The active learning approach for machine learning can greatly benefit those environments where a wealth of unlabeled data is available, and the labeling cost of the data can be restrictive. In this regard, security operations centers (SOCs) can take advantage of the human expertise available to improve machine learning-based detection models using the active learning approach. In the context of SOC operations and IoT botnet detection, our study provides a thorough benchmarking of the application of different active learning approaches within the framework of pool-based sampling. The selection of the optimal query instance for learning is evaluated using uncertainty sampling, ranked batch-mode sampling, and query by committee strategies. Our results show that the active learning approach can help to generate better detection models using all the active learning query strategies tested in our benchmarking setup. Leveraging the human–machine interaction can produce high-performance models in the context of IoT botnet detection using significantly less data than the passive approaches traditionally used for the generation of machine learning-based detection systems. Additionally, the impact of wrong-labeled data in the active learning implementation is explored.

机器学习的主动学习方法可以极大地有利于那些有大量未标记数据可用的环境，并且数据的标记成本可能受到限制。在这方面，安全运营中心 (SOC) 可以利用可用的人类专业知识，使用主动学习方法改进基于机器学习的检测模型。在 SOC 操作和 IoT 僵尸网络检测的背景下，我们的研究提供了在基于池的采样框架内应用不同主动学习方法的全面基准测试。使用不确定性抽样、排序批处理模式抽样和委员会查询策略来评估用于学习的最佳查询实例的选择。我们的结果表明，主动学习方法可以帮助使用我们的基准测试设置中测试的所有主动学习查询策略生成更好的检测模型。与传统上用于生成基于机器学习的检测系统的被动方法相比，利用人机交互可以在物联网僵尸网络检测的背景下使用更少的数据生成高性能模型。此外，还探讨了错误标记数据对主动学习实施的影响。