Current cyber attribution approaches typically operate on a per-incident basis, leaving open whether aggregating evidence across campaigns improves adversary identification. We investigate whether cross-campaign attribution reduces ambiguity or whether structural limits persist under longitudinal data. We model adversary fingerprints as multi-dimensional feature vectors encoding behavioral, infrastructural, and temporal characteristics derived from covert beacon interactions. We introduce ARCANE (Attacker Re-identification via Cross-campaign Attribution Network), a probabilistic framework that aggregates passive telemetry across campaigns and organizations to construct persistent adversary fingerprints. These fingerprints are updated using a Bayesian belief network that integrates new evidence over time. A time-decayed confidence metric captures accumulated similarity across campaigns. Evaluation on a synthetic dataset of multiple threat profiles shows that intra-actor similarity consistently exceeds inter-actor similarity. However, separation between distinct actors remains limited due to shared operational practices among sophisticated adversaries. Results indicate that cross-campaign aggregation alone does not resolve attribution ambiguity. Performance is constrained by a structural ceiling in feature space, where inter-actor similarity remains high even without evasion. Attribution accuracy remains stable under increasing evasion, suggesting the main limitation is feature indistinguishability rather than adversarial adaptation. These findings highlight the need for additional signal classes, such as targeting patterns, temporal coordination, and infrastructure relationships, to improve attribution reliability.
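As an added illustration, not the paper's ARCANE implementation, the following Python sketches the mechanics the abstract describes: feature-vector fingerprints, a time-decayed confidence that accumulates similarity across campaigns, a Bayesian "same actor" update, and an intra- versus inter-actor similarity comparison. It assumes cosine similarity as the feature-space measure, exponential decay, an exponential likelihood ratio for the update, and constructed feature vectors in which actors A and B share operational practices, so the structural ceiling the abstract reports (high inter-actor similarity without any evasion) is visible.

```python
import math
from itertools import combinations

# Constructed sample data (not from the paper): one record per campaign
# observation, holding the day it was seen, the true actor label (used only
# for evaluation) and a feature vector over behavioral, infrastructural and
# temporal dimensions, each scaled to [0, 1].
CAMPAIGNS = [
    (0,   "A", [0.90, 0.80, 0.10, 0.70, 0.20]),
    (30,  "A", [0.85, 0.75, 0.15, 0.70, 0.25]),
    (60,  "B", [0.80, 0.70, 0.20, 0.65, 0.30]),  # shares tradecraft with A
    (90,  "B", [0.80, 0.65, 0.25, 0.60, 0.30]),
    (120, "C", [0.10, 0.20, 0.90, 0.10, 0.80]),  # clearly distinct actor
]


def cosine(u, v):
    """Cosine similarity between two feature vectors (assumed measure)."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


def decay_weight(age_days, half_life_days=90.0):
    """Exponential time decay: evidence half_life_days old counts half."""
    return 0.5 ** (age_days / half_life_days)


def decayed_confidence(history, candidate, now, half_life_days=90.0):
    """Time-decayed accumulated similarity between a candidate observation
    and an actor's fingerprint history (list of (day, vector)): the
    decay-weighted mean of per-observation cosine similarity as of `now`."""
    num = den = 0.0
    for day, vec in history:
        w = decay_weight(now - day, half_life_days)
        num += w * cosine(vec, candidate)
        den += w
    return num / den if den else 0.0


def bayes_update(prior, similarity, sharpness=8.0):
    """Posterior probability of 'same actor' after one similarity observation.
    Assumed likelihood ratio exp(sharpness * (similarity - 0.5)): similarity
    above 0.5 raises the odds, below 0.5 lowers them."""
    odds = prior / (1.0 - prior) * math.exp(sharpness * (similarity - 0.5))
    return odds / (1.0 + odds)


def intra_inter_similarity(campaigns):
    """Mean cosine similarity within and between labelled actors."""
    intra, inter = [], []
    for (_, a1, v1), (_, a2, v2) in combinations(campaigns, 2):
        (intra if a1 == a2 else inter).append(cosine(v1, v2))
    return sum(intra) / len(intra), sum(inter) / len(inter)
```

Running `intra_inter_similarity(CAMPAIGNS)` shows intra-actor similarity above inter-actor similarity, while the A-to-B pair alone still scores above 0.98, which is the ceiling the abstract attributes to shared operational practices rather than to evasion.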