OPH-Guard: An Operationally Interpretable
Tree-Ensemble Framework for Phishing URL Screening in
Secure Web Access Management
Reem Atassi1,∗
1Higher Colleges of Technology, UAE
Email: ratassi@hct.ac.ae
Abstract
Phishing URLs remain a security threat to organizations because they enable credential theft, account
takeover, payment fraud, and unauthorized access to digital services. Phishing detection has been studied
extensively, yet most published work still emphasizes predictive performance over operational capability,
testing, and governance implementation. OPH-Guard is developed as an operational security system that uses
compact tree ensembles to identify phishing URLs for secure web access management. The integrated workflow
lets institutions and small enterprises implement public data ingestion, feature validation, tabular model
learning, post-hoc explanation, and security-action mapping. The empirical evaluation used a public
GitHub-hosted phishing URL dataset containing 11,481 labeled records and 87 predictive features. Three
tree-based learners (Decision Tree, Random Forest, and Extra Trees) were compared under a stratified 80/20
hold-out protocol. Extra Trees achieved the highest accuracy on the held-out test set, 0.9856, with
precision 0.9921, recall 0.9791, F1-score 0.9855, and ROC-AUC 0.9984. The study examines the security
relevance of top predictors (google index, page rank, domain age, and phish hints), which provides evidence
that the resulting model enables organizations to manage browsing risk through URL triage together with
secure information management controls. The study presents a reproducible framework, a complete screening
algorithm, a summary of existing research covering ten studies, and a system that connects model results to
security operations.
Keywords: Phishing URL detection; Tree ensembles; Extra Trees; Secure web access management; Operational
interpretability; Cybersecurity analytics