A Queueing-Theoretic Framework for Dynamic Attack Surfaces: Data-Integrated Risk Analysis and Adaptive Defense

This paper proposes a queueing-theoretic framework that models the temporal evolution of cyber-attack surfaces as a backlog of vulnerabilities, demonstrating how AI-driven automation amplifies exploit risks and validating a reinforcement learning-based adaptive defense strategy that reduces active vulnerabilities by over 90% while accounting for heavy-tailed patching times and resource constraints.

The Gist

Imagine your organization's computer network is a massive, bustling warehouse.

In this warehouse, "vulnerabilities" (security holes) are like broken boxes that keep arriving on the conveyor belt. Some arrive because someone found a crack in the design; others appear because a new supplier sent a defective product.

The "attack surface" is simply the pile of broken boxes sitting on the floor waiting to be fixed. If the pile gets too high, a thief (the hacker) can easily grab one, break it open, and steal your goods.

This paper proposes a new way to manage this warehouse using three main ideas: a Queueing Model, the AI Factor, and a Smart Robot Manager.

1. The Warehouse Analogy: A Queueing System

The authors treat the pile of broken boxes not as a static list, but as a dynamic line (queue).

• Arrivals: New vulnerabilities keep showing up.
• Departures: Boxes leave the line in two ways:
  1. The Good Way: Your team patches them (fixes the box).
  2. The Bad Way: Hackers exploit them (steal the box).

The key insight is that this isn't a steady stream. Sometimes, a hundred broken boxes arrive at once (a "burst"), and your team can only fix a few. This creates a backlog. The paper uses math (queueing theory) to prove that if you don't keep up with the arrivals, the pile grows dangerously large, and the risk of theft skyrockets.

2. The "AI Amplifier" Twist

The paper asks: What happens if both the thieves and the warehouse managers get AI superpowers?

• Symmetric AI: Imagine both the hackers and your team get robots that work 4x faster. You might think, "Great! We are 4x faster, so we are safe!"
  • The Surprise: The paper shows that even if you are 4x faster, the number of successful thefts actually goes up. Why? Because the thieves are also 4x faster. They are grabbing the broken boxes before your team can even touch them. The "race" just happens in fast-forward, but the thieves still win more often because they are aggressive.
• Asymmetric AI: If only the hackers get AI robots, and your team stays human-speed, the warehouse gets overwhelmed almost instantly. The pile of broken boxes explodes, and the theft rate goes through the roof.

3. The "Heavy-Tailed" Problem (The Stubborn Boxes)

The researchers looked at real data from open-source software (like the code behind Google's tools) and found something scary: Patching times are "heavy-tailed."

In a normal world, if you have a broken box, you fix it in 10 minutes. In the real world, most boxes are fixed quickly, but some boxes sit there for months or years because they are hard to fix, or no one is assigned to them.

The paper proves that these "stubborn boxes" create a Long-Range Dependence. This means that a vulnerability discovered today can still be a threat next year. The system doesn't "forget" past mistakes quickly. This creates a persistent, lingering risk that static security plans (which assume everything resets every day) completely miss.

4. The Solution: A Smart Robot Manager (Reinforcement Learning)

Since the arrival of broken boxes is unpredictable and the "stubborn boxes" linger, you can't just hire a fixed number of workers. You need a Smart Robot Manager (an AI algorithm) that watches the pile in real-time.

• The Problem: You have a limited budget (a fixed number of workers). If you switch workers around too often, you waste time and money retraining them (this is called "switching cost").
• The Solution: The authors built a Reinforcement Learning (RL) algorithm. Think of this as a robot that learns by trial and error.
  • It watches the pile grow.
  • It decides: "Should I send 5 workers now? Or wait until the pile gets bigger?"
  • It balances the cost of moving workers around against the risk of a theft.

The Results:
When they tested this robot manager on real-world data:

• It reduced the average number of broken boxes (active vulnerabilities) by over 90% compared to standard methods.
• It did this without spending more money; it just spent the existing budget smarter, focusing effort exactly when the pile was getting dangerous.
• It smoothed out the chaos, preventing those massive, scary spikes in risk.

The Big Takeaway

Cybersecurity isn't about building a higher wall; it's about managing the flow.

1. Vulnerabilities arrive in unpredictable bursts.
2. Fixing them takes a long time for some, creating a lingering risk.
3. AI speeds up both attacks and defenses, often making the situation worse if you aren't careful.
4. The best defense isn't a static plan; it's an adaptive strategy that dynamically shifts resources to where the danger is highest, right now.

By treating the attack surface as a living, breathing queue rather than a static list, this paper gives defenders a mathematical way to stay one step ahead of the thieves, even when the thieves are using AI.

Technical Summary

1. Problem Statement

The paper addresses the critical challenge of modeling and managing the temporal evolution of cyber-attack surfaces. Traditional cybersecurity risk models often rely on static or stationary assumptions, failing to capture the dynamic, time-varying nature of vulnerabilities in modern, complex infrastructures (e.g., cloud, IoT, software supply chains).

Key gaps identified include:

• Lack of Dynamic Modeling: Existing approaches treat attack surfaces as static quantities rather than evolving stochastic processes.
• Ignoring Temporal Dependencies: Vulnerability lifetimes and arrival patterns often exhibit "burstiness" and "heavy-tailed" distributions, leading to long-range dependence (LRD) that static models miss.
• AI Amplification: The dual role of AI in accelerating both vulnerability discovery/exploitation and defense is not quantitatively modeled.
• Suboptimal Resource Allocation: Defenders often use static patching strategies that do not adapt to fluctuating threat levels or account for the operational costs (switching costs) of changing defense policies.

2. Methodology

The authors propose a comprehensive framework combining Queueing Theory, Empirical Data Analysis, and Reinforcement Learning (RL).

A. Queueing-Theoretic Model

The attack surface is modeled as a stochastic queueing system where:

• Arrivals ($V(t)$): Represent the discovery or creation of new vulnerabilities.
• Departures: Represent vulnerabilities leaving the system via either successful patching (defense) or successful exploitation (attack).
• State ($N(t)$): The number of active (unpatched) vulnerabilities at time $t$, representing the instantaneous attack surface size.
• Race Condition: For each vulnerability, there is a race between the defense time ($D_d$) and exploit time ($D_l$). The vulnerability is removed when the minimum of these two occurs.
• Constraints: The model incorporates resource limits, including a maximum number of parallel servers ($m$) and a global service rate constraint ($b$), formulated as a G/G/m–b model.

B. AI Amplification Factor

The framework introduces an AI amplification factor ($a$) that scales arrival, exploit, and patching rates. The authors analyze both symmetric scaling (AI used by both sides) and asymmetric scaling (AI used only by attackers).

C. Empirical Validation (Data Integration)

The model is validated using the ARVO dataset (Atlas of Reproducible Vulnerabilities for Open Source Software), containing over 4,000 vulnerabilities from Google's OSS-Fuzz.

• Segmentation: The non-stationary time series is segmented into quasi-stationary intervals using Gaussian Mixture Models (GMM).
• Distribution Fitting: The authors found that vulnerability arrival and service (patching) times follow heavy-tailed distributions (e.g., Loglogistic, Gamma-InverseGaussian) rather than exponential distributions.
• Theoretical Proof: They prove that heavy-tailed service times induce Long-Range Dependence (LRD) in the attack surface size, meaning past events significantly influence future risk over long time scales.

D. Adaptive Defense via Reinforcement Learning

To manage the dynamic system under constraints, the problem is formulated as a Constrained Markov Decision Process (CMDP).

• Objective: Minimize cumulative cost (exploit risk + defense effort) while penalizing switching costs (the magnitude of change in defense policy between steps, not just the frequency).
• Algorithm: A novel RL algorithm is developed with:
  • Optimistic Q-learning: Uses upper confidence bounds to encourage exploration.
  • Delayed Policy Switching: Updates the policy only at geometrically increasing intervals to balance responsiveness with operational stability (reducing switching costs).
  • Regret Bound: The algorithm achieves a near-optimal regret bound of $\tilde{O}(\sqrt{T})$, even with resource and switching constraints.

3. Key Contributions

1. Dynamic Queueing Model: A novel abstraction of the attack surface as a queue where arrivals are vulnerabilities and departures are patches or exploits, capturing backlog dynamics and resource contention.
2. AI Amplification Analysis: Demonstrates that even symmetric AI scaling (where both attackers and defenders use AI equally) can increase the rate of successful exploits due to the non-linear nature of the system, while asymmetric scaling (attackers only) drastically worsens outcomes.
3. Empirical Validation & LRD: First to validate a queueing model of attack surfaces using large-scale real-world data (ARVO), proving that heavy-tailed patching times induce Long-Range Dependence, explaining persistent cyber risk.
4. RL with Switching Costs: Formulates dynamic defense as a CMDP that explicitly models the magnitude of policy changes as a cost (not just frequency), a novel contribution to safe RL literature.
5. Near-Optimal Algorithm: Develops an RL algorithm with provable near-optimal regret bounds under resource budgets and switching constraints.

4. Key Results

• Static vs. Dynamic Defense:
  • In model-based simulations, the RL policy reduced successful exploit rates by up to 55% compared to static allocation strategies.
  • In trace-driven experiments using the ARVO dataset, the RL policy reduced the average number of active vulnerabilities by over 90% compared to existing defense practices, without increasing the total maintenance budget.
• Aggregate Budget Efficiency: When constrained to the same total defense budget as the baseline, the RL policy reduced the mean queue length by 45% and the 95th/99th percentile tail sizes by >50%, proving that better allocation is more effective than simply adding resources.
• AI Impact: Symmetric AI scaling preserved the shape of the attack surface distribution but compressed the time scale, increasing exploit frequency by the amplification factor. Asymmetric AI scaling (attackers only) caused a super-linear increase in exploit rates.
• Heavy-Tail Effects: The empirical data confirmed that patching times are heavy-tailed, leading to LRD. This implies that average-based risk assessments are insufficient; defenders must account for persistent, long-tail exposure.

5. Significance

This paper provides a quantitative, theoretically grounded foundation for understanding and defending against evolving cyber threats.

• Paradigm Shift: It moves cybersecurity risk analysis from static snapshots to dynamic, time-dependent stochastic processes.
• Operational Insight: It highlights that "heavy-tailed" patching delays create systemic bottlenecks that cannot be solved by simple linear scaling of resources.
• Practical Application: The proposed RL-based defense strategy offers a practical, adaptive mechanism for organizations to allocate limited security resources efficiently, significantly reducing exposure without requiring massive budget increases.
• AI Readiness: It provides a framework to anticipate how AI-driven automation will reshape the cyber landscape, warning that defensive acceleration must outpace offensive acceleration to maintain security.

In summary, the work bridges the gap between theoretical queueing models, empirical data analysis, and adaptive control, offering a robust solution for managing the complex, dynamic nature of modern cyber attack surfaces.