The article proposes an approach to modeling and ranking scenarios of destructive cyberattacks on corporate information and communication systems, based on the proposed iterative MRRW-PageRank algorithm. Unlike methods that rely on expert assessments or large language models to determine transition probabilities between network nodes, the proposed method utilizes only the structural topology of the network. The algorithm establishes interdependence between node importance (e.g., database servers) and the weights of links leading to them, simulating an adversary's strategy aimed at reaching critical resources via the most probable paths. Using a typical corporate network as a case study, the method's effectiveness is demonstrated in identifying critical intrusion paths and ranking attack scenarios by risk. This approach is particularly relevant during network design phases or initial security audits, when empirical data on vulnerabilities or incidents are unavailable.
Cyber risk analysis in corporate information and communication systems (ICS) remains one of the most pressing challenges in modern cybersecurity, particularly during network design phases, topological audits, or initial security assessments when empirical data on vulnerabilities, incident history, or access policies are unavailable. Under such conditions, the only accessible source of information is the network structure itself—the topology of interconnections among its components. This creates a need for methods capable of objectively, deterministically, and reproducibly evaluating potential attacker pathways based solely on system architecture.
Among existing approaches to attack scenario modeling, logic-probabilistic models are widely
used, formalizing hazardous system states through Boolean functions and probabilities of
individual node compromise [
On the other hand, node centrality analysis methods—particularly PageRank and its variants—
have long been employed to identify critical components in networks [
Reinforced Risk-Weighted PageRank) [
This paper introduces a novel approach to penetration scenario assessment that integrates
attack modeling (as in [
Thus, the objective of this work is to bridge the gap between logic-probabilistic modeling of penetration scenarios and the need for an objective, structure-based method to determine model parameters in situations where empirical data are unavailable.
To demonstrate the effectiveness of the proposed approach to evaluating penetration scenarios, we employ a model topology of a corporate information and communication system (ICS) that reflects the typical architecture of a medium-sized enterprise. This model comprises 12 key components covering the main categories of assets: external interface, switching core, servers of various purposes, administrator and user workstations, as well as auxiliary security and data storage systems.
The network is represented as a directed graph G = (V, E) , where the set of vertices V corresponds to the functional components of the ICS, and the set of directed edges E ⊆ V×V represents possible directed connections (e.g., network access, service invocation, authentication). Each edge (i, j) ∈ E indicates the possibility of transitioning from resource i to resource j – for instance, via network access, service call, or authentication. This formalization enables the representation of potential attacker movement paths as sequences of transitions between graph nodes.
The model includes the following nodes (see Tab. 1, Fig. 1).
The connections between nodes are established based on realistic interaction scenarios within a corporate network:
External traffic flows through FW → Router → SwC, reflecting a typical perimeter security architecture.
The web server (SW) is located in the DMZ, connected to SwC, and has outgoing links to SDB and SAD for data retrieval.
The Active Directory server (SAD) serves as the central component: it initiates connections to all workstations (WU1, WU2, WA) for authentication and management; it maintains a connection to NAS (to provide storage access); it initiates event transmission to SIEM; it initiates a reverse connection to SwC (e.g., for synchronization or monitoring). The administrator workstation (WA) has outgoing links to SDB, SAD, NAS, and SwC, reflecting its elevated privileges.
User workstations (WU1, WU2) are connected to NAS and SAD, and also connect via WAP. The wireless access point (WAP) initiates connections to WU1 and WU2 (as an access point).
SIEM does not initiate any connections—it only receives events (a passive node).
SDB has no outgoing links—it serves as an endpoint (the target of an attack).
In total, the graph defines 26 directed connections, representing both legitimate communication paths and potential attack vectors (e.g., using the web server or the administrator workstation as an initial entry point for further movement toward SDB).
In total, the graph defines 26 directed connections, representing both legitimate communication paths and potential attack vectors (e.g., leveraging the web server as an initial entry point for lateral movement toward SAD or SDB).
This topology enables modeling of complex intrusion scenarios, including: FW
SW SDB SAD NAS
External attacks via the web interface; Insider threats through workstation compromise; Vertical privilege escalation via an administrative workstation;
Lateral movement through the Active Directory server.
This model is realistic and reflects the complexity of modern corporate ICS (Information and Communication Systems). It is also ideally suited for applying the MRRW-PageRank method, as it contains nodes of varying criticality and diverse topological patterns (star, chain, centralized authentication, etc.).
This section proposes a methodology for evaluating scenarios of destructive actions within a
corporate network, based on the application of the iterative MRRW-PageRank algorithm
(Mutually-Reinforced Risk-Weighted PageRank). In contrast to approaches that rely on expert
judgments or large language models to determine transition probabilities between nodes [
The MRRW-PageRank algorithm (Mutually-Reinforced Risk-Weighted PageRank) is built upon the
iterative interaction between two network components: the node importance vector and the
linkweight matrix. The model is based on the assumption that a node’s importance is determined not
only by the number of incoming links but also by their quality—specifically, the probability that
each of these links will be exploited by an attacker to reach the target node. Conversely, the
likelihood of a link being used depends on the importance of the target node and the structural
characteristics of its connectivity within the network. This interdependence is modeled as an
iterative process converging to a stable weight distribution that reflects potential intrusion risks.
Initialization of node weights
Node weights are initially estimated using the standard PageRank algorithm, one of the most
wellknown methods for measuring centrality in directed graphs [
is normalized such that the sum of all its components Iterative update of links weight At each iteration
, the link weights are recalculated based on the current approximation of node importance. The weight of link is defined as: where is the current importance score of node j from the previous iteration, is the in-degree of node j, and α>0 is a normalization parameter controlling the influence of the degree on the weight.
This formula reflects two key hypotheses regarding attacker behavior: (1) the more important a node j is (i.e., the higher ), the higher the likelihood that paths leading to it will be exploited; and (2) the greater the in-degree of node j, the lower the weight assigned to each individual incoming link.
Thus, the weight of link is interpreted as the relative attractiveness of this path to an attacker, accounting for both the target’s value and its "popularity" within the network topology. Construction of the transition matrix
of the matrix is given by the normalized
If node i has no outgoing links (i.e., ), the standard PageRank damping strategy is applied. This matrix is row-stochastic, allowing it to be interpreted as a transition probability matrix for a Markov chain modeling an attacker’s movement through the network. Node Importance Update
The new node importance vector is computed using a modified PageRank equation, where uniform weights are replaced by weighted transitions:
This equation captures two distinct pathways for "visiting" nodes: with probability 1 − d, the attacker "jumps" to a random node (modeling unexpected attacks or exploitation of external vectors), and with probability d, the attacker follows weighted links according to the current transition matrix. The process is repeated iteratively until convergence is achieved: where ε is a small constant defining the desired computational precision.
The core idea is that the link weights obtained upon convergence of the MRRW-PageRank algorithm are interpreted as conditional probabilities of the attacker transitioning from one node to another:
P(vi → vj) = wij, where wij is the normalized weight of the link from node vi to node vj , obtained after completing the iterative process.
However, to ensure a correct probabilistic interpretation, the weights must be normalized separately for each source node so that the sum of probabilities of all possible transitions from that node equals 1:
The resulting matrix is row-stochastic and can be used as the transition matrix in a Markov chain modeling attacker behavior.
A penetration scenario is defined as a directed path in graph G = (V, E) leading from an initial node (threat source) to a target node (critical resource, e.g., a database server SDB). Formally, a scenario sk is represented as a sequence:
sk = (vk1, vk2,…, vkm), where vk1 ∈ Vsource is the initial node (e.g., FW, WU1, WA), vkm = vtarget is the target node (e.g., SDB), and (vki, vki+1) ∈ E for all i = 1,…, m − 1 .
considered more realistic.
All possible scenarios are generated by exhaustively enumerating all simple paths (i.e., paths without cycles) from each source node to the target node. This can be implemented using depthfirst search (DFS) algorithms or specialized attack graph analysis techniques.
The probability of scenario sk is computed as the product of the conditional probabilities of transitions between consecutive nodes:
In this formula, instead of the averaged LLM-based estimates used in prior work [
After computing the probabilities of all scenarios, they are ranked according to several criteria: – the primary criterion; scenarios with higher probability are
Duration (path length) – shorter paths are more attractive to attackers, as they require less time and effort.
Criticality of intermediate nodes – paths passing through high-ranked nodes (e.g., SAD, WA) may entail elevated risk due to the potential for vertical privilege escalation.
For an integrated ranking, a combined scoring function can be employed: where denotes the average weight of nodes along the path (as a measure of criticality), and α, β, γ ≥ 0 are tunable coefficients reflecting the analyst’s priorities.
Scenarios are sorted in descending order of the Score the most probable and most dangerous intrusion paths.
The proposed approach offers several significant advantages that enhance its scientific and practical value in the context of cyber-risk analysis.
First, it is deterministic: since the MRRW-PageRank algorithm contains no stochastic components, its results are fully reproducible under identical input conditions, unlike approaches based on large language models, which may produce variable outputs even when given identical prompts.
Second, the method does not rely on expert assessments or external data (e.g., CVSS scores, access logs, or incident history), making it suitable for application during the early stages of designing information and communication systems, when such information is not yet available.
Third, the approach is structurally well-founded: it formalizes the interdependence between the importance of target nodes and the attractiveness of paths leading to them by modeling the strategic behavior of an adversary who seeks to reach critical resources while accounting for the topological "overload" of targets.
Fourth, the resulting edge weights can be directly interpreted as conditional transition
probabilities and integrated into existing logic-probabilistic cybersecurity models [
Thus, the proposed methodology provides an objective, formalized, and computationally efficient foundation for assessing the likelihood of penetration scenarios, particularly under conditions of limited information about the system’s security posture.
To verify the effectiveness of the proposed methodology for assessing penetration scenarios based on MRRW-PageRank, computational simulations were performed using a typical corporate information and communication system comprising 12 components. The simulations were carried out according to the algorithm described in Section 3, employing the link-weight matrix obtained from the convergence of the MRRW-PageRank iterative process.
The database server (SDB) was selected as the target node (i.e., the ultimate objective of an attack) —a critical resource with no outgoing connections and thus representing the logical endpoint of most penetration scenarios. Threat sources were defined as all nodes possessing paths leading to SDB: FW, Router, SwC, WA, SW, SAD, WU1, WU2.
The weight matrix of connections W = [wij], obtained upon convergence of MRRW-PageRank (15 iterations, precision ε = 10−6), was used to construct the conditional transition probability matrix by normalizing its elements row-wise.
For example, for the node SwC (Switch-Core), the sum of outgoing weights equals: ∑wSwC,∗=0.0150+0.0150+0.0340+0.0425+0.0210+0.0260+0.0150+0.0240+0.0175=0.210.
Based on the network graph and the transition matrix , all simple paths (without cycles) from the initial nodes to the SDB were generated. In total, 12 unique scenarios were identified; the most probable ones are listed in Table 2. The table shows that the most dangerous scenarios are short paths with high probability, particularly those originating from the web server (SW) and the administrator workstation (WA). This underscores the importance of controlling external interfaces and privileged accounts.
Analysis of the obtained results allows for several important conclusions regarding the structure of cyber risks in the examined corporate network.
First, the most dangerous entry points are the web server (SW) and the administrator workstation (WA), as they exhibit the highest probabilities of direct transitions to the database server (SDB)—the primary attack target. Notably, the probability of the scenario SW → SDB (≈ 0.447) even exceeds that of WA → SDB (≈ 0.339), underscoring the critical role of the external attack vector via the web interface. This finding fully aligns with real-world cyberattack statistics, where web applications and privileged accounts consistently rank among the most common initial access points.
Second, although the Active Directory server (SAD) received the highest node weight among all components (0.182), it lacks a direct connection to SDB, and all paths through SAD are indirect and multi-hop (e.g., SAD → SwC → SDB). Due to normalization of outgoing link weights, the transition probability SAD → SwC is only ≈ 0.237, resulting in an overall scenario probability of s₄ ≈ 0.0237—significantly lower than that of direct transitions. This clearly illustrates a key advantage of the proposed method: it does not rely solely on the importance of individual nodes but also accounts for the actual topological accessibility of the target, including the number of alternative paths and their probabilistic weights.
Third, the external path FW → Router → SwC → SDB has a probability of 0.100, which adequately reflects the realistic external threat without overstating it as dominant compared to internal attack vectors. This confirms the model’s balance: it does not inflate the risk of external attacks when they require traversing multiple layers of defense.
Finally, all hypothetical scenarios involving traversal through the Network Attached Storage (NAS) or the SIEM system proved topologically infeasible, as these nodes possess no outgoing connections. This validates the correctness of the model construction and demonstrates its ability to automatically filter out unrealistic intrusion paths, thereby enhancing the reliability of the analysis.
Thus, the proposed approach not only identifies critical assets but also ranks realistic attack vectors based on the structural properties of the network, making it especially valuable during network design and initial security audit phases.
In contrast to approaches where transition probabilities were determined through expert judgment and incorporated subjective assessments (e.g., P(WA→SDB) = 0.65), the proposed method differs fundamentally:
Transition probabilities are determined objectively based solely on network topology, without relying on expert opinions or external data; Results are deterministic and fully reproducible: under identical input conditions, the algorithm always yields the same outcome, unlike large language models (LLMs), which may produce varying estimates even for identical prompts; The method does not require vulnerability data, CVSS scores, or incident history, making it particularly suitable for network design phases or initial security audits when such information is not yet available.
It is important to emphasize that within the MRRW-PageRank framework, the probability P(WA→SDB) is computed by normalizing the weights of all outgoing links from WA, yielding P(WA→SDB) ≈ 0.339 – a value grounded in the actual network structure rather than subjective assumptions. Thus, the proposed method not only eliminates subjectivity but also provides a structurally justified, transparent, and computationally efficient alternative to LLM-based approaches during early-stage cyber risk assessment.
This work proposes a novel approach to evaluating intrusion scenarios in corporate information and communication systems by integrating the problem of logic-probabilistic modeling of cyberattacks with a structural risk assessment method based on an iterative MRRW-PageRank algorithm. Unlike prior studies that relied on expert judgments or large language models to estimate transition probabilities between network nodes, the proposed method utilizes solely the network topology as its input data source. This makes it particularly suitable for design phases, topological audits, or preliminary security assessments, where empirical data on vulnerabilities, access policies, or incident history are unavailable.
Application of the method to a realistic 12-node network—including a firewall, router, core switch, servers of various purposes, administrator and user workstations, network-attached storage, a SIEM system, and a Wi-Fi access point—demonstrated its ability not only to identify critical assets (notably the Active Directory server and the database server) but also to rank intrusion scenarios according to their likelihood, duration, and structural attractiveness of the paths involved. The results revealed that the most probable attack vectors are direct transitions from the administrative workstation to the database server and external paths via the web server— findings fully consistent with known real-world cyberattack practices.
The scientific novelty of this work lies in the first formalization of intrusion scenario evaluation through the lens of interdependent weight updates for nodes and links: the importance of a target node increases the likelihood of paths leading to it, yet each individual path to a “highly connected” node (i.e., one with many incoming links) receives a lower weight due to reduced uniqueness. This approach effectively models the strategy of a real-world adversary who seeks to reach the most valuable resources but selects not just any path, but rather the one offering maximum effectiveness with minimal effort. This fundamentally distinguishes the proposed method from classical PageRank or other centrality metrics, which do not treat links as carriers of risk.
Furthermore, this study is the first to demonstrate that link weights derived via MRRWPageRank can be directly interpreted as conditional transition probabilities within a Markov chain modeling attacker behavior and subsequently employed within a logic-probabilistic framework to compute full attack scenario probabilities.
A key advantage of the proposed approach is its determinism and reproducibility: unlike LLMbased methods, results do not depend on random sampling, model version, or prompt formulation, thereby ensuring reliability and transparency of the analysis. At the same time, the method does not aim to fully replace LLM-based approaches; rather, it complements them by providing an objective, structurally grounded foundation for further refinement. For instance, MRRW weights can serve as initial values in Bayesian networks or as contextual input for LLM queries, thereby enhancing accuracy and reducing response variability.
A limitation of the method is its disregard for actual vulnerabilities, security configurations, or behavioral anomalies—yet precisely this characteristic renders it a universal tool for early stages of a system’s lifecycle. Future work will focus on integrating MRRW-PageRank with dynamic data (e.g., CVSS scores, access logs) to develop a hybrid model that combines structural soundness with adaptability to the real-time security state. Thus, the proposed approach not only fills a gap in existing cyber-risk analysis methodologies but also opens new avenues for building evolutionary, self-tuning cyber defense systems. During the preparation of this work, the authors used ChatGPT and Qwen to: translate certain text fragments into English, perform grammar and spelling checks, and paraphrase or reword content. After using these tools, the authors carefully reviewed and edited the content as needed and take full responsibility for the publication’s content.