User-Centric Phishing Detection: A RAG and LLM-Based Approach
Abrar Hamed Al Barwani, Abdelaziz Amara Korba, Raja Waseem Anwar
TL;DR
This work addresses the challenge of high false positives in phishing detection by introducing a personalized detection framework that combines Retrieval-Augmented Generation (RAG) with Large Language Models (LLMs). By building user-specific context from historical emails and real-time threat intelligence, the system conditions LLM decisions to distinguish malicious messages from legitimate but unusual communications. The authors implement a six-stage pipeline—data preprocessing, semantic embeddings, threat intelligence integration, contextual retrieval, structured prompting, and LLM classification—and evaluate four open-source LLMs, demonstrating substantial reductions in false positives while maintaining high detection accuracy, with Llama4-Scout plus RAG achieving top performance. The approach offers a practical, privacy-conscious path to high-precision, low-friction email security that adapts to individual user patterns and current threat landscapes.
Abstract
The escalating sophistication of phishing emails necessitates a shift beyond traditional rule-based and conventional machine-learning-based detectors. Although large language models (LLMs) offer strong natural language understanding, using them as standalone classifiers often yields elevated falsepositive (FP) rates, which mislabel legitimate emails as phishing and create significant operational burden. This paper presents a personalized phishing detection framework that integrates LLMs with retrieval-augmented generation (RAG). For each message, the system constructs user-specific context by retrieving a compact set of the user's historical legitimate emails and enriching it with real-time domain and URL reputation from a cyber-threat intelligence platform, then conditions the LLM's decision on this evidence. We evaluate four open-source LLMs (Llama4-Scout, DeepSeek-R1, Mistral-Saba, and Gemma2) on an email dataset collected from public and institutional sources. Results show high performance; for example, Llama4-Scout attains an F1-score of 0.9703 and achieves a 66.7% reduction in FPs with RAG. These findings validate that a RAG-based, user-profiling approach is both feasible and effective for building high-precision, low-friction email security systems that adapt to individual communication patterns.
