Collaborative Dual-Framework Defense: CTI and LLM-Based Enhanced Smishing Detection

Smishing has become a severe cybersecurity threat. Attackers now use AI and social engineering to craft more sophisticated campaigns. To address this challenge, this study proposes a dual-layer detection framework. It combines cyber threat intelligence (CTI), machine learning, and a large language model (LLM). The framework uses 22 features built from 2,811 real SMS messages. These features are categorized as content-based, context-based, and Indicators of Compromise (IOC)-based features. Five machine learning models were evaluated. XGBoost, trained with a 70% training, 10% validation, and 20% test split, achieved the best performance. It had a recall of 92.08% and an F1-score of 94.66%. For borderline cases, the study experimented with 4 LLMs (including GPT-4o and LLaMA 3). They served as a semantic verification layer. All models achieved a recall rate above 98.5% and produced human-readable explanations. The study demonstrated that these 4 models are complementary verifiers rather than main classifiers. The results show that structured threat intelligence used during feature engineering improves machine learning model performance. With semantic reasoning, the framework also generates accessible reports for non-specialists. This lowers the barrier for effective smishing detection.