Papers
Topics
Authors
Recent
Search
2000 character limit reached

CyberCane: Neuro-Symbolic RAG for Privacy-Preserving Phishing Detection with Formal Ontology Reasoning

Published 26 Apr 2026 in cs.CR, cs.AI, and cs.IR | (2604.23563v1)

Abstract: Privacy-critical domains require phishing detection systems that satisfy contradictory constraints: near-zero false positives to prevent workflow disruption, transparent explanations for non-expert staff, strict regulatory compliance prohibiting sensitive data exposure to external APIs, and robustness against AI-generated attacks. Existing rule-based systems are brittle to novel campaigns, while LLM-based detectors violate privacy regulations through unredacted data transmission. We introduce CyberCane, a neuro-symbolic framework integrating deterministic symbolic analysis with privacy-preserving retrieval-augmented generation (RAG). Our dual-phase pipeline applies lightweight symbolic rules to email metadata, then escalates borderline cases to semantic classification via RAG with automated sensitive data redaction and retrieval from a phishing-only corpus. We further introduce PhishOnt, an OWL ontology enabling verifiable attack classification through formal reasoning chains. Evaluation on DataPhish2025 (12.3k emails; mixed human/LLM) and Nazario/SpamAssassin demonstrates a 78.6-point recall gain over symbolic-only detection on AI-generated threats, with precision exceeding 98% and FPR as low as 0.16%. Healthcare deployment projects a 542x ROI; tunable operating points support diverse risk tolerances, with open-source implementation at https://github.com/sbhakim/Cybercane.

Summary

  • The paper presents a dual-phase neuro-symbolic framework combining symbolic rules with privacy-preserving RAG to accurately detect phishing attacks.
  • It employs formal ontology reasoning (PhishOnt) to provide transparent, auditable explanations, achieving high recall and precision in test scenarios.
  • The design ensures zero PHI exposure while delivering significant ROI and adaptability for sensitive domains like healthcare.

CyberCane: Neuro-Symbolic RAG for Privacy-Preserving Phishing Detection with Formal Ontology Reasoning

Introduction

Effective phishing detection in privacy-critical domains such as healthcare necessitates reconciling contradictory requirements: low false-positive rates (FPR), robust explainability for non-expert IT staff, regulatory compliance that restricts all external transmission of sensitive content, and resilience to AI-generated attack vectors. The paper "CyberCane: Neuro-Symbolic RAG for Privacy-Preserving Phishing Detection with Formal Ontology Reasoning" (2604.23563) introduces a neuro-symbolic framework that achieves this through a dual-phase pipeline integrating deterministic symbolic rules with privacy-preserving retrieval-augmented generation (RAG), underpinned by a robust ontological reasoning formalism.

Dual-Phase Architecture

CyberCane operates as a sequential, dual-phase detection pipeline. Phase 1 applies tuned symbolic rules over email metadata, instantly computing risk scores and mapping them to discrete verdicts (benign, needs_review, phishing) using variable thresholds. The symbolic layer directly surfaces technical violations such as missing MX/SPF/DMARC records, domain inconsistencies, and obfuscated URLs, with design emphasis on formal verifiability and minimum latency for compliance with time-sensitive domains such as healthcare.

Emails unresolved by Phase 1 escalate to Phase 2, which implements privacy-preserving RAG. Here, input undergoes strict PHI redaction before neural embedding (OpenAIโ€™s text-embedding-3-small), and vector retrieval is performed against a phishing-only corpus using HNSW indexing. The top-k neighborsโ€™ similarities inform AI-driven risk scoring, and explanations are produced using LLM reasoning (gpt-4.1-mini), integrating symbolic indicators, retrieved attack examples, and explicit ontology-driven attack types. Figure 1

Figure 1: CyberCane dual-phase architecture where symbolic pre-filtering is cascaded with privacy-preserving RAG and formal explainability.

This construction enforces architectural privacy-by-design, ensuring that PHI is never transmitted to external APIs and all attack reasoning chains can be formally traced back through symbolic decisions.

Ontological Reasoning: PhishOnt

PhishOnt, the OWL-based ontology, encodes the attack taxonomy via Description Logic axioms: Phase 1 triggers (e.g., missing DNS auth, obfuscated URLs) map to ontology properties, and attacks are classified by formal axiom satisfaction. The reasoning engine supports multi-label outputs with confidence quantification and explicable inference chains, a requirement for security audits under HIPAA/GDPR constraints. The ontology covers multiple healthcare-specific attack classes (prescription fraud, insurance scams, EHR credential theft, appointment scams), each defined over symbolic feature conjunctions and disjunctions.

Empirical results indicate that PhishOnt is activated on 85% of test emails, with average attack label cardinality per instance of 2.66 and a mean confidence score discriminating phishing from benign by +1.84pp. Notably, only 14.5% of benign activations exceed the mean phishing confidence, demonstrating PhishOnt's discriminative value as a supporting contextual signal. Figure 2

Figure 2: Domain-adapted phishing attack taxonomy (healthcare case), operationalized by the PhishOnt ontology and mapping formal indicator chains to class labels.

Privacy-Preserving RAG Layer

The RAG subsystem rigorously redacts all emails (emails, SSNs, credit cards, phones, DoBs) prior to neural embedding. Vector retrieval is executed over a phishing-only corpus with calibrated thresholds, ensuring the AI verdict is grounded in hard similarity statistics, not stochastic LLM output. Empirical analysis shows that redaction is active on over half of test data, with no statistically significant drop in F1 across LLM-generated and human-written attacksโ€”refuting concerns that semantic utility is lost by regex-based masking.

Crucially, unlike prior RAG approaches, the LLM never generates stand-alone risk scores; all LLM output is supporting explanation, integrating explicit context including formal attack traces from PhishOnt. Figure 3

Figure 3: Deterministic ROC for Phase 1 and vector similarity histograms, establishing semantic escalation thresholds for phase escalation under strict FPR constraints.

Explanation Groundedness and Multi-Layered Transparency

LLM-powered explanations are strictly confined to referencing evidence provided: symbolic rule triggers, retrieved examples (with scores), and ontology-inferred types. A manual audit of explanation tags ([AUTH], [URL], [SIMILARITY], [ONTOLOGY], [URGENCY], [CONTENT]) demonstrates that ONTOLOGY and SIMILARITY tags reach 100% supportโ€”every ONTOLOGY explanation has corresponding formal evidence chains, fully satisfying auditability for regulated deployments. Non-ontology tags (e.g., AUTH) display variable support, indicating the persistent difficulty of verifying free-form LLM content in reasoning-constrained settings. Figure 4

Figure 4: Example CyberCane detection output integrating symbolic rule evidence, semantic retrieval, and contextual LLM analysis for comprehensive, auditable explanations.

Experimental Results

Benchmarking was performed on Nazario/SpamAssassin and the AI-augmented DataPhish 2025 corpus. On DataPhish 2025, the dual-phase pipeline achieves recall = 99.1%, precision = 98.2% (F1 = 0.987), with robust invariance under author (human vs. 17 LLMs) and psychological attack intent (urgency, greed, authority, altruism). For classical datasets, a highly conservative threshold yields precision = 99.5%, recall = 37.2%, and FPR = 0.16%. Notably, the recall improvement over symbolic-only detection for AI-generated attacks is 78.6 percentage points. The false negative taxonomy reveals that 71.2% of misses are by design (high thresholds to suppress FP), not technical limitation (28.8%).

Baseline comparisons against privacy-constrained TF-IDF and GPT-4 Direct show that CyberCane achieves 6x lower FPR than redacted TF-IDF models and zero PHI exposure, while LLM-only models transmit PHI in 53.2% of casesโ€”automatically breaching HIPAA. Figure 5

Figure 5: Precision-recall profiles, coverage-precision tradeoff, failure source taxonomy, and cost-benefit landscape across deployment configurations.

Economic and Practical Implications

For a mid-sized healthcare installation (10,000 daily emails, 4.4% phishing rate), CyberCane detects 164 attacks/day, preventing โ‰ˆ16.4 regulatory breaches/day at a cost of \$1,506/day (API + labor + FP impact). This yields a 542x risk-mitigated ROI, escalating to >1,400x at high-recall operating points. Operating point flexibility enables organizations to select desired cost/benefit tradeoffs via threshold tuning (see Table 4 and main text Table 9).

The architecture supports rapid adaptation for other privacy-critical sectors by retraining the RAG corpus and updating PhishOnt taxonomies, as all privacy logic is encapsulated in preprocessing modules.

Limitations and Future Directions

The framework depends on labeled attack corpora and may not generalize perfectly to adversarial zero-day attacks that semantically diverge from indexed threats. Quasi-identifier residuals, embedding inversion attacks, and organizational implementation of technical/admin safeguards constitute soft spots in absolute regulatory compliance and adversarial robustness. Further research is required in adversarial RAG hardening, federated PhishOnt updates, and expansion to multi-modal threats (SMS, voice phishing).

Conclusion

CyberCane establishes a deployable paradigm for privacy-preserving phishing detection, adhering to regulatory mandates and organizational risk appetites in critical sectors. The dual-phase neuro-symbolic architecture fuses deterministic formal guarantees with the adaptability of neural retrieval, providing robust, transparent, and economically justifiable defense against human and AI-generated phishing. Structured explanations, zero PHI exposure, and operating point flexibility set a deployment standard for future neuro-symbolic security agents in regulated environments.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 0 likes about this paper.