- The paper presents a dual-phase neuro-symbolic framework combining symbolic rules with privacy-preserving RAG to accurately detect phishing attacks.
- It employs formal ontology reasoning (PhishOnt) to provide transparent, auditable explanations, achieving high recall and precision in test scenarios.
- The design ensures zero PHI exposure while delivering significant ROI and adaptability for sensitive domains like healthcare.
Introduction
Effective phishing detection in privacy-critical domains such as healthcare necessitates reconciling contradictory requirements: low false-positive rates (FPR), robust explainability for non-expert IT staff, regulatory compliance that restricts all external transmission of sensitive content, and resilience to AI-generated attack vectors. The paper "CyberCane: Neuro-Symbolic RAG for Privacy-Preserving Phishing Detection with Formal Ontology Reasoning" (2604.23563) introduces a neuro-symbolic framework that achieves this through a dual-phase pipeline integrating deterministic symbolic rules with privacy-preserving retrieval-augmented generation (RAG), underpinned by a robust ontological reasoning formalism.
Dual-Phase Architecture
CyberCane operates as a sequential, dual-phase detection pipeline. Phase 1 applies tuned symbolic rules over email metadata, instantly computing risk scores and mapping them to discrete verdicts (benign, needs_review, phishing) using variable thresholds. The symbolic layer directly surfaces technical violations such as missing MX/SPF/DMARC records, domain inconsistencies, and obfuscated URLs, with design emphasis on formal verifiability and minimum latency for compliance with time-sensitive domains such as healthcare.
Emails unresolved by Phase 1 escalate to Phase 2, which implements privacy-preserving RAG. Here, input undergoes strict PHI redaction before neural embedding (OpenAIโs text-embedding-3-small), and vector retrieval is performed against a phishing-only corpus using HNSW indexing. The top-k neighborsโ similarities inform AI-driven risk scoring, and explanations are produced using LLM reasoning (gpt-4.1-mini), integrating symbolic indicators, retrieved attack examples, and explicit ontology-driven attack types.
Figure 1: CyberCane dual-phase architecture where symbolic pre-filtering is cascaded with privacy-preserving RAG and formal explainability.
This construction enforces architectural privacy-by-design, ensuring that PHI is never transmitted to external APIs and all attack reasoning chains can be formally traced back through symbolic decisions.
Ontological Reasoning: PhishOnt
PhishOnt, the OWL-based ontology, encodes the attack taxonomy via Description Logic axioms: Phase 1 triggers (e.g., missing DNS auth, obfuscated URLs) map to ontology properties, and attacks are classified by formal axiom satisfaction. The reasoning engine supports multi-label outputs with confidence quantification and explicable inference chains, a requirement for security audits under HIPAA/GDPR constraints. The ontology covers multiple healthcare-specific attack classes (prescription fraud, insurance scams, EHR credential theft, appointment scams), each defined over symbolic feature conjunctions and disjunctions.
Empirical results indicate that PhishOnt is activated on 85% of test emails, with average attack label cardinality per instance of 2.66 and a mean confidence score discriminating phishing from benign by +1.84pp. Notably, only 14.5% of benign activations exceed the mean phishing confidence, demonstrating PhishOnt's discriminative value as a supporting contextual signal.
Figure 2: Domain-adapted phishing attack taxonomy (healthcare case), operationalized by the PhishOnt ontology and mapping formal indicator chains to class labels.
Privacy-Preserving RAG Layer
The RAG subsystem rigorously redacts all emails (emails, SSNs, credit cards, phones, DoBs) prior to neural embedding. Vector retrieval is executed over a phishing-only corpus with calibrated thresholds, ensuring the AI verdict is grounded in hard similarity statistics, not stochastic LLM output. Empirical analysis shows that redaction is active on over half of test data, with no statistically significant drop in F1 across LLM-generated and human-written attacksโrefuting concerns that semantic utility is lost by regex-based masking.
Crucially, unlike prior RAG approaches, the LLM never generates stand-alone risk scores; all LLM output is supporting explanation, integrating explicit context including formal attack traces from PhishOnt.
Figure 3: Deterministic ROC for Phase 1 and vector similarity histograms, establishing semantic escalation thresholds for phase escalation under strict FPR constraints.
Explanation Groundedness and Multi-Layered Transparency
LLM-powered explanations are strictly confined to referencing evidence provided: symbolic rule triggers, retrieved examples (with scores), and ontology-inferred types. A manual audit of explanation tags ([AUTH], [URL], [SIMILARITY], [ONTOLOGY], [URGENCY], [CONTENT]) demonstrates that ONTOLOGY and SIMILARITY tags reach 100% supportโevery ONTOLOGY explanation has corresponding formal evidence chains, fully satisfying auditability for regulated deployments. Non-ontology tags (e.g., AUTH) display variable support, indicating the persistent difficulty of verifying free-form LLM content in reasoning-constrained settings.
Figure 4: Example CyberCane detection output integrating symbolic rule evidence, semantic retrieval, and contextual LLM analysis for comprehensive, auditable explanations.
Experimental Results
Benchmarking was performed on Nazario/SpamAssassin and the AI-augmented DataPhish 2025 corpus. On DataPhish 2025, the dual-phase pipeline achieves recall = 99.1%, precision = 98.2% (F1 = 0.987), with robust invariance under author (human vs. 17 LLMs) and psychological attack intent (urgency, greed, authority, altruism). For classical datasets, a highly conservative threshold yields precision = 99.5%, recall = 37.2%, and FPR = 0.16%. Notably, the recall improvement over symbolic-only detection for AI-generated attacks is 78.6 percentage points. The false negative taxonomy reveals that 71.2% of misses are by design (high thresholds to suppress FP), not technical limitation (28.8%).
Baseline comparisons against privacy-constrained TF-IDF and GPT-4 Direct show that CyberCane achieves 6x lower FPR than redacted TF-IDF models and zero PHI exposure, while LLM-only models transmit PHI in 53.2% of casesโautomatically breaching HIPAA.
Figure 5: Precision-recall profiles, coverage-precision tradeoff, failure source taxonomy, and cost-benefit landscape across deployment configurations.
Economic and Practical Implications
For a mid-sized healthcare installation (10,000 daily emails, 4.4% phishing rate), CyberCane detects 164 attacks/day, preventing โ16.4 regulatory breaches/day at a cost of \$1,506/day (API + labor + FP impact). This yields a 542x risk-mitigated ROI, escalating to >1,400x at high-recall operating points. Operating point flexibility enables organizations to select desired cost/benefit tradeoffs via threshold tuning (see Table 4 and main text Table 9).
The architecture supports rapid adaptation for other privacy-critical sectors by retraining the RAG corpus and updating PhishOnt taxonomies, as all privacy logic is encapsulated in preprocessing modules.
Limitations and Future Directions
The framework depends on labeled attack corpora and may not generalize perfectly to adversarial zero-day attacks that semantically diverge from indexed threats. Quasi-identifier residuals, embedding inversion attacks, and organizational implementation of technical/admin safeguards constitute soft spots in absolute regulatory compliance and adversarial robustness. Further research is required in adversarial RAG hardening, federated PhishOnt updates, and expansion to multi-modal threats (SMS, voice phishing).
Conclusion
CyberCane establishes a deployable paradigm for privacy-preserving phishing detection, adhering to regulatory mandates and organizational risk appetites in critical sectors. The dual-phase neuro-symbolic architecture fuses deterministic formal guarantees with the adaptability of neural retrieval, providing robust, transparent, and economically justifiable defense against human and AI-generated phishing. Structured explanations, zero PHI exposure, and operating point flexibility set a deployment standard for future neuro-symbolic security agents in regulated environments.