A Hybrid Attention-Based Deep Learning Architecture for Phishing Detection

Phishing has emerged as one of the most persistent and rapidly evolving threats in the field of cybersecurity, exploiting human psychology and technological vulnerabilities to obtain sensitive information such as login credentials, financial data, and personal identifiers [1]. Attackers increasingly employ social engineering techniques, including deceptive emails, forged websites, and manipulated hyperlinks to impersonate legitimate entities and deceive users into revealing confidential details [2]. The widespread adoption of digital services in sectors such as E-banking, E-commerce, and E-governance has further expanded the attack surface, intensifying the frequency and complexity of phishing incidents worldwide [3]. Conventional strategies such as blacklist-based filters and heuristic rules struggle to address emerging phishing threats, as they were designed for known patterns and lack adaptability [4].

To address these limitations, the research community has progressively shifted toward machine learning (ML) and deep learning (DL) methodologies for phishing detection. ML-based models improve adaptability compared to heuristic systems but still face challenges in feature engineering and false classification rates when dealing with diverse phishing data. In contrast, DL frameworks, especially those leveraging convolutional neural networks (CNNs), recurrent neural networks (RNNs), and self-attention architectures, have demonstrated exceptional ability to automatically learn complex representations from high-dimensional data, enabling them to identify subtle behavioural and structural cues associated with phishing activities [5].

Nonetheless, despite these advancements, numerous research gaps remain. Existing DL models often lack the capability to simultaneously capture both spatial dependencies (relationships between feature patterns) and sequential dependencies (temporal or contextual relationships in URLs and content). Moreover, many models suffer from overfitting and reduced interpretability, limiting their robustness against rapidly evolving phishing strategies.

The present research introduces a hybrid DL architecture that integrates Gated Self-Attention Sparse Autoencoder (GAttn-SAE) with Attention-Optimized Convolutional Bidirectional Long Short-Term Memory (AConv-BiLSTM) networks to overcome these challenges. The GAttn-SAE module efficiently extracts critical phishing-related features using self-attention mechanisms, while the AConv-BiLSTM model combines Conv1D and BiLSTM layers to analyze both spatial and sequential phishing patterns. This dual-module approach enhances feature discrimination, reduces false positives, and improves generalization against novel phishing variants. Comparative experimental evaluation shows that the proposed model significantly outperforms existing ML-based and DL-based approaches in terms of accuracy, precision, recall, and ROC-AUC. Thereby establishing a robust and adaptive defense mechanism against modern phishing attacks. The key contributions of this work can be explained in three parts. First, we introduce a new hybrid phishing-detection architecture that combines both a GAttn-SAE that is used to depict discriminative features and an AConv-BiLSTM classifier to simultaneously represent spatial URL patterns and long-range sequential dependencies. Second, the suggested framework has high detection rates with lower computational complexity than transformer-based models, which is measured by model depth, the number of parameters, and training convergence properties, and is applicable to real-time and resource-limited cybersecurity settings. Third, we perform an extensive empirical analysis on publicly accessible phishing benchmarks, we compare the proposed model to classical machine-learning, deep-learning baselines, and state-of-the-art transformer architectures, and we compare them on standard measures, such as accuracy, precision, recall, F1-score, and ROC-AUC.

The remainder of this paper is structured as follows: Section II reviews related literature and existing phishing detection methodologies; Section III details the proposed hybrid architecture and its operational framework; Section IV presents the experimental setup, and evaluation metrics; Section V discusses the results and comparative analysis highlighting the model’s performance and novelty and finally, Section VI concludes the study with future research directions.

In the design of the proposed hybrid model, the philosophy is based on the successful experience of transformer architectures like BERT and Denseformer that used self-attention to detect long-range dependencies in textual and sequential data. Nevertheless, transformer models are less applicable in real-time deployment in cybersecurity, as they usually need enormous annotated datasets and computation resources to get trained and be highly accurate in the detection of phishing and fraud. The proposed framework incorporates lightweight attention elements in its design to balance between performance and efficiency. GAttn-SAE is made with the same representational power as transformer encoders on the feature extraction task, and AConv-BiLSTM is provided that combines both convolutional and bidirectional recurrent processing to model hierarchical attentive behavior. The design is interpretable and efficient, like traditional neural models, but with more sophisticated contextual correlations than transformer models. The proposed framework implements DL methods that improve both extractive capabilities for features and classification performance and adaptive behavior for new phishing techniques. GAttn-SAE and AConv-BiLSTM constitute the model's two components dedicated to feature representation learning and phishing classification tasks, respectively. The workflow step processes data by repairing missing values and removing duplicates while applying representations to domain names, email metadata, and URL patterns, as shown in Figure 1. Standardization normalization falls under the normalization techniques used to normalize numerical features by making their values have a mean of zero, while the variance becomes one. The dataset distribution takes place into distinct training and testing parts for model assessment purposes. The notation used throughout the proposed GAttn-SAE + AConv-BiLSTM framework is summarized in Table 1.

Table 1. Notation used in the proposed model

Figure 1. Phishing detection model using Gated Self-Attention Sparse Autoencoder (GAttn-SAE) and Attention-Optimized Convolutional Bidirectional Long Short-Term Memory (AConv-BiLSTM)

The GAttn-SAE module serves to extract important data patterns from unprocessed phishing data and remove unnecessary information. The initial portion of the encoder contains 128 ReLU units in its first layer, followed by a second layer equipped with 64 units to transform input features into latent space vectors. Development of the encoder included the self-attention mechanism that focuses on significant features by computing attention scores between various input attributes.

A GAttn-SAE together with AConv-BiLSTM constitute the proposed phishing detection model, which enables high precision detection while being adaptable, as shown in Figure 2. The model starts by obtaining relevant phishing features from URL attributes and email header contents, along with metadata elements in its initial input phase. With ReLU activation, the GAttn-SAE component contains two encoder layers of 128 and 64 neurons to decrease dimensions and retain essential information. The self-attention component evaluates important features that lead to a 64-dimensional output encoding representation. AConv-BiLSTM uses Conv1D layers having 64 filters to discover localized phishing patterns in addition to BiLSTM layers containing 64 forward and 64 backward units that can learn sequential dependencies inside phishing datasets. The processed features pass through two fully connected layers with ReLU activation, which contain 64 neurons, then 32 neurons to improve the classification steps. The output predictions of the network occur through its final sigmoid-activated layer to determine phishing or legitimate inputs. By combining hybrid attention-based encoding with CNN-LSTM classification, the system achieves optimal feature selection and sequential learning and better accuracy results. This architecture employs self-attention for dynamic pattern highlighting. It uses Conv1D to extract spatial correlation and BiLSTM to capture sequential dependencies. Together, these components make the model resilient against new phishing techniques.

Figure 2. Gated Self-Attention Sparse Autoencoder (GAttn-SAE) + Attention-Optimized Convolutional Bidirectional Long Short-Term Memory (AConv-BiLSTM): A hybrid deep learning (DL) model for phishing detection

The input features begin with the encoder network containing two fully connected layers.

$h_1=\operatorname{Re} L U\left(W_1 X+b_1\right)$                (1)

$h_2=\operatorname{Re} L U\left(W_2 h_1+b_2\right)$               (2)

The weight matrices are denoted as W₁, W₂, b₁, b₂ are the bias vectors. The input feature vector is designated as X.

The model contains three principal input layers named Q, K, V, which correspond to Query, Key, and Value, while d_k defines the dimensions of the key. The system gives greater weight to essential indicators of phishing activity, specifically including domain entropy, URL length, and special character detection. The decoder maintains important data points by using two dense layers to regenerate the input information from the latent representation.

$A=\operatorname{softmax}\left(\frac{Q K^T}{\sqrt{d_k}}\right)$                 (3)

Through the decoder process, the original input gets decoded back from its latent representation form.

$\widehat{X}=\sigma\left(W_d h_2+b_d\right)$               (4)

During the optimization process, Mean Squared Error (MSE) minimizes the reconstruction error in the autoencoder.

$L_{M S E}=\frac{1}{n} \sum_{i=1}^n\left(x_i-\widehat{x_i}\right)^2$               (5)

This layer uses its capability to extract local phishing patterns from features that have undergone encoding.

$y[i]=\sum_{k=1}^K W_{K^*} X[i+k-1]$              (6)

The AConv-BiLSTM classifier utilizes convolutional layers and bidirectional LSTMs to process phishing features that were extracted from the phishing details. The initial phase of the model utilizes a 1D CNN that works with 64 filters of size 3 to analyze local patterns present in phishing URLs as well as webpage metadata. The BiLSTM technology enables sequential dependency detection by processing data forward and backward while receiving its input from the convolutional layer outputs.

$h_t^{\text {forward }}=f\left(W_{i h} x_t+w_{h h} h_{t-1}+b_h\right)$                (7)

$h_t^{\text {backward }}=f\left(W_{i h} x_t+w_{h h} h_{t+1}+b_h\right)$               (8)

The BiLSTM-generated outputs go through a fully connected layer to perform phishing classification.

$y=\sigma\left(W_0 h+b_0\right)$               (9)

The processing in both directions allows the system to detect patterns in phishing contexts, which include URL component order or email header sequences. A sigmoid-activated fully connected layer receives inputs from concatenated BiLSTM outputs to generate binary classifications that identify phishing attempts through values approaching 1. The classification task being binary makes Binary Cross-Entropy (BCE) Loss the appropriate choice:

$L_{B C E}=-\frac{1}{N} \sum_{i=1}^N\left[y_i \log \left(\widehat{y_i}\right)+\left(1+y_i\right) \log \left(1-\widehat{y_i}\right)\right]$                 (10)

The formula represents the prediction of $\widehat{y}_i$ against the actual value y_i. The optimization process relies on the Adam optimizer to reach convergence while using a learning rate of 0.001. The training process consists of 50 epochs with early stopping implemented to avoid overfitting, and it operates at a batch size of 32. Performance evaluation of phishing detection utilizes Accuracy together with Precision, Recall, F1-score, and ROC-AUC for effectiveness assessment during the model evaluation stage.

The model demonstrates a successful accuracy rate of 98.4%, thus showing it can effectively separate phishing attempts from regular cases, as shown in Table 5. This high precision value of 97.8% indicates the model effectively produces few erroneous security alerts, making it ideal for real-time applications. The model demonstrates a successful ability to detect most phishing attacks based on its recall results (98.9%). A perfect combination of precision and recall makes the F1-score reach 98.3%, thereby proving overall model efficiency. The excellent discriminative power of the classifier is shown by its ROC-AUC score of 99.1%.

Table 5. Performance metrics of Gated Self-Attention Sparse Autoencoder (GAttn-SAE) + Attention-Optimized Convolutional Bidirectional Long Short-Term Memory (AConv-BiLSTM)

Figure 3. Feature distribution of encoded data in the phishing detection model

GAttn-SAE produces the distribution of extracted features from phishing data as shown in Figure 3. The input features have been reshaped into indexes that detect important patterns related to phishing activities. The values on the y-axis demonstrate the range together with both median values and variability of encoded feature values, which reveal how the model recognizes phishing indicators. The autoencoder demonstrates its ability to successfully identify different phishing features since its feature distributions exhibit balance across all range values and moderate variability. Feature importances transition smoothly between indices because the model learned effective data representations that support accurate classification in the subsequent Auction Conv + BiLSTM model.

Figure 4. Training and validation accuracy of the phishing detection model

Figure 4 demonstrates how the proposed GAttn-SAE + AConv-BiLSTM phishing detection model progresses its training and validation accuracy metrics throughout 50 training cycles. Training accuracy appears through the solid blue line, and validation accuracy uses the dashed orange line in the plot. The model begins with low accuracy levels before ending the training with enhanced ability to detect useful patterns that help the accuracy levels rise steadily. The model attains a notable increase in validation accuracy at epoch 30, which follows closely behind training accuracy as it grows to 98.4%. The distance between model training accuracy and validation accuracy reduces because the model shows weak overfitting and good generalization while performing phishing attack detection.

Figure 5. Training and validation loss of the phishing detection model

The training and validation loss metrics of GAttn-SAE + AConv-BiLSTM phishing detection model are presented in Figure 5 over 50 epochs. Both lines here show different functions: The solid blue shows training loss, yet validation loss appears as dotted orange. Both loss measures exceed 0.5 during the beginning period because the model is actively extracting information from the dataset. Learning performance improves noticeably when the loss begins its sharp descent at epoch 20 before concluding training. The model achieves effective feature extraction and classification because both losses diminish to near-zero levels by epoch 40. The parallel behavior of training and validation losses during the whole training process demonstrates that the model achieves good generalization across unknown phishing data without overfitting.

Figure 6. Performance metrics of the phishing detection model

Figure 6 demonstrates the performance metrics for the GAttn-SAE + AConv-BiLSTM phishing detection model that establishes its classification abilities. The figure displays percentage values from 95% to 100% on the vertical axis with different metrics appearing on the horizontal axis. A high model accuracy level reaches 98.4%, which demonstrates its solid ability to categorize instances. The model demonstrates a high precision rate of 97.8%, which decreases false alarms, and it demonstrates an excellent recall value of 98.9%, indicating correct detection of phishing attempts. The F1-score stands as 98.3%, which demonstrates how the model provides equilibrium of precision and recall metrics indicative of its reliability factor. Evaluation of the discrimination power between phishing and legitimate instances through the ROC-AUC score yielded an outstanding 99.1% result. The model demonstrates exceptional performance through all metrics, which proves its robust nature as well as its effectiveness and reliability for detecting phishing attacks with high confidence levels and minimum errors.

Figure 7. Confusion matrix for phishing detection model

The held-out test set of about 460 samples (20% of the total samples) is computed with a default decision threshold of 0.5 on the probability of being either a phish, and the AUC-ROC score comes by running the range of decision thresholds. Figure 7 displays the performance of GAttn-SAE + AConv-BiLSTM as a phishing detection system through its classification results between legitimate (0) and phishing (1) transactions. Apart from the predicted label values, the x-axis features actual labels as displayed on the y-axis. The model correctly diagnosed both legitimate and phishing examples through the diagonal values represented by 1111 and 1071. False positive misclassifications numbered 46 instances, while false negative misclassifications reached 58 instances according to the off-diagonal model output. The detection reliability is strong because of the minimal number of incorrect label assignments.

A comparative evaluation of the proposed GAttn-SAE + AConv BiLSTM hybrid against modern transformer-based phishing detection systems such as BERT-base, RoBERTa-base, and Denseformer is recorded in Table 6. The results indicate that transformer encoders systematically attain high detection rates (98.6% to 98.9%) and ROC-AUC above 99%, thereby indicating superior contextual modelling. However, these architectures are associated with significant computational requirements and necessitate extensive fine-tuning on large, annotated corpora. On the other hand, the hybrid one achieves an accuracy of 98.4% and an ROC-AUC of 99.1%, which are comparable to the state-of-the-art transformer results, yet has a much leaner architectural footprint and converges much faster. In turn, a combination of self-attention-based feature extraction and an effective Convolutional-BiLSTM architecture can be used to provide the performance of the transformer in terms of discrimination with significantly less computational complexity, which makes it more applicable to real-time phishing detection and low-resource cybersecurity scenarios.

Table 6. Comparison of the proposed hybrid model with transformer-based phishing detection frameworks

The high effectiveness of the suggested GAttn-SAE + AConv-BiLSTM framework can be explained by the fact that it focuses on the discriminatory phishing information on various levels of representations. The GAttn-SAE focuses on the high-impact URL and metadata features, including abnormal URL length, high character entropy, overuse of special symbols, and irregular distributions of tokens by attaching greater attention weights to the attributes that do not follow legitimate patterns, and eliminates redundant or low-information features. These attention-weighted representations can then be used to model the localized structural patterns and long-range sequential dependencies of URL components and header metadata with an effective AConv-BiLSTM classifier. A study of the false positives and false negatives above shows that those that persist are mostly the legitimate URLs with disproportionately large entropy (e.g., automatically generated tracking links) and the highly spoofed phishing URLs that resemble benign lexical forms to the greatest extent. These examples demonstrate the intrinsic difficulty in separating advanced phishing attacks and harmless anomalies and encourage future expansion of such schemes by adding contextual or behavioral clues to further decrease the residual misclassifications.