Deep Reinforcement Learning for Phishing Detection with Transformer-Based Semantic Features

TL;DR

This paper introduces a hybrid deep reinforcement learning model combining semantic and lexical features for highly accurate and robust phishing detection, demonstrating significant improvements over traditional methods.

Contribution

It proposes a novel QR-DQN framework integrating RoBERTa embeddings with lexical features for phishing detection, enhancing stability and generalization.

Findings

Achieved 99.86% accuracy on test data.

Reduced generalization gap from 1.66% to 0.04%.

Model demonstrated high robustness and reliability.

Abstract

Phishing is a cybercrime in which individuals are deceived into revealing personal information, often resulting in financial loss. These attacks commonly occur through fraudulent messages, misleading advertisements, and compromised legitimate websites. This study proposes a Quantile Regression Deep Q-Network (QR-DQN) approach that integrates RoBERTa semantic embeddings with handcrafted lexical features to enhance phishing detection while accounting for uncertainties. Unlike traditional DQN methods that estimate single scalar Q-values, QR-DQN leverages quantile regression to model the distribution of returns, improving stability and generalization on unseen phishing data. A diverse dataset of 105,000 URLs was curated from PhishTank, OpenPhish, Cloudflare, and other sources, and the model was evaluated using an 80/20 train-test split. The QR-DQN framework achieved a test accuracy of 99.86%, precision of 99.75%, recall of 99.96%, and F1-score of 99.85%, demonstrating high effectiveness. Compared to standard DQN with lexical features, the hybrid QR-DQN with lexical and semantic features reduced the generalization gap from 1.66% to 0.04%, indicating significant improvement in robustness. Five-fold cross-validation confirmed model reliability, yielding a mean accuracy of 99.90% with a standard deviation of 0.04%. These results suggest that the proposed hybrid approach effectively identifies phishing threats, adapts to evolving attack strategies, and generalizes well to unseen data.