HGHAN: Hacker group identification based on heterogeneous graph attention network

2022 
Hacker group identification is important preliminary work for tasks such as hacking tracing and criminal portraits. Current hacker identification mainly relies on fingerprints and clue collection. However, the increasing complexity of organizational attacks means that a cyber-attack is no longer a single action but a hierarchical attack chain. Portraying the complete attack chain and correlating multiple attack records is a major challenge. In addition, extracting feature information of hacker groups from the attack chain requires a novel solution to optimize conventional identification. This paper proposes HGHAN, a novel method for hacker group identification based on the heterogeneous graph. The core of HGHAN is the heterogeneous graph attention network (HAN). It extracts hacker group features from the Web attack heterogeneous information network, which models the Web attack chain of hacker groups. In experiments on Web attack data from the Zone-H.org site, the results show that the HAN algorithm improves the performance of hacker group identification and has a better identification effect than other heterogeneous graph node embedding algorithms.