The authors built PhishSigma++, a phishing-email detector that extracts 40 typed entity classes (e.g., sender domain, URLs, attachments) and 5 cross-type relations to form a typed email graph, then uses particle-swarm optimization to select a sparse discriminative relation mask for classification and evidence summarization. On 29,142 RFC822 messages, it achieves 0.9675 F1 on clean data and maintains 0.9579 F1 under non-adaptive "Good Word" padding attacks (ρ=0.8), while token-based Bayesian and DistilBERT baselines collapse to 0.0243 and 0.7284 F1 respectively. The method generalizes hand-crafted Sigma rules by learning which entity relations are discriminative from data.
Main takeaways:
- Focuses on invariant typed-entity relations (sender–URL, attachment–text) rather than mutable surface text, making it robust to adversarial text insertion
- Extracts 40 entity types and 5 cross-type relations to build a typed email graph; PSO selects a sparse discriminative mask
- Achieves 0.9675 F1 on clean phishing vs. ham; under Good Word padding (ρ=0.8) maintains 0.9579 F1 while text baselines collapse
- Compared to traditional Sigma rules (hand-written field conditions), PhishSigma++ offers higher detection, broader relational coverage, and data-driven feature selection
- Thresholded typed-relation scores encode a useful fragment of Sigma-style field conditions, unifying hand-crafted and learned approaches