.com/login", &model);
if score >= 0.20 {
println!("Phishing detected (score={:.4})", score);
} else {
println!("URL is safe (score={:.4})", score);
}§Use Cases
- Password managers: Warn users before autofilling credentials on suspicious login pages
- Browser extensions: Real-time URL classification during navigation
- Email security gateways: Scan links in incoming messages without forwarding URLs to cloud APIs
- Security pipelines: Batch URL classification in SOAR / SIEM workflows
- Embedded systems: On-device phishing detection in network appliances with limited connectivity
§Architecture
- Model: LightGBM Random Forest, 100 decision trees, max depth 7
(additive
sigmoid(init_score + Σ raw_leaf)scoring) - Features: 500 character n-gram hash features + 39 manual features (21 hand-crafted + 18 structural)
- Model size: ~120 KB (bincode format, embedded)
- Scoring: Decision tree forest (LightGBM additive sigmoid scoring)
- Inference latency: ~20 microseconds per URL
- Privacy: 100% local inference, no network requests
- Default threshold: 0.20 (scores >= 0.20 are classified as phishing)
§Modules
model: Model serialization, deserialization, and loadingextractor: Feature extraction from URL stringspredictor: Decision tree traversal and scoringindicators: Detailed risk indicator extractionscoring: Production scorer (delegates to the decision tree forest)
§Core API
load_default_model(): Load the embedded default model (zero config)predict_url(): Predict phishing probability for a URLpredict_url_detailed(): Predict with risk indicators (explains why)extract_features(): Extract the 539-dimensional feature vectorModel: The decision tree forest model structTree: A single decision tree in the forestload_model_from_path(): Load a model from a file pathload_model_from_bytes(): Load a model from raw bytesconvert_json_to_bincode(): Convert JSON model to bincode format
Re-exports§
pub use extractor::extract_features;pub use indicators::predict_url_detailed;pub use indicators::Indicator;pub use indicators::IndicatorCategory;pub use indicators::IndicatorSource;pub use indicators::Prediction;pub use model::convert_json_to_bincode;pub use model::load_default_model;pub use model::load_model_from_bytes;pub use model::load_model_from_path;pub use model::Model;pub use model::Tree;pub use predictor::predict_url;
Modules§
- extractor
- Feature extraction module for URL analysis.
- indicators
- Risk indicator extraction for detailed phishing URL analysis.
- model
- Model serialization and loading module.
- predictor
- Prediction module for phishing URL scoring.
- scoring
- Phishing URL scoring with the embedded decision tree forest.