Explainable few-shot learning with modern BERT for detecting emerging phishing attacks using XF PhishBERT.
Mohammed Tawfik, Ashraf A Abu-Ein, Amr H Abdelhaliem, Yasser Mohammad Al-Sharo, Islam S Fathi
Abstract
Phishing attacks continue to evolve rapidly, with new campaigns emerging faster than traditional detection systems can adapt. Existing machine learning approaches require extensive labeled datasets, creating vulnerability windows when novel attack patterns appear. This limitation is particularly problematic in cybersecurity, where obtaining large labeled datasets for emerging threats is time-consuming and expensive. This paper presents XF-PhishBERT, an explainable few-shot learning framework for phishing detection that combines the ModernBERT transformer architecture with domain-specific URL features. The approach integrates prototypical networks and model-agnostic meta-learning (MAML) to enable effective detection with minimal training examples. A consensus-based feature selection methodology combines Random Forest importance, Mutual Information, and Recursive Feature Elimination with Cross-Validation (RFECV) to identify optimal feature subsets. The framework incorporates comprehensive explainability through SHAP analysis, attention visualization, and counterfactual explanations. Experimental evaluation on two datasets demonstrates that XF-PhishBERT achieves 99.9% accuracy with 10 examples per class and maintains 98.5% accuracy in one-shot learning scenarios. Cross-dataset evaluation shows 186% performance retention compared to 39% for traditional methods. Ablation studies confirm the contribution of each component, with ModernBERT integration providing a 4.54 percentage point improvement over baseline approaches. Real-world deployment through a browser extension validated practical utility with 98.3% precision and 42ms average latency. The results demonstrate that few-shot learning can address the fundamental challenge of limited labeled data in cybersecurity applications while providing transparent decision-making support for security analysts.