Enhanced Phishing Detection Using Binary Encoding XGBoost and LSTM Feature Extraction and Capsule Network Classification

preprint OA: closed
Full text JSON View at publisher

Abstract

Abstract Phishing attacks are a critical threat to the security of the online world. Detection methods traditionally cannot keep pace with the ever-evolving tactics of the attackers. The research suggests a sophisticated phishing detection system based on Capsule Networks (CapsNet) and incorporating XGBoost and LSTM for feature extraction, while Gradient Boosting is used for feature selection. The system uses email data and hence captures critical features such as sender information, subject lines, email bodies and URLs. This data is thus using binary encoding for preprocessing the model. To evaluate the model, various performance metrics are calculated, including Accuracy, Precision, Recall and F1-score. The CapsNet model classifies with an accuracy of 99.62%, precision of 99.53%, a recall of 99.70% and an F1-score of 99.62%. It has outperformed other current phishing detection methods like PDMLP, AdaBoost and Naive Bayes (NB), especially in sensitivity and overall classification performance. Additionally, the low FPR (0.0173) and FNR (0.022889) of the model further increase its reliability for real-world phishing detection. The proposed hybrid system looks very promising in the fight against advanced phishing attacks as it can detect phishing websites and emails remarkably well.
Full text 12,755 characters · extracted from preprint-html · click to expand
Enhanced Phishing Detection Using Binary Encoding XGBoost and LSTM Feature Extraction and Capsule Network Classification | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Research Article Enhanced Phishing Detection Using Binary Encoding XGBoost and LSTM Feature Extraction and Capsule Network Classification Azath Mubarakali This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-7485526/v1 This work is licensed under a CC BY 4.0 License Status: Published Journal Publication published 06 Jan, 2026 Read the published version in International Journal of Information Security → Version 1 posted 10 You are reading this latest preprint version Abstract Phishing attacks are a critical threat to the security of the online world. Detection methods traditionally cannot keep pace with the ever-evolving tactics of the attackers. The research suggests a sophisticated phishing detection system based on Capsule Networks (CapsNet) and incorporating XGBoost and LSTM for feature extraction, while Gradient Boosting is used for feature selection. The system uses email data and hence captures critical features such as sender information, subject lines, email bodies and URLs. This data is thus using binary encoding for preprocessing the model. To evaluate the model, various performance metrics are calculated, including Accuracy, Precision, Recall and F1-score. The CapsNet model classifies with an accuracy of 99.62%, precision of 99.53%, a recall of 99.70% and an F1-score of 99.62%. It has outperformed other current phishing detection methods like PDMLP, AdaBoost and Naive Bayes (NB), especially in sensitivity and overall classification performance. Additionally, the low FPR (0.0173) and FNR (0.022889) of the model further increase its reliability for real-world phishing detection. The proposed hybrid system looks very promising in the fight against advanced phishing attacks as it can detect phishing websites and emails remarkably well. Phishing detection Binary encoding Gradient Boosting Extreme Gradient Boosting Long Short-Term Memory Capsule Networks Full Text Additional Declarations No competing interests reported. Cite Share Download PDF Status: Published Journal Publication published 06 Jan, 2026 Read the published version in International Journal of Information Security → Version 1 posted Editorial decision: Revision requested 25 Sep, 2025 Reviews received at journal 23 Sep, 2025 Reviews received at journal 21 Sep, 2025 Reviewers agreed at journal 19 Sep, 2025 Reviewers agreed at journal 06 Sep, 2025 Reviewers agreed at journal 03 Sep, 2025 Reviewers invited by journal 02 Sep, 2025 Editor assigned by journal 30 Aug, 2025 Submission checks completed at journal 30 Aug, 2025 First submitted to journal 29 Aug, 2025 You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-7485526","acceptedTermsAndConditions":true,"allowDirectSubmit":false,"archivedVersions":[],"articleType":"Research Article","associatedPublications":[],"authors":[{"id":513981299,"identity":"5f69f205-9be9-4d40-8837-bd6119d532dc","order_by":0,"name":"Azath Mubarakali","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAABKklEQVRIie3QMUvDQBTA8RcOLg6vZL2g1q+QkKVCoF8lQYhLBN0dAgGnqGuKfoiIkNItoZAulqwRl5RCXBQaBNGleKUOQtLq6HB/uOM4+HG8AxCJ/mlktWl8SR70UJH9hJ97ALhRSP4PwlANMgvAYn8noBWutpUo1+Pn+SnE9lCezurwnO1B4dbzzgfrKphIi9ptEJZkuh/Ckz0Kjg01yhhKweu9gRYz1EuPqIO4+Uzq6T5yEiUOqCVlSOSTeJcTO8qBkk6THIzlek3yinyWS4YU3Gor0TL8fqVwqHp3wRB3XLomU6+V6A94dsOJMQoreji4YsgwM/Rbh88SpH7bLN18Er1xsj9UHPIYvJv9/sSflS+myX/sKF3ULeOvkpYb7r32e5FIJBL91hewYmpSBtXTjgAAAABJRU5ErkJggg==","orcid":"","institution":"King Khalid University","correspondingAuthor":true,"prefix":"","firstName":"Azath","middleName":"","lastName":"Mubarakali","suffix":""}],"badges":[],"createdAt":"2025-08-29 06:38:08","currentVersionCode":1,"declarations":"","doi":"10.21203/rs.3.rs-7485526/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-7485526/v1","draftVersion":[],"editorialEvents":[{"content":"https://doi.org/10.1007/s10207-025-01157-2","type":"published","date":"2026-01-06T15:58:26+00:00"}],"editorialNote":"","failedWorkflow":false,"files":[{"id":100070905,"identity":"70a29df8-46c3-437b-b0ae-e8f351a3459f","added_by":"auto","created_at":"2026-01-12 16:18:41","extension":"pdf","order_by":1,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":771899,"visible":true,"origin":"","legend":"","description":"","filename":"InternationalJournalofInformationSecurity.pdf","url":"https://assets-eu.researchsquare.com/files/rs-7485526/v1_covered_80be93c4-917c-40cc-913c-58d5438dc34a.pdf"}],"financialInterests":"No competing interests reported.","formattedTitle":"Enhanced Phishing Detection Using Binary Encoding XGBoost and LSTM Feature Extraction and Capsule Network Classification","fulltext":[],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":false,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":false,"hideJournal":false,"highlight":"","institution":"","isAcceptedByJournal":true,"isAuthorSuppliedPdf":true,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":true,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"[email protected]","identity":"international-journal-of-information-security","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":false,"externalIdentity":"ijis","sideBox":"Learn more about [International Journal of Information Security](http://link.springer.com/journal/10207)","snPcode":"10207","submissionUrl":"https://submission.nature.com/new-submission/10207/3","title":"International Journal of Information Security","twitterHandle":"","acdcEnabled":true,"dfaEnabled":true,"editorialSystem":"em","reportingPortfolio":"Springer Hybrid","inReviewEnabled":true,"inReviewRevisionsEnabled":false},"keywords":"Phishing detection, Binary encoding, Gradient Boosting, Extreme Gradient Boosting, Long Short-Term Memory, Capsule Networks","lastPublishedDoi":"10.21203/rs.3.rs-7485526/v1","lastPublishedDoiUrl":"https://doi.org/10.21203/rs.3.rs-7485526/v1","license":{"name":"CC BY 4.0","url":"https://creativecommons.org/licenses/by/4.0/"},"manuscriptAbstract":"\u003cp\u003ePhishing attacks are a critical threat to the security of the online world. Detection methods traditionally cannot keep pace with the ever-evolving tactics of the attackers. The research suggests a sophisticated phishing detection system based on Capsule Networks (CapsNet) and incorporating XGBoost and LSTM for feature extraction, while Gradient Boosting is used for feature selection. The system uses email data and hence captures critical features such as sender information, subject lines, email bodies and URLs. This data is thus using binary encoding for preprocessing the model. To evaluate the model, various performance metrics are calculated, including Accuracy, Precision, Recall and F1-score. The CapsNet model classifies with an accuracy of 99.62%, precision of 99.53%, a recall of 99.70% and an F1-score of 99.62%. It has outperformed other current phishing detection methods like PDMLP, AdaBoost and Naive Bayes (NB), especially in sensitivity and overall classification performance. Additionally, the low FPR (0.0173) and FNR (0.022889) of the model further increase its reliability for real-world phishing detection. The proposed hybrid system looks very promising in the fight against advanced phishing attacks as it can detect phishing websites and emails remarkably well.\u003c/p\u003e","manuscriptTitle":"Enhanced Phishing Detection Using Binary Encoding XGBoost and LSTM Feature Extraction and Capsule Network Classification","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2025-09-13 14:12:48","doi":"10.21203/rs.3.rs-7485526/v1","editorialEvents":[{"type":"communityComments","content":0},{"type":"decision","content":"Revision requested","date":"2025-09-26T02:06:48+00:00","index":"","fulltext":""},{"type":"editorInvitedReview","content":"","date":"2025-09-23T06:01:45+00:00","index":"hide","fulltext":""},{"type":"editorInvitedReview","content":"","date":"2025-09-21T15:22:21+00:00","index":"hide","fulltext":""},{"type":"reviewerAgreed","content":"51910690102545106057892448116175211570","date":"2025-09-19T04:01:49+00:00","index":"hide","fulltext":""},{"type":"reviewerAgreed","content":"241385658207164897132383427014318126108","date":"2025-09-06T06:31:01+00:00","index":"hide","fulltext":""},{"type":"reviewerAgreed","content":"85937262601059417735635449816261129938","date":"2025-09-03T04:52:02+00:00","index":"hide","fulltext":""},{"type":"reviewersInvited","content":"","date":"2025-09-02T05:22:12+00:00","index":"","fulltext":""},{"type":"editorAssigned","content":"","date":"2025-08-30T15:55:42+00:00","index":"","fulltext":""},{"type":"checksComplete","content":"","date":"2025-08-30T12:26:11+00:00","index":"","fulltext":""},{"type":"submitted","content":"International Journal of Information Security","date":"2025-08-29T06:22:46+00:00","index":"","fulltext":""}],"status":"published","journal":{"display":true,"email":"[email protected]","identity":"international-journal-of-information-security","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":false,"externalIdentity":"ijis","sideBox":"Learn more about [International Journal of Information Security](http://link.springer.com/journal/10207)","snPcode":"10207","submissionUrl":"https://submission.nature.com/new-submission/10207/3","title":"International Journal of Information Security","twitterHandle":"","acdcEnabled":true,"dfaEnabled":true,"editorialSystem":"em","reportingPortfolio":"Springer Hybrid","inReviewEnabled":true,"inReviewRevisionsEnabled":false}}],"origin":"","ownerIdentity":"917a9cd3-093d-4d9f-b5d5-5a8b9cdbfc82","owner":[],"postedDate":"September 13th, 2025","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"published-in-journal","subjectAreas":[],"tags":[],"updatedAt":"2026-01-12T16:15:41+00:00","versionOfRecord":{"articleIdentity":"rs-7485526","link":"https://doi.org/10.1007/s10207-025-01157-2","journal":{"identity":"international-journal-of-information-security","isVorOnly":false,"title":"International Journal of Information Security"},"publishedOn":"2026-01-06 15:58:26","publishedOnDateReadable":"January 6th, 2026"},"versionCreatedAt":"2025-09-13 14:12:48","video":"","vorDoi":"10.1007/s10207-025-01157-2","vorDoiUrl":"https://doi.org/10.1007/s10207-025-01157-2","workflowStages":[]},"version":"v1","identity":"rs-7485526","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-7485526","identity":"rs-7485526","version":["v1"]},"buildId":"8U1c8b4HqxoKbykW_rLl7","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}

Text is read by the "Ask this paper" AI Q&A widget below. Extraction quality varies by source — PMC NXML preserves structure cleanly, OA-HTML may include some navigation residue, and OA-PDF can have broken hyphenation. The publisher copy (via DOI) is the canonical version.

My notes (saved in your browser only)

Ask this paper AI returns verbatim quotes from the full text · source: preprint-html

Answers must be backed by verbatim quotes from this paper's full text. Hallucinated quotes are dropped automatically; if no verbatim passage answers the question, we say so. How this works

Citation neighborhood (no data yet)

We don't have any in-corpus citations linked to this paper yet. This is a recent paper (2025) — citers typically take a year or two to land, and the OpenAlex reference graph may still be filling in.

Source provenance

europepmc
last seen: 2026-05-20T01:45:00.602351+00:00