{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,2]],"date-time":"2025-11-02T07:36:01Z","timestamp":1762068961755,"version":"build-2065373602"},"reference-count":46,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2022,10,1]],"date-time":"2022-10-01T00:00:00Z","timestamp":1664582400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2022,10,1]],"date-time":"2022-10-01T00:00:00Z","timestamp":1664582400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"National Key Research and Development Program of Chin","award":["2021YFF0307203","2019QY1300"],"award-info":[{"award-number":["2021YFF0307203","2019QY1300"]}]},{"DOI":"10.13039\/501100004739","name":"Youth Innovation Promotion Association CAS","doi-asserted-by":"crossref","award":["2021156"],"award-info":[{"award-number":["2021156"]}],"id":[{"id":"10.13039\/501100004739","id-type":"DOI","asserted-by":"crossref"}]},{"name":"the Strategic Priority Research Program of Chinese Academy of Sciences","award":["XDC02040100"],"award-info":[{"award-number":["XDC02040100"]}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of Chin","doi-asserted-by":"crossref","award":["61802404"],"award-info":[{"award-number":["61802404"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Domain name system (DNS), as one of the most critical internet infrastructure, has been abused by various cyber attacks. Current malicious domain detection capabilities are limited by insufficient credible label information, severe class imbalance, and incompact distribution of domain samples in different malicious activities. This paper proposes a malicious domain detection framework named PUMD, which innovatively introduces Positive and Unlabeled (PU) learning solution to solve the problem of insufficient label information, adopts customized sample weight to improve the impact of class imbalance, and effectively constructs evidence features based on resource overlapping to reduce the intra-class distance of malicious samples. Besides, a feature selection strategy based on permutation importance and binning is proposed to screen the most informative detection features. Finally, we conduct experiments on the open source real DNS traffic dataset provided by QI-ANXIN Technology Group to evaluate the PUMD framework\u2019s ability to capture potential command and control (C&amp;C) domains for malicious activities. The experimental results prove that PUMD can achieve the best detection performance under different label frequencies and class imbalance ratios.<\/jats:p>","DOI":"10.1186\/s42400-022-00124-x","type":"journal-article","created":{"date-parts":[[2022,10,1]],"date-time":"2022-10-01T03:50:03Z","timestamp":1664596203000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["PUMD: a PU learning-based malicious domain detection framework"],"prefix":"10.1186","volume":"5","author":[{"given":"Zhaoshan","family":"Fan","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Qing","family":"Wang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Haoran","family":"Jiao","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Junrong","family":"Liu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Zelin","family":"Cui","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Song","family":"Liu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yuling","family":"Liu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2022,10,1]]},"reference":[{"unstructured":"ALEXA-INTERNET: Alexa topsites (2021). https:\/\/www.alexa.com\/topsites. Accessed 20 Aug 2021","key":"124_CR1"},{"key":"124_CR2","doi-asserted-by":"publisher","first-page":"101787","DOI":"10.1016\/j.cose.2020.101787","volume":"93","author":"AO Almashhadani","year":"2020","unstructured":"Almashhadani AO, Kaiiali M, Carlin D, Sezer S (2020) Maldomdetector: a system for detecting algorithmically generated domain names with machine learning. Comput Secur 93:101787","journal-title":"Comput Secur"},{"unstructured":"Andre Correa: Malware Patrol (2021). https:\/\/www.malwarepatrol.net\/. Accessed 20 Aug 2021","key":"124_CR3"},{"unstructured":"Antonakakis M, Perdisci R, Dagon D, Lee W, Feamster N (2010) Building a dynamic reputation system for DNS. In: USENIX security symposium, pp 273\u2013290","key":"124_CR4"},{"issue":"4","key":"124_CR5","doi-asserted-by":"publisher","first-page":"719","DOI":"10.1007\/s10994-020-05877-5","volume":"109","author":"J Bekker","year":"2020","unstructured":"Bekker J, Davis J (2020) Learning from positive and unlabeled data: a survey. Mach Learn 109(4):719\u2013760","journal-title":"Mach Learn"},{"doi-asserted-by":"crossref","unstructured":"Bekker J, Robberechts P, Davis J (2019) Beyond the selected completely at random assumption for learning from positive and unlabeled data. In: Joint European conference on machine learning and knowledge discovery in databases. Springer, pp 71\u201385","key":"124_CR6","DOI":"10.1007\/978-3-030-46147-8_5"},{"doi-asserted-by":"crossref","unstructured":"Cao Y, Han W, Le Y (2008) Anti-phishing based on automated individual white-list. In: Proceedings of the 4th ACM workshop on digital identity management, pp 51\u201360","key":"124_CR7","DOI":"10.1145\/1456424.1456434"},{"doi-asserted-by":"crossref","unstructured":"Choi H, Lee H, Kim H (2009) BotGAD: detecting botnets by capturing group activities in network traffic. In: Proceedings of the fourth international ICST conference on COMmunication System softWAre and middlewaRE, pp 1\u20138","key":"124_CR8","DOI":"10.1145\/1621890.1621893"},{"doi-asserted-by":"crossref","unstructured":"Choi H, Lee H, Lee H, Kim H (2007) Botnet detection by monitoring group activities in DNS traffic. In: 7th IEEE international conference on computer and information technology (CIT 2007). IEEE, pp 715\u2013720","key":"124_CR9","DOI":"10.1109\/CIT.2007.90"},{"doi-asserted-by":"crossref","unstructured":"Curtin RR, Gardner AB, Grzonkowski S, Kleymenov A, Mosquera A (2019) Detecting DGA domains with recurrent neural networks and side information. In: Proceedings of the 14th international conference on availability, reliability and security, pp 1\u201310","key":"124_CR10","DOI":"10.1145\/3339252.3339258"},{"unstructured":"Dhamnani S, Sinha R, Vinay V, Kumari L, Savova M (2021) Botcha: detecting malicious non-human traffic in the wild. arXiv preprint arXiv:2103.01428","key":"124_CR11"},{"issue":"2","key":"124_CR12","first-page":"433","volume":"57","author":"DS Du Peng","year":"2020","unstructured":"Du Peng DS (2020) A DGA domain name detection method based on deep learning models with mixed word embedding. J Comput Res Dev 57(2):433","journal-title":"J Comput Res Dev"},{"doi-asserted-by":"crossref","unstructured":"Elkan C, Noto K (2008) Learning classifiers from only positive and unlabeled data. In: Proceedings of the 14th ACM SIGKDD international conference on knowledge discovery and data mining, pp 213\u2013220","key":"124_CR13","DOI":"10.1145\/1401890.1401920"},{"key":"124_CR14","first-page":"6","volume":"10","author":"M Felegyhazi","year":"2010","unstructured":"Felegyhazi M, Kreibich C, Paxson V (2010) On the potential of proactive domain blacklisting. LEET 10:6","journal-title":"LEET"},{"doi-asserted-by":"crossref","unstructured":"Hao S, Kantchelian A, Miller B, Paxson V, Feamster N (2016) Predator: proactive recognition and elimination of domain abuse at time-of-registration. In: Proceedings of the 2016 ACM SIGSAC conference on computer and communications security, pp 1568\u20131579","key":"124_CR15","DOI":"10.1145\/2976749.2978317"},{"doi-asserted-by":"crossref","unstructured":"He W, Gou G, Kang C, Liu C, Li Z, Xiong G (2019) Malicious domain detection via domain relationship and graph models. In: 2019 IEEE 38th international performance computing and communications conference (IPCCC). IEEE, pp 1\u20138","key":"124_CR16","DOI":"10.1109\/IPCCC47392.2019.8958718"},{"doi-asserted-by":"crossref","unstructured":"Huang S-Y, Mao C-H, Lee H-M (2010) Fast-flux service network detection based on spatial snapshot mechanism for delay-free detection. In: Proceedings of the 5th ACM symposium on information, computer and communications security, pp 101\u2013111","key":"124_CR17","DOI":"10.1145\/1755688.1755702"},{"doi-asserted-by":"crossref","unstructured":"Kang J, Lee D (2007) Advanced white list approach for preventing access to phishing sites. In: 2007 international conference on convergence information technology (ICCIT 2007). IEEE, pp 491\u2013496","key":"124_CR18","DOI":"10.1109\/ICCIT.2007.50"},{"unstructured":"Lee WS, Liu B (2003) Learning with positive and unlabeled examples using weighted logistic regression. In: ICML, vol 3, pp 448\u2013455","key":"124_CR19"},{"doi-asserted-by":"crossref","unstructured":"Liu FT, Ting KM, Zhou Z-H (2008) Isolation forest. In: 2008 eighth IEEE international conference on data mining. IEEE, pp 413\u2013422","key":"124_CR20","DOI":"10.1109\/ICDM.2008.17"},{"key":"124_CR21","first-page":"1","volume":"2018","author":"Z Liu","year":"2018","unstructured":"Liu Z, Zeng Y, Zhang P, Xue J, Zhang J, Liu J (2018) An imbalanced malicious domains detection method based on passive DNS traffic analysis. Secur Commun Netw 2018:1\u20137","journal-title":"Secur Commun Netw"},{"doi-asserted-by":"crossref","unstructured":"Luo Y, Cheng S, Liu C, Jiang F (2018) PU learning in payload-based web anomaly detection. In: 2018 third international conference on security of smart cities, industrial control system and communications (SSIC). IEEE, pp 1\u20135","key":"124_CR22","DOI":"10.1109\/SSIC.2018.8556662"},{"doi-asserted-by":"crossref","unstructured":"Ma J, Saul LK, Savage S, Voelker GM (2009) Beyond blacklists: learning to detect malicious web sites from suspicious URLs. In: Proceedings of the 15th ACM SIGKDD international conference on knowledge discovery and data mining, pp 1245\u20131254","key":"124_CR23","DOI":"10.1145\/1557019.1557153"},{"issue":"11","key":"124_CR24","doi-asserted-by":"publisher","first-page":"1906","DOI":"10.1109\/TIFS.2014.2357251","volume":"9","author":"X Ma","year":"2014","unstructured":"Ma X, Zhang J, Tao J, Li J, Tian J, Guan X (2014) DNSRadar: outsourcing malicious domain detection based on distributed cache-footprints. IEEE Trans Inf Forensics Secur 9(11):1906\u20131921","journal-title":"IEEE Trans Inf Forensics Secur"},{"doi-asserted-by":"crossref","unstructured":"Morales JA, Al-Bataineh A, Xu S, Sandhu R (2009) Analyzing DNS activities of bot processes. In: 2009 4th international conference on malicious and unwanted software (MALWARE). IEEE, pp 98\u2013103","key":"124_CR25","DOI":"10.1109\/MALWARE.2009.5403014"},{"unstructured":"Phishtank: PhishTank open api (2021). https:\/\/www.phishtank.com. Accessed 20 Aug 2021","key":"124_CR26"},{"unstructured":"Prieto I, Maga\u00f1a E, Morat\u00f3 D, Izal M (2011) Botnet detection based on DNS records and active probing. In: Proceedings of the international conference on security and cryptography. IEEE, pp 307\u2013316","key":"124_CR27"},{"unstructured":"QI-ANXIN: DataCon opendata (2020). https:\/\/datacon.qianxin.com\/opendata\/dns. Accessed 20 Feb 2007","key":"124_CR28"},{"issue":"3","key":"124_CR29","doi-asserted-by":"publisher","first-page":"794","DOI":"10.1587\/transcom.E95.B.794","volume":"95","author":"K Sato","year":"2012","unstructured":"Sato K, Ishibashi K, Toyono T, Hasegawa H, Yoshino H (2012) Extending black domain name list by using co-occurrence relation between DNS queries. IEICE Trans Commun 95(3):794\u2013802","journal-title":"IEICE Trans Commun"},{"doi-asserted-by":"crossref","unstructured":"Schiavoni S, Maggi F, Cavallaro L, Zanero S (2014) Phoenix: DGA-based botnet tracking and intelligence. In: International conference on detection of intrusions and malware, and vulnerability assessment. Springer, pp 192\u2013211","key":"124_CR30","DOI":"10.1007\/978-3-319-08509-8_11"},{"unstructured":"Sch\u00fcppen S, Teubert D, Herrmann P, Meyer U (2018) $$\\{$$FANCI$$\\}$$: Feature-based automated NXDomain classification and intelligence. In: 27th $$\\{$$USENIX$$\\}$$ security symposium ($$\\{$$USENIX$$\\}$$ security 18), pp 1165\u20131181","key":"124_CR31"},{"issue":"3","key":"124_CR32","doi-asserted-by":"publisher","first-page":"1347","DOI":"10.1007\/s11063-017-9666-7","volume":"48","author":"Y Shi","year":"2018","unstructured":"Shi Y, Chen G, Li J (2018) Malicious domain name detection based on extreme machine learning. Neural Process Lett 48(3):1347\u20131357","journal-title":"Neural Process Lett"},{"key":"124_CR33","doi-asserted-by":"publisher","first-page":"142","DOI":"10.1016\/j.cose.2015.09.004","volume":"55","author":"M Stevanovic","year":"2015","unstructured":"Stevanovic M, Pedersen JM, D\u2019Alconzo A, Ruehrup S, Berger A (2015) On the ground truth problem of malicious DNS traffic analysis. Comput Secur 55:142\u2013158","journal-title":"Comput Secur"},{"doi-asserted-by":"crossref","unstructured":"Sun L, Wei X, Zhang J, He L, Philip SY, Srisa-an W (2017) Contaminant removal for android malware detection systems. In: 2017 IEEE international conference on big data (big data). IEEE, pp 1053\u20131062","key":"124_CR34","DOI":"10.1109\/BigData.2017.8258029"},{"unstructured":"Sun X, Tong M, Yang J, Xinran L, Heng L (2019) $$\\{$$HinDom$$\\}$$: a robust malicious domain detection system based on heterogeneous information network with transductive classification. In: 22nd international symposium on research in attacks, intrusions and defenses ($$\\{$$RAID$$\\}$$ 2019), pp 399\u2013412","key":"124_CR35"},{"unstructured":"SURBL.ORG: SURBL-URI Reputation Data (2021). http:\/\/www.surbl.org\/. Accessed 20 Aug 2021","key":"124_CR36"},{"unstructured":"The Spamhaus Project Ltd: The Domain Block List (2021). https:\/\/www.spamhaus.org\/dbl\/. Accessed 20 Aug 2021","key":"124_CR37"},{"doi-asserted-by":"crossref","unstructured":"Tong V, Nguyen G (2016) A method for detecting DGA botnet based on semantic and cluster analysis. In: Proceedings of the seventh symposium on information and communication technology, pp 272\u2013277","key":"124_CR38","DOI":"10.1145\/3011077.3011112"},{"key":"124_CR39","doi-asserted-by":"publisher","first-page":"2401","DOI":"10.1016\/j.neucom.2017.11.018","volume":"275","author":"D Tran","year":"2018","unstructured":"Tran D, Mac H, Tong V, Tran HA, Nguyen LG (2018) A LSTM based framework for handling multiclass imbalance in DGA botnet detection. Neurocomputing 275:2401\u20132413","journal-title":"Neurocomputing"},{"issue":"11","key":"124_CR40","first-page":"2579","volume":"9","author":"L Van der Maaten","year":"2008","unstructured":"Van der Maaten L, Hinton G (2008) Visualizing data using t-SNE. J Mach Learn Res 9(11):2579\u20132605","journal-title":"J Mach Learn Res"},{"doi-asserted-by":"crossref","unstructured":"Villamar\u00edn-Salom\u00f3n R, Brustoloni JC (2009) Bayesian bot detection based on dns traffic similarity. In: Proceedings of the 2009 ACM symposium on applied computing, pp 2035\u20132041","key":"124_CR41","DOI":"10.1145\/1529282.1529734"},{"doi-asserted-by":"crossref","unstructured":"Wang Q, Li L, Jiang B, Lu Z, Liu J, Jian S (2020) Malicious domain detection based on k-means and smote. In: International conference on computational science. Springer, pp 468\u2013481","key":"124_CR42","DOI":"10.1007\/978-3-030-50417-5_35"},{"doi-asserted-by":"crossref","unstructured":"Wu S, Fulton J, Liu N, Feng C, Zhang L (2019) Risky host detection with bias reduced semi-supervised learning. In: Proceedings of the 2019 international conference on artificial intelligence and computer science, pp 34\u201340","key":"124_CR43","DOI":"10.1145\/3349341.3349365"},{"issue":"14","key":"124_CR44","doi-asserted-by":"publisher","first-page":"3180","DOI":"10.3390\/s19143180","volume":"19","author":"G Yan","year":"2019","unstructured":"Yan G, Li Q, Guo D, Li B (2019) AULD: large scale suspicious DNS activities detection via unsupervised learning in advanced persistent threats. Sensors 19(14):3180","journal-title":"Sensors"},{"doi-asserted-by":"crossref","unstructured":"Zhang Y-L, Li L, Zhou J, Li X, Liu Y, Zhang Y, Zhou Z-H (2017) POSTER: a PU learning based system for potential malicious URL detection. In: Proceedings of the 2017 ACM SIGSAC conference on computer and communications security, pp 2599\u20132601","key":"124_CR45","DOI":"10.1145\/3133956.3138825"},{"issue":"3\/4","key":"124_CR46","first-page":"116","volume":"3","author":"Y Zhou","year":"2013","unstructured":"Zhou Y, Li Q-S, Miao Q, Yim K (2013) DGA-based botnet detection using DNS traffic. J Internet Serv Inf Secur 3(3\/4):116\u2013123","journal-title":"J Internet Serv Inf Secur"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-022-00124-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-022-00124-x\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-022-00124-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,10,1]],"date-time":"2022-10-01T03:52:13Z","timestamp":1664596333000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-022-00124-x"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,10,1]]},"references-count":46,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2022,12]]}},"alternative-id":["124"],"URL":"https:\/\/doi.org\/10.1186\/s42400-022-00124-x","relation":{},"ISSN":["2523-3246"],"issn-type":[{"type":"electronic","value":"2523-3246"}],"subject":[],"published":{"date-parts":[[2022,10,1]]},"assertion":[{"value":"7 September 2021","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"27 March 2022","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"1 October 2022","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"19"}}