Phishing Detection Based on Deep Learning in Cloud Environment

By: Rekarius Asia University

Abstract

Cloud computing services are also targets of phishing attacks. This paper will discuss deep learning-based methods for detecting phishing attacks in a cloud environment. The first approach utilises recurrent neural networks (RNNs) with long short-term memory (LSTM) to enhance phishing detection. The second approach uses Multi-Head Attention and Bidirectional Gated Recurrent Units (MHA-BiGRU). The first approach yielded 98.88% accuracy, while the second approach achieved 98.85% accuracy.

Keywords: Cloud Environment, Phishing Detection, RNNs-LSTM-based, MHA-BiGRU-based

Introduction

Cloud computing (CC) enables users to access computational services via the internet, allowing them to utilize their data and software from any location with an internet connection [1]. The widespread adoption of cloud computing services for data storage, processing, and communication has made these platforms a target for attackers [4]. Cybercriminals are increasingly designing phishing campaigns that resemble legitimate communications from cloud service providers, leveraging authentic user interfaces to gain user trust and compromise security [2]. The sophistication of phishing attacks in cloud ecosystems poses significant challenges to traditional detection methods.

To address these challenges, this paper discusses deep learning-based methods for detecting phishing attacks in a cloud environment. The first approach utilises recurrent neural networks (RNNs) with long short-term memory (LSTM) to enhance phishing detection. The second approach uses Multi-Head Attention and Bidirectional Gated Recurrent Units (MHA-BiGRU).

Methodology

RNN-LSTM

The proposed system is specifically designed to address the dynamic and evolving nature of phishing attacks in cloud settings by capturing sequential and temporal patterns in user interactions. The methodology consists of four phases: data acquisition and preprocessing, feature representation, model training, and performance evaluation.

Data Exploration and Analysis

The main data source of the research is PhishTank. Each entry includes critical information such as the phishing site's URL, submission time, verification status, and operational state. They used 10,000 samples, evenly categorized as authentic or phishing based on 18 distinct attributes that focus on URL structure and activity patterns.

A preliminary exploration of the dataset revealed patterns in phishing behavior and response efficiency. Key observations include:

  • Phishing lifecycle: The dataset records both submission and verification timestamps, allowing for analysis of the time taken to confirm a phishing report. This provides insight into response efficiency.
  • URL characteristics: Phishing URLs often feature irregular structures, including excessive length, presence of IP addresses, or frequent use of special characters, which differentiate them from legitimate URLs.
  • Verification patterns: Most verified phishing sites are confirmed within a short time frame, highlighting the effectiveness of PhishTank's validation process.

To ensure the quality of the dataset for training and evaluation, the following steps were undertaken:

  • removal of incomplete or duplicate entries to maintain data integrity,
  • normalization of URL features to ensure consistency across samples,
  • label encoding of target variables, with phishing URLs labeled as “1” and legitimate URLs as “0”.

These steps ensure that the dataset is both clean and ready for robust feature extraction and model training.

Feature Extraction

They extracted the following key attributes:

    • Having IP – indicates the presence of an IP address in the URL, a tactic commonly used in phishing attacks to bypass domain-based detection.
    • URL Length – represents the total length of the URL. Phishing URLs often have unusually long paths to obfuscate their content.
    • Redirection – counts the number of redirects in a URL. Phishing websites frequently use multiple redirections to conceal their malicious intent.
    • Https Domain – verifies the presence of HTTPS in the domain. Phishing attackers often exploit this to create a false sense of security.
    • TinyURL – identifies the use of URL shortening services, which are frequently leveraged in phishing campaigns to obscure malicious destinations.
    • Prefix/Suffix – checks for the presence of prefix or suffix patterns in domain names, as these can mimic legitimate domains.
    • Cloud Keyword Presence – detects cloud-related keywords (e.g., cloud, aws, azure) in the URL, which phishers may use to impersonate trusted cloud providers.
    • Service Name Similarity – analyzes the similarity between the URL content and popular cloud service names to deceive users into assuming legitimacy.
    • SSL Certification – determines the validity of SSL certificates, as phishing websites may use SSL to appear credible.
    • Request Pattern Complexity – evaluates the complexity of the URL’s request pattern, as phishing sites often include irregular or unusually structured paths.
    • Label – the target variable, classifying URLs as phishing or legitimate.

These features are essential for identifying phishing websites by analyzing both structural and behavioral patterns.
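The sketch below is an added example, not code from the paper or its authors: it derives the seven listed features that can be computed from the URL string alone (SSL validity, service-name similarity and request-pattern complexity need lookups or definitions the page does not give). The shortener list, the function names and the exact rule behind each feature are assumptions, and the sample URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed values: the page names the features but not the lists behind them.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
CLOUD_KEYWORDS = ("cloud", "aws", "azure")  # the examples given in the text
FEATURE_ORDER = ("having_ip", "url_length", "redirection", "https_domain",
                 "tiny_url", "prefix_suffix", "cloud_keyword")

def having_ip(host):
    """Return 1 if the host is a literal IPv4/IPv6 address, else 0."""
    try:
        ipaddress.ip_address(host)
        return 1
    except ValueError:
        return 0

def extract_features(url):
    """Map one URL to the lexical features described above."""
    host = (urlsplit(url).hostname or "").lower()
    after_scheme = url.split("://", 1)[-1]
    return {
        "having_ip": having_ip(host),
        "url_length": len(url),
        # Assumption: a "//" past the scheme separator marks an embedded redirect.
        "redirection": after_scheme.count("//"),
        # Assumption: the token "https" inside the host name itself.
        "https_domain": int("https" in host),
        "tiny_url": int(host in SHORTENERS),
        # A hyphen in the host name, as in a brand-lookalike prefix or suffix.
        "prefix_suffix": int("-" in host),
        "cloud_keyword": int(any(k in url.lower() for k in CLOUD_KEYWORDS)),
    }

def to_vector(url):
    """Fixed-order numeric row, ready for normalisation and training."""
    feats = extract_features(url)
    return [feats[name] for name in FEATURE_ORDER]

# Constructed sample URLs (reserved documentation address and example domains).
SAMPLES = [
    "http://192.0.2.10/aws/console//signin",
    "https://https-azure-login.example.com/",
    "https://www.example.org/docs",
]
```

Each row from `to_vector` still needs the normalisation step described earlier before training, since URL length is on a different scale from the binary flags.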

Phishing Detection Model

The model leverages an RNN framework augmented with LSTM layers to effectively capture sequential and temporal patterns in cloud service interactions. By analyzing these behavioral patterns over time, the model can differentiate between phishing and legitimate activities with high precision.

The proposed architecture is designed to process input sequences while preserving contextual and temporal dependencies critical for identifying phishing attempts. The model is made up of multiple layers, each serving a specific role in the detection pipeline.

In the embedding layer, input tokens are first converted into dense vectors that represent their semantic meaning. This layer is crucial for the model to understand the contextual links. Embedding tokens into dense representations gives the model a numerical representation of text that improves interpretability for future layers, helping it uncover phishing patterns. The quality of the embeddings can be improved using pre-trained models like Word2Vec or GloVe.

The LSTM layers capture embedded data sequence dependencies. LSTMs can keep crucial information and discard less important information, making them suitable for detecting phishing patterns that depend on earlier or later sequences. The LSTM technique selectively updates and preserves cell states through these gates to keep the model’s phishing detection knowledge. To enhance the model’s capacity to capture long-range dependencies, we can also implement a bidirectional LSTM, which processes the input sequence in both forward and backward directions.

A fully connected layer and output layer evaluate the final hidden state h_T after the LSTM layers, converting the learned features into a probability score for phishing attempts. The probability of the sequence being phishing is between 0 and 1 with this function. These layers decide by mapping the RNN’s learned properties into a binary outcome.

Next, the model is trained by minimizing a binary cross-entropy loss function that compares true labels and predicted probability. The loss function encourages accurate model predictions by reducing the error between true labels and predictions. Regularization methods such as dropout can be added after LSTM layers to enhance generalization and reduce overfitting. The dropout layer allows the model to avoid over-reliance on any single feature by randomly setting a percentage p of input units to zero during training.

The performance of the model is optimized through careful selection of hyperparameters, including the learning rate, batch size, number of LSTM layers, and dropout rate. Hyperparameter tuning is performed systematically using grid search and cross-validation to identify the best configuration. Regularization techniques are applied to mitigate overfitting, ensuring that the model maintains strong predictive capabilities when exposed to unseen data.

The following parameters are assumed during model training:

  • Embedding dimension = 256, enhancing the representation of tokens to capture more intricate semantic relationships while still being manageable in terms of computational resources.
  • LSTM units = 256 for each LSTM layer, increasing the model’s ability to effectively learn and retain complex sequential dependencies in the data.
  • Dropout rate = 0.3, striking a balance between reducing overfitting and preserving enough model capacity to ensure robust learning.
  • Batch size = 64, allowing for more stable gradient updates while also accommodating larger data chunks, which can lead to better convergence.
  • Epochs = 50, with an emphasis on using early stopping based on validation loss to ensure that the model does not overtrain while still having sufficient training time to achieve high accuracy.
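To make the data flow of the architecture concrete, the following added example (not the authors' implementation) runs one URL through an embedding lookup, a single LSTM layer, and a sigmoid output, then scores the result with binary cross-entropy. It assumes character-level tokens, omits bias terms, uses 8-dimensional embeddings and hidden state instead of the 256 listed above, and its weights are seeded random values, so the probability it returns is untrained; all names are hypothetical.

```python
import math
import random

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

def matvec(W, v):
    return [sum(w * x for w, x in zip(row, v)) for row in W]

def rand_matrix(rng, rows, cols):
    return [[rng.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]

def dropout(h, p, rng):
    """Training-time inverted dropout: zero each unit with probability p."""
    return [0.0 if rng.random() < p else v / (1.0 - p) for v in h]

def bce(y_true, p, eps=1e-7):
    """Binary cross-entropy between a 0/1 label and a predicted probability."""
    p = min(max(p, eps), 1.0 - eps)
    return -(y_true * math.log(p) + (1 - y_true) * math.log(1.0 - p))

class TinyLSTMClassifier:
    """Embedding -> one LSTM layer -> dense sigmoid (forward pass, no biases)."""

    def __init__(self, vocab=128, embed=8, hidden=8, seed=0):
        rng = random.Random(seed)  # untrained, seeded weights
        self.hidden = hidden
        self.E = rand_matrix(rng, vocab, embed)
        # One matrix per gate over [h_prev ; x_t]: input, forget, output, candidate.
        self.W = {g: rand_matrix(rng, hidden, hidden + embed) for g in "ifog"}
        self.w_out = [rng.uniform(-0.5, 0.5) for _ in range(hidden)]

    def final_hidden(self, url):
        h, c = [0.0] * self.hidden, [0.0] * self.hidden
        for ch in url:
            z = h + self.E[ord(ch) % len(self.E)]  # character token -> dense vector
            i, f, o = ([sigmoid(v) for v in matvec(self.W[k], z)] for k in "ifo")
            g = [math.tanh(v) for v in matvec(self.W["g"], z)]
            c = [fj * cj + ij * gj for fj, cj, ij, gj in zip(f, c, i, g)]
            h = [oj * math.tanh(cj) for oj, cj in zip(o, c)]
        return h  # h_T, the state handed to the dense layer

    def predict(self, url):
        h_t = self.final_hidden(url)
        return sigmoid(sum(w * hj for w, hj in zip(self.w_out, h_t)))
```

During training, `dropout(h_t, 0.3, rng)` would sit between `final_hidden` and the dense layer; at inference it is skipped, which is why surviving units are rescaled by 1/(1-p).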

Table 1: Accuracy and loss performance of the model

Evaluation metric      Performance value
Training accuracy      0.988
Validation accuracy    0.977
Training loss          0.0318
Validation loss        0.0537

MHA-BiGRU

The MHA-BiGRU model [3] is applied for the identification of the phishing URLs. The GRU adjusts the cell state through two gating components and has relatively better performance, fewer parameters, and lower computation complexity than LSTM. In the MHA-BiGRU mechanism, the MHA model enables us to learn some useful data in the representation subspace. Moreover, the self-attention model captures the internal structure of the sentence and learns the word dependence relationship within the sentence. This model can be processed in parallel, which reduces the computation complexity. The multi-head self-attention module represents the overall semantics of the sentence. In this study, the Dynamic Arithmetic Optimization Algorithm (DAOA) adjusts the hyperparameter value of the MHA-BiGRU model. By applying dynamic inertia weights to balance global exploration and local exploitation, DAOA is used to optimize the weights and hyperparameters of the MHA-BiGRU model, improving training efficiency and detection accuracy.

Figure 1: Structure of MHA-BiGRU model

The structure of MHA-BiGRU model is shown in figure 1.

Conclusion

The research concludes that the proposed MHA-BiGRU model, optimized with DAOA, significantly outperforms traditional models in phishing detection, achieving an accuracy of 98.85%. Achieving an accuracy of 98.88%, the RNN-LSTM model demonstrated the potential of deep learning to significantly enhance phishing detection in cloud computing, thereby reinforcing cybersecurity by distinguishing legitimate from malicious interactions.

References

  1. M.M. Alani and H. Tawfik. Phishnot: a cloud-based machine-learning approach to phishing url detection. Computer Networks, 218(4):109407, 2022.
  2. M. Dawood et al. Cyberattacks and security of cloud computing: A complete guideline. Symmetry, 15(11):1981, 2023.
  3. Vishnukumar Ravula and Mangayarkarasi Ramaiah. Enhancing phishing detection with dynamic optimization and character-level deep learning in cloud environments. PeerJ Computer Science, 11:e2640, 2025.
  4. Oussama Senouci and Nadjib Benaouda. Enhancing phishing detection in cloud environments using rnn-lstm in a deep learning framework. Journal of Telecommunications and Information Technology, (1):1–9, 2025.
  5. M. Massoudi and R. Malhotra. AI-driven healthcare systems: A personalized symptom-based disease prognosis tool using RF, GNB, and SVC techniques. Innovation and Emerging Technologies, 12:2550003, 2025.
  6. A. Alsaleh. Leveraging artificial intelligence for sustainable healthcare transformation: Socioeconomic impacts and ethical implications. Innovation and Emerging Technologies, 12:2550015, 2025.
  7. Y. H. Lim, P. S. Q. Yeoh, and K. W. Lai. Evaluating fine-tuned GPT models on different datasets in the healthcare domain. Innovation and Emerging Technologies, 12:1–7, 2025.

Cite As

Rekarius (2025) Phishing Detection Based on Deep Learning in Cloud Environment, Insights2Techinfo, pp.1
