DYNAMIC DETERMINATION OF INFORMATION SYSTEM SECURITY PARAMETERS BASED ON ATTACK GRAPHS AND MARKOV MODELS UNDER CONDITIONS OF UNCERTAINTY

DOI: https://doi.org/10.37943/25EXWB8090

Keywords: attack-graph, Markov-chain, uncertainty, regularization, telemetry, compromise-probability, risk-management, countermeasures, Zero-Trust

Abstract

The article presents an approach to the dynamic determination of information system security parameters under conditions of uncertainty and incomplete monitoring data. An attack graph is used as the structural foundation, describing possible compromise trajectories while considering vulnerability dependencies, configurations, access rights, and protective measures. To obtain quantitative assessments, a Markov model of adversary progress is introduced, in which intermediate states represent attack stages and absorbing states correspond to the achievement of critical goals related to violations of confidentiality, integrity, and availability. A key element of the methodology is the procedure for estimating transition probabilities given sparse observations from security logs and interval-based expert estimates for poorly observed attack steps. The proposed combination of event statistics and expert constraints is supplemented by regularization and dynamic updates, which increase parameterization stability, reduce the impact of isolated incidents, and account for operational environment drift. The calculated output indicators include the probability of compromise within a given horizon, separate violation probabilities for confidentiality, integrity, and availability, and the expected time to compromise. Experimental demonstration on a typical corporate architecture confirms the model's suitability for comparing defense scenarios and quantitatively justifying countermeasures: strengthening segmentation and privilege control reduces the reachability of target states, while enhancing monitoring and response further decreases the probability of achieving goals and increases the predicted time to compromise. Signs of attacks on management planes are also considered, including vulnerabilities in secure exchange protocols and network management protocols, as well as the compromise of device firmware. The results can be used for risk-oriented planning of security measures under budget constraints and for forming dynamic security effectiveness indicators in a Zero Trust architecture.
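As an added worked example (not code from the article or its authors), here is the absorbing-Markov-chain computation the abstract describes, run over a small constructed attack graph: transition rows are estimated from sparse log counts with additive smoothing and clipped into expert intervals, and the fundamental matrix then yields the eventual C/I/A violation probabilities, the probability of compromise within a horizon, and the expected time to compromise. The state names, counts and intervals are constructed assumptions, and the smoothing-plus-clipping rule is one simple regularizer standing in for the paper's own estimation procedure.

```python
import numpy as np

# Attack-graph states: transient attack stages first, absorbing goal states last.
TRANSIENT = ["initial_access", "foothold", "lateral_move", "privileged"]
ABSORBING = ["C_violation", "I_violation", "A_violation"]
STATES = TRANSIENT + ABSORBING
IDX = {s: i for i, s in enumerate(STATES)}
# Constructed sample data (not from the paper): COUNTS[src][dst] = transitions seen
# in logs (self entry = observed, no progress); EXPERT = [lo, hi] interval estimates.
COUNTS = {
    "initial_access": {"initial_access": 40, "foothold": 8},
    "foothold": {"foothold": 25, "lateral_move": 4, "A_violation": 1},
    "lateral_move": {"lateral_move": 12, "privileged": 2, "C_violation": 1},
    "privileged": {"privileged": 3, "C_violation": 0, "I_violation": 0},
}
EXPERT = {"lateral_move": {"privileged": (0.1, 0.3)},
          "privileged": {"C_violation": (0.3, 0.6), "I_violation": (0.1, 0.3)}}

def estimate_row(src, alpha=2.0):
    """Additive smoothing (pseudo-count alpha over progress edges), then clipping
    into the expert interval; leftover mass stays in src (no progress this step)."""
    out = {d: n for d, n in COUNTS[src].items() if d != src}
    total = sum(COUNTS[src].values())
    row = {}
    for dst, n in out.items():
        p = (n + alpha / len(out)) / (total + alpha)
        lo, hi = EXPERT.get(src, {}).get(dst, (0.0, 1.0))
        row[dst] = min(max(p, lo), hi)
    row[src] = 1.0 - sum(row.values())
    assert row[src] >= 0.0, f"expert intervals for {src} over-allocate probability"
    return row

def build_transition_matrix():
    P = np.eye(len(STATES))  # identity rows make the goal states absorbing
    for s in TRANSIENT:
        row = estimate_row(s)
        P[IDX[s]] = [row.get(d, 0.0) for d in STATES]
    return P

def security_indicators(P, horizon, start="initial_access"):
    """Compromise probability within `horizon` steps, eventual C/I/A violation
    probabilities, and expected time (steps) to compromise from `start`."""
    t, i = len(TRANSIENT), IDX[start]
    Q, R = P[:t, :t], P[:t, t:]
    N = np.linalg.inv(np.eye(t) - Q)  # fundamental matrix: expected visits
    B = N @ R                         # eventual absorption probabilities
    within = np.linalg.matrix_power(P, horizon)[i, t:].sum()
    return {"p_compromise_within_horizon": float(within),
            "p_violation": dict(zip(ABSORBING, map(float, B[i]))),
            "expected_time_to_compromise": float(N[i].sum())}
```

Re-running security_indicators after editing COUNTS or EXPERT (for example, lowering the lateral_move edge to model tighter segmentation) compares defense scenarios in the way the abstract describes.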

Author Biographies

Nazym Zhumangaliyeva, Satbayev University

Postgraduate Student, Department of Software Engineering

Lazat Kydyralina, Shakarim University of Semey

PhD, Acting Associate Professor of the Department of Informatics

Guljanat Esenbekova, Temirbek Zhurgenov Kazakh National Academy of Arts

Candidate of Technical Sciences, Associate Professor of the Department of "Computer Technologies"

Dmytro Prokopovych-Tkachenko, University of Customs and Finance

PhD in Technical Sciences, Associate Professor

Head of the Department of Cybersecurity and Information Technologies, Senior Research Fellow, Institute of Information, Security and Law of the National Academy of Legal Sciences of Ukraine

Doctor of Science Candidate at the Department of Cybersecurity Systems and Technologies, State University of Telecommunications

Mykola Mormul, University of Customs and Finance

PhD in Technical Sciences, Associate Professor at the Department of Cybersecurity and Information Technologies

Published

2026-03-30

How to Cite

Zhumangaliyeva, N., Kydyralina, L., Esenbekova, G., Prokopovych-Tkachenko, D., & Mormul, M. (2026). DYNAMIC DETERMINATION OF INFORMATION SYSTEM SECURITY PARAMETERS BASED ON ATTACK GRAPHS AND MARKOV MODELS UNDER CONDITIONS OF UNCERTAINTY. Scientific Journal of Astana IT University, 25. https://doi.org/10.37943/25EXWB8090

Section

Information Technologies