Identifying attack gangs and determining their behavior is not only an advanced stage of tracing and analyzing network security events, but also a core step in the large-scale combating and punishment of cyber attacks. Most work in the field of distributed denial of service (DDoS) attack analysis has focused on DDoS attack detection, and some work addresses tracing DDoS attacks to their sources. We find that very little work has been done on mining and analyzing DDoS attack gangs. DDoS attack gangs naturally have the attributes of human community relations. We propose a framework named HiAtGang, in which we define the concept of gang detection in DDoS attacks and introduce community analysis techniques into DDoS attack gang analysis. Different attacker clustering algorithms are compared and analyzed. Based on the analysis of massive numbers of DDoS attack events recorded by CNCERT/CC (the National Computer Network Emergency Response Technical Team/Coordination Center of China), effective gang mining and attribute calibration have been achieved. More than 250 DDoS attack gangs have been successfully tracked. Our research fills the gap in the field of DDoS attack gang detection, has supported CNCERT/CC in publishing the “Analysis Report on DDoS Attack Resources” for three consecutive years, and has achieved good practical results in combating DDoS attack crimes.
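As an added illustration of the community-analysis idea the abstract describes (this is example code, not the HiAtGang framework's own algorithm, and the attack-event records are constructed, not CNCERT/CC data), the following builds a co-attack graph from event records, treats its connected components after pruning one-off overlaps as candidate gangs, and computes simple gang attributes:

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample attack-event records: (event_id, attacking source, victim target).
# Values are made up for illustration; they are not real indicators.
EVENTS = [
    ("e1", "10.0.0.1", "victim-a"), ("e1", "10.0.0.2", "victim-a"), ("e1", "10.0.0.3", "victim-a"),
    ("e2", "10.0.0.1", "victim-b"), ("e2", "10.0.0.2", "victim-b"), ("e2", "10.0.0.3", "victim-b"),
    ("e3", "10.0.0.1", "victim-c"), ("e3", "10.0.0.2", "victim-c"),
    ("e4", "10.0.0.7", "victim-d"), ("e4", "10.0.0.8", "victim-d"),
    ("e5", "10.0.0.7", "victim-e"), ("e5", "10.0.0.8", "victim-e"),
    ("e6", "10.0.0.9", "victim-a"),                                   # lone source, no co-attackers
    ("e7", "10.0.0.3", "victim-f"), ("e7", "10.0.0.7", "victim-f"),   # one-off overlap between groups
]

def build_coattack_graph(events):
    """Edge (u, v) is weighted by the number of events in which both sources took part."""
    by_event = defaultdict(set)
    for event_id, src, _target in events:
        by_event[event_id].add(src)
    weights = defaultdict(int)
    for sources in by_event.values():
        for u, v in combinations(sorted(sources), 2):
            weights[(u, v)] += 1
    return weights

def find_gangs(events, min_shared_events=2):
    """Candidate gangs: connected components after dropping edges weaker than the threshold."""
    adj = defaultdict(set)
    for (u, v), w in build_coattack_graph(events).items():
        if w >= min_shared_events:
            adj[u].add(v)
            adj[v].add(u)
    seen, gangs = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:                      # iterative depth-first traversal of one component
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(adj[node] - comp)
        seen |= comp
        gangs.append(frozenset(comp))
    return gangs

def gang_profile(gang, events):
    """Attribute calibration: gang size, events attributable to it, and the victims it hit."""
    hits = [(e, t) for e, s, t in events if s in gang]
    return {"size": len(gang), "events": len({e for e, _ in hits}),
            "targets": sorted({t for _, t in hits})}
```

Lowering `min_shared_events` to 1 merges the two groups through the single shared event `e7`, which is why a threshold on repeated co-occurrence matters when separating gangs.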