The invention relates to a TTP automatic extraction and attack team clustering method. Along with increasingly popularization of advanced persistent threats in the global range, the Internet of Thingsis directly exposed to the Internet due to poor security, so that the Internet of Things becomes an excellent weapon for a hacker organization to initiate APT attacks. Therefore, an attacker can establish a botnet by using the attacked Internet of Things device and initiate an APT attack by using the botnet. The invention provides a framework for observing and predicting attacks of the Internet of Things. The framework aims at automatically extracting technologies, tactics and processes of attackers and mining potential attacker teams behind a large number of attacks. Firstly, related fieldsare extracted from captured Internet of Things honeypot logs; and then, the attack behavior is mapped to an ATT & CK framework to realize TTP automatic extraction. Furthermore, the method generates four feature groups including 18 features including TTP, time, IP and URL, potential attack groups are mined through specific hierarchical clustering, and finally, an attack tree is generated for each attacker cluster so as to better describe team attack behaviors.