MODELING CYBERATTACK SCENARIOS AS A MARKOV DECISION PROCESS WITH A SEMANTICALLY CONSTRAINED ACTION SPACE
DOI: https://doi.org/10.28925/2663-4023.2026.33.1232

Keywords:
Markov process; decision-making; cybersecurity; threat; attack; reinforcement learning; neural network; modeling; machine learning; artificial intelligence

Abstract
A formal model for representing cyberattack scenarios as a Markov decision process (MDP) is proposed. Unlike static attack graphs, the model explicitly defines how the system state changes in response to executed attack steps, and it forms the set of admissible actions from the semantic dependencies between steps, in particular AND-type and OR-type dependencies. The proposed approach provides a temporal interpretation of scenarios through the time-to-compromise (TTC) metric and allows describing both simple and complex multi-step compromise trajectories. The model combines a dynamic MDP representation with an invariant graph representation of states, constructed using graph neural network mechanisms. The experimental study was conducted on a set of stochastically generated MAL graphs aligned with open attack models and web datasets and includes a comparison with baseline graph-based methods and reinforcement learning methods without semantic constraints. The obtained results show that the proposed approach substantially reduces the average time to compromise and decreases the variance of results, which indicates improved learning stability. It is demonstrated that the introduction of a semantically constrained action set eliminates irrelevant transitions and significantly increases the share of successful compromise scenarios. The greatest gain is observed on deep multi-step attack trajectories dominated by AND dependencies, where the semantic structure of the graph has a decisive impact on the space of available decisions. The practical significance lies in the possibility of applying the model for quantitative evaluation of cyberattack scenarios, ranking of compromise trajectories and decision support, as well as integration into automated penetration testing systems and cyber training ranges.
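As an added illustration (not the paper's code), the toy Python model below shows the semantically constrained MDP the abstract describes: AND/OR preconditions mask the admissible actions, a transition adds the executed step to the compromised set, and the TTC of a trajectory is the sum of per-step TTC values; min_ttc then finds the fastest admissible trajectory by Dijkstra search over compromised-set states, which an analyst can use to rank compromise paths. The attack graph, step names and TTC values are constructed for the example and are not from the paper.

```python
import heapq
from dataclasses import dataclass

@dataclass(frozen=True)
class Step:
    name: str
    kind: str           # "OR": any one parent suffices; "AND": every parent is required
    parents: frozenset  # attack steps that must already be compromised
    ttc: float          # time-to-compromise of this single step (constructed value)

# Constructed toy attack graph in the MAL AND/OR style; not taken from the paper.
GRAPH = {s.name: s for s in [
    Step("entry", "OR", frozenset(), 0.0),
    Step("a", "OR", frozenset({"entry"}), 2.0),
    Step("b", "OR", frozenset({"entry"}), 3.0),
    Step("c", "AND", frozenset({"a", "b"}), 1.0),   # needs both a and b
    Step("d", "OR", frozenset({"a"}), 5.0),
    Step("goal", "AND", frozenset({"c", "d"}), 1.0),
]}

def admissible_actions(state, graph=GRAPH):
    """Semantic action mask: uncompromised steps whose AND/OR precondition holds in `state`."""
    def ready(s):  # entry steps have no parents and are always ready
        return not s.parents or (s.parents <= state if s.kind == "AND" else bool(s.parents & state))
    return {n for n, s in graph.items() if n not in state and ready(s)}

def trajectory_ttc(actions, graph=GRAPH):
    """Total TTC of an explicit trajectory; raises if a step violates its AND/OR precondition."""
    state, total = frozenset(), 0.0
    for a in actions:
        if a not in admissible_actions(state, graph):
            raise ValueError(f"step {a!r} is not admissible in state {sorted(state)}")
        state, total = state | {a}, total + graph[a].ttc   # MDP transition and its cost
    return total, state

def min_ttc(goal, graph=GRAPH):
    """Fastest admissible trajectory to `goal`: Dijkstra over compromised-set states."""
    dist, pq, tie = {frozenset(): 0.0}, [(0.0, 0, frozenset())], 0  # tie-breaker: frozensets are unorderable
    while pq:
        d, _, s = heapq.heappop(pq)
        if goal in s:
            return d
        if d > dist[s]:
            continue  # stale heap entry
        for a in admissible_actions(s, graph):
            ns, nd = s | {a}, d + graph[a].ttc
            if nd < dist.get(ns, float("inf")):
                tie, dist[ns] = tie + 1, nd
                heapq.heappush(pq, (nd, tie, ns))
    return float("inf")
```

An unconstrained agent would also be offered "c" from the state {entry, a}; the mask removes that transition because "c" is an AND step whose parent "b" is not yet compromised.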
Copyright (c) 2026 Андрій Притула, Леонід Куперштейн

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.