{"id":"https://openalex.org/W7161685751","doi":"https://doi.org/10.48550/arxiv.2605.17201","title":"Filter-then-Verify: A Multiphase GNN and ModernBERT Framework for Social Engineering Detection in Email Networks","display_name":"Filter-then-Verify: A Multiphase GNN and ModernBERT Framework for Social Engineering Detection in Email Networks","publication_year":2026,"publication_date":"2026-05-17","ids":{"openalex":"https://openalex.org/W7161685751","doi":"https://doi.org/10.48550/arxiv.2605.17201"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2605.17201","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.17201","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2605.17201","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5126692194","display_name":"Barsat Khadka","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Khadka, Barsat","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5136478193","display_name":"Prasant Koirala","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Koirala, Prasant","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5136477731","display_name":"Kshitiz Neupane","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Neupane, Kshitiz","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5102764912","display_name":"Nick Rahimi","orcid":"https://orcid.org/0000-0002-1964-1794"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Rahimi, Nick","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":4,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.54339998960495,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.54339998960495,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.08529999852180481,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.04899999871850014,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/anomaly-detection","display_name":"Anomaly detection","score":0.7222999930381775},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.7214000225067139},{"id":"https://openalex.org/keywords/scalability","display_name":"Scalability","score":0.6743000149726868},{"id":"https://openalex.org/keywords/social-engineering","display_name":"Social engineering (security)","score":0.5396000146865845},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.49000000953674316},{"id":"https://openalex.org/keywords/insider-threat","display_name":"Insider threat","score":0.428600013256073},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.4000000059604645},{"id":"https://openalex.org/keywords/feature-engineering","display_name":"Feature engineering","score":0.37860000133514404},{"id":"https://openalex.org/keywords/precision-and-recall","display_name":"Precision and recall","score":0.375900000333786}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7932999730110168},{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.7222999930381775},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.7214000225067139},{"id":"https://openalex.org/C48044578","wikidata":"https://www.wikidata.org/wiki/Q727490","display_name":"Scalability","level":2,"score":0.6743000149726868},{"id":"https://openalex.org/C70118762","wikidata":"https://www.wikidata.org/wiki/Q376934","display_name":"Social engineering (security)","level":2,"score":0.5396000146865845},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.49000000953674316},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.4575999975204468},{"id":"https://openalex.org/C2776633304","wikidata":"https://www.wikidata.org/wiki/Q6038026","display_name":"Insider threat","level":3,"score":0.428600013256073},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.4000000059604645},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.3813000023365021},{"id":"https://openalex.org/C2778827112","wikidata":"https://www.wikidata.org/wiki/Q22245680","display_name":"Feature engineering","level":3,"score":0.37860000133514404},{"id":"https://openalex.org/C81669768","wikidata":"https://www.wikidata.org/wiki/Q2359161","display_name":"Precision and recall","level":2,"score":0.375900000333786},{"id":"https://openalex.org/C186625053","wikidata":"https://www.wikidata.org/wiki/Q1130191","display_name":"Information overload","level":2,"score":0.3718000054359436},{"id":"https://openalex.org/C2780741293","wikidata":"https://www.wikidata.org/wiki/Q4818019","display_name":"Attack patterns","level":3,"score":0.36980000138282776},{"id":"https://openalex.org/C2778971194","wikidata":"https://www.wikidata.org/wiki/Q1664551","display_name":"Insider","level":2,"score":0.3686000108718872},{"id":"https://openalex.org/C50644808","wikidata":"https://www.wikidata.org/wiki/Q192776","display_name":"Artificial neural network","level":2,"score":0.3508000075817108},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.34860000014305115},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.3411000072956085},{"id":"https://openalex.org/C132525143","wikidata":"https://www.wikidata.org/wiki/Q141488","display_name":"Graph","level":2,"score":0.3402000069618225},{"id":"https://openalex.org/C518677369","wikidata":"https://www.wikidata.org/wiki/Q202833","display_name":"Social media","level":2,"score":0.3303000032901764},{"id":"https://openalex.org/C114713312","wikidata":"https://www.wikidata.org/wiki/Q7551269","display_name":"Social network analysis","level":3,"score":0.28619998693466187},{"id":"https://openalex.org/C183322885","wikidata":"https://www.wikidata.org/wiki/Q17007702","display_name":"Context model","level":3,"score":0.28049999475479126},{"id":"https://openalex.org/C182590292","wikidata":"https://www.wikidata.org/wiki/Q989632","display_name":"Network security","level":2,"score":0.28040000796318054},{"id":"https://openalex.org/C4727928","wikidata":"https://www.wikidata.org/wiki/Q17164759","display_name":"Social network (sociolinguistics)","level":3,"score":0.273499995470047},{"id":"https://openalex.org/C2776973144","wikidata":"https://www.wikidata.org/wiki/Q6880649","display_name":"Misuse detection","level":4,"score":0.2680000066757202}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2605.17201","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.17201","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2605.17201","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.17201","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Social":[0],"engineering":[1,108],"attacks":[2,88,109],"exploit":[3],"human":[4],"trust":[5],"rather":[6],"than":[7],"software":[8],"vulnerabilities,":[9],"making":[10],"them":[11],"difficult":[12],"to":[13,53],"detect":[14],"using":[15],"conventional":[16],"filters.":[17],"We":[18],"propose":[19],"a":[20,35],"two-stage":[21],"filter-then-verify":[22],"framework":[23,70],"combining":[24,96],"inductive":[25],"Graph":[26],"Neural":[27],"Networks":[28],"(GNNs)":[29],"for":[30,39],"structural":[31,75,97],"anomaly":[32],"detection":[33,104],"with":[34,62],"co-attention":[36],"ModernBERT":[37],"model":[38],"content":[40,99],"verification.":[41],"The":[42],"GNN":[43],"identifies":[44],"anomalous":[45],"sender-receiver":[46],"patterns,":[47],"while":[48],"BERT":[49,82],"analyzes":[50],"message":[51],"context":[52],"reduce":[54],"false":[55],"positives.":[56],"Using":[57],"the":[58,69],"Enron":[59],"dataset":[60],"augmented":[61],"realistic":[63],"synthetic":[64],"campaigns,":[65],"we":[66],"show":[67],"that":[68,95],"achieves":[71],"86%":[72],"recall":[73],"in":[74,110],"filtering":[76],"and":[77,89,98],"over":[78],"92%":[79],"precision":[80],"after":[81],"refinement,":[83],"effectively":[84],"detecting":[85],"both":[86],"external":[87],"insider":[90],"threats.":[91],"Our":[92],"results":[93],"demonstrate":[94],"analysis":[100],"allows":[101],"practical,":[102],"scalable":[103],"of":[105],"multi-stage":[106],"social":[107],"email":[111],"networks.":[112]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-05-20T00:00:00"}