Abstract:
As modern computer attacks grow more and more complicated, defenders need to detect malicious activities and analyze which attacker or organization these attacks came from. It is a challenge to model an attacker from malicious web logs. In this paper, we model attacker activities based on malicious HTTP requests collected from various kinds of websites, which record the behavior of IP addresses and make it possible to describe the attacker based on HTTP requests. First, we propose a novel method to obtain the IP address embedding from two aspects: we design a heterogeneous graph, named IP-Domain-Graph, to capture the relation between an IP address and the domain to which it has sent malicious requests, and we design an embedding method for request content to capture the behavioral characteristics of the IP address. Then we use a similarity calculation method to cluster IP addresses to describe an attacker. The experimental results demonstrate the effectiveness of the proposed method.
Published in: 2021 IEEE 24th International Conference on Computer Supported Cooperative Work in Design (CSCWD)
Date of Conference: 05-07 May 2021
Date Added to IEEE Xplore: 28 May 2021