Geo-Aware Clustering of Cyber Attacks Using K-Means and DBSCAN for Threat Intelligence Mapping
- Ahmad Latif
- Saifuloh Yusuf Riyadi
Abstract
The increasing volume and complexity of cybersecurity attacks present significant challenges for effective threat detection and response. This study applies two unsupervised machine learning techniques, K-Means and DBSCAN, to analyze 40,000 cyberattack records containing attributes such as anomaly scores, attack types, severity levels, and geographic locations. The goal is to uncover latent structures and regional patterns within the data that can inform threat intelligence and response strategies. Descriptive statistics and feature correlation analysis were performed as a foundation for clustering. K-Means clustering, guided by the Elbow and Silhouette methods, identified three distinct clusters with balanced distributions and moderate separation (Silhouette Score = 0.23893; Davies-Bouldin Index = 1.33). In contrast, DBSCAN revealed dense pockets of attacks and successfully isolated noise points, capturing regions with higher anomaly severity. Geo-spatial visualizations and cluster-specific summaries showed that the two algorithms provide valuable but complementary perspectives: K-Means offers interpretable groupings for strategic profiling, while DBSCAN excels at isolating high-risk outliers and concentrated attack behaviors. The findings demonstrate the utility of clustering-based approaches in extracting actionable insights from complex cyber threat data, paving the way for adaptive and region-sensitive cybersecurity defense frameworks.
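The abstract's pipeline (scale attack attributes, cluster with K-Means, cluster with DBSCAN, score the partitions) is shown below as an added worked example; this is not the paper's code or data. The records are a constructed toy set of (latitude, longitude, anomaly score, severity) tuples: three tight regional groups plus two isolated high-anomaly events. Both algorithms are implemented from scratch with the standard library so the example runs without scikit-learn; k=3 mirrors the paper's choice, while the eps and min_samples values are assumptions chosen for the scaled toy data. On this input K-Means, forced to produce three clusters, spends one centroid on the two outliers and merges two regional groups, whereas DBSCAN recovers all three groups and labels the outliers as noise, which is the complementary behaviour the abstract describes.

```python
"""Added worked example (not the paper's code): scale constructed attack records,
cluster them with K-Means and DBSCAN implemented here from scratch, and score
both partitions with a silhouette coefficient. Standard library only."""
import math

# Constructed sample records: (latitude, longitude, anomaly_score, severity).
# Three tight regional groups plus two isolated high-anomaly events.
RECORDS = [
    (40.7, -74.0, 20, 1), (40.8, -73.9, 22, 1), (40.6, -74.1, 21, 1),
    (40.9, -73.8, 24, 1), (40.5, -74.2, 23, 1),
    (51.5, -0.1, 50, 2), (51.6, 0.0, 52, 2), (51.4, -0.2, 51, 2),
    (51.7, 0.1, 54, 2), (51.3, -0.3, 53, 2),
    (35.7, 139.7, 80, 3), (35.8, 139.8, 82, 3), (35.6, 139.6, 81, 3),
    (35.9, 139.9, 84, 3), (35.5, 139.5, 83, 3),
    (-33.9, 151.2, 99, 4), (-23.5, -46.6, 98, 4),
]


def min_max_scale(rows):
    """Scale each attribute to [0, 1] so degrees and scores weigh equally."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    span = [(max(c) - l) or 1.0 for c, l in zip(cols, lo)]
    return [tuple((v - l) / s for v, l, s in zip(r, lo, span)) for r in rows]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, max_iter=100):
    """Lloyd's K-Means with deterministic farthest-first seeding."""
    centroids = [points[0]]
    while len(centroids) < k:  # next seed = point farthest from all seeds so far
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    labels = None
    for _ in range(max_iter):
        new = [min(range(k), key=lambda j: dist(p, centroids[j])) for p in points]
        if new == labels:
            break
        labels = new
        for j in range(k):
            members = [p for p, l in zip(points, labels) if l == j]
            if members:  # an emptied cluster keeps its previous centroid
                centroids[j] = tuple(sum(c) / len(members) for c in zip(*members))
    return labels


def dbscan(points, eps, min_samples):
    """Density clustering; label -1 marks noise (isolated attack records)."""
    n = len(points)
    nbrs = [[j for j in range(n) if dist(points[i], points[j]) <= eps] for i in range(n)]
    labels = [None] * n
    cluster = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        if len(nbrs[i]) < min_samples:
            labels[i] = -1  # not a core point; may be claimed later as a border point
            continue
        labels[i] = cluster
        queue = list(nbrs[i])
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster  # border point reached from a core point
            if labels[j] is not None:
                continue
            labels[j] = cluster
            if len(nbrs[j]) >= min_samples:
                queue.extend(nbrs[j])  # core point: keep expanding
        cluster += 1
    return labels


def silhouette(points, labels):
    """Mean silhouette over clustered points; noise (-1) is skipped and
    singleton clusters score 0, following scikit-learn's convention."""
    scores = []
    for i, (p, l) in enumerate(zip(points, labels)):
        if l == -1:
            continue
        same = [q for j, (q, m) in enumerate(zip(points, labels)) if m == l and j != i]
        others = {m for m in labels if m not in (l, -1)}
        if not same or not others:
            scores.append(0.0)
            continue
        a = sum(dist(p, q) for q in same) / len(same)
        b = min(sum(dist(p, q) for q, m in zip(points, labels) if m == o) / labels.count(o)
                for o in others)
        scores.append((b - a) / max(a, b))
    return sum(scores) / len(scores)


def run(k=3, eps=0.2, min_samples=3):
    """Assumed parameters: k from the paper, eps/min_samples chosen for the toy data."""
    points = min_max_scale(RECORDS)
    km, db = kmeans(points, k), dbscan(points, eps, min_samples)
    return {
        "kmeans_labels": km,
        "dbscan_labels": db,
        "kmeans_silhouette": silhouette(points, km),
        "dbscan_silhouette": silhouette(points, db),
        "noise_records": [RECORDS[i] for i, l in enumerate(db) if l == -1],
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

Running the script prints both label vectors, the two silhouette scores and the records DBSCAN set aside as noise. The min-max scaling step matters for the geo-aware reading: without it, longitude spans hundreds of degrees while severity spans a few units, and the distance metric would be dominated by geography alone.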
Keywords: Cybersecurity, Clustering, K-Means, DBSCAN, Geo-spatial Analysis, Threat Intelligence, Anomaly Detection
How to Cite:
Latif, A. & Riyadi, S., (2025) “Geo-Aware Clustering of Cyber Attacks Using K-Means and DBSCAN for Threat Intelligence Mapping”, Journal of Cyber Law 1(4), 282-299. doi: https://doi.org/10.63913/jcl.v1i4.74