| ---
|
| language: en
|
| license: mit
|
| library_name: phishbyte
|
| pipeline_tag: text-classification
|
| tags:
|
| - phishing-detection
|
| - email-security
|
| - pytorch
|
| - from-scratch
|
| - no-pretrained-weights
|
| - cascading-inference
|
| - lightweight
|
| - explainable-ai
|
| datasets:
|
| - CEAS-2008
|
| metrics:
|
| - f1
|
| - precision
|
| - recall
|
| - accuracy
|
| model-index:
|
| - name: phishbyte
|
| results:
|
| - task:
|
| type: text-classification
|
| name: Phishing Email Detection
|
| dataset:
|
| name: CEAS-2008
|
| type: ceas-2008
|
| metrics:
|
| - type: f1
|
| value: 0.948
|
| - type: accuracy
|
| value: 0.944
|
| - type: precision
|
| value: 0.954
|
| - type: recall
|
| value: 0.943
|
| ---
|
|
|
| # Phish_Byte
|
|
|
| A from-scratch PyTorch model for **email phishing detection**.
|
| **F1 0.948** on CEAS-2008. **12,545 parameters** (β9,000Γ smaller than DistilBERT).
|
| **1,500+ emails/sec** on a laptop GPU. Every verdict explains itself.
|
|
|
| ## Why this exists
|
|
|
| Every phishing detection model on HuggingFace is currently a fine-tuned
|
| transformer (DistilBERT, BERT, RoBERTa) β 65 to 110 million parameters,
|
| ~250 MB on disk, ~50 ms per email on GPU. Phish_Byte takes a different
|
| bet: a small custom MLP trained from scratch, fed by 29 carefully chosen
|
| features, routed through a cascading inference pipeline. The model is
|
| **9,000Γ smaller** than DistilBERT, performs competitively, deploys
|
| without a GPU, and explains every decision.
|
|
|
| ## Usage
|
|
|
| ```python
|
| from phishbyte import PhishByteEngine
|
|
|
| engine = PhishByteEngine.from_pretrained("AnonymousSingh-007/phishbyte")
|
| verdict = engine.analyze(raw_email_string)
|
|
|
| print(verdict.label) # 'phishing'
|
| print(verdict.probability) # 0.9735
|
| print(verdict.confidence) # 'high'
|
| print(verdict.layer_used) # 2 β MLP made this call
|
| print(verdict.feature_weights) # full per-feature attribution
|
| ```
|
|
|
| ## Architecture
|
|
|
| ```
|
| Layer 1 β rule scorers (~1 ms): domain + URL + SPF + subject
|
| β
|
| ββββΊ obvious phishing? short-circuit verdict
|
| β
|
| ββββΊ otherwise route to MLP
|
| β
|
| Layer 2 β MLP (~3 ms): 29 β 96 β 48 β 1 (sigmoid)
|
| β
|
| βΌ
|
| PhishVerdict {label, probability, confidence, layer_used, feature_weights}
|
| ```
|
|
|
| ## Performance (CEAS-2008, n=2000 held-out)
|
|
|
| | Metric | Value |
|
| |------------------|----------:|
|
| | F1 score | **0.948** |
|
| | Accuracy | 94.40% |
|
| | Precision | 0.9537 |
|
| | Recall | 0.9432 |
|
| | Parameters | 12,545 |
|
| | Model size | ~50 KB |
|
| | Throughput (GPU) | 1,527 /s |
|
| | Throughput (CPU) | ~800 /s |
|
|
|
| ## Features (29 inputs)
|
|
|
| - **Domain (5)**: From/Reply-To/Return-Path mismatch, freemail flag, brand impersonation
|
| - **URL (5)**: HTTPS ratio, anchor mismatch, suspicious TLD, urgency, link density
|
| - **SPF (3)**: SPF fail, no record, no sending IP
|
| - **Subject (7)**: urgency, security theme, brand name, currency, all caps, fake RE, fake transaction ID
|
| - **Character-level (5)**: caps ratio, digit ratio, special chars, avg word length, HTML/text ratio
|
| - **Composite (4)**: per-layer normalized scores
|
|
|
| ## Limitations
|
|
|
| - ~5% of decisions are wrong (F1 0.948, not 1.0). Use as one signal in defence-in-depth, not the only gate.
|
| - Trained on CEAS-2008 β English-language phishing from 2008. Modern attack patterns and non-English emails will degrade performance.
|
| - SPF validation is bypassed for training (historical domains don't resolve) but runs live at inference time.
|
| - Adversarial emails crafted specifically to game these features will get through.
|
|
|
| ## Citation
|
|
|
| ```bibtex
|
| @software{phishbyte2026,
|
| author = {Singh, Samratth},
|
| title = {Phish_Byte: A cascading from-scratch PyTorch model for email phishing detection},
|
| year = {2026},
|
| url = {https://github.com/AnonymousSingh-007/Phish_Byte}
|
| }
|
| ```
|
|
|
| ## License
|
|
|
| MIT
|
|
|
