From: PUMD: a PU learning-based malicious domain detection framework
No. | Work | Object | Technique | Dataset | Feature construction* | Model training | |||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Data anonymize | Ground truth SRC | Handcraft | Implicit | Trainset size | Imbalance ratio | ||||||||||
HC | T | W | E | IC | A | Mali | Benign | Unlabel | |||||||
1 | PUMD(our) | Malicious activity DN(C&C) | PU learning: iForest + RF | DN, IP Addr | manual label | ✓ | ✓ | ✓ | ✓ | ✓ | 100–861 | 19651–20412 | 22.8–204.1 | ||
2 | Phoenix | DGA | Mahalanobis distance + DBSCAN | generate DN, blacklist, Alexa | ✓ | ✓ | ~ 100k | ||||||||
3 | AULD | Malicious activity DN | filter-rule + canopy + k-means | IP Addr | simulate DN, Alexa | ✓ | ✓ | ✓ | |||||||
4 | HinDom | Malicious activity DN | HIN + transductive classify | IP Addr | blacklist, Alexa, whitelist | ✓ | ✓ | 0.02M–0.22M | 0.07M–0.63M | 2.8 | |||||
5 | ELM | Malicious activity DN | ELM | blacklist, Alexa | ✓ | ✓ | ✓ | ~ 20k | ~ 6k | 0.3 | |||||
6 | LSTM.MI | DGA | cost-sensitive LSTM | blacklist, Alexa | ✓ | ~ 41k (total) | ~ 44k | 2–3534 | |||||||
7 | KSDom | Malicious activity DN | catboost + kmSmote | blacklist, Alexa, whitelist | ✓ | ✓ | ✓ | 5.4k, 3.6k, 1.8k, 0.9k | 9k | 1.6, 2.5, 5, 10 | |||||
8 | HAC_Easy Ensemble | Malicious activity DN | undersample + ensemble learning | blacklist, Alexa | ✓ | ✓ | 2.7k | 5.76k | 2.1 |
No. | Work | Object | Technique | Model testing | Model output | |||
---|---|---|---|---|---|---|---|---|
Testset size | Imbalance ratio | Process | Class | |||||
Mali | Benign | |||||||
1 | PUMD(our) | Malicious activity DN(C&C) | PU learning: iForest + RF | 91–852 | 19560 | 22.9–214.9 | Auto | 2 |
2 | Phoenix | DGA | Mahalanobis distance + DBSCAN | ~ 1.3M | Threshold, Rule-match | 5 | ||
3 | AULD | Malicious activity DN | filter-rule + canopy + k-means | 1462 | 9068 | 6.2 | Threshold, Manual-analysis | 2 |
4 | HinDom | Malicious activity DN | HIN + transductive classify | ~ 0.25M | ~ 0.7M | 2.8 | Auto | 2 |
5 | ELM | Malicious activity DN | ELM | ~ 20k | ~ 6k | 0.3 | Auto | 2 |
6 | LSTM.MI | DGA | cost-sensitive LSTM | ~ 41k (total) | ~ 44k | 2–3534 | Auto | 38 |
7 | KSDom | Malicious activity DN | catboost + kmSmote | 0.6k, 0.4k, 0.2k, 0.1k | 1k | 1.6, 2.5, 5, 10 | Auto | 2 |
8 | HAC_Easy Ensemble | Malicious activity DN | undersample + ensemble learning | 0.3k | 0.64k | 2.1 | Auto | 2 |