My guess would be that ISPs could probably work out the difference only if they had admin access into the home router.

Ever since the Code Red/Nimda viral outbreaks that quashed many major networks, cable providers ended up adding a lot of scanning security tech to their networks. These days it's been handy at detecting the non-viral kind like the Zeus malware too. I scope this to cable modem networks due to Code Red hitting them particularly hard. This was due to some subnetting practices back then that essentially had neighborhoods running more like a LAN. ISDN/DSL variants of broadband were a little more protected by default from Code Red/Nimda but not by much. Ultimately the rise of home routers added a lot of security via obscurity due to hiding people's computers behind NAT.

Somewhere I may still have logs from my home Linux server that show how bad @Home cable internet was being hammered by those Windows-only virus infection attempts.

The basics of their security tech are that it knows the command and control servers or other malware infrastructure, and sees when customers are making repeated routing requests to those destinations. This has led to some cat-and-mouse games, as initially malware would have specific ports it used. These days, I wouldn't be surprised if the more difficult kind of malware is routing its C&C traffic through Tor or torrent-like networks. It's long been a common practice to route C&C traffic into IRC or other similar mediums to try and avoid detection.

My exposure to security risks in the 90s at ISPs I helped run, and the light security work I did for a cancelled MMO really helped me appreciate not getting into InfoSec full time.
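
The detection idea described in the comment above (a list of known C&C destinations, and customers seen contacting them repeatedly), as an added example that is not part of the original post and not any ISP's actual tooling. The flow-record layout, the addresses (documentation ranges), the function name and the threshold of 3 hits in 30 minutes are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicator list (RFC 5737 documentation addresses), standing in
# for a feed of known C&C infrastructure.
KNOWN_C2 = {"203.0.113.10", "198.51.100.77"}

# Constructed flow records: (timestamp, customer address, destination, dest port).
SAMPLE_FLOWS = [
    ("2024-01-01T10:00:00", "192.0.2.15", "203.0.113.10", 6667),
    ("2024-01-01T10:05:00", "192.0.2.15", "203.0.113.10", 6667),
    ("2024-01-01T10:10:00", "192.0.2.15", "203.0.113.10", 443),
    ("2024-01-01T10:02:00", "192.0.2.40", "198.51.100.77", 80),    # single hit
    ("2024-01-01T10:03:00", "192.0.2.40", "192.0.2.200", 443),     # not listed
    ("2024-01-01T08:00:00", "192.0.2.99", "198.51.100.77", 8080),
    ("2024-01-01T12:30:00", "192.0.2.99", "198.51.100.77", 8080),  # hours later
    ("2024-01-01T12:40:00", "192.0.2.99", "198.51.100.77", 8080),
]


def find_beaconing_customers(flows, c2_addrs, min_hits=3,
                             window=timedelta(minutes=30)):
    """Return {customer: (destination, hits)} for customers that contacted a
    known C&C address at least min_hits times inside one sliding window.
    Ports are ignored (an assumption here): matching on the destination
    still works when the malware changes the port it uses."""
    contacts = defaultdict(list)
    for ts, customer, dest, _port in flows:
        if dest in c2_addrs:
            contacts[(customer, dest)].append(datetime.fromisoformat(ts))

    flagged = {}
    for (customer, dest), times in contacts.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            # Shrink the window from the left until it spans <= `window`.
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits and best > flagged.get(customer, ("", 0))[1]:
            flagged[customer] = (dest, best)
    return flagged


if __name__ == "__main__":
    hits = find_beaconing_customers(SAMPLE_FLOWS, KNOWN_C2)
    for customer, (dest, count) in sorted(hits.items()):
        print(f"{customer} contacted {dest} {count} times within the window")
```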