Integrating Network and Attack Graphs for Service-Centric Impact Analysis
We present a novel methodology for modelling, visualising, and analysing cyber threats, attack paths, and their impact on user services in enterprise or infrastructure networks of digital devices and the services they provide. By using probabilistic methods to track the propagation of an attack through attack graphs, through the service or application layers, and across physical communication networks, our model lets us analyse cyber attacks at different levels of detail. Understanding how an attack propagates within a service among its microservices, and how it spreads between different services or application servers, could help detect and mitigate it early. We demonstrate that this network-based influence spreading modelling approach enables the evaluation of diverse attack scenarios and the development of protection and mitigation measures, taking into account the criticality of services from the user's perspective. This methodology could also aid security specialists and system administrators in making well-informed decisions regarding risk mitigation strategies.
💡 Research Summary
The paper introduces a novel methodology that integrates attack graphs with the underlying communication network graph to perform service-centric impact analysis of cyber attacks. Traditional attack-graph approaches focus on host-level vulnerabilities and do not explicitly consider the physical or logical network topology that an attacker must traverse. By merging the two graph structures, the authors create a unified probabilistic model that captures both the propagation of exploits across microservices and the connectivity constraints imposed by the network infrastructure.
The construction of the combined graph proceeds as follows: each attack state (node) in the attack graph is grouped with the network node that hosts the corresponding service, linked by an undirected edge of weight 1.0. Start and end states, representing the attacker’s initial foothold and final goal, are connected to the relevant network nodes with directed edges (start → network, network → end). This grouping allows the model to treat a set of attack states as a single “service node” while preserving the underlying network’s routing probabilities.
Probabilities are calculated in two layers. The network‑level probability pN(i,j) quantifies the chance that an attacker can move from service i to service j via any non‑intersecting path in the communication network. The authors adopt the Simple Contagion Algorithm (cited as
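The following added example (written for this summary, not code from the paper or its authors) shows the two steps above on a constructed toy network: it merges a small attack graph with a network graph exactly as described (attack states grouped with their hosting network node by an undirected edge of weight 1.0, a start node with a directed edge into the network, and a directed edge from the network to an end node), and it then estimates a network-level probability pN(i,j). The probability step is an assumed simplification, not the paper's Simple Contagion Algorithm: it enumerates simple paths between the two hosts, greedily keeps a set of edge-disjoint ("non-intersecting") paths, and treats them as independent alternatives, so pN = 1 - prod(1 - p_path). All host names, attack-state names and link probabilities are constructed sample values.

```python
"""Added example: combined attack/network graph and a network-level
reachability probability from edge-disjoint paths (assumed simplification)."""

# Constructed sample network: links between hosts and an assumed probability
# that an attacker can traverse each link (undirected).
NETWORK_LINKS = {
    ("web", "app"): 0.9,
    ("web", "db"): 0.3,
    ("app", "db"): 0.8,
    ("web", "fw"): 0.5,
    ("fw", "db"): 0.6,
}

# Constructed attack-graph states, each mapped to the host running the service.
ATTACK_STATES = {
    "s1_exploit_web": "web",
    "s2_escalate_app": "app",
    "s3_dump_db": "db",
}


def build_combined_graph(links, states, start_state, goal_state):
    """Merge the network graph and the attack graph into one adjacency map.

    Returns {node: {neighbour: weight}}; undirected edges are stored in both
    directions, directed edges (start -> network, network -> end) only once.
    """
    adj = {}

    def add(u, v, w, undirected):
        adj.setdefault(u, {})[v] = w
        adj.setdefault(v, {})
        if undirected:
            adj[v][u] = w

    for (u, v), p in links.items():
        add(u, v, p, True)                     # network link with traversal probability
    for state, host in states.items():
        add(state, host, 1.0, True)            # attack state grouped with its host, weight 1.0
    add("start", states[start_state], 1.0, False)   # attacker's initial foothold -> network
    add(states[goal_state], "end", 1.0, False)      # network -> attacker's final goal
    return adj


def simple_paths(links, src, dst):
    """Enumerate all simple paths src -> dst in the undirected network graph.

    Each result is (path_probability, [frozenset(edge), ...]).
    """
    nbrs = {}
    for (u, v), p in links.items():
        nbrs.setdefault(u, {})[v] = p
        nbrs.setdefault(v, {})[u] = p
    paths = []

    def dfs(node, visited, edges, prob):
        if node == dst:
            paths.append((prob, edges))
            return
        for nxt, p in nbrs.get(node, {}).items():
            if nxt not in visited:
                dfs(nxt, visited | {nxt}, edges + [frozenset((node, nxt))], prob * p)

    dfs(src, {src}, [], 1.0)
    return paths


def network_probability(links, src, dst):
    """Assumed simplification of pN(i,j): greedily pick edge-disjoint paths,
    strongest first, and combine them as independent alternatives."""
    used = set()
    p_fail = 1.0
    for prob, edges in sorted(simple_paths(links, src, dst), key=lambda t: -t[0]):
        if used.isdisjoint(edges):          # keep only paths sharing no link with chosen ones
            used.update(edges)
            p_fail *= 1.0 - prob
    return 1.0 - p_fail


if __name__ == "__main__":
    graph = build_combined_graph(NETWORK_LINKS, ATTACK_STATES, "s1_exploit_web", "s3_dump_db")
    for node, edges in graph.items():
        print(f"{node:16s} -> {edges}")
    print("pN(web, db) =", round(network_probability(NETWORK_LINKS, "web", "db"), 4))
```

On the sample network the three edge-disjoint paths web-app-db (0.72), web-db (0.30) and web-fw-db (0.30) give pN(web, db) = 1 - 0.28 * 0.7 * 0.7 = 0.8628. The greedy selection is a heuristic, so on larger graphs it may not find the maximum set of disjoint paths; it is meant to make the construction concrete, not to reproduce the paper's numbers.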