Business Context

TrustShield, a certificate intelligence vendor, scans public TLS certificates and internal enterprise PKI logs to detect suspicious certificate issuance. The security team wants a binary classifier that flags potentially malicious or misissued certificates for analyst review before they are trusted by downstream systems.

Dataset

The training data combines Certificate Transparency logs, enterprise CA issuance records, and analyst labels from prior investigations.

• Size: 420K certificates, 48 engineered features
• Target: Binary — suspicious certificate (1) vs normal certificate (0)
• Class balance: 6.5% positive, 93.5% negative
• Missing data: 18% missing in domain_age and WHOIS-derived fields, 7% missing in some issuer metadata for legacy internal CAs

Success Criteria

A solution is considered good enough if it achieves PR-AUC >= 0.55, recall >= 0.80 at precision >= 0.35, and produces feature-level explanations usable by security analysts.

Constraints

• Batch scoring must complete in under 10 minutes for 1M certificates/day.
• Analysts need interpretable reasons for flags.
• False negatives are costly, but analyst review capacity limits false positives.
• The model should be retrained monthly because issuer behavior changes over time.

Deliverables

1. Build a binary classification pipeline for suspicious certificate detection.
2. Explain model choice, feature engineering, and imbalance handling.
3. Evaluate with metrics appropriate for imbalanced security data.
4. Propose a thresholding strategy for analyst review queues.
5. Describe how you would deploy, monitor, and retrain the model safely.