摘要:Recently, cyber attacks are constantly increasing, and the recognition of cyber attacks beforehand hasrisen in prominence for the rapid response. However, since the attackers generally use hidden IP via VPNor Proxy to hide their actions and origins, it is not easy to recognize their attacks in advance. To addressthis problem, in this paper, we propose an approach to extract the cyber reconnaissance activity pattern ofthe attacker who uses hidden IP. We first collected the web logs that generated by the attackers who hadaccessed certain web pages using hidden IP. Then we analysed the collected web logs based onSNA(Social Network Analysis) and K-means clustering algorithm, and extracted some differentiated behaviorpatterns. We also compare the extracted behavior patterns and the normal behavior patterns of general webusers to verify the differences of them.