Predictive Cyber-security Analytics Framework: A non-homogenous Markov model for Security Quantification

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original paper at its arXiv source.

Numerous security metrics have been proposed in the past for protecting computer networks. However, we still lack effective techniques to accurately measure the predictive security risk of an enterprise while taking into account the dynamic attributes of vulnerabilities, which can change over time. In this paper we present a stochastic security framework for obtaining quantitative measures of security using attack graphs. Our model is novel in that existing research in attack graph analysis does not consider the temporal aspects associated with vulnerabilities, such as the availability of exploits and patches, which can affect the overall network security depending on how the vulnerabilities are interconnected and leveraged to compromise the system. Gaining a better understanding of the relationship between vulnerabilities and their lifecycle events can give security practitioners a clearer picture of their state of security. In order to have a more realistic representation of how the security state of the network varies over time, a non-homogeneous model is developed which incorporates a time-dependent covariate, namely the vulnerability age. The daily transition-probability matrices are estimated using Frei's Vulnerability Lifecycle model. We also leverage the trusted CVSS metric domain to analyze how the total exploitability and impact measures evolve over a time period for a given network.


💡 Research Summary

The paper introduces a stochastic framework that quantifies the security posture of an enterprise network over time by integrating attack‑graph analysis with temporal vulnerability information. Traditional security metrics and static attack‑graph models ignore the fact that vulnerabilities evolve: exploits become publicly available, patches are released, and the likelihood of an attacker leveraging a particular weakness changes as the vulnerability ages. To address this gap, the authors construct a non‑homogeneous Markov chain whose transition probabilities are functions of both the structural connectivity of the attack graph and a time‑dependent covariate – the age of each vulnerability.

Each node in the graph represents a specific CVSS-scored vulnerability, and the edge set encodes feasible exploitation steps. The exploitability component of the CVSS score (e_i) is modulated by Frei's vulnerability-lifecycle function f(age_i) = 1 - exp(-λ·age_i), where λ is an empirically derived decay parameter. The resulting weight w_i(t) = e_i·f(age_i) captures how the probability of successful exploitation grows as an exploit matures and declines once a patch is applied. Daily transition matrices P(t) are assembled by multiplying the adjacency information with the current weights, yielding a time-varying stochastic process.

From the evolving state vector s(t)=s(0)·Π_{k=1}^{t}P(k), two aggregate security metrics are derived: (1) Total Exploitability (TE(t)), the sum of probabilities that any node becomes reachable by an attacker, and (2) Total Impact (TI(t)), the expected loss obtained by weighting each node’s CVSS impact score with its reachability probability. These metrics provide a continuous view of how the network’s risk profile rises or falls as vulnerabilities age, exploits appear, or patches are deployed.
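The model sketched in the two paragraphs above, as an added illustrative implementation (not the paper's own code): a toy attack graph, Frei-style lifecycle weights w_i(t) = e_i·f(age_i), a row-stochastic daily matrix P(t), and the TE(t)/TI(t) metrics read off the evolving state vector s(t). The graph, the CVSS values, the value of λ, the handling of patches (weight drops to zero at the patch date) and the exact normalisation of P(t) are all assumptions made for this example.

```python
import math

# Constructed toy attack graph (assumption, not the paper's data): node 0 is the
# attacker's entry point, nodes 1-3 are CVSS-scored vulnerabilities, and each
# edge is a feasible exploitation step. Node 3 (the target) has no outgoing edges.
EDGES = {0: [1, 2], 1: [3], 2: [3], 3: []}
# Per-node CVSS exploitability e_i and impact (both 0-10), disclosure day and
# patch day (None = never patched). All values are constructed for illustration.
VULNS = {
    1: {"e": 8.6, "impact": 6.4, "disclosed": 0, "patched": 60},
    2: {"e": 3.9, "impact": 9.2, "disclosed": 20, "patched": None},
    3: {"e": 10.0, "impact": 10.0, "disclosed": 0, "patched": None},
}
LAMBDA = 0.05  # lifecycle decay parameter lambda; assumed value, not from the paper

def lifecycle(age):
    """Frei-style maturity function f(age) = 1 - exp(-lambda * age); 0 before disclosure."""
    return 1.0 - math.exp(-LAMBDA * age) if age > 0 else 0.0

def weight(node, day):
    """w_i(t) = e_i * f(age_i); assumed to drop to zero once the node is patched."""
    v = VULNS[node]
    if v["patched"] is not None and day >= v["patched"]:
        return 0.0
    return (v["e"] / 10.0) * lifecycle(day - v["disclosed"])

def transition_matrix(day):
    """Row-stochastic P(t): follow edge i->j with probability w_j(t)/outdeg(i), else stay at i."""
    n = len(EDGES)
    P = [[0.0] * n for _ in range(n)]
    for i, succ in EDGES.items():
        for j in succ:
            P[i][j] = weight(j, day) / len(succ)
        P[i][i] = 1.0 - sum(P[i])  # self-loop absorbs the remaining mass
    return P

def simulate(days):
    """Evolve s(t) = s(0) * P(1) * ... * P(t) and return per-day TE(t) and TI(t) lists."""
    n = len(EDGES)
    s = [1.0] + [0.0] * (n - 1)  # attacker starts at the entry node with probability 1
    te, ti = [], []
    for day in range(1, days + 1):
        P = transition_matrix(day)
        s = [sum(s[i] * P[i][j] for i in range(n)) for j in range(n)]
        te.append(sum(s[j] for j in VULNS))  # TE(t): probability mass on vulnerable nodes
        ti.append(sum(s[j] * VULNS[j]["impact"] for j in VULNS))  # TI(t): impact-weighted
    return te, ti
```

Calling `simulate(90)` returns the two daily series; because node 1 is patched on day 60 in this toy data, its inbound transition probability vanishes from that day on, which is the patch effect the text describes.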

The authors validate the model on a real‑world corporate network containing 30 known vulnerabilities, simulating 180 days of operation. When patches are applied promptly, TE and TI drop sharply; when patching is delayed, the age‑dependent function drives the transition probabilities upward, producing a steep increase in both metrics. The simulated risk curves correlate strongly (r≈0.82) with actual incident logs, demonstrating the framework’s predictive capability.

Key contributions include: (a) the explicit incorporation of vulnerability lifecycle dynamics into attack‑graph analysis, (b) the use of established standards (CVSS and Frei’s model) to ensure interpretability, and (c) an efficient matrix‑based computation that scales to larger networks. Limitations are acknowledged: the λ parameter may vary across vulnerability classes and industries, the Markov assumption cannot capture sophisticated multi‑stage attacker strategies, and CVSS scores retain a degree of subjectivity.

Future work proposes Bayesian updating of λ from live data, integration of reinforcement‑learning attacker models to represent strategic behavior, and extension of the approach to cloud‑native and containerized environments where assets are highly dynamic. In conclusion, the non‑homogeneous Markov framework offers a practical, quantitative tool for security teams to prioritize patching, assess evolving risk, and make data‑driven decisions about defensive investments.

