Cyber attacks are unauthorised actions against computer network infrastructure to exploit vulnerabilities in target systems, while cyber threats refer to potential adversarial events in which an attacker could exploit vulnerabilities (Li and Liu, 2021). Typically, a cyber attack can consist of a number of actions, events, or steps required for the attacker to gain access or sufficient privileges to achieve the objective of an attack, e.g., denial of service (DOS) or the delivery and use of malware. A common approach to classifying these steps has been through various frameworks such as the cyber kill chain (Hutchins et al., 2011). At a more technical level, potential or real cyber attacks have often been modelled as directed graph structures. Among these graph-based methods, attack graphs and their variants are often used to represent cyber attacks (Lallie et al., 2020; Liu et al., 2012; Wachter, 2023; Zeng et al., 2019; Zenitani, 2023). There are two commonly used forms of attack graphs: the first is a directed graph with nodes representing network states and edges (links) representing exploits, while the second uses nodes to represent pre- or post-conditions of an exploit and edges to show the consequences. In addition, knowledge-based methods are used to model attack concepts and vulnerability details (Alserhani, 2015; Qi et al., 2023; Sikos, 2023).

In order to understand, analyse, and visualise the sequence of events of a successful cyber attack, we will here use attack modelling techniques (AMTs). There are three main categories of AMT: (i) methods based on use cases like misuse or security use cases, (ii) temporal methods based on, e.g., cyber kill chains, and (iii) methods based on graphs (Lallie et al., 2020). Here, we will focus on graph-based models as they enable cyber analysts and researchers to formulate and use different metrics, both quantitative and qualitative, to optimise and prioritise defensive efforts (Lallie et al., 2020). Graph-based cyber attack modelling can be conducted at various technological levels, including applications, services, or entire computer networks. To achieve this, mappings from technical micro-service levels to higher clustering levels can be accomplished using technical configuration repositories.

In the literature, the term attack graph has been used to refer to a variety of modelling approaches (Wachter, 2023), which present a taxonomy of these models based on analysing 70 attack graph formalisms. This taxonomy uses a hierarchical categorisation with two top-level categories: sequential models and causal dependency models. Sequential models represent attack steps and paths formed by them, while causal dependency models focus on cause-effect relationships. Based on node semantics, sequential models are further categorised into asset-oriented, vulnerability-/exploit-oriented, and condition-/attribute-oriented types.

Our research approach will focus on network modelling, as it provides a range of methods and tools for analysing cyber-related graphs from different perspectives and aggregation levels. One recent approach involves modelling network structure and influence flow at a detailed level of nodes and links (Almiala et al., 2023; Kuikka and Kaski, 2024; Kuikka et al., 2022). This network model uses Markov processes and applies probability theory to assess the combined effects from multiple sources. Our method for evaluating the effects of various joining paths in both acyclic and cyclic (Levner and Tsadikovich, 2024) graphs extends the probabilistic techniques discussed in the literature (Carter et al., 2014; Homer et al., 2013; Stergiopoulos et al., 2022; Wang et al., 2008). In this study, we calculate the combined effect of multiple alternative paths in a graph by using the theorem of non-mutually exclusive events from probability theory. Details of the model and its corresponding algorithm can be found in (Kuikka et al., 2022). In general, our probabilistic modelling approach serves as an integrated, graph-based methodology or framework for analysing various types of influence spreading processes, including cyber attacks. The integration of modelling and analysis metrics within the same probabilistic framework makes our approach self-consistent, distinguishing it from other graph-based methods.

In this study, we present the modelling of cyber-related graphs through three use cases and demonstrate how the model can be applied to examine the exploitability, causality, and incomplete graph information in the computer network and services system. The first use case (Stergiopoulos et al., 2022) involves a directed acyclic graph in which the states of the system are represented as nodes and the vulnerabilities as links between the nodes, forming an attack graph. The exploitability of a vulnerability is interpreted as the probability of a successful exploit (i.e., traversability of a link). In the network model, these probabilities are assigned to link weights, which are derived using general CVSS scoring data (Common Vulnerability Scoring System) (NIST, 2012) and adjusted with a scaling factor. The second use case (Alsaheel et al., 2021) demonstrates a larger network structure of services and applications, illustrating how exploitability metrics can be utilised to produce aggregate security metrics concerning vulnerability and service levels. The third use case (Alsaheel et al., 2021; Jiang et al., 2017) involves two types of nodes, namely, attack entities and non-attack entities identified by an attack investigation tool using natural language processing and deep learning. This use case illustrates how our model can address inaccuracies in results from threat analysis tools.

These use cases demonstrate how different categorisations can be applied within the model. Because the model presents metrics as probabilities, it aids in forming a consistent understanding of the situation from various perspectives. Additionally, our model introduces novel methods for analysing cyber-related graphs. It employs a probabilistic technique to merge multiple alternative paths—both cyclic and acyclic—within a graph. The model uses a detailed model to consider all potential paths through the nodes of the network and defines new metrics to estimate the exploitability and impacts. For instance, it can be used to evaluate the impact of eliminating certain vulnerabilities across services or protecting targeted services within the system. Therefore, our model could serve as a valuable aid for cyber analysts and those designing cyber-secure systems. Based on our model, it is possible to develop a visualisation and analysis tool that allows cyber analysts to leverage various model outputs and metrics for real-world mitigation planning. This tool could include enterprise-specific assessments related to exploitability and impact values. As a result, analysts could perform what-if analyses and inspect specific parts of networks and systems.

In Section 3, we will present our network modelling method and analysis metrics. The pseudo-algorithms of our influence spreading model are reproduced in the supplementary material from our earlier study (Kuikka et al., 2022). In Section 2, we review related research on attack graphs and metrics used to assess the impacts of cyber attacks. In Section 4, we describe the data and networks of the use cases on which the model is demonstrated. In Section 5, we will explain how the model can be used to obtain new results in analysing cyber-related graphs through the three use cases. In Section 6, we will discuss the applications of our graph-based methods in analysing cyber vulnerabilities and attacks, and present concluding remarks.

Several reviews have been published about attack graphs and related cybersecurity methods and models to analyse them (Lallie et al., 2020; Wachter, 2023; Zeng et al., 2019; Zenitani, 2023). The review in (Lallie et al., 2020) provides a description of a theory of cyber attacks and how elements of attack graphs and attack trees are represented and visualised. The study in (Wachter, 2023) presents the state of research on the representation and analysis of cyber attacks using attack graph formalisms and proposing a classification based on an analysis of models regarding graph semantics, agents involved, and analytical features. This study also investigates which formalisms enable automatic attack graph generation from raw or processed data input.

The review in (Zenitani, 2023) presents a recent summary of studies on attack graphs, by focusing on key concepts such as exploit dependency and/or rules (Levner and Tsadikovich, 2024), monotonicity, and handling cycles. The study in (Zeng et al., 2019) describes the key concepts, generation methods, and computation tasks of attack graphs. Also, it summarises various analysis methods, including graph-based, Bayesian network-based, Markov model-based, cost-optimisation, and uncertainty analysis methods. In the attack graph analysis, there is a need to quantify the levels of threats, vulnerabilities, exploits, and impact, each with appropriate metrics. For example, in enterprise environments, system security metrics (Pendleton et al., 2016) and network attack graph metrics (Noel and Jajodia, 2017) have been proposed to evaluate and compare the threats and impacts of cyber attacks.

In the literature (Shakarian et al., 2015), an Independent Cascade (IC) model has been proposed as a way to describe influence maximisation. This model assumes that nodes activate their neighbours independently on the basis of a fixed probability rather than multi-step logical relationships, as in the case of our influence spreading model. A key difference is that the IC model does not consider joining paths, like our present model does by following the probabilistic rule of mutually non-exclusive events. This can result in a more realistic evaluation of the overall risk for the enterprise network and services. Our probabilistic method also allows us to calculate expected cumulative and non-cumulative impact values, as well as the circular effects of attack propagation.

The present study is related to two earlier works: one by Stergiopoulos et al. (2022) and another by Alsaheel et al. (2021). The data for the first two use cases are adapted from (Stergiopoulos et al., 2022), while the data for the third use case comes from (Alsaheel et al., 2021). The study in (Alsaheel et al., 2021) presents a sequence-based learning approach to investigate attacks, whereas (Stergiopoulos et al., 2022) proposes an automatic analysis of attack graphs to facilitate risk mitigation and prioritisation using probabilistic methods. Our method uses probability-based path combination, which complements the approach outlined in (Stergiopoulos et al., 2022). In that approach, single paths, as well as those with minimum and maximum exploitability and impact values, are assessed. However, our method is well suited for the comprehensive evaluation of enterprise networks. In contrast, the single path method allows for a detailed analysis of individual attack paths. Both techniques can be used together to examine different aspects of cyber attacks. Moreover, in enterprise-scale networks, analysing single paths can be computationally resource-intensive due to the vast number of potential combinations. Relying solely on subjective judgment to limit the set of possible paths may not produce accurate results.

Although there are a number of studies using graph-based cyber attacks modelling, a comprehensive approach applicable to various levels of applications and services in enterprise networks is still lacking. In the present study, we introduce a probabilistic method to quantitatively analyse cyber-related graphs and identify strategies to improve the resilience of network infrastructure.

Graphs related to cyber security, such as attack graphs and causal graphs, are mainly created to help visualise complexities of attack sequences and plan ways to prevent them (Lallie et al., 2020). These graphs are usually generated from large volumes of data for this purpose (Sheyner and Wing, 2003; Stojanović et al., 2020). Consequently, the resulting graphs typically contain a small number of nodes, ranging from a few to hundreds.

In our network-based modelling approach (Kuikka et al., 2022) we consider and analyse cyber attack processes from the point of view of influence spreading for finding ways to prevent or mitigate potential or ongoing attacks (Haque et al., 2021; Segovia-Ferreira et al., 2024). The model describes the network structure, including individual nodes and links. Influence spreads through a non-conserved process, moving from a node to all neighbouring nodes via directed links. In our model, the influence spreading can be assumed to take place via acyclic or cyclic Markov processes on a complex network structure. In the present study, the model describes attack propagation along self-avoiding paths, representing acyclic paths, and uses unrestricted paths to represent general propagation through either acyclic or cyclic paths.

The weights assigned to directed links represent the probabilities of successful attack propagation steps within a graph structure. Since the actual parameter values, including link weights and CVSS scores, can vary greatly in real environments, in this study, we employ a scaling factor to cover the full range of possible parameter values. This approach also enables what-if and sensitivity analyses to explore various attack scenarios and environments.

Our model is quite versatile as it offers different approaches to dealing with full breakthrough of nodes or self-avoiding paths. The first approach allows loops in the spreading process, while the second approach is better for examining connectivity between nodes. Loops consisting of a minimum of three nodes connected by links enable circular propagation of influence within the network structure. Both approaches yield similar results for directed acyclic graphs because the network lacks cyclic processes. In case of full breakthrough effects, a bidirectional link creates a cycle between the two nodes at each end of the link, resulting in recurring events in the network. Note that due to spreading, the effects are not limited to those nodes but spread throughout the network structure. In the case of self-avoiding paths, no recurring effects are permitted, and the process can propagate only in one direction along a path.

The method and corresponding algorithms proposed in our earlier article (Kuikka et al., 2022) are based on modelling network structure and spreading processes. This results in an N × N probability matrix C , where the number of nodes in the network is denoted by N . The matrix elements represent directed spreading or connectivity probabilities from one node to another in the network with a connecting path between them. When spreading from branching paths, it occurs in all possible directions, and the probabilities concern the first arrival at the end nodes. Subsequently, this matrix is used to define various metrics for analysing the network structure and network flow process. Note that models other than our influence spreading model can generate the probability matrix. As the analysis is based on the probability matrix, it is independent of the method used to produce the probability matrix. These models could even be non-Markovian or include other event types besides mutually non-exclusive events (OR rule) used to combine multiple joining alternative paths (Kuikka et al., 2022).

In network analysis, we use two metrics to evaluate the importance of a node, namely, out-centrality and in-centrality, and they are defined differently from the standard closeness centrality measures in the literature. One reason for using different metrics is the limitations of standard metrics in describing detailed network structures, because they are defined based on the shortest paths between nodes, thus ignoring other alternative paths an attack could propagate (Landherr et al., 2010). We use the probability matrix as the basis of analysis, as it enables the separation of the network modelling from the analysis (Kuikka et al., 2022).

Next, we define the centrality measures for the subset of nodes V in the network G of N nodes. (Note that in the case of the entire network V = G ). For the influence spreading through the network, we define the out-centrality of the source node s by C o u t s = 1 N − 1 ∑ t ∈ V s ≠ t C s , t (1) and the in-centrality of a target node t by C i n t = 1 N − 1 ∑ s ∈ V s ≠ t C s , t . (2) Here, the out-centrality of a node is the average value of probabilities of spreading from the source node to all other nodes in V , while the in-centrality of a node is the average value of probabilities of spreading from all other nodes in V to the target node. These centrality measures describe the physical properties of the network structure and the flow process. As C ( s , t ) is the probability of influence spreading from node s to node t , the sum in Equation 1 is interpreted as the expected value of the influenced nodes and the sum in Equation 2 as the expected number of nodes that spread influence to the specified node. In the context of cyber-related graphs, influence spreading refers to the propagation of cyber attacks within the graph. In this study, we adopt the convention of setting the state value of the source node as zero and using the corresponding normalisation factor 1 / ( N − 1 ) and express the results as percentage values.

When dealing with cyber-related graphs, the out-centrality is a measure for assessing the potential effect of a cyber attack on other nodes within the network. On the other hand, in-centrality is useful for understanding how various cyber attacks can affect nodes in the network. Detailed information can be obtained by focusing on a subset of start and end nodes using Equations 1, 2. Typically, the main focus is to explore vulnerabilities and the effect of a start node on an end node. However, multiple start nodes and end nodes can exist in one cyber-related graph.

Let us move on to discuss the metrics of exploitability and impact. The exploitability represents the probability of a successful cyber attack through a link, while impact describes its effect on the system, functionality, or operation. To assess the impact of different needs both at the technical and operational levels, the first step is to define the concept in the specific situation. The impact is calculated for the nodes and the exploitability is calculated for the links. We assume that the impact value does not influence the probabilities of propagation of the cyber attack. Therefore, impact values may not be expressed as probabilities and can have numerical values beyond the range of [ 0,1 ] . However, the impact values for different nodes are comparable, enabling us to calculate the desired sums for paths or network structures.

When assessing vulnerabilities, there are two main approaches: the General CVSS scoring (Common Vulnerability Scoring System) (NIST, 2012) or a custom evaluation method in which organisations supplement or override CVSS with their own risk assessments. The empirical CVSS scoring system provides a quantitative way to capture key characteristics of a vulnerability, resulting in scores that indicate its severity (the impact on a system) and exploitability (the ease of exploitation) (Mell et al., 2007). These metrics adhere to international standards for measuring cybersecurity risks. By using either CVSS or a custom evaluation, organisations can prioritise patches and mitigation strategies based on the potential impact of each vulnerability. We demonstrate the use of the CVSS scoring system in our first use case. In our second use case, since the general CVSS scores are uniformly high across all vulnerabilities, we focus on illustrating the network structure of services and applications and, therefore, use equal values for the vulnerability characteristics of all vulnerabilities. Furthermore, it is important to note that the general CVSS method may not accurately reflect the actual risk in a specific organisation or environment. The equations and algorithms used to score the base, temporal, and environmental metric groups are detailed in (Mell et al., 2007). Additional information on the origin and testing of these equations can be found at (FIRST, 2025).

Our approach is based on the use of link weights as probabilities to represent successful exploits. The exploitability metric measures the current state of exploit techniques or code availability. When easily accessible exploit code is publicly available, it increases the number of potential attackers, including unskilled ones, increasing the severity of vulnerabilities. The following equation illustrates how the factors A c c e s s V e c t o r , A c c e s s C o m p l e x i t y , and A u t h e n t i c a t i o n describe the accessibility and complexity of the vulnerability, and whether additional conditions are needed to exploit it. The exploitability metric is defined as follows (Mell et al., 2007): E x p l o i t a b i l i t y = 20 ∗ A c c e s s V e c t o r ∗ A c c e s s C o m p l e x i t y ∗ A u t h e n t i c a t i o n . (3)

Impact metric measures the potential consequences of exploiting a vulnerability of an IT asset. These impacts are independently defined based on the degree of loss in three key areas, namely, confidentiality, integrity, and availability. The present analysis can be further extended to consider specific business impacts by incorporating relevant effects in Equation 5. The total impact metric is defined as follows (Mell et al., 2007): I m p a c t = 10.41 ∗ 1 − 1 − C o n f I m p a c t ∗ 1 − I n t e g I m p a c t ∗ 1 − A v a i l I m p a c t . (4) In a network structure, a node can be targeted by different cyber attack paths from the source node through various links directed to the target node. In an attack graph, these may involve the same vulnerability. However, if different vulnerabilities can be exploited on one node, we calculate the weighted average value for the node or use the maximum impact of alternative exploits. We define a vector I with elements representing the impact values for the nodes in the network. The impact of a cyber attack from the start nodes S to the end nodes T can be defined as: I S , T ; I = ∑ i ∈ S j ∈ T C i , j I j , (5) where the matrix C consists of elements C ( i , j ) that represent the probabilities of successful attacks from node i to node j via alternative paths. The impact value on the end node alone includes the last exploit on the path. The impact value of Equation 5 can be calculated for specific events, including effects on specific services or aspects of security. Additionally, Equation 5 can be utilised to analyse the impact of exploits by determining the decrease in the impact value after mitigating vulnerabilities.

When all elements of vector I are set to one, we obtain a quantity that describes the attack propagation from the source node set S to the target node set T in the network. In this way, the impact value in Equation 5 is linked to the out- and in-centrality metrics in Equations 1, 2. Therefore, the centrality measures and the impact measure in Equation 5 are defined consistently with each other. Combining the alternative paths using probabilistic methods allows us to calculate accurate metrics based on Equations 3 and 4 for real-world cyber attacks and different classifications.

As a further characteristic measure, one can calculate a cumulative impact for an individual attack path, as done in (Stergiopoulos et al., 2022). In our model approach, the cumulative impact along a path is calculated by summing up the products of propagation probabilities and node impacts according to Equation 5. Once again, the impact on the end node only includes the impact on that node.

In summary, four kinds of impact metrics can be calculated: cumulative impacts along individual paths or all alternative paths, and non-cumulative impacts on the end nodes through individual or all alternative paths. In this study, we prefer metrics that combine alternative paths using a probability theory approach and methods. The factors C i , j in Equation 5 account for the effects of all potential alternative paths. This approach allows for the definition of new metrics in analysing cyber events from different perspectives and categorisations. In the next section, we provide examples of this through use cases.

For this study, we chose three different graph structures, described in Table 1 to serve as our use cases.

In this section, we present the results of our attack graph model for three different use cases. The first use case presents a small directed acyclic attack graph (Stergiopoulos et al., 2022). The second use case is a more complex attack graph from (Stergiopoulos et al., 2022) and finally, the third use case is a causal graph that was generated by an attack investigation tool using natural language processing and deep learning (Alsaheel et al., 2021).

In cybersecurity analysis of computer networks and service systems, it is natural to take a graph-based approach. Until recently, cyber-related graphs, such as attack graphs, have been created manually or generated by scanning network configurations to identify vulnerabilities and compute potential attack paths. In this case, the analysis of an attack graph involves examining individual paths that an attacker could take and evaluating the risk associated with each path.

In the present study, we have introduced a novel probabilistic graph-based analysis approach to investigate the structural and dynamic properties of the attack and causal graphs. This approach has previously been used in our research to model the spread of influence in complex networks. Here, we are applying this methodology for the first time to analyse the propagation of attacks and causal influences. In this context, out-centrality and in-centrality measures are used to identify critical nodes in the graph. The documented exploitability values of vulnerabilities mimic the probability of propagation of attacks or causal influences on possible paths or sequences of actions that an attacker or influencer can follow to achieve a particular objective, such as compromising a critical asset in a network. Similarly, the documented impact values of vulnerabilities are used to demonstrate the model in analysing cumulative and individual impacts of attacks.

Future research could focus on multilayer modelling of enterprise infrastructure and attack graphs. Additional areas of interest could include the integration of real-time attack graph generation and the exploration of hybrid approaches that combine machine learning or anomaly detection methods. Recently, there has emerged a variety of studies on AI-driven techniques in cybersecurity (Salem et al., 2024) and intrusion detection (Por et al., 2024). These approaches offer new opportunities to be integrated with the probabilistic methods discussed in this study.

In summary, we have developed a new method for analysing alternative paths within an attack graph and calculating their combined exploitability and impact. This approach differs from the previous methods since our approach offers a probabilistic framework to assess the combined effects of the entire attack graph, rather than focusing solely on the maximum or minimum scenarios. We have applied our model by presenting results related to functional services based on identified vulnerabilities. Additionally, this method can be extended to analyse multiple attack graphs simultaneously in a network structure. For higher levels of abstraction and summaries, it is essential to consistently aggregate alternative attack or causal effect paths within the model. This integrated perspective improves understanding of the situation and helps prioritise mitigation efforts. Thus, our model could be a versatile tool in the hands of cyber analysts.