From IPs to Threat Groups: Community Detection on Rule-Enhanced Homology Graphs
摘要
Modern cyber attacks increasingly employ distributed IPs to conduct multi-stage intrusions, making it critical to identify homologous IPs within massive attack traces. However, current IP homology analysis methods suffer from limited interpretability and rely solely on pairwise comparisons, failing to uncover potential threat groups effectively. In this paper, we propose a novel two-stage framework that first codifies expert-defined homology rules to identify potential homologous IP pairs, then applies community detection to aggregate IPs into potential attack groups. The homology rules encompass intrinsic attributes and behavioral patterns, and are further used to construct rule-enhanced graphs for analysis. Our method systematically combines expert-guided homology rules with graph-based community detection on rule-enhanced IP graphs. This dual approach achieves both interpretable threat homology at the IP level and structured attack group attribution at the organizational scale. Empirical validation on real-world attack logs demonstrates the discovery of coherent threat clusters, confirming the practical relevance of our approach. The released analysis code and community profiling dataset will further advance research in attack attribution.