Globally, individuals and organizations employ Quick Response (QR) codes for swift and convenient communication. Leveraging this, cybercriminals embed falsify and misleading information in QR codes to launch various phishing attacks which termed as Quishing. Many former studies have introduced defensive approaches to preclude Quishing such as by classifying the embedded content of QR codes and then label the QR codes accordingly, whereas other studies classify them using visual features (i.e., deep features, histogram density analysis features). However, these approaches mainly rely on black-box techniques which do not clearly provide interpretability and transparency to fully comprehend and reproduce the intrinsic decision process; therefore, having certain obvious limitations includes the approaches' trust, accountability, issues in bias detection, and many more. We proposed QR\"iS, the pioneer method to classify QR codes through the comprehensive structural analysis of a QR code which helps to identify phishing QR codes beforehand. Our classification method is clearly transparent which makes it reproducible, scalable, and easy to comprehend. First, we generated QR codes dataset (i.e. 400,000 samples) using recently published URLs datasets [1], [2]. Then, unlike black-box models, we developed a simple algorithm to extract 24 structural features from layout patterns present in QR codes. Later, we train the machine learning models on the harvested features and obtained accuracy of up to 83.18%. To further evaluate the effectiveness of our approach, we perform the comparative analysis of proposed method with relevant contemporary studies. Lastly, for real-world deployment and validation, we developed a mobile app which assures the feasibility of the proposed solution in real-world scenarios which eventually strengthen the applicability of the study.

翻译：全球范围内，个人与组织广泛使用快速响应（QR）码以实现高效便捷的信息传递。网络犯罪分子利用这一趋势，在QR码中嵌入伪造和误导性信息，发起各类钓鱼攻击，此类攻击被统称为“Quishing”（二维码钓鱼）。先前许多研究提出了防御Quishing的方法，例如通过对QR码嵌入内容进行分类并据此标记QR码，或利用视觉特征（如深度特征、直方图密度分析特征）进行分类。然而，这些方法主要依赖黑盒技术，未能清晰提供可解释性与透明度，难以完整理解和复现其内在决策过程；因此存在明显局限，包括方法可信度、可问责性、偏差检测问题等。我们提出QRiS——一种通过QR码综合结构分析实现先验识别的钓鱼二维码分类开创性方法。该分类方法具有完全透明性，易于复现、扩展和理解。首先，我们基于近期发布的URL数据集[1][2]生成了QR码数据集（含40万个样本）。随后，区别于黑盒模型，我们开发了一种简易算法，从QR码的布局模式中提取24个结构特征。接着，基于这些特征训练机器学习模型，获得了最高达83.18%的准确率。为深入评估方法有效性，我们将所提方法与相关前沿研究进行了对比分析。最后，为实现实际部署验证，我们开发了移动应用程序，证实了该方案在真实场景中的可行性，从而增强了研究的实用价值。