Dynamic Risk Assessment by Bayesian Attack Graphs and Process Mining
Francesco Vitale, Simone Guarino, Stefano Perone, Massimiliano Rak, Nicola Mazzocca

TL;DR
This paper introduces a dynamic risk assessment method combining Bayesian Attack Graphs and process mining to detect active exploitation of vulnerabilities in cybersecurity systems.
Contribution
It proposes a novel approach that integrates process mining with Bayesian Attack Graphs for real-time vulnerability exploitation detection.
Findings
Effectively detects active exploitation of vulnerabilities.
Provides updated probability assessments of system compromise.
Validated on a cybersecurity testbed with real attack scenarios.
Abstract
While attack graphs are useful for identifying major cybersecurity threats affecting a system, they do not provide operational support for determining the likelihood of having a known vulnerability exploited, or that critical system nodes are likely to be compromised. In this paper, we perform dynamic risk assessment by combining Bayesian Attack Graphs (BAGs) and online monitoring of system behavior through process mining. Specifically, the proposed approach applies process mining techniques to characterize malicious network traffic and derive evidence regarding the probability of having a vulnerability actively exploited. This evidence is then provided to a BAG, which updates its conditional probability tables accordingly, enabling dynamic assessment of vulnerability exploitation. We apply our method to a cybersecurity testbed instantiating several machines deployed on different…
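The abstract describes the core mechanism: a monitoring component produces evidence that a particular vulnerability is being exploited, and a Bayesian Attack Graph absorbs that evidence and re-computes the probability that downstream nodes are compromised. The following is an added illustration of that update step, written for this page and not code from the paper or its authors. The graph (three attack steps in a chain plus one observation node fed by a traffic detector), the prior and conditional probabilities, and the detector's detection and false-alarm rates are all constructed assumptions; inference is done by exact enumeration because the graph is tiny.

```python
"""Tiny Bayesian Attack Graph (BAG) updated with monitoring evidence.

Constructed example: three attack-step nodes in a chain plus one observation
node that models a process-mining-style traffic detector.  Exact inference by
enumerating all assignments, so no external library is required.  All node
names, priors, CPT values and detector rates are assumptions for illustration,
not figures taken from the paper.
"""
from itertools import product

# Each node maps to (parents, CPT).  The CPT maps a tuple of parent truth
# values to P(node = True | parents); root nodes use the empty tuple as key.
BAG = {
    # Attacker exploits a known vulnerability on the internet-facing host.
    "exploit_web": ((), {(): 0.30}),
    # The internal host's vulnerability is reachable only after a foothold.
    "exploit_internal": (("exploit_web",), {(True,): 0.60, (False,): 0.02}),
    # The critical node is compromised through the internal host.
    "compromise_critical": (("exploit_internal",), {(True,): 0.80, (False,): 0.01}),
    # Observation node: the traffic detector reports activity matching the
    # exploit pattern.  Detection rate 0.90, false-alarm rate 0.05 (assumed).
    "alert_web": (("exploit_web",), {(True,): 0.90, (False,): 0.05}),
}


def joint_probability(assignment):
    """P(full assignment) = product over nodes of P(node | parents)."""
    p = 1.0
    for node, (parents, cpt) in BAG.items():
        key = tuple(assignment[parent] for parent in parents)
        p_true = cpt[key]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def posterior(query, evidence=None):
    """P(query = True | evidence), evidence being a dict of observed node values."""
    evidence = evidence or {}
    nodes = list(BAG)
    numerator = denominator = 0.0
    for values in product([False, True], repeat=len(nodes)):
        assignment = dict(zip(nodes, values))
        # Skip worlds inconsistent with what the monitor observed.
        if any(assignment[k] != v for k, v in evidence.items()):
            continue
        p = joint_probability(assignment)
        denominator += p
        if assignment[query]:
            numerator += p
    return numerator / denominator


def risk_report(evidence=None):
    """Probability of each attack step given the current evidence."""
    return {
        node: round(posterior(node, evidence), 4)
        for node in BAG
        if not node.startswith("alert")
    }


if __name__ == "__main__":
    print("static (no evidence):   ", risk_report())
    print("detector raised an alert:", risk_report({"alert_web": True}))
```

With no evidence the chain yields the static risk picture (about 0.30, 0.19 and 0.16 for the three steps). Once the detector node is observed as True, the posterior for the web exploit rises to roughly 0.89 and the critical-node compromise probability climbs from about 0.16 to about 0.43, which is the kind of shift a defender would use to reprioritise response. In a real deployment the detector's sensitivity and false-alarm rate should come from measured performance rather than assumed values, since they directly govern how much an alert moves the posterior.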
