PUMD: a PU learning-based malicious domain detection framework

Authors: Zhaoshan Fan, Qing Wang, Haoran Jiao, Junrong Liu, Zelin Cui, Song Liu, Yuling Liu

Affiliations: Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China

Publication: Cybersecurity (网络空间安全科学与技术, English edition)

Year, volume, issue: 2023, Vol. 6, No. 1

Pages: 90-111

Subject classification: 08 [Engineering]; 081104 [Engineering - Pattern Recognition and Intelligent Systems]; 0811 [Engineering - Control Science and Engineering]; 0812 [Engineering - Computer Science and Technology (Engineering or Science degrees may be awarded)]

Funding: This research is supported by National Key Research and Development Program of China (Nos. 2021YFF0307203, 2019QY1300), Youth Innovation Promotion Association CAS (No. 2021156), the Strategic Priority Research Program of Chinese Academy of Sciences (No. XDC02040100), National Natural Science Foundation of China (No. 61802404).

Keywords: Malicious domain detection; Insufficient credible label information; Class imbalance; Incompact distribution; PU learning

Abstract: Domain name system (DNS), as one of the most critical internet infrastructures, has been abused by various cyber attacks. Current malicious domain detection capabilities are limited by insufficient credible label information, severe class imbalance, and incompact distribution of domain samples in different malicious activities. This paper proposes a malicious domain detection framework named PUMD, which innovatively introduces Positive and Unlabeled (PU) learning solution to solve the problem of insufficient label information, adopts customized sample weight to improve the impact of class imbalance, and effectively constructs evidence features based on resource overlapping to reduce the intra-class distance of malicious samples. Besides, a feature selection strategy based on permutation importance and binning is proposed to screen the most informative detection features. Finally, we conduct experiments on the open source real DNS traffic dataset provided by QI-ANXIN Technology Group to evaluate the PUMD framework's ability to capture potential command and control (C&C) domains for malicious activities. The experimental results prove that PUMD can achieve the best detection performance under different label frequencies and class imbalance ratios.
