English

Dynamic Risk Assessment by Bayesian Attack Graphs and Process Mining

Cryptography and Security 2026-04-21 v1 Machine Learning Networking and Internet Architecture

Abstract

While attack graphs are useful for identifying major cybersecurity threats affecting a system, they do not provide operational support for determining the likelihood of having a known vulnerability exploited, or that critical system nodes are likely to be compromised. In this paper, we perform dynamic risk assessment by combining Bayesian Attack Graphs (BAGs) and online monitoring of system behavior through process mining. Specifically, the proposed approach applies process mining techniques to characterize malicious network traffic and derive evidence regarding the probability of having a vulnerability actively exploited. This evidence is then provided to a BAG, which updates its conditional probability tables accordingly, enabling dynamic assessment of vulnerability exploitation. We apply our method to a cybersecurity testbed instantiating several machines deployed on different subnets and affected by several CVE vulnerabilities. The testbed is stimulated with both benign traffic and malicious behavior, which simulates network attack patterns aimed at exploiting the CVE vulnerabilities. The results indicate that our proposal effectively detects whether vulnerabilities are being actively exploited, allowing for an updated assessment of the probability of system compromise.

Keywords

Cite

@article{arxiv.2604.18080,
  title  = {Dynamic Risk Assessment by Bayesian Attack Graphs and Process Mining},
  author = {Francesco Vitale and Simone Guarino and Stefano Perone and Massimiliano Rak and Nicola Mazzocca},
  journal= {arXiv preprint arXiv:2604.18080},
  year   = {2026}
}

Comments

Accepted to the 2026 IEEE International Conference on Cyber Security and Resilience

R2 v1 2026-07-01T12:18:05.149Z