Hosts generating unsolicited network traffic increasingly operate in a coordinated manner rather than in isolation. Scanning and exploitation activities are often distributed across multiple hosts that share common infrastructure, toolchains, and behavioral patterns, forming loosely coupled yet persistently aligned sender groups. Accurately attributing such groups is critical for understanding organized activities and strengthening network defense capabilities. However, existing attribution approaches face notable limitations. Methods that rely on threat intelligence suffer from delayed updates and limited coverage. Static feature-based approaches ignore temporal ordering and therefore fail to capture multi-stage behavioral evolution. Although dynamic sequence models incorporate temporal patterns, they typically overlook the collaborative structural relationships among coordinated senders. In this paper, we propose SentinelGraph, a temporal graph reasoning framework for sender group attribution from honeypot traffic. SentinelGraph constructs a temporal knowledge graph and integrates a recurrent graph evolution module to jointly model coordination structures and their temporal dynamics. A structure enhancement module further exploits contextual information available at the target time, while an auxiliary relation loss encourages the learning of enriched entity representations. This design enables accurate attribution even for previously unseen senders by leveraging information from their observed neighbors. Experiments on real-world honeypot data demonstrate that SentinelGraph substantially outperforms state-of-the-art methods in modeling coordinated network behaviors.
Shiyu Wang
Cheng Tu
Min Zhang
Tianjin Agricultural University
Wang et al. (Sat,) studied this question.
synapsesocial.com/papers/69926552eb1f82dc367a145d — DOI: https://doi.org/10.3390/electronics15040823