While attack graphs are useful for identifying the major cybersecurity threats affecting a system, they give little operational support for estimating how likely a known vulnerability is to be exploited, or how likely critical system nodes are to be compromised. In this paper, we perform dynamic risk assessment by combining Bayesian Attack Graphs (BAGs) with online monitoring of system behavior through process mining. Specifically, the proposed approach applies process mining techniques to characterize malicious network traffic and to derive evidence about the probability that a vulnerability is actively being exploited. This evidence is then fed to a BAG, which updates its conditional probability tables accordingly, enabling a dynamic assessment of vulnerability exploitation. We apply our method to a cybersecurity testbed consisting of several machines deployed on different subnets and affected by several CVE vulnerabilities. The testbed is driven with both benign traffic and malicious behavior that simulates network attack patterns aimed at exploiting those CVE vulnerabilities. The results indicate that our proposal effectively detects whether vulnerabilities are being actively exploited, allowing the probability of system compromise to be re-assessed as the evidence arrives.
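As an added illustration of the update loop the abstract describes (this is not the paper's code), the block below wires together a small Bayesian attack graph with noisy-OR conditional probability tables, a stand-in for the process-mining step that scores how well observed traffic conforms to a known exploitation pattern, and a posterior update that folds that score in as virtual (likelihood) evidence on the corresponding node. The four-node graph, node names, prior exploitation probabilities, attack patterns, detector rates and all traces are assumptions constructed for the example; the ordered-subsequence conformance check is a simplification of real process-mining conformance checking such as token replay or alignments.

```python
"""Toy dynamic risk assessment with a Bayesian Attack Graph (BAG).

Added illustration, not code from the paper: the four-node graph, the
prior exploitation probabilities, the attack patterns and the detector
parameters (tpr/fpr) are all constructed for this example. The
conformance check is a deliberately simple ordered-subsequence match
standing in for a real process-mining technique such as token replay.
"""
from itertools import product

# Each node is an attacker state reached by exploiting one vulnerability;
# parents are prerequisite states. p_exploit is the prior probability that
# the step succeeds once any parent is true (noisy-OR combination).
BAG = {
    "dmz_web_compromised":    {"parents": [], "p_exploit": 0.60},
    "app_server_compromised": {"parents": ["dmz_web_compromised"], "p_exploit": 0.40},
    "db_server_compromised":  {"parents": ["app_server_compromised"], "p_exploit": 0.30},
    "admin_workstation":      {"parents": ["dmz_web_compromised",
                                           "app_server_compromised"], "p_exploit": 0.20},
}

# Ordered traffic events that a successful exploitation of the node's
# vulnerability is expected to produce (constructed; stands in for a
# process model mined from malicious traces).
ATTACK_PATTERNS = {
    "dmz_web_compromised":    ["http_scan", "http_payload", "reverse_shell"],
    "app_server_compromised": ["internal_scan", "rpc_exploit", "new_service"],
}


def local_prob(node, value, assignment):
    """P(node = value | parent values) under the noisy-OR CPT."""
    spec = BAG[node]
    if not spec["parents"]:
        p_true = spec["p_exploit"]
    else:
        p_fail = 1.0
        for parent in spec["parents"]:
            if assignment[parent]:
                p_fail *= 1.0 - spec["p_exploit"]
        p_true = 1.0 - p_fail          # 0 if no parent is compromised
    return p_true if value else 1.0 - p_true


def joint(assignment):
    """Joint probability of a full True/False assignment to all nodes."""
    p = 1.0
    for node in BAG:
        p *= local_prob(node, assignment[node], assignment)
    return p


def trace_fitness(trace, pattern):
    """Fraction of the pattern's steps seen in order in the trace."""
    matched = 0
    for event in trace:
        if matched < len(pattern) and event == pattern[matched]:
            matched += 1
    return matched / len(pattern)


def evidence_from_traffic(trace, tpr=0.90, fpr=0.05):
    """Map conformance of the observed trace to virtual evidence.

    Returns {node: (P(obs | exploited), P(obs | not exploited))}. Full
    fitness yields the detector's (tpr, fpr); zero fitness is neutral
    (0.5, 0.5), so silence never lowers a node's probability.
    """
    evidence = {}
    for node, pattern in ATTACK_PATTERNS.items():
        f = trace_fitness(trace, pattern)
        evidence[node] = (0.5 + f * (tpr - 0.5), 0.5 + f * (fpr - 0.5))
    return evidence


def posterior(query, evidence):
    """P(query = True | evidence) by exact enumeration (fine for small graphs)."""
    nodes = list(BAG)
    num = den = 0.0
    for values in product([False, True], repeat=len(nodes)):
        a = dict(zip(nodes, values))
        w = joint(a)
        for node, (l_true, l_false) in evidence.items():
            w *= l_true if a[node] else l_false
        den += w
        if a[query]:
            num += w
    return num / den


def risk_report(evidence):
    """Posterior compromise probability of every node given the evidence."""
    return {node: posterior(node, evidence) for node in BAG}


if __name__ == "__main__":
    # Constructed traces: benign browsing vs. a full two-hop intrusion.
    benign = ["dns_query", "http_get", "tls_handshake"]
    attack = ["http_scan", "http_payload", "reverse_shell",
              "internal_scan", "rpc_exploit", "new_service"]
    for name, trace in (("benign", benign), ("attack", attack)):
        report = risk_report(evidence_from_traffic(trace))
        print(name, {k: round(v, 3) for k, v in report.items()})
```

With these assumed numbers the prior probability that the database server is compromised is 0.072; a trace that fully matches both exploitation patterns raises it to roughly 0.28, while a trace that only matches the DMZ pattern raises it to about 0.12. Two design points worth noting: the abstract speaks of updating the BAG's conditional probability tables, whereas here the monitor's output enters as a likelihood on the node, which is equivalent for inference and keeps the static CPTs untouched; and an unmatched pattern is deliberately treated as neutral rather than as evidence of absence, because a monitor that has seen nothing is not proof that nothing happened. Exact enumeration is exponential in the number of nodes, so a real deployment would use a belief-propagation or sampling engine instead.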