Threat Campaigns

How Campaigns Are Formed

• • Shared C2: IPs contacting the same Command & Control servers
• • Shared botnet: IPs linked to the same botnet family
• • Subnet overlap: IPs in the same /24 subnet with 3+ shared ports
• • Shared commands: IPs executing 2+ identical attack commands
• • Temporal correlation: Closely timed activity patterns

Confidence Scoring

• • Subnet overlap: 20% weight
• • Shared C2: 25% weight
• • Shared botnet: 20% weight
• • Temporal link: 15% weight
• • Shared commands: 20% weight

Confidence = sum of matched indicator weights. Union-find clustering merges connected IPs into campaigns.