// MODEL-BASED DIAGNOSTIC · BAYESIAN + VIRUSTOTAL · LEVENSHTEIN DISTANCE · WEIGHTED AVERAGE
1. Domain Age (WHOIS)
Checks how old the domain is. Domains under 30 days old are high-risk indicators.
2. VirusTotal (70+ engines)
URL scanned across 70+ antivirus engines. Malicious/suspicious ratio feeds the Bayesian likelihood.
3. Bayesian Score (40%)
P(Phishing|Evidence) = P(E|Ph) × P(Ph) / P(E). New-domain signal (0.56) prevents score collapse when VT returns 0.
4. Levenshtein Score (60%)
Token-based comparison against 15 brands. Brand token in wrong domain = 1.0. Typosquat (paypa1) = normalized similarity.
5. Final = 0.40×Bayesian + 0.60×Levenshtein
Override: Levenshtein ≥ 0.65 forces HIGH RISK regardless of Bayesian.