Papers
Topics
Authors
Recent
Search
2000 character limit reached

A Queueing-Theoretic Framework for Dynamic Attack Surfaces: Data-Integrated Risk Analysis and Adaptive Defense

Published 12 Apr 2026 in cs.CR, cs.AI, cs.LG, eess.SY, and math.OC | (2604.10427v2)

Abstract: We develop a queueing-theoretic framework to model the temporal evolution of cyber-attack surfaces, where the number of active vulnerabilities is represented as the backlog of a queue. Vulnerabilities arrive as they are discovered or created, and leave the system when they are patched or successfully exploited. Building on this model, we study how automation affects attack and defense dynamics by introducing an AI amplification factor that scales arrival, exploit, and patching rates. Our analysis shows that even symmetric automation can increase the rate of successful exploits. We validate the model using vulnerability data collected from an open source software supply chain and show that it closely matches real-world attack surface dynamics. Empirical results reveal heavy-tailed patching times, which we prove induce long-range dependence in vulnerability backlog and help explain persistent cyber risk. Utilizing our queueing abstraction for the attack surface, we develop a systematic approach for cyber risk mitigation. We formulate the dynamic defense problem as a constrained Markov decision process with resource-budget and switching-cost constraints, and develop a reinforcement learning (RL) algorithm that achieves provably near-optimal regret. Numerical experiments validate the approach and demonstrate that our adaptive RL-based defense policies significantly reduce successful exploits and mitigate heavy-tail queue events. Using trace-driven experiments on the ARVO dataset, we show that the proposed RL-based defense policy reduces the average number of active vulnerabilities in a software supply chain by over 90% compared to existing defense practices, without increasing the overall maintenance budget. Our results allow defenders to quantify cumulative exposure risk under long-range dependent attack dynamics and to design adaptive defense strategies with provable efficiency.

Summary

  • The paper introduces a queueing-theoretic model that rigorously captures the dynamic backlog of vulnerabilities and nonstationary patching processes in cyber systems.
  • It demonstrates that both symmetric and asymmetric AI acceleration can trigger superlinear increases in exploit rates and abrupt phase transitions in attack surface exposure.
  • The reinforcement learning-based adaptive defense significantly reduces mean and tail vulnerability counts, validated empirically using ARVO data.

A Queueing-Theoretic Framework for Dynamic Attack Surfaces: Data-Integrated Risk Analysis and Adaptive Defense

Overview of Contributions

This work systematically formalizes the temporal evolution of cyber-attack surfaces using a queueing-theoretic approach, embedding both theoretical and empirical rigor throughout. The attack surface is rigorously modeled as the instantaneous backlog of a stochastic service system, where vulnerabilities dynamically arrive and depart via patching or exploitation. The paper seamlessly couples this formulation with empirical calibration using operational data from real software supply-chain events and introduces a reinforcement learning (RL) methodology for adaptive defense resource allocation under budget and switching constraints. The core results expose essential nonlinearities in cyber-risk, highlight the emergence of long-range dependence (LRD) inherent in vulnerability management, and quantify the operational consequences of symmetric and asymmetric AI-accelerated cyber activities. Figure 1

Figure 1: The attack surface is abstracted as a queue subject to arrivals (vulnerabilities) and departures (patching, exploitation), supporting both theoretical analysis and empirical integration.

Dynamic Attack Surface Model

The attack surface is modeled as a dynamic queue N(t)N(t), where arrivals correspond to vulnerability disclosures (or creations) and departures represent successful patching or exploitation. The race condition for each vulnerability is between defensive (DdD_d) and offensive (DlD_l) action times, with removal dictated by the minimum. The model incorporates both defense concurrency limitations through mm servers and a global resource constraint bb on total patching rate. This abstraction generalizes to G/G/mG/G/mbb queueing systems, moving beyond simplistic memoryless models and accurately representing burstiness and heavy-tailed persistence found in real vulnerability data.

A critical aspect of the queueing abstraction is the explicit coupling between attack surface growth and defense throughput: as N(t)N(t) increases, patching resources are diluted, and the field of exposure for attackers scales up. The defense process is nontrivially resource-limited, and both arrival and service processes are empirically shown to be nonstationary, bursty, and heavy-tailed.

Impact of Automation and AI

The model integrates an AI amplification factor capable of scaling arrival, patching, and exploit rates. Notably, the analysis demonstrates that even symmetric AI augmentation of both offense and defense can yield superlinear increases in successful exploit rates, due to accelerated event dynamics and nonlinear backlog feedbacks. Figure 2

Figure 2: Steady-state normalized attack surface size shifts sharply with lower normalized defense rates, highlighting abrupt phase transitions in exposure.

Figure 3

Figure 3: Asymmetric AI acceleration, favoring attackers, results in pronounced rightward shifts in the attack surface distribution, significantly increasing exposure risk.

The empirical and analytical findings underscore that simple rate-matching in AI adoption (i.e., “arms race” parity) does not neutralize escalation in exploit events—operational risk increases as a function of both the frequency and the rate of vulnerability exposure.

Empirical Validation: Heavy-Tailed Temporal Risk

Using the ARVO dataset—comprising over 4,000 event-level open-source vulnerabilities—the paper validates the theoretical constructs and calibrates system parameters strictly from operational evidence. Event arrivals, patching, and exploit durations are shown to be extremely heavy-tailed with decay exponents u(2,3)u\in (2,3). The segmentation procedure (via GMM and KL-divergence analysis) extracts quasi-stationary regimes from nonstationary empirical traces, then fits G/G/mG/G/mDdD_d0 queue models within each segment, achieving KL divergence to empirical data as low as 0.11, commensurate with nonparametric bootstraps. Figure 4

Figure 4: The reconstructed queue length DdD_d1 from ARVO data exhibits bursty increases and persistent slow declines, confirming heavy-tailed, nonstationary backlog.

Figure 5

Figure 5: KL divergence sharply decreases as more Gaussian mixture components are allowed, with diminishing returns after roughly ten, justifying model segmentation.

Heavy-tailed patching times induce long-range dependence (LRD) in queue occupancy, ensuring that correlations in exposure decay polynomially, not exponentially—formally established in the paper and reconcilable with established LRD theory for DdD_d2 systems. Figure 6

Figure 6: Empirical and parametric fits for inter-arrival (IA) and service time (ST) distributions confirm heavy-tailed behavior and model fidelity in representative ARVO segments.

Figure 7

Figure 7: Segmented DdD_d3–DdD_d4 model and nonparametric fits closely match the empirical QLD, validating the queueing abstraction across regimes.

Adaptive Defense via Reinforcement Learning

Adaptive defense resource allocation is cast as a constrained Markov decision process. The paper introduces an RL algorithm that:

  • Simultaneously handles budget (DdD_d5) and switching-cost constraints, penalizing the amount of defense policy change (not just frequency).
  • Establishes a nontrivial regret upper bound—DdD_d6—against a clairvoyant oracle, with logarithmic switching overhead.
  • Maintains near-optimal policy performance under both stochastic and adversarial arrival regimes. Figure 8

    Figure 8: RL-based defense significantly outperforms fixed allocation, reducing successful exploit rates (stochastic arrivals).

    Figure 9

    Figure 9: RL's performance gain persists and is robust even under adversarial arrival bursts.

    Figure 10

    Figure 10: Empirically, RL policy reduces and stabilizes active vulnerability queue length versus baseline practice, using the ARVO trace.

    Figure 11

    Figure 11: RL reallocation under identical aggregate budget achieves large reductions in queue backlog: mean and variance of queue size are lower by more than 45%.

Empirically, the adaptive RL-based policy reduces the average attack surface in the ARVO trace by over 90% under the same budget, a result that stands in sharp contrast to static baseline strategies. Importantly, RL achieves dramatic reductions not only in mean occupancy but also in the upper tails (95th, 99th percentiles), thereby mitigating the risk of catastrophic backlog events.

Implications and Future Work

The queueing-theoretic framework exposes nonlinear, persistent, and bursty characteristics of vulnerability dynamics overlooked in static or snapshot models of cyber risk. The findings show that heavy-tailed patching times generate persistent system-wide risk through LRD, invalidating short-memory risk estimation approaches. The practical implication is that adaptation and intelligent, state-contingent resource allocation—not just increased total resources—are necessary for meaningful risk mitigation.

Furthermore, symmetric AI arms races in automation amplify overall event rates without reducing exposure, and even modest asymmetry can sharply escalate exploit outcomes. This necessitates not only adoption but also strategic prioritization and timing in defensive automation.

Future directions include generalization to:

  • Multi-queue (multi-component or federated systems) dynamics with interdependent backlogs,
  • Explicit modeling of vulnerability heterogeneity and impact-weighted prioritization,
  • Multi-agent RL or collaborative defense for federated ecosystems,
  • Enhanced empirical calibration through more granular, sector-specific event datasets.

Conclusion

By bridging queueing theory, empirical cyber event data, and advanced RL, this paper advances the quantitative modeling of dynamic cyber-attack surfaces. It rigorously demonstrates that defense efficacy is a complex function of temporal resource allocation, empirical workload calibration, and nonstationary risk dynamics—exposing key levers for both operational and policy-level improvement in cyber risk mitigation.

Reference: "A Queueing-Theoretic Framework for Dynamic Attack Surfaces: Data-Integrated Risk Analysis and Adaptive Defense" (2604.10427)

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.