Dynamic Risk Assessment by Bayesian Attack Graphs and Process Mining

📅 2026-04-20

🤖 AI Summary
Traditional attack graphs struggle to dynamically assess the likelihood of known vulnerabilities being exploited and the risk of compromise at critical nodes. This work proposes a novel approach that integrates Bayesian attack graphs with process mining to enable real-time monitoring of network behavior for malicious traffic detection and dynamic updating of conditional probabilities associated with vulnerability exploitation. By incorporating process mining into the Bayesian attack graph framework for the first time, the method overcomes the limitations of static analysis. Evaluated in a test environment containing multiple CVE-listed vulnerabilities, the approach effectively identifies exploitation activities and significantly improves both the accuracy and timeliness of estimating the probability of system compromise.

📝 Abstract
While attack graphs are useful for identifying major cybersecurity threats affecting a system, they do not provide operational support for determining the likelihood of having a known vulnerability exploited, or that critical system nodes are likely to be compromised. In this paper, we perform dynamic risk assessment by combining Bayesian Attack Graphs (BAGs) and online monitoring of system behavior through process mining. Specifically, the proposed approach applies process mining techniques to characterize malicious network traffic and derive evidence regarding the probability of having a vulnerability actively exploited. This evidence is then provided to a BAG, which updates its conditional probability tables accordingly, enabling dynamic assessment of vulnerability exploitation. We apply our method to a cybersecurity testbed instantiating several machines deployed on different subnets and affected by several CVE vulnerabilities. The testbed is stimulated with both benign traffic and malicious behavior, which simulates network attack patterns aimed at exploiting the CVE vulnerabilities. The results indicate that our proposal effectively detects whether vulnerabilities are being actively exploited, allowing for an updated assessment of the probability of system compromise.
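
The update loop the abstract describes, as an added Python example that is not code from the paper. The topology, node names, probabilities, the noisy-OR form of the conditional probability tables and the rule that a monitored estimate replaces an edge probability are all assumptions made for illustration.

```python
from itertools import product

# Constructed BAG: node -> [(parent, p)], where p is the assumed probability that
# the vulnerability on that edge is exploited once the parent is compromised.
BAG = {
    "attacker": [],
    "web": [("attacker", 0.30)],
    "app": [("web", 0.40)],
    "vpn": [("attacker", 0.10)],
    "db": [("app", 0.50), ("vpn", 0.20)],   # critical node
}
ROOT_PRIOR = 1.0  # assumption: an attacker is present

def p_compromised(node, state, bag):
    """CPT row P(node = compromised | parents), built as a noisy-OR (assumption)."""
    if not bag[node]:
        return ROOT_PRIOR
    p_all_fail = 1.0
    for parent, p in bag[node]:
        if state[parent]:
            p_all_fail *= 1.0 - p
    return 1.0 - p_all_fail

def marginal(target, bag):
    """Exact P(target compromised), enumerating every joint state of the graph."""
    nodes = list(bag)
    total = 0.0
    for bits in product([False, True], repeat=len(nodes)):
        state = dict(zip(nodes, bits))
        if not state[target]:
            continue
        joint = 1.0
        for n in nodes:
            pt = p_compromised(n, state, bag)
            joint *= pt if state[n] else 1.0 - pt
        total += joint
    return total

def apply_evidence(bag, evidence):
    """Rebuild the CPT inputs: evidence maps (parent, child) -> monitored probability."""
    return {n: [(par, evidence.get((par, n), p)) for par, p in edges]
            for n, edges in bag.items()}

if __name__ == "__main__":
    print("static   P(db):", round(marginal("db", BAG), 4))
    # Constructed monitor output: exploitation of the web-facing flaw looks active.
    live = apply_evidence(BAG, {("attacker", "web"): 0.90})
    print("updated  P(db):", round(marginal("db", live), 4))
```

Enumeration is exponential in the number of nodes, so it only suits small graphs like this one.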

Problem

Research questions and friction points this paper is trying to address.

Dynamic Risk Assessment
Bayesian Attack Graphs
Process Mining
Vulnerability Exploitation
Cybersecurity

Innovation

Methods, ideas, or system contributions that make the work stand out.

Bayesian Attack Graphs
Process Mining
Dynamic Risk Assessment
Vulnerability Exploitation
Cybersecurity Monitoring