
arxiv: 2604.18080 · v1 · submitted 2026-04-20 · cs.CR · cs.LG · cs.NI

Dynamic Risk Assessment by Bayesian Attack Graphs and Process Mining

Pith reviewed 2026-05-10 04:23 UTC · model grok-4.3

classification: cs.CR · cs.LG · cs.NI
keywords: Bayesian Attack Graphs · Process Mining · Dynamic Risk Assessment · Cybersecurity · Vulnerability Exploitation · Network Traffic Analysis · Conditional Probability Tables · CVE Detection

The pith

Process mining on network traffic updates Bayesian attack graphs to reflect active vulnerability exploitation.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper proposes combining Bayesian Attack Graphs with process mining techniques to achieve dynamic risk assessment for cybersecurity systems. The method analyzes observed network traffic to identify patterns that indicate whether specific known vulnerabilities are under active exploitation. Evidence from this analysis revises the conditional probabilities in the attack graph, producing an updated estimate of the chance that critical system nodes will be compromised. The authors demonstrate the approach on a testbed with multiple machines and CVEs, mixing normal traffic with simulated attack sequences. A sympathetic reader cares because conventional attack graphs give only static snapshots, while this integration supplies operational updates tied to real behavior.

Core claim

The central claim is that process mining applied to network traffic can characterize malicious patterns and supply evidence that updates the conditional probability tables of a Bayesian Attack Graph, thereby supporting a dynamic evaluation of whether listed vulnerabilities are being exploited and whether the system faces an increased probability of compromise.

What carries the argument

The integration of process mining to extract behavioral evidence from network traces and feed it into the conditional probability tables of the Bayesian Attack Graph for specific CVE exploitation events.

If this is right

  • Risk assessments shift from static to responsive as new traffic evidence arrives.
  • Detection of active exploitation becomes possible even when benign and malicious flows coexist.
  • Conditional probability tables in the attack graph can be revised online without manual intervention.
  • The probability of system compromise can be recalculated continuously during live operation.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same evidence-updating loop might be applied to other monitoring sources such as host logs or application events.
  • In operational settings the method could lower the rate of stale alerts by grounding probabilities in observed behavior rather than vulnerability lists alone.
  • Scaling the approach would require testing how process mining handles encrypted traffic or very high-volume networks without losing detection accuracy.

Load-bearing premise

Process mining on mixed network traffic can reliably isolate evidence of CVE exploitation attempts and translate that evidence into accurate updates for the attack graph probabilities.

What would settle it

A test run on the described cybersecurity testbed in which known exploitation attempts occur yet the Bayesian Attack Graph shows no corresponding rise in the updated probability of system compromise.

Figures

Figures reproduced from arXiv: 2604.18080 by Francesco Vitale, Massimiliano Rak, Nicola Mazzocca, Simone Guarino, Stefano Perone.

Figure 1: The proposed approach for dynamic risk assessment through process mining and BAGs.

Figure 3: The BAG of the cybersecurity testbed.

Table I. Edge characterization in the BAG.
Edge   | vi → vj                                  | Vulnerability u
e1     | Attacker → RA:192.168.56.1               | CVE-2023-0600
e2     | Attacker → RA:20.0.0.9                   | CVE-2010-2075
e3     | 192.168.56.1 → RA:20.0.0.1 (login)       | Administrative Credentials
e4     | RA:20.0.0.9 → RA:20.0.0.1 (login)        | Administrative Credentials
e5     | RA:20.0.0.9 → RA:20.0.0.1                | CVE-2019-15107
e6, e7 | RA:20.0.0.1 → RA:10.0.0.3                | CVE-2011-2… (remaining rows truncated on the page)

Figure 4: Exploit probability values for each attack step in AP1 (a) and AP2.
Original abstract

While attack graphs are useful for identifying major cybersecurity threats affecting a system, they do not provide operational support for determining the likelihood of having a known vulnerability exploited, or that critical system nodes are likely to be compromised. In this paper, we perform dynamic risk assessment by combining Bayesian Attack Graphs (BAGs) and online monitoring of system behavior through process mining. Specifically, the proposed approach applies process mining techniques to characterize malicious network traffic and derive evidence regarding the probability of having a vulnerability actively exploited. This evidence is then provided to a BAG, which updates its conditional probability tables accordingly, enabling dynamic assessment of vulnerability exploitation. We apply our method to a cybersecurity testbed instantiating several machines deployed on different subnets and affected by several CVE vulnerabilities. The testbed is stimulated with both benign traffic and malicious behavior, which simulates network attack patterns aimed at exploiting the CVE vulnerabilities. The results indicate that our proposal effectively detects whether vulnerabilities are being actively exploited, allowing for an updated assessment of the probability of system compromise.
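The update loop the abstract and the core claim describe, made concrete as an added example (not code from the paper or its authors). It builds a small noisy-OR Bayesian attack graph using the node and edge labels of Table I, computes the static probability that the last host is compromised by exact enumeration, then raises the exploit probabilities of the edges whose exploit patterns process mining reports as observed and recomputes. Everything numeric is an assumption: the baseline edge probabilities, the evidence confidences, the `pattern_confidence` stand-in for the conformance step, and the linear `p + c * (1 - p)` rule for turning a confidence into a CPT update. The paper does not publish its own translation from mined evidence to CPT entries, so this rule illustrates the shape of the mechanism, not the authors' method.

```python
"""Toy Bayesian Attack Graph with noisy-OR CPTs updated by process-mining evidence.

Constructed example: node and edge labels follow Table I of the page; every
probability, trace and confidence value below is made up for illustration.
"""
from itertools import product

# Hosts in topological order; the attacker is the root and is always present.
# H1 = RA:192.168.56.1, H2 = RA:20.0.0.9, H3 = RA:20.0.0.1, H4 = RA:10.0.0.3 (critical node)
NODES = ["Attacker", "H1", "H2", "H3", "H4"]

# (parent, child, edge label, baseline exploit probability); probabilities are constructed.
EDGES = [
    ("Attacker", "H1", "e1 CVE-2023-0600", 0.30),
    ("Attacker", "H2", "e2 CVE-2010-2075", 0.25),
    ("H1", "H3", "e3 admin credentials", 0.40),
    ("H2", "H3", "e4 admin credentials", 0.40),
    ("H2", "H3", "e5 CVE-2019-15107", 0.35),
    ("H3", "H4", "e6/e7 (CVE id truncated on the page)", 0.50),
]
BASELINE = {label: p for _, _, label, p in EDGES}


def cpt(child, state, edge_probs):
    """P(child compromised | parent states) under the noisy-OR assumption:
    every incoming edge from a compromised parent is an independent exploit chance."""
    survive = 1.0
    for parent, c, label, _ in EDGES:
        if c == child and state[parent]:
            survive *= 1.0 - edge_probs[label]
    return 1.0 - survive


def marginals(edge_probs):
    """Exact marginal compromise probability of each host, enumerating the 2^4 joint states.
    (Fine for a toy graph; real BAGs need a proper inference engine.)"""
    hosts = NODES[1:]
    marg = {h: 0.0 for h in hosts}
    for bits in product((False, True), repeat=len(hosts)):
        state = {"Attacker": True, **dict(zip(hosts, bits))}
        joint = 1.0
        for h in hosts:  # chain rule along the topological order
            p = cpt(h, state, edge_probs)
            joint *= p if state[h] else 1.0 - p
        for h in hosts:
            if state[h]:
                marg[h] += joint
    return marg


def pattern_confidence(trace, pattern):
    """Stand-in for the conformance step (assumption): the share of the expected
    activity pattern that an observed event trace reproduces, in order."""
    matched = 0
    for activity in trace:
        if matched < len(pattern) and activity == pattern[matched]:
            matched += 1
    return matched / len(pattern)


def apply_evidence(edge_probs, evidence):
    """Move each evidenced edge's exploit probability toward 1 in proportion to the
    mining confidence: p' = p + c * (1 - p). This linear rule is an assumption;
    the paper does not publish its translation from mined evidence to CPT entries."""
    updated = dict(edge_probs)
    for label, confidence in evidence.items():
        p = updated[label]
        updated[label] = p + confidence * (1.0 - p)
    return updated


# Constructed evidence: mining reports traffic matching the e2 and e5 exploit
# patterns, i.e. the path Attacker -> H2 -> H3 appears to be under active exploitation.
EVIDENCE = {"e2 CVE-2010-2075": 0.9, "e5 CVE-2019-15107": 0.8}


def assess(evidence=EVIDENCE):
    """Return (static marginals, evidence-updated marginals)."""
    return marginals(BASELINE), marginals(apply_evidence(BASELINE, evidence))


if __name__ == "__main__":
    static, updated = assess()
    for h in NODES[1:]:
        print(f"{h}: static P(compromised)={static[h]:.4f}  updated={updated[h]:.4f}")
    # Constructed trace: the whole e5 pattern is seen, interleaved with benign events.
    print("e5 pattern confidence:",
          pattern_confidence(["recon", "benign", "login", "benign", "exec"],
                             ["recon", "login", "exec"]))
```

With these placeholder numbers the critical node H4 sits at about 0.13 in the static graph and rises to about 0.44 once the two edge probabilities are updated, which is the kind of shift the abstract calls an updated assessment of the probability of system compromise. In a deployment the confidences in `EVIDENCE` would be produced by the conformance step (here approximated by `pattern_confidence`) on each monitoring window rather than fixed by hand, and a useful sanity check is that an empty evidence dict reproduces the static marginals exactly.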

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The paper proposes combining Bayesian Attack Graphs (BAGs) with process mining on network traffic for dynamic risk assessment. Process mining is applied to characterize malicious patterns in mixed benign/malicious traffic within a multi-machine testbed containing several CVE vulnerabilities; the extracted evidence is used to update BAG conditional probability tables, enabling updated assessments of exploitation likelihood and system compromise. The authors report that results from stimulating the testbed indicate effective detection of active exploitations.

Significance. If the integration were quantitatively validated, the work would provide a concrete operational bridge between static attack-graph analysis and real-time monitoring, addressing a recognized limitation of BAGs. The testbed design with multiple subnets and mixed traffic is a reasonable starting point for demonstrating the idea. However, the current manuscript supplies no performance numbers, baselines, or mapping details, so the claimed advance remains unproven.

major comments (3)
  1. [Evaluation] Evaluation section: the central claim that the method 'effectively detects whether vulnerabilities are being actively exploited' is supported only by the qualitative statement 'results indicate effective detection.' No precision, recall, F1 scores, confusion matrices, or ground-truth comparison for the process-mining step against labeled CVE exploitation sequences is provided, leaving the reliability of evidence extraction unverified.
  2. [Proposed Approach] Proposed approach / dynamic update mechanism: no equations or algorithmic description specify how raw process-mining output (event logs or discovered sequences) is translated into updates of the BAG conditional probability tables. Without this mapping, the claimed Bayesian update cannot be reproduced or assessed for correctness.
  3. [Results] Results: the manuscript reports no baseline comparisons (static BAG, alternative anomaly detectors, or random evidence injection) and supplies no error rates or sensitivity analysis for the combined system, so the incremental benefit of the process-mining component cannot be quantified.
minor comments (2)
  1. [Abstract / Introduction] The abstract and introduction use 'online monitoring' and 'process mining' interchangeably without clarifying whether the mining is performed in a streaming or batch fashion; a short clarification would improve readability.
  2. [Figures] Figure captions and axis labels in the testbed and result diagrams should explicitly state the traffic mix ratio and the ground-truth labels used for any visual comparison.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive comments, which help clarify the contributions and limitations of our work on integrating Bayesian Attack Graphs with process mining for dynamic risk assessment. We address each major comment below and commit to revisions that strengthen the manuscript without misrepresenting the current content.

Point-by-point responses
  1. Referee: [Evaluation] Evaluation section: the central claim that the method 'effectively detects whether vulnerabilities are being actively exploited' is supported only by the qualitative statement 'results indicate effective detection.' No precision, recall, F1 scores, confusion matrices, or ground-truth comparison for the process-mining step against labeled CVE exploitation sequences is provided, leaving the reliability of evidence extraction unverified.

    Authors: We agree that the evaluation relies on a qualitative statement and lacks the requested quantitative metrics. The testbed experiments used labeled benign and malicious traffic sequences, which in principle support ground-truth evaluation, but these details and metrics were not reported. In the revised manuscript we will add precision, recall, F1 scores, and a confusion matrix for the process-mining detection of CVE exploitation sequences. revision: yes

  2. Referee: [Proposed Approach] Proposed approach / dynamic update mechanism: no equations or algorithmic description specify how raw process-mining output (event logs or discovered sequences) is translated into updates of the BAG conditional probability tables. Without this mapping, the claimed Bayesian update cannot be reproduced or assessed for correctness.

    Authors: The referee correctly notes that the mapping from process-mining outputs to BAG updates is described only conceptually. The manuscript does not supply the explicit translation rules or equations. We will add a dedicated subsection with an algorithmic description and the corresponding equations showing how conformance or frequency measures from the mined models are converted into likelihood evidence and applied to update the conditional probability tables. revision: yes

  3. Referee: [Results] Results: the manuscript reports no baseline comparisons (static BAG, alternative anomaly detectors, or random evidence injection) and supplies no error rates or sensitivity analysis for the combined system, so the incremental benefit of the process-mining component cannot be quantified.

    Authors: We acknowledge that the results section contains no baseline comparisons or quantitative sensitivity analysis. The experiments demonstrated feasibility on a multi-subnet testbed with mixed traffic, but did not quantify incremental benefit. In the revision we will include a comparison against a static (non-updated) BAG, report overall error rates for the combined system, and add sensitivity analysis showing how varying strengths of process-mining evidence affect the final risk probabilities. revision: yes

Circularity Check

0 steps flagged

No circularity: method combines independent external techniques without self-referential reduction

Full rationale

The paper proposes combining Bayesian Attack Graphs with process mining on network traffic to update conditional probability tables for dynamic risk assessment. No equations, derivations, or self-citations are shown that reduce any claimed prediction or result to a fitted parameter or input defined inside the paper itself. The central claim rests on applying process mining to extract evidence from mixed traffic and feeding it to an external BAG model; results are reported from a testbed experiment without internal loops or renamings that equate outputs to inputs by construction. This is self-contained against external benchmarks (process mining and BAGs are standard tools), so the derivation chain does not collapse.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The paper rests on standard Bayesian updating and the assumption that process mining can map traffic patterns to exploitation probabilities; no new free parameters, ad-hoc axioms, or invented entities are introduced in the abstract.

axioms (2)
  • [domain assumption] Process mining can extract reliable evidence of CVE exploitation from mixed network traffic logs.
    Invoked when the abstract states that process mining derives evidence for updating BAG conditional probability tables.
  • [standard math] Bayesian Attack Graphs can incorporate external evidence to produce updated compromise probabilities.
    Standard property of Bayesian networks used throughout the described method.

pith-pipeline@v0.9.0 · 5482 in / 1379 out tokens · 54057 ms · 2026-05-10T04:23:50.413267+00:00 · methodology

