abhizaik/phishing-detection

GitHub: abhizaik/phishing-detection

An open-source, real-time URL phishing detection engine built with Go and Svelte, providing explainable scoring and transparent reports.

Stars: 84 | Forks: 11

# Phishing Detection Engine (Open Source, Real-Time URL Scanner)

Fast, explainable phishing detection for URLs: real-time scoring, clear verdicts, full transparency.

Open source and ready for production use. Analyzes a URL in under a second and provides transparent scoring and a detailed report.

[![Go](https://img.shields.io/badge/Go-1.24+-00ADD8?logo=go&logoColor=white)](https://go.dev) [![Svelte](https://img.shields.io/badge/Svelte-5-orange?logo=svelte)](https://svelte.dev) [![License](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE) [![GitHub stars](https://img.shields.io/github/stars/abhizaik/phishing-detection?style=social)](https://github.com/abhizaik/phishing-detection)

[⚡ Quick Start](#quick-start) · [🏛 Architecture](#architecture) · [📚 Docs](#documentation) · [🤝 Contributing](#contributing) · [🌍 Community](#community)
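## Phishing Detection Demo

![Phishing Detection Demo](https://raw.githubusercontent.com/abhizaik/phishing-detection/main/assets/demo.gif)

## Quick Start

Full installation steps: [docs/setup.md](docs/setup.md)

1. Clone the repository

   ```
   git clone https://github.com/abhizaik/phishing-detection.git
   cd phishing-detection
   ```

2. Start the application (backend + frontend, via Docker)

   Prerequisite: Docker installed and running. Windows: use WSL or install make.

   ```
   make build
   make up
   ```

Web UI: **[localhost:3000](http://localhost:3000)**

## Features

* Scans URLs for **phishing, malicious behavior and unsafe redirects**
* Produces a **trust score, a clear verdict and a detailed report**
* Serves developers and non-technical users through a **UI, an API and an extension**
* Uses **multiple independent heuristic analyzers** for accurate detection
* Built with **Go (backend)** and **Svelte (frontend)**, suitable for production environments

## Use Cases

- Detect phishing links before users click them
- Scan URLs for malicious behavior
- Build anti-phishing browser extensions
- Integrate phishing detection into backend services
- Replace or complement commercial phishing APIs

## Why Use This Tool?

Most phishing detection solutions are either **closed commercial APIs** or **academic machine-learning demos**:

* **Commercial tools**: expensive, opaque, impossible to audit
* **ML demos**: slow, brittle, unsuited to real deployment

**Phishing remains a major cyber threat** because defenders lack **fast, explainable, controllable detection systems**.

This engine fills that gap by providing:

* **Transparent, explainable analysis**: every verdict is backed by specific signals
* **Fast real-time scanning**: multiple analyzers run in parallel
* **Flexible integration**: Web UI, HTTP API, browser extension
* **Full open-source control**: auditable, modifiable, self-hostable, extensible

## Who It Is For

**General users**

* Quickly check suspicious URLs on the website or in the browser extension

**Developers**

* Integrate phishing detection into applications or backend services
* Replace or complement commercial phishing APIs

**Security engineers and SOC teams**

* Build explainable anti-phishing detection pipelines
* Audit URLs using actionable, transparent signals

**Students and researchers**

* Use this project as a practical, production-grade reference for **academic or security projects**. Academic or research use must cite this repository (see [CITATION.cff](CITATION.cff)).

## API Example

The phishing detection engine exposes a simple HTTP API for real-time URL analysis. It returns a detailed, structured analysis covering domain information, SSL, redirects and the final verdict.

Scan a URL with the API (the URL is quoted so the shell does not interpret the `?`):

```
curl -X GET "http://localhost:8080/api/v1/analyze?url=https://example.com"
```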
Example API response:

```json
{
  "url": "https://example.com",
  "domain": "example.com",
  "features": {
    "rank": 175,
    "tld": {
      "tld": "com",
      "is_trusted_tld": false,
      "is_risky_tld": false,
      "is_icann": true
    },
    "url": {
      "url_shortener": false,
      "uses_ip": false,
      "contains_punycode": false,
      "too_long": false,
      "too_deep": false,
      "has_homoglyph": false,
      "subdomain_count": 0,
      "keywords": {
        "has_keywords": false,
        "found": [],
        "categories": {}
      }
    }
  },
  "infrastructure": {
    "ip_addresses": [
      "172.66.147.243",
      "104.20.23.154",
      "2606:4700:10::6814:179a",
      "2606:4700:10::ac42:93f3"
    ],
    "nameservers_valid": true,
    "ns_hosts": [
      "hera.ns.cloudflare.com."
    ],
    "mx_records_valid": false,
    "mx_hosts": [
      "."
    ]
  },
  "domain_info": {
    "domain": "EXAMPLE.COM",
    "registrar": "RESERVED-Internet Assigned Numbers Authority",
    "created": "1995-08-14T04:00:00Z",
    "updated": "2026-01-16T18:26:50Z",
    "expiry": "2026-08-13T04:00:00Z",
    "nameservers": [
      "ELLIOTT.NS.CLOUDFLARE.COM",
      "HERA.NS.CLOUDFLARE.COM"
    ],
    "status": [
      "client delete prohibited",
      "client transfer prohibited",
      "client update prohibited"
    ],
    "dnssec": true,
    "age_human": "30 years 8 months",
    "age_days": 11202,
    "raw": "{\"ldhName\":\"EXAMPLE.COM\",\"nameservers\":[{\"ldhName\":\"ELLIOTT.NS.CLOUDFLARE.COM\"},{\"ldhName\":\"HERA.NS.CLOUDFLARE.COM\"}],\"events\":[{\"eventAction\":\"registration\",\"eventDate\":\"1995-08-14T04:00:00Z\"},{\"eventAction\":\"expiration\",\"eventDate\":\"2026-08-13T04:00:00Z\"},{\"eventAction\":\"last changed\",\"eventDate\":\"2026-01-16T18:26:50Z\"},{\"eventAction\":\"last update of RDAP database\",\"eventDate\":\"2026-04-15T19:04:14Z\"}],\"entities\":[{\"roles\":[\"registrar\"],\"vcardArray\":[\"vcard\",[[\"version\",{},\"text\",\"4.0\"],[\"fn\",{},\"text\",\"RESERVED-Internet Assigned Numbers Authority\"]]]}],\"status\":[\"client delete prohibited\",\"client transfer prohibited\",\"client update prohibited\"],\"secureDNS\":{\"delegationSigned\":true}}",
    "source": "RDAP"
  },
  "analysis": {
    "redirection_result": {
      "is_redirected": false,
      "chain_length": 1,
      "chain": [
        "https://example.com"
      ],
      "final_url": "https://example.com",
      "final_url_domain": "example.com",
      "has_domain_jump": false
    },
    "http_status": {
      "code": 200,
      "text": "OK",
      "success": true,
      "is_redirect": false
    },
    "is_hsts_supported": false
  },
  "ssl_info": {
    "Domain": "example.com",
    "HasTLS": true,
    "ChainValid": true,
    "Issuer": "Cloudflare TLS Issuing ECC CA 1",
    "NotBefore": "2026-04-02T21:18:57Z",
    "NotAfter": "2026-07-01T21:24:46Z",
    "AgeDays": 12,
    "Fingerprint": "1AF627C6C2AC992E3C9102438F467C4C238D3112325AC7CF9003D77F75EFFFBA",
    "IsSuspicious": false,
    "Reasons": null,
    "CTLogged": true,
    "KnownBadChain": false
  },
  "tls_info": {
    "Present": true,
    "Issuer": "CLOUDFLARE, INC.",
    "AgeDays": 12,
    "HostnameMismatch": false
  },
  "content_data": {
    "url": "https://example.com",
    "title": "Example Domain",
    "has_forms": false,
    "has_login_form": false,
    "has_payment_form": false,
    "has_personal_form": false,
    "form_count": 0,
    "forms": null,
    "iframes": null,
    "has_hidden_iframe": false,
    "has_tracking": false,
    "fetch_duration": 137804093,
    "brand_check": {
      "brand_found": "",
      "is_mismatch": false,
      "detected_names": []
    }
  },
  "domain_randomness": {
    "Domain": "example.com",
    "Label": "example",
    "Length": 7,
    "Entropy": 2.521640636343318,
    "EntropyPerChar": 0.36023437662047403,
    "NormalizedEntropy": 0.06050092369175979,
    "VowelRatio": 0.42857142857142855,
    "DigitRatio": 0,
    "UniqueCharRatio": 0.8571428571428571,
    "LongestConsonantRun": 3,
    "BigramEnglishiness": 0.16666666666666666,
    "RandomnessScore": 0.3567918975896066,
    "IsSuspicious": false,
    "Reasons": []
  },
  "typosquat_result": {
    "is_suspicious": false
  },
  "phishing": {
    "in_database": true,
    "phish_id": 7366538,
    "phish_detail_page": "http://www.phishtank.com/phish_detail.php?phish_id=7366538",
    "verified": false,
    "verified_at": "",
    "valid": false,
    "target": "",
    "source": "phishtank",
    "from_cache": false,
    "raw_response": {
      "meta": {
        "timestamp": "2026-04-15T19:04:30+00:00",
        "serverid": "e5f3084e",
        "status": "success",
        "requestid": "172.17.128.1.69dfe13e5ee121.10644345"
      },
      "results": {
        "url": "https://example.com",
        "in_database": true,
        "phish_id": 7366538,
        "phish_detail_page": "http://www.phishtank.com/phish_detail.php?phish_id=7366538",
        "verified": false,
        "verified_at": null,
        "valid": false
      }
    }
  },
  "result": {
    "risk_score": 5,
    "trust_score": 100,
    "final_score": 98,
    "verdict": "Safe",
    "reasons": {
      "neutral_reasons": [
        "Standard, officially recognized domain extension.",
        "No email server configured for this domain."
      ],
      "good_reasons": [
        "Global Giant: Ranked #175 worldwide.",
        "Long-standing domain history (30 years 8 months).",
        "Advanced DNS security enabled (DNSSEC)."
      ],
      "bad_reasons": null
    }
  },
  "incomplete": false,
  "errors": null
}
```
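
A backend service that calls this endpoint has to turn the report into an action. The following Go code is an added example, not code from the project: `Decide`, its allow/review/block policy and the `minScore` threshold are assumptions, and only the JSON field names come from the response above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Report mirrors only the fields this gate reads; the JSON names are taken
// from the example response on this page.
type Report struct {
	Incomplete bool            `json:"incomplete"`
	Errors     json.RawMessage `json:"errors"`
	Phishing   struct {
		InDatabase bool `json:"in_database"`
		Verified   bool `json:"verified"`
		Valid      bool `json:"valid"`
	} `json:"phishing"`
	Result struct {
		FinalScore float64 `json:"final_score"`
		Verdict    string  `json:"verdict"`
	} `json:"result"`
}

// Decide maps a raw API response to "allow", "review" or "block".
// The policy and the minScore threshold are assumptions, not project defaults.
func Decide(raw []byte, minScore float64) (action, reason string) {
	var r Report
	if err := json.Unmarshal(raw, &r); err != nil {
		return "review", "unparseable response" // fail closed, never allow
	}
	switch {
	case r.Phishing.InDatabase && r.Phishing.Verified && r.Phishing.Valid:
		return "block", "verified PhishTank entry"
	case r.Incomplete || (len(r.Errors) > 0 && string(r.Errors) != "null"):
		// Some analyzers did not finish, so a "Safe" verdict rests on partial data.
		return "review", "analysis incomplete"
	case r.Result.Verdict != "Safe" || r.Result.FinalScore < minScore:
		return "review", fmt.Sprintf("verdict %q, score %.0f", r.Result.Verdict, r.Result.FinalScore)
	}
	return "allow", "complete analysis, verdict Safe"
}

// Constructed input: the page's example response trimmed to the fields used.
const sample = `{"phishing":{"in_database":true,"verified":false,"valid":false},
 "result":{"final_score":98,"verdict":"Safe"},"incomplete":false,"errors":null}`

func main() {
	fmt.Println(Decide([]byte(sample), 80))
}
```

For the example response the gate returns `allow`: the PhishTank entry has `in_database: true` but `verified: false` and `valid: false`, so it is not treated as a confirmed listing. A missing or empty `result` block falls through to `review` because the verdict is not `Safe`.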

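## Architecture

A modular analyzer architecture built on parallel, real-time URL evaluation.

High-level repository structure:

```
server/                 Go backend
  cmd/safesurf          Backend entry point
  internal/             Analyzers, domaininfo, screenshot
web/website             SvelteKit UI
web/chrome-extension    Chrome extension
docker/                 Dev & prod
docs/                   Setup, architecture, API, security, testing etc.
Makefile
```

## Detection Engine

The engine evaluates URLs with multiple independent analyzers, including:

- Domain reputation and age checks
- Suspicious URL patterns and homoglyphs
- Redirect chain analysis
- HTTPS / certificate anomalies
- Known phishing indicators and heuristic rules
- Content-based signals (HTML, scripts, forms)

Each analyzer contributes to the final trust score and verdict.

## Performance

- Typical scan time: **~300–700 ms per URL**
- Designed to handle concurrent scans efficiently
- Optimized for **large-scale, real-time phishing detection**

Actual performance depends on which analyzers are enabled and on network conditions.

## Limitations

- Heuristic-based detection can produce false positives
- No machine-learning models (by design, to prioritize explainability and auditability)
- Accuracy depends on external signals (DNS, SSL, etc.)

## Documentation

All documentation lives in `docs/`. Start here: [docs/README.md](docs/README.md)

[Interactive API docs (Swagger UI)](https://api.safesurf.xorwave.com/swagger/index.html)

Full endpoint reference: [docs/api.md](docs/api.md)

## Contributing

Bug reports, feature requests and pull requests are welcome. Use [GitHub Issues](https://github.com/abhizaik/phishing-detection/issues) to report bugs or suggest features. For code contributions, see [CONTRIBUTING.md](.github/CONTRIBUTING.md).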