Techniques are described herein for convicting malicious actors across datasets of different origins. The algorithm allows correlation of the available ground truth knowledge from one dataset with observations in another dataset. In the network/endpoint security field this algorithm allows for conviction of malicious network traffic and identification of Command and Control infrastructure of newly detected malware, even if no direct communication between binaries and domains is observed