Bayesian Attack Graphs
- Bayesian Attack Graphs are probabilistic models structured as directed acyclic graphs that quantify risk by integrating vulnerabilities and network topology via Bayesian inference.
- They utilize conditional probability tables with AND/OR semantics to update compromise probabilities based on evidence from IDS alerts, SIEM systems, and forensic data.
- They support both static and dynamic analysis methods, employing techniques like Junction Tree and loopy belief propagation for scalable risk assessment.
Bayesian Attack Graphs (BAGs) are a fusion of attack graphs with Bayesian network inference over a directed acyclic graph (DAG), used to model how an attacker can progress through a network by exploiting vulnerabilities and satisfying preconditions to reach security states such as privileges or asset compromise. They provide quantitative, evidence-driven analysis under uncertainty, enabling static analysis of compromise risk at rest and dynamic analysis that updates posterior probabilities when new observations such as IDS alerts, SIEM evidence, forensic findings, or process-monitoring signals arrive (Muñoz-González et al., 2016, Kordy et al., 2013).
1. Formal definition and graph structure
A logical attack graph is commonly expressed as a directed bipartite DAG , where are security conditions, are exploits or vulnerabilities, encodes preconditions, and encodes postconditions. BAGs turn these conditions into random variables and impose Bayesian-network semantics on the resulting structure. A more explicit formulation defines a BAG as the tuple , where are nodes representing security conditions or privilege levels on specific hosts, are directed exploit transitions between security conditions, are the vulnerabilities affecting devices, and is the exploitation probability associated to each vulnerability (Muñoz-González et al., 2015, Vitale et al., 20 Apr 2026).
In the Bayesian-network view, each node is a binary random variable indicating whether the corresponding security condition is achieved. In one formulation, each node 0 is a Bernoulli variable with domain 1; in another, 2 with 3 meaning compromised or achieved. Directed edges encode causal dependencies induced by exploits, connectivity, credentials, or prior footholds. The joint distribution factorizes in the standard way:
4
A common modeling convention is to introduce a special initial node 5 denoting the attacker’s own machine and clamp it to 6 (Muñoz-González et al., 2016).
BAGs are acyclic by construction. This is a substantive modeling constraint rather than a superficial presentation choice. Attack graphs can contain cycles, but BAGs remove cycles to obtain an acyclic structure amenable to Bayesian inference. The survey literature cites the monotonicity constraint and procedures by Wang et al. as cycle-removal strategies; related exact-inference work also recommends splitting an initial attacker state into one node per entry path when this reduces unnecessary loops and inference complexity (Kordy et al., 2013).
Within the survey taxonomy of DAG-based security models, BAGs are classified as Attack-focused, Sequential, with Specific quantification, and with Main purpose Risk. Their listed characteristics are Structure DAG, Connectors AND/OR with conditional probabilities, and Formalization Formal (Kordy et al., 2013).
| Aspect | Survey classification |
|---|---|
| Modeling capability | Attack-focused; Sequential; Specific quantification; Main purpose Risk |
| Structural characterization | Structure DAG; Connectors AND/OR with conditional probabilities; Formalization Formal |
| Maturity/usability | Tool availability Commercial; Case study Toy; External use Independent; Paper count 10; Year 2005 |
This placement is important because it distinguishes BAGs from qualitative attack trees and from purely reachability-based attack graphs. A BAG is not merely a graph of possible paths; it is a probabilistic causal model over those paths.
2. Probabilistic semantics and CPT design
The central modeling task in a BAG is the construction of conditional probability tables (CPTs) or equivalent local conditional distributions. BAGs typically use AND or OR semantics to encode whether a child state requires all parent preconditions or only one of several alternative exploit paths. In the survey literature, Frigault et al. assign CPTs and estimate them from CVSS scores, Liu and Man assign edge probabilities, and Poolsappasit et al. use local conditional probability distributions and augment the graph with hardening or defense nodes (Kordy et al., 2013).
A standard BAG construction parameterizes CPTs with exploit success probabilities 7 associated with vulnerabilities on incoming edges. These are estimated from CVSS, typically the exploitability subscore scaled to 8. To account for imperfect alerts or observations with error rate 9, one formulation gives the following CPTs for a child 0 with parents 1 (Muñoz-González et al., 2016):
For an AND gate,
2
For an OR gate using noisy-OR semantics,
3
Closely related exact-inference work states the same logical content in a more compact form: for AND-type conditions the child probability is zero if any prerequisite is false and otherwise equals the product of the relevant exploit probabilities, while for OR-type conditions the canonical noisy-OR is
4
Here 5 is often set to the exploit success probability for parent path 6 (Muñoz-González et al., 2015).
Observation noise can also be modeled by adding an explicit observation node 7 with 8 specified by detection and false-alarm rates. This separates attack-progression semantics from sensing semantics and supports hard evidence, soft evidence, or likelihood potentials during dynamic inference (Muñoz-González et al., 2016).
Several assumptions recur across the literature. Exploit success probabilities are often treated as independent across vulnerabilities and roughly constant over days or weeks; if these change, one recommendation is to rebuild the model rather than introduce temporal dynamics into a static BAG. Probabilities are typically attacker-agnostic unless an external attacker model is available. Network topology, reachability, and the vulnerability set are often assumed fixed during dynamic inference; patching can be represented by setting 9, while adding hosts or vulnerabilities requires regeneration of the attack graph (Muñoz-González et al., 2016).
These choices make BAGs technically tractable, but they also delimit what the model claims to represent. A BAG is only as faithful as its CPTs, its attack graph, and the causal assumptions encoded in its parent sets.
3. Static and dynamic inference
BAG analysis is usually divided into static and dynamic modes. Static analysis computes unconditional marginals 0, used as risk estimates of compromise at rest:
1
Dynamic analysis incorporates evidence 2 and computes posteriors
3
In practice, hard evidence is often represented by clamping nodes to 4, while soft evidence can be represented through observation nodes or explicit likelihood factors (Muñoz-González et al., 2016).
Exact inference methods for BAGs include Variable Elimination (VE) and Junction Tree (JT) inference with belief propagation. The broader Bayesian-networks-for-security literature also highlights variable elimination, bucket elimination, importance sampling, the bucket tree algorithm, and the Lauritzen–Spiegelhalter algorithm. The attraction of JT for BAGs is that it amortizes computation across all marginals and supports fast re-computation when new evidence arrives (Muñoz-González et al., 2015, Kordy et al., 2013).
The structural parameter governing exact inference is treewidth. In standard asymptotic form, exact inference runs in time and memory 5, where 6 is the treewidth; for binary BAGs this means the largest clique or intermediate factor dominates the blow-up. This is why clustered or modular topologies with bounded in-degree are much more tractable than dense graphs. In experiments on synthetic BAGs, JT was orders of magnitude faster than VE, and dynamic JT was nearly linear and faster on clustered BAGs once the clique tree existed (Muñoz-González et al., 2015).
Dynamic inference also raises a methodological issue: which posterior summary should be used for operational risk assessment. Exact-inference work explicitly cautions against maximum posterior explanation or most probable explanation for BAG risk assessment, noting that in the worked example MPE yields implausible “everything compromised” explanations. Marginals and posteriors over relevant nodes are advocated instead (Muñoz-González et al., 2015).
Evidence can be integrated at different abstraction levels. In conventional BAGs, alerts from IDS or SIEM tools are mapped to node states and absorbed as hard or soft evidence. The survey literature emphasizes that posterior updating is one of the principal reasons to use Bayesian networks rather than bottom-up attack-tree operators. This supports queries such as the posterior probability that a target host is compromised, the posterior probability of intermediate footholds, and the relative likelihood of competing attack paths (Kordy et al., 2013).
The distinction between static and dynamic BAG analysis is therefore not merely temporal. Static analysis answers “what is the network risk posture at rest,” whereas dynamic analysis answers “how should the risk posture be updated, conditioned on observed evidence.”
4. Scalability, approximate inference, and cyclic BAGs
Exact Bayesian inference does not scale well on large or dense attack graphs, which motivates approximate methods. One influential approach maps the BAG factorization to a factor graph and applies Loopy Belief Propagation (LBP). With variable-to-factor messages
7
factor-to-variable messages
8
and beliefs
9
LBP yields exact marginals on trees or polytrees and approximate marginals on loopy graphs (Muñoz-González et al., 2016).
Initialization and scheduling materially affect numerical behavior. One reported setup initializes 0, initializes factor-to-variable messages by summing out other variables, uses convergence tolerance 1, sets 2, and optionally applies damping
3
with 4, where 5 is recommended for stability on loopy graphs (Muñoz-González et al., 2016).
Empirical results make the computational trade-off explicit. On pseudo-random BAGs with 40 nodes and 6, LBP achieved RMSE typically 7; on clustered BAGs with 8 nodes and 9, RMSE was 0. On 100-node pseudo-random graphs, LBP typically converged in 1 iterations, and after 5 iterations RMSE was approximately 2. For 3000-node BAGs, LBP static or dynamic runs required approximately 60 seconds on a standard laptop, whereas exact JT on a 16 GB machine was limited to 3 nodes for 4 and 5 for 6 due to memory limits (Muñoz-González et al., 2016).
A distinct line of work addresses a more fundamental problem: automatically generated BAGs often contain cycles, which make it impossible to use Bayesian network theory directly. “Cyclic Bayesian Attack Graphs: A Systematic Computational Approach” introduces an interpretation of BAGs based on combinational logic circuits, proves monotonicity and finite-time convergence of the associated Boolean dynamics, and gives an algorithm that computes state probabilities without altering the attack graphs. The algorithm “deals seamlessly with all cycles without the need to identify their types,” scales to graphs with 15000 nodes, and on realistic graphs with 1053, 2234, and 2341 nodes reported mean runtimes of about 3 s, 11 s, and 12 s respectively (Matthews et al., 2020).
Stochastic simulation provides another computational regime. “Stochastic Simulation Techniques for Inference and Sensitivity Analysis of Bayesian Attack Graphs” compares Probabilistic Logic Sampling, Likelihood Weighting, and Backward Simulation for dynamic evidence and concludes that likelihood weighting is most efficient for most uses. The same work also gives a practical sensitivity measure
7
computed with two inference runs per leaf node (Matthews et al., 2021).
| Approach | Setting | Reported properties |
|---|---|---|
| Junction Tree / Variable Elimination | Acyclic BAGs, exact inference | JT is orders of magnitude faster than VE; dynamic JT nearly linear on clustered BAGs once the clique tree exists (Muñoz-González et al., 2015) |
| Loopy Belief Propagation | Large loopy factor graphs from BAGs | Linear scaling with node count; RMSE 8 on 40-node pseudo-random graphs and 9 on 0-node clustered graphs; 3000-node runs in approximately 60 s (Muñoz-González et al., 2016) |
| Cyclic BAG algorithm | Cyclic BAGs | Computes state probabilities without altering the attack graphs; handles all cycles; scales to 15000 nodes (Matthews et al., 2020) |
| Likelihood Weighting | Dynamic evidence, large BAGs | Most efficient for most uses (Matthews et al., 2021) |
A plausible implication is that “Bayesian Attack Graph” now names a family of inference regimes rather than a single algorithmic stack. Exact JT, approximate LBP, stochastic simulation, and cyclic-graph procedures are all BAG analyses, but they apply under different structural and operational constraints.
5. Dynamic and domain-specific extensions
One extension aimed directly at dynamic risk assessment is the Bayesian Attack Model (BAM). BAM is a Bayesian-network-based extension to topological attack graphs that handles topological cycles by constructing, for each possible source asset, a Bayesian Attack Tree whose topological nodes are path-qualified states such as 1. The model introduces Bayesian topological nodes, Bayesian attack-step nodes, Bayesian condition nodes, and Bayesian sensor nodes, with sensor CPTs parameterized by false-positive and false-negative rates. A topological node uses a noisy-OR with leak 2 probabilityUnknownAttack, and an attack-step node succeeds only if its source is compromised and all conditions succeed, modulated by 3 probabilityNewAttackStep. Across all BATs, per-asset compromise probability is consolidated by taking the maximum probability over path-qualified nodes ending at that physical asset. On simulated topologies with up to 70 hosts and approximately 2000 vulnerabilities, generating BAM and running inference after a 7-step scenario completed in under approximately 90 seconds on a laptop-class machine (François-Xavier et al., 2016).
Another direction injects richer behavioral evidence into BAGs. “Dynamic Risk Assessment by Bayesian Attack Graphs and Process Mining” updates BAG CPTs online using process-mining evidence derived from packet-level event logs. Offline attack replay yields alignment distributions for each vulnerability, online traffic is converted into event logs and diagnosed against learned process models, and cosine similarity
4
is used to refresh edge CPTs, with
5
In the reported testbed, the posterior probability of terminal node 6 increased along one attack path from 7 under benign traffic to 8 upon confirmed exploitation (Vitale et al., 20 Apr 2026).
Recent cyber-physical-systems work uses BAG ideas in a different operational regime. “Active Bayesian Inference for Robust Control under Sensor False Data Injection Attacks” builds a Bayesian Attack Graph around a perception pipeline represented as a bipartite graph 9, with sensor-compromise variables 0, soft-measurement compromise variables 1, and alert variables 2. The model uses exact probabilistic inference by summing over 3 for small sensor sets, a simplified POMDP to justify a threshold-based probing policy, active probing to increase the KL divergence between competing hypotheses, and selective disabling of compromised sensors with EKF-based state estimation. The paper notes that for larger perception graphs, factor-graph message passing and approximate inference such as loopy belief propagation may be needed (Andersson et al., 13 Apr 2026).
A further development, the Dynamic Causal Attack Graph (DCAG), instantiates BAG-like reasoning for temporally dynamic cyber-physical systems by adding weighted causal intensities 4, conditional attack event parameters 5, logic gateways, and time-indexed self-propagation terms. The core update equations are
6
and
7
In the CTCS-3 case study, central subsystem nodes accumulate risk faster than trackside nodes, and considering functional safety of CBI reduces long-term risk (Zhang, 30 Sep 2025).
These extensions preserve the central BAG idea—latent attack states driving observable evidence—but broaden the evidential substrate from IDS alerts to process traces, perception-pipeline anomalies, and time-indexed causal propagation.
6. Relations to adjacent models, strengths, and limitations
BAGs are often confused with attack trees or with deterministic attack graphs, but the distinctions are explicit in the literature. Attack trees are AND–OR trees that decompose an attacker’s goal into subgoals and basic actions; they are typically static and often assume independence of leaves. BAGs replace fixed gate semantics with CPTs over a DAG, enabling probabilistic inference under conditional dependencies, handling sequential or causal dependencies, and supporting posterior updating when evidence arrives. By contrast, classical attack graphs model system states and transitions but do not, by themselves, provide the probabilistic semantics of Bayesian inference (Kordy et al., 2013).
The same survey situates BAGs relative to defense-oriented models. Defense trees, protection trees, and attack–defense trees add defenses in tree formalisms; Bayesian Defense Graphs integrate countermeasures more systematically through chance, decision, and utility nodes; BDMPs target time-to-success and detection or reaction with Markov processes and ordered gates. Static BAGs generally do not attach explicit Markov timing unless extended to dynamic Bayesian networks, BAM-style constructions, or DCAG-like temporal models (Kordy et al., 2013, Zhang, 30 Sep 2025).
The principal strengths repeatedly identified are quantitative, evidence-driven analysis under uncertainty, efficient DAG inference when structure is favorable, integration of vulnerability scoring such as CVSS, support for what-if defense optimization, and the ability to rank compromise probabilities of target and intermediate nodes under observed evidence (Kordy et al., 2013). The worked examples reinforce this point. In one small BAG, exact JT gave 8 and LBP estimated 9; after clamping 0, LBP became exact because the graph split into trees; setting 1 on one high-impact edge to zero reduced 2 from 3 to 4 (Muñoz-González et al., 2016).
The limitations are equally explicit. Cycle handling is intrinsic and can be intricate; standard BN inference requires acyclicity, while real attack graphs often contain cycles. Parameter estimation is difficult: CVSS-based 5 values are rough proxies for exploit success, and mis-specification affects absolute probabilities. Naive independence assumptions inherited from tree models can mislead. Static BAGs do not capture explicit timing without DBNs or other temporal extensions. Exact methods are bounded by treewidth and can become memory-bound. LBP is not guaranteed to converge, and when it converges its beliefs can still be biased, especially with strong loops and highly noisy CPTs. One paper also notes that experiments used synthetic BAGs due to lack of public real attack graphs (Muñoz-González et al., 2015, Muñoz-González et al., 2016).
Several research gaps are stated directly in the survey literature: automatic model construction from attack patterns or templates, bridging theory and industry, standardization of node labels, and agent-oriented views. A plausible implication is that the BAG literature has matured from a single formalism into a broader methodology: attack-graph structure supplies causal reachability, Bayesian inference supplies uncertainty quantification and posterior updating, and the remaining open problems concern model construction, parameter fidelity, temporal realism, and adversarial adaptation (Kordy et al., 2013, Ramiah et al., 2024).