File size: 4,098 Bytes
deec82a | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 | ---
language: en
license: mit
library_name: phishbyte
pipeline_tag: text-classification
tags:
- phishing-detection
- email-security
- pytorch
- from-scratch
- no-pretrained-weights
- cascading-inference
- lightweight
- explainable-ai
datasets:
- CEAS-2008
metrics:
- f1
- precision
- recall
- accuracy
model-index:
- name: phishbyte
results:
- task:
type: text-classification
name: Phishing Email Detection
dataset:
name: CEAS-2008
type: ceas-2008
metrics:
- type: f1
value: 0.948
- type: accuracy
value: 0.944
- type: precision
value: 0.954
- type: recall
value: 0.943
---
# Phish_Byte
A from-scratch PyTorch model for **email phishing detection**.
**F1 0.948** on CEAS-2008. **12,545 parameters** (β9,000Γ smaller than DistilBERT).
**1,500+ emails/sec** on a laptop GPU. Every verdict explains itself.
## Why this exists
Every phishing detection model on HuggingFace is currently a fine-tuned
transformer (DistilBERT, BERT, RoBERTa) β 65 to 110 million parameters,
~250 MB on disk, ~50 ms per email on GPU. Phish_Byte takes a different
bet: a small custom MLP trained from scratch, fed by 29 carefully chosen
features, routed through a cascading inference pipeline. The model is
**9,000Γ smaller** than DistilBERT, performs competitively, deploys
without a GPU, and explains every decision.
## Usage
```python
from phishbyte import PhishByteEngine
engine = PhishByteEngine.from_pretrained("AnonymousSingh-007/phishbyte")
verdict = engine.analyze(raw_email_string)
print(verdict.label) # 'phishing'
print(verdict.probability) # 0.9735
print(verdict.confidence) # 'high'
print(verdict.layer_used) # 2 β MLP made this call
print(verdict.feature_weights) # full per-feature attribution
```
## Architecture
```
Layer 1 β rule scorers (~1 ms): domain + URL + SPF + subject
β
ββββΊ obvious phishing? short-circuit verdict
β
ββββΊ otherwise route to MLP
β
Layer 2 β MLP (~3 ms): 29 β 96 β 48 β 1 (sigmoid)
β
βΌ
PhishVerdict {label, probability, confidence, layer_used, feature_weights}
```
## Performance (CEAS-2008, n=2000 held-out)
| Metric | Value |
|------------------|----------:|
| F1 score | **0.948** |
| Accuracy | 94.40% |
| Precision | 0.9537 |
| Recall | 0.9432 |
| Parameters | 12,545 |
| Model size | ~50 KB |
| Throughput (GPU) | 1,527 /s |
| Throughput (CPU) | ~800 /s |
## Features (29 inputs)
- **Domain (5)**: From/Reply-To/Return-Path mismatch, freemail flag, brand impersonation
- **URL (5)**: HTTPS ratio, anchor mismatch, suspicious TLD, urgency, link density
- **SPF (3)**: SPF fail, no record, no sending IP
- **Subject (7)**: urgency, security theme, brand name, currency, all caps, fake RE, fake transaction ID
- **Character-level (5)**: caps ratio, digit ratio, special chars, avg word length, HTML/text ratio
- **Composite (4)**: per-layer normalized scores
## Limitations
- ~5% of decisions are wrong (F1 0.948, not 1.0). Use as one signal in defence-in-depth, not the only gate.
- Trained on CEAS-2008 β English-language phishing from 2008. Modern attack patterns and non-English emails will degrade performance.
- SPF validation is bypassed for training (historical domains don't resolve) but runs live at inference time.
- Adversarial emails crafted specifically to game these features will get through.
## Citation
```bibtex
@software{phishbyte2026,
author = {Singh, Samratth},
title = {Phish_Byte: A cascading from-scratch PyTorch model for email phishing detection},
year = {2026},
url = {https://github.com/AnonymousSingh-007/Phish_Byte}
}
```
## License
MIT
|