随着信息技术飞速发展，网络攻击事件频发，造成了日益严重的经济损失或社会影响.为了减少损失或预防未来潜在的攻击，需要对网络攻击事件进行溯源以实现对攻击者的挖掘追责.当前的溯源过程主要依赖于人工完成、效率低下.面对日益增加的海量溯源数据和日趋全面的溯源建模分析维度，亟需半自动化或自动化的网络攻击者挖掘方法.本文提出一种基于图模型的网络攻击溯源方法，建立网络攻击事件溯源本体模型，融合网络攻击事件中提取的线索数据和威胁情报数据，形成网络攻击事件溯源关系图；引入图嵌入算法自动学习嵌有关联线索特征的网络攻击事件特征向量，进而利用历史网络攻击事件特征向量训练SVM（Support Vector Machine）分类器，并基于SVM分类器完成网络攻击者的挖掘溯源；最后，通过实验验证了本文方法的可行性和有效性.
With the rapid development of technologies such as computers and smart devices, cyber attack incidents happen frequently, which cause increasingly serious economic losses or reputation losses. In order to reduce losses and prevent future potential attacks, it is necessary to trace the source of cyber attack incidents to achieve accountability for the attackers. The attribution of cyber attackers is mainly a manual process by forensic analyst. Faced with increasing analysis data and analysis dimensions, semi-automated or automated cyber attackers mining analysis methods are urgently needed. In this work, we propose a graph model-based attacker mining analysis method for cyber attack incidents. This method first establishes an ontology model for cyber attack incident attribution, and then fuses clue data extracted from cyber attack incidents with various threat intelligence data to construct a cyber attack incidents attribution relationship graph. The graph embedding algorithm automatically learns the representation vector of cyber attack incidents, which embedded clue characteristics of cyber attack incidents, from the attribution relationship graph of cyber attack incidents. And then a classifier is trained with the historical cyber attack incidents representation vector, which classifies the cyber attack incident to one cyber attacker. Finally, the feasibility and effectiveness of the method are verified by experiments.