Representative Literature
HiAtGang: How to Mine the Gangs Hidden Behind DDoS Attacks
Abstract:
Identifying and determining behaviors of attack gangs is not only an advanced stage of the network security event tracing and analysis, but also a core step of large-scale combat and punishment of cyber attacks. Most of the work in the field of distributed denial of service (DDoS) attack analysis has focused on DDoS attack detection, and a part of the work involves the research of DDoS attack sourcing. We find that very little work has been done on the mining and analysis of DDoS attack gangs. DDoS attack gangs naturally have the attributes of human community relations. We propose a framework named HiAtGang, in which we define the concept of the gang detection in DDoS attacks and introduce the community analysis technology into DDoS attack gang analysis. Different attacker clustering algorithms are compared and analyzed. Based on analysis results of massive DDoS attack events recorded by CNCERT/CC (The National Computer Network Emergency Response Technical Team/Coordination Center of China), the effective gang mining and attribute calibration have been achieved. More than 250 DDoS attack gangs have been successfully tracked. Our research fills the gaps in the field of the DDoS attack gang detection and has supported CNCERT/CC in publishing "Analysis Report on DDoS Attack Resources" for three consecutive years and achieved a good practical effect on combating DDoS attack crimes.
Authors:
ZHU Tian; QIU Xiaokang; RAO Yu; YAN Hanbing; ZHOU Yu; SHI Guixin
Author affiliations:
National Computer Network Emergency Response Technical Team Center, Beijing 100029, China; School of Economics and Management, Beihang University, Beijing 100191, China
Citation format:
[1] ZHU Tian; QIU Xiaokang; RAO Yu; YAN Hanbing; ZHOU Yu; SHI Guixin. HiAtGang: How to Mine the Gangs Hidden Behind DDoS Attacks[J]. Chinese Journal of Electronics, 2022(02): 293-303