Skip to main content

Crate phishnano

Crate phishnano 

Source
Expand description

§phishnano

Lightweight offline phishing URL detection library with an embedded decision tree forest model (LightGBM-trained). The model is compiled into the library at build time via include_bytes!, enabling zero-configuration, fully local inference with microsecond-level latency and no network requests.

Designed for integration into password managers, browser extensions, email security gateways, and embedded systems where privacy-preserving, offline URL classification is required.

§Key Advantages

  • Offline & privacy-preserving: 100% local inference, zero network requests, no data leaves the host
  • Lightweight: ~123 KB embedded model (bincode format)
  • Low latency: ~20 microseconds per URL on commodity hardware
  • Zero configuration: No runtime files, no API keys, no external services
  • Embedded-friendly: Compact binary suitable for resource-constrained environments

§Quick Start

use phishnano::{load_default_model, predict_url};

let model = load_default_model().expect("Failed to load model");
let score = predict_url("http://suspicious-site.com/login", &model);

if score >= 0.20 {
    println!("Phishing detected (score={:.4})", score);
} else {
    println!("URL is safe (score={:.4})", score);
}

§Use Cases

  • Password managers: Warn users before autofilling credentials on suspicious login pages
  • Browser extensions: Real-time URL classification during navigation
  • Email security gateways: Scan links in incoming messages without forwarding URLs to cloud APIs
  • Security pipelines: Batch URL classification in SOAR / SIEM workflows
  • Embedded systems: On-device phishing detection in network appliances with limited connectivity

§Architecture

  • Model: LightGBM Random Forest, 100 decision trees, max depth 7 (additive sigmoid(init_score + Σ raw_leaf) scoring)
  • Features: 500 character n-gram hash features + 39 manual features (21 hand-crafted + 18 structural)
  • Model size: ~120 KB (bincode format, embedded)
  • Scoring: Decision tree forest (LightGBM additive sigmoid scoring)
  • Inference latency: ~20 microseconds per URL
  • Privacy: 100% local inference, no network requests
  • Default threshold: 0.20 (scores >= 0.20 are classified as phishing)

§Modules

  • model: Model serialization, deserialization, and loading
  • extractor: Feature extraction from URL strings
  • predictor: Decision tree traversal and scoring
  • indicators: Detailed risk indicator extraction
  • scoring: Production scorer (delegates to the decision tree forest)

§Core API

Re-exports§

pub use extractor::extract_features;
pub use indicators::predict_url_detailed;
pub use indicators::Indicator;
pub use indicators::IndicatorCategory;
pub use indicators::IndicatorSource;
pub use indicators::Prediction;
pub use model::convert_json_to_bincode;
pub use model::load_default_model;
pub use model::load_model_from_bytes;
pub use model::load_model_from_path;
pub use model::Model;
pub use model::Tree;
pub use predictor::predict_url;

Modules§

extractor
Feature extraction module for URL analysis.
indicators
Risk indicator extraction for detailed phishing URL analysis.
model
Model serialization and loading module.
predictor
Prediction module for phishing URL scoring.
scoring
Phishing URL scoring with the embedded decision tree forest.