This dataset is created to form a Balanced URLs dataset with the same number of unique Benign and Malicious URLs. The total number of URLs in the dataset is 632,508 unique URLs.

The creation of the dataset has involved 2 different datasets from Kaggle which are as follows:

First Dataset: 450,176 URLs, out of which 77% benign and 23% malicious URLs. Can be found here: https://www.kaggle.com/datasets/siddharthkumar25/malicious-and-benign-urls

Second Dataset: 651,191 URLs, out of which 428103 benign or safe URLs, 96457 defacement URLs, 94111 phishing URLs, and 32520 malware URLs. Can be found here: https://www.kaggle.com/datasets/sid321axn/malicious-urls-dataset

To create the Balanced dataset, the first dataset was the main dataset, and then more malicious URLs from the second dataset were added, after that the extra Benign URLs were removed to keep the balance. Of course, unifying the columns and removing the duplicates were done to only keep the unique instances.

For more information about the collection of the URLs themselves, please refer to the mentioned datasets above.

All the URLs are in one .csv file with 3 columns: 1- First column is the 'url' column which has the list of URLs. 2- Second column is the 'label' which states the class of the URL wether 'benign' or 'malicious'. 3- Third column is the 'result' which also represents the class of the URL but with 0 and 1 values. {0 is benign and 1 is malicious}.

Context Malicious URLs or malicious website is a very serious threat to cybersecurity. Malicious URLs host unsolicited content (spam, phishing, drive-by downloads, etc.) and lure unsuspecting users to become victims of scams (monetary loss, theft of private information, and malware installation), and cause losses of billions of dollars every year. We have collected this dataset to include a large number of examples of Malicious URLs so that a machine learning-based model can be developed to identify malicious urls so that we can stop them in advance before infecting computer system or spreading through inteinternet.

Content we have collected a huge dataset of 651,191 URLs, out of which 428103 benign or safe URLs, 96457 defacement URLs, 94111 phishing URLs, and 32520 malware URLs. Figure 2 depicts their distribution in terms of percentage. As we know one of the most crucial tasks is to curate the dataset for a machine learning project. We have curated this dataset from five different sources.

For collecting benign, phishing, malware and defacement URLs we have used URL dataset (ISCX-URL-2016) For increasing phishing and malware URLs, we have used Malware domain black list dataset. We have increased benign URLs using faizan git repo At last, we have increased more number of phishing URLs using Phishtank dataset and PhishStorm dataset As we have told you that dataset is collected from different sources. So firstly, we have collected the URLs from different sources into a separate data frame and finally merge them to retain only URLs and their class type.

This dataset is a consolidated collection of malicious, phishing, and unsafe URLs gathered from multiple reputable cybersecurity intelligence sources. It is designed to support machine learning research, threat detection modeling, academic projects, and security analysis. The dataset combines various categories of malicious URLs, including malware distribution sites, phishing links, and adult-content blacklist entries, to provide a comprehensive view of harmful web activity.

This dataset does not contain live malicious content; only URL strings and labels are provided. It is safe for research and educational use.

The dataset contains DNS records, IP-related features, WHOIS/RDAP information, information from TLS handshakes and certificates, and GeoIP information for 368,956 benign domains from Cisco Umbrella, 461,338 benign domains from the actual CESNET network traffic, 164,425 phishing domains from PhishTank and OpenPhish services, and 100,809 malware domains from various sources like ThreatFox, The Firebog, MISP threat intelligence platform, and other sources. The ground truth for the phishing dataset was double-check with the VirusTotal (VT) service. Domain names not considered malicious by VT have been removed from phishing and malware datasets. Similarly, benign domain names that were considered risky by VT have been removed from the benign datasets. The data was collected between March 2023 and July 2024. The final assessment of the data was conducted in August 2024.

The dataset is useful for cybersecurity research, e.g. statistical analysis of domain data or feature extraction for training machine learning-based classifiers, e.g. for phishing and malware website detection.

Data Files

• The data is located in the following individual files:

  • benign_umbrella.json - data for 368,956 benign domains from Cisco Umbrella,
  • benign_cesnet.json - data for 461,338 benign domains from the CESNET network,
  • phishing.json - data for 164,425 phishing domains, and
  • malware.json - data for 100,809 malware domains.

Data Structure

In 2024, the total detection cases of web-based malware sites in South Korea amounted to roughly ** thousand, a slight increase compared to the previous year. The highest number of detected web-based malware sites in South Korea was ****** cases in 2014. The type of web-based malware sites was comprised of distribution sites and staging sties.

Summary of previous works on malicious URL detection.

The suspicious file and URL analysis market is booming, projected to reach $88 million in 2025 and grow at a CAGR of 6.4% through 2033. Learn about key drivers, trends, and top players shaping this crucial cybersecurity sector. Discover market size projections, regional breakdowns, and insights into cloud-based vs. on-premise solutions.

The global suspicious file and URL analysis market is booming, projected to reach $412 million by 2033 with a 15% CAGR. This report analyzes market trends, key players (CrowdStrike, Symantec, McAfee), and regional growth, highlighting the increasing demand for robust cybersecurity solutions in the face of rising cyber threats. Learn more about cloud-based solutions and the impact of AI on threat detection.

Phishing URL Classification Dataset

This dataset contains URLs labeled as 'Safe' (0) or 'Not Safe' (1) for phishing detection tasks.

  Dataset Summary

This dataset contains URLs labeled for phishing detection tasks. It's designed to help train and evaluate models that can identify potentially malicious URLs.

  Dataset Creation

The dataset was synthetically generated using a custom script that creates both legitimate and potentially phishing URLs. This approach… See the full description on the dataset page: https://huggingface.co/datasets/imanoop7/phishing_url_classification.

This dataset is part of my PhD research on malware detection and classification using Deep Learning. It contains static analysis data: Top-1000 imported functions extracted from the 'pe_imports' elements of Cuckoo Sandbox reports. PE malware examples were downloaded from virusshare.com. PE goodware examples were downloaded from portableapps.com and from Windows 7 x86 directories.

The performance of the proposed ensemble classifier in classifying four classes of malicious URLs for testing data.

The suspicious file and URL analysis market is booming, projected to reach $150 million by 2033 with a 6.7% CAGR. This in-depth analysis explores market drivers, trends, restraints, key players (CrowdStrike, McAfee, Symantec, etc.), and regional growth. Discover the latest insights on protecting against ransomware, phishing, and malware.

Dataset consisting of feature vectors of 215 attributes extracted from 15,036 applications (5,560 malware apps from Drebin project and 9,476 benign apps). The dataset has been used to develop and evaluate multilevel classifier fusion approach for Android malware detection, published in the IEEE Transactions on Cybernetics paper 'DroidFusion: A Novel Multilevel Classifier Fusion Approach for Android Malware Detection'. The supporting file contains further description of the feature vectors/attributes obtained via static code analysis of the Android apps.

EustassKidman/malicious-url dataset hosted on Hugging Face and contributed by the HF Datasets community

Benchmarking the proposed work with previous works in malicious URL detection.

This dataset consists of phishing and malicious URLs along with detailed metadata that helps in understanding their activity, status, and technical characteristics. It is suitable for tasks such as URL classification, phishing detection, threat intelligence, and malware analysis.

🔹 Key Highlights

Contains URLs reported as phishing or malicious.

Includes timestamps for when URLs were added and last seen online.

Provides threat classifications (e.g., phishing, malware, fraud, botnet).

Enriched with technical tags indicating malware families or targeted platforms (e.g., Mozi, elf, mips, 32-bit).

Potential Use Cases

Training machine learning models for phishing/malware URL detection.

Building threat intelligence dashboards.

Performing exploratory data analysis (EDA) on phishing trends over time.

Understanding malware targeting patterns (e.g., IoT attacks using Mozi botnet).

Discover the booming Website Malware Scanner market analysis! Explore key trends, growth drivers, leading companies (Invicti, Acunetix, Qualys), and future projections for 2025-2033. Learn how to protect your website from cyber threats.

Comprehensive database of known malicious URLs, phishing sites, and threat indicators

A dataset of URLs with binary labels for malicious/benign classification

The dataset contains extracted attributes from websites that can be used for Classification of webpages as malicious or benign. The dataset also includes raw page content including JavaScript code that can be used as unstructured data in Deep Learning or for extracting further attributes. The data has been collected by crawling the Internet using MalCrawler [1]. The labels have been verified using the Google Safe Browsing API [2]. Attributes have been selected based on their relevance [3]. The details of dataset attributes is as given below: 'url' - The URL of the webpage. 'ip_add' - IP Address of the webpage. 'geo_loc' - The geographic location where the webpage is hosted. 'url_len' - The length of URL. 'js_len' - Length of JavaScript code on the webpage. 'js_obf_len - Length of obfuscated JavaScript code. 'tld' - The Top Level Domain of the webpage. 'who_is' - Whether the WHO IS domain information is compete or not. 'https' - Whether the site uses https or http. 'content' - The raw webpage content including JavaScript code. 'label' - The class label for benign or malicious webpage.

Python code for extraction of the above listed dataset attributes is attached. The Visualisation of this dataset and it python code is also attached. This visualisation can be seen online on Kaggle [5].