An attacking node detection apparatus, method, and computer program product thereof are provided. The attacking node detection apparatus stores a plurality of access records of an application, wherein each access record includes a network address of a host and an access content. The attacking node detection apparatus filters the access records into a plurality of filtered access records according to a predetermined rule so that the access content of each filtered access record conforms to the predetermined rule. The attacking node detection apparatus creates at least one access relation of each of the network addresses according to the filtered access records, wherein each access relation is defined by one of the network addresses and one of the access contents. The attacking node detection apparatus identifies a specific network address as an attacking node according to the access relations.