Physics-Informed Graph Neural Networks for Attack Path Prediction

Abstract

The automated identification and evaluation of potential attack paths within infrastructures is a critical aspect of cybersecurity risk assessment. However, existing methods become impractical when applied to complex infrastructures. While machine learning (ML) has proven effective in predicting the exploitation of individual vulnerabilities, its potential for full-path prediction remains largely untapped. This challenge stems from two key obstacles: the lack of adequate datasets for training the models and the dimensionality of the learning problem. To address the first issue, we provide a dataset of 1033 detailed environment graphs and associated attack paths, with the objective of supporting the community in advancing ML-based attack path prediction. To tackle the second, we introduce a novel Physics-Informed Graph Neural Network (PIGNN) architecture for attack path prediction. Our experiments demonstrate its effectiveness, achieving an F1 score of $0.9308$ for full-path prediction. We also introduce a self-supervised learning architecture for initial access and impact prediction, achieving F1 scores of $0.9780$ and $0.8214$, respectively. Our results indicate that the PIGNN effectively captures adversarial patterns in high-dimensional spaces, demonstrating promising generalization potential towards fully automated assessments.

1. Introduction

Information Systems (ISs) are socio-technical structures integrating organizational and technological components [1,2] to support business operations, decision-making, and management [3]. IS security can be compromised by vulnerabilities arising from software flaws and misconfigurations. Consequently, organizations must assess and manage risks associated with IS [3]. Risk-based IS management has been a key focus since the 1990s [4,5,6,7], providing a structured approach to identifying, analyzing, and mitigating potential threats [8]. A key aspect of IS risk management is risk assessment [4,8], which consists of three phases: risk identification, risk analysis, and risk evaluation.

Attack Path Analysis (APA) is a method for the risk assessment of attack scenarios applied in complex environments [9,10,11]. A typical APA framework consists of an adversary model, an environment model, and an optimization algorithm [11,12]. Early APA frameworks used graphical approaches to model adversarial behavior and systems [13,14], later evolving into probabilistic models [15,16,17,18,19,20,21,22,23,24,25,26,27,28]. Modern APA frameworks generally fall into adversary-oriented [29,30,31,32,33,34,35,36,37,38] or system-oriented methods [39,40,41,42,43,44,45,46,47,48,49,50,51,52,53] and can vary in their level of abstraction. Higher-abstraction models keep scenario exploration tractable [29,30,31], while lower abstraction offers more detailed analysis but is computationally intensive [43,44,45,46,47,48,49].

For a given environment, APA frameworks provide risk assessment decision support in three main directions: (1) deductive reasoning, i.e., identifying the impact of an attack path (consequence) given its starting point (cause), (2) inductive reasoning, i.e., determining the initial access point of the attack path given its impact, and (3) a combination of both, i.e., identifying the full path when both the cause and consequence are fixed (see Section 2.3 for formal notation). Yet, as infrastructures grow more complex and adversary techniques evolve, uncertainty makes these settings increasingly challenging and existing model-based methods impractical and prone to imprecisions [54,55,56]. To address this issue, state-of-the-art (SoTA) data-driven methods like Exploit Prediction Scoring System (EPSS) [57] leverage machine learning (ML) algorithms to predict exploitation likelihood in a model-agnostic manner, outperforming model-based equivalents [57,58,59,60,61,62,63].

This research focuses on a subclass of ML algorithms known as deep learning (DL) [64], which uses Deep Neural Networks (DNNs) for function approximation, motivated by the “universal approximation theorem” [65]. A DNN designed to predict full attack paths in any given environment must learn the joint distribution of adversary behavior and environmental characteristics across various combinations. However, the feasibility of generalizing over such a high-dimensional space remains unclear, as no public dataset currently supports this learning task. Existing APA datasets typically provide either detailed attack sequences or environmental properties but not both [54,66]. For instance, datasets derived from cyber threat intelligence (CTI) report mining offer rich APA details but lack broader environmental descriptions, focusing only on the affected scope [67]. Conversely, macro-level datasets [68] aggregate public breach reports across diverse environments but do not include attack path details. Reinforcement Learning (RL) environments could be considered an alternative. However, RL-based approaches suffer from a similar trade-off: high-fidelity emulated frameworks demand significant computational resources, while lightweight simulated frameworks can only represent limited environments [69]. Ultimately, constructing such a dataset from real-world attack paths remains an open challenge, as organizations are generally reluctant to disclose detailed information about their infrastructure and incidents [70,71,72,73,74,75].

Our research aims to bridge this gap by making the following contributions: (1) framing and sharing a deep learning dataset of detailed environments with corresponding attack paths and (2) implementing and training DNN architecture for conducting inductive, deductive, and hybrid setting risk assessments. Through these contributions, this paper seeks to answer the following research questions: 

(RQ) Can adversary behavior be generalized across multiple environments to achieve full path prediction accuracy comparable to SoTA exploit prediction methods ?

This paper is organized as follows: Section 2 will present the materials and methods, including our dataset and algorithms; Section 3 will present the experimental results on inductive, deductive, and hybrid settings; Section 4 will discuss the limits of this research along with new opportunities; and Section 5 will conclude this paper. To ensure the reproducibility of our findings, all data and algorithms presented in this paper can be found in the replication package (https://github.com/mbdlrocks/PhD_Replication_Package/tree/master/Physics-Informed-GNN%20(PIGNN), accessed on 7 April 2025). Readers are encouraged to explore the repository for further implementation details or to train their own models on the dataset.

2. Materials and Methods

Section 2.1 first presents the motivations for creating a new dataset and discusses the challenges and limitations of this approach. Section 2.2 then provides a brief introduction to physics-informed neural networks (PINNs), along with the motivations for applying them to attack path prediction. Next, Section 2.3 formalities the learning problem we address. Finally, we introduce two prediction architectures (see Section 2.4) and describe our training procedures, covering both physics-informed learning (see Section 2.5) and self-supervised learning (see Section 2.6).

2.1. Dataset

As discussed in Section 1, to the best of our knowledge, no existing dataset satisfies our criteria—namely, capturing a diverse range of detailed environments along with their associated attack paths. Given these constraints, we opted for a synthetic data-generation approach to conduct experimentation. Our goal was to construct a dataset that allowed us to experimentally evaluate the computational feasibility of generalizing across the high-dimensional spaces of environments and attack. Generating such a dataset and making it suitable for statistical learning presents several challenges, notably (1) ensuring technically realistic attack paths and environments while balancing granularity with dimensionality (see Section 2.1.1), (2) identifying and mitigating potential biases in feature distribution (see Section 2.1.2), and (3) structuring data efficiently for learning algorithms (see Section 2.1.3).

2.1.1. Realistic Attacks and Environments

The dataset consists of 1033 samples, each containing an environment and an attack path. As discussed in Section 2.2, this dataset is sufficient for a physics-informed architecture which can generalize with limited training samples. We combined simulation and expert validation methods: environment graphs were simulated using BloodHound [76], a tool for auditing Active Directory (AD) environments, and attack paths for each environment were retrieved using Caldera [77], an APA framework for automated red teaming. This approach enables the rapid generation of environments and the selection of relevant Techniques, Tactics, and Procedures (TTPs), emulating an adversary (see [78]). Similar approaches combining automation with expert oversight for path generation have been proposed by other authors [79,80], in which generated paths are manually reviewed by experts. In our case, the initial dataset was reduced from 1150 graphs to 1033 (≃10.17%) after manual inspection. There are also limits to this approach, which we discuss in Section 4.

The environments represent AD domains as directed graphs $G=(V,E)$, with nodes $v\in V$ representing Users, Computers, Domains, Group Policy Objects (GPOs), and Organizational Units (OUs) (see [81] for details). The edges $e\in E$ encode non-traversable relationships (e.g., ${\mathrm{OU}}_j$ inherits properties from ${\mathrm{GPO}}_i$ [76]) and traversable ones (e.g., ${\mathrm{User}}_i$ can open a session on ${\mathrm{Computer}}_j$). Node features provide additional information regarding the entities (e.g., vulnerabilities, privileges). Each network consists of 100 users with dedicated computers, connected across four subnets, with an average of 15% vulnerable hosts per environment. For further details, we kindly invite the reader to refer to the dataset documentation.

Each attack path (see Figure 1) represents an “identity snowball” attack scenario [11,79,80], in which an adversary gains initial access to a low-privileged account (e.g., via phishing) and escalates privileges by compromising additional accounts and systems. The goal is ultimately to reach the Domain Administrator (DA) [11,31]. While this attack model is widely popular among security auditors, it is also leveraged by known threat groups [82], who use Bloodhound to find the shortest paths to high-value targets [31]. Given its relevance in both offensive and defensive security and motivated by existing research, we focused on this scenario for our experiments.

2.1.2. Exploratory Data Analysis

A key aspect to examine in our generated samples is the type of edges traversed in attack paths. As shown in Figure 2(bottom left), the most frequently exploited edges are AdminTo edges (representing user accounts with administrative privileges on a system [83]), MemberOf edges (indicating group membership relationships [84]), and HasSession edges (corresponding to adversaries accessing stored credentials on a machine [85]). In Figure 2(top), we observe that these edge types follow an approximately normal distribution across graphs. If they were not normally distributed and exhibited a strong correlation with attack paths, the dataset could be skewed, potentially leading to biased models. Similar patterns are observed for edge counts and connection density (i.e., the number of parallel edges between two nodes), as illustrated in Appendix A Figure A1, Figure A2 and Figure A3.

Regarding the nodes composing attack paths, Figure 2(bottom right) shows that their degree distribution slightly differs from that of the overall graph. This is expected, as nodes inside the path necessarily have a minimum degree of two. Finally, the analysis of the path length distribution reveals no overrepresented lengths, which is desirable; a bias in path lengths could indicate unintended artifacts in the generation algorithm. For additional metrics, we refer the reader to the replication package (https://github.com/mbdlrocks/PhD_Replication_Package/tree/master/Physics-Informed-GNN%20(PIGNN)/_visualisations_.ipynb, accessed on 7 April 2025) and Appendix A, where

Table A1. Statistical summary of the dataset.

	Num_Nodes	Num_Edges	Density	Avg_Degree	Median_Degree	Max_Degree
count	1033	1033	1033	1033	1033	1033
mean	361.0	3040.83	0.0234	16.85	5.88	423.89
std	0.0	90.19	0.0007	0.50	0.32	3.27
min	361.0	2755	0.0212	15.26	5	414
25%	361.0	2979	0.0229	16.50	6	422
50%	361.0	3043	0.0234	16.86	6	424
75%	361.0	3102	0.0239	17.19	6	426
max	361.0	3288	0.0253	18.22	6	437

provides an overview of the dataset.

2.1.3. Data Structure for Learning

Graphs and associated paths are preprocessed for PyTorch [86] and provided as .pt files. This preprocessing step is responsible for (1) converting the raw graph into an adequate tensor-based format and (2) ensuring that all graphs have the correct dimensions. The preprocessing script can be found in the replication package (https://github.com/mbdlrocks/PhD_Replication_Package/tree/master/Physics-Informed-GNN%20(PIGNN)/_Preprocessing_, accessed on 7 April 2025). In the dataset, denoted by $\mathcal{D}={\{X_i,Y_i\}}_{i=0}^n$, each sample $X_i=(A_i,F_i)$ is a tuple comprising an adjacency tensor $A_i\in {\mathbb{R}}^{\left|V\right|\times \left|V\right|\times d}$ and a graph signal tensor $F_i\in {\mathbb{R}}^{\left|V\right|\times p}$, with d the number of different edge types and p the node features. For a given graph $X_i$, the label $Y_i\in {\mathbb{R}}^{\left|V\right|\times \left|V\right|}$ is an adjacency matrix where $Y_{ij}=1$ if an edge between nodes i and j is part of the attack path. The dataset comprises $n=1033$ unique samples, each containing $p=20$ node features and $d=16$ unique edge types. The tensor-based format conversion is also illustrated in Figure 3.

This dataset is the first of its kind and should be considered as a prototype for future enhancements. We purposefully restricted some of its aspects (e.g., the assumption that attacks originate from user accounts rather than public-facing systems or restriction to identity snowball attacks). These design choices, along with the reliance on automatically generated synthetic data instead of ground-truth samples, should be understood in the context of this paper’s objective—demonstrating the efficiency of learning-based algorithms for APA. At the same time, they enabled the rapid development of a sufficiently robust experimental setting for testing our methods. For future enhancements or for organizations appropriating the dataset, start-node probabilities could be aligned with internal phishing campaign results. Another key aspect of this dataset is its extensibility through graph-based structures. Notably, existing cybersecurity knowledge graphs (CSKGs) [87,88,89,90,91,92] can be used to add new nodes and (non-traversable) edges to environments [54]. This data augmentation proposal is discussed in Section 4.

2.2. Physics-Informed Learning

In Section 1, we presented the generalization of attack paths across high-dimensional environments as one of the key challenges of this research. To address this challenge, we introduce a Physics-Informed Graph Neural Network (PIGNN). 

Physics-informed neural networks (PINNs) [93], also known as Theory-Trained Neural Networks (TTNs) [94]—or, more generally, model-based deep learning [95]—are designated as an emerging research field of neural network architectures that integrates prior knowledge of physical laws and known interaction logic into the learning process. 

In the context of attack path prediction across high-dimensional environments, using PINNs instead of agnostic Deep Neural Networks presents two key advantages: (1) incorporating known interaction principles and properties into the training restricts the space of feasible learnable solutions and thereby enhances the generalizability of the function approximation, and (2) by embedding this prior knowledge, PINNs also effectively augment the information content of the available data, enabling convergence towards accurate solutions with a limited number of training samples.

To include known interaction principles into the training, we crafted a custom “physics-informed” loss function. In our case, this loss function exploits known properties of graph theory to penalize the network when predictions are incoherent with domain knowledge, e.g., if predicted adjacency matrix describes a graph containing cycles or branches. The loss function is detailed in Section 2.5.

2.3. Formal Problem Setting

Given the dataset $\mathcal{D}={\{X_i,Y_i\}}_{i=0}^n$, we define the corresponding learning task for each of the three risk assessment problem objectives discussed in Section 1: 

Predict the full path given start and end nodes, i.e., given $X_i=(A_i,F_i)$, predict ${\widehat{Y}}_i$;  Predict end node given start node, i.e., given $X_i=(A_i,F_i^{\prime })$, predict ${\widehat{F}}_i^{\mathrm{end}}$ where $F_i^{\prime }=F_i\setminus F_i^{\mathrm{end}}$ (exclude “Start Node” feature);  Predict start node given end node, i.e., given $X_i=(A_i,F_i^{\prime })$, predict ${\widehat{F}}_i^{\mathrm{start}}$ where $F_i^{\prime }=F_i\setminus F_i^{\mathrm{start}}$ (exclude “End Node” feature);

Here, learning means minimizing the empirical risk over all predictions given our model $f_{\theta }(·)$ (parametrised by $\theta$), e.g., in path prediction, over the set of possible parameters $\Theta$, find $\widehat{\theta }$, which minimizes $\mathcal{R}\left(\theta \right)={\displaystyle \frac{1}{n}}{\sum }_{i=1}^n\mathcal{L}(f_{\theta }(A_i,F_i),Y_i)$, where $\mathcal{L}(·)$ measures the error between our prediction $f_{\theta }(A_i,F_i)$ and the ground truth attack path adjacency matrix $Y_i$.

2.4. Architecture

The neural architecture is composed of two main blocks, as illustrated in Figure 4. The first block is a graph convolution block, responsible for generating a tensor $\mathcal{H}\in {\mathbb{R}}^{\left|V\right|\times H}$, in which each node v is associated with a vector $h_v={\mathcal{H}}_{v,:}\in {\mathbb{R}}^H$, called the embedding of v. The embedding vector encodes the signal vector (given by $F_{v,:}$) relative to the graph structure (given by A). The embeddings $\mathcal{H}$ are then fed forward into the second block.

The second block depends on problem at hand. For full path prediction, $\mathcal{H}$ is fed into a multilayer perceptron (MLP) [64] which outputs a prediction matrix $\widehat{Y}$. For start/end node prediction, $\mathcal{H}$ is fed into an encoder which outputs a compressed representation of $\mathcal{H}$, denoted by $\mathcal{Z}\in {\mathbb{R}}^{\left|V\right|\times z}$. This latent representation is then fed into a classifier which outputs a vector of $\widehat{Y}\in {\mathbb{R}}^{\left|V\right|}$, where, after applying a threshold, only the start/end node value is set to 1.

2.4.1. Graph Convolution Block

Graph Convolutional Networks (GCNs) [96] are neural networks designed for learning embeddings in graphs. Graph convolution was introduced in [97] as a way to learn graph structures using neural networks. GraphSAGE [98] is a specific GCN architecture which relies on sample-and-aggregate convolution (SAGEConv) layers to efficiently learn the embeddings on directed graphs. During inference, for each node $v\in V$, the SAGEConv first aggregates feature representations from its immediate neighbors via a learnable aggregation function. The aggregate is then concatenated with the node’s own feature vector. The resulting vector is then processed by a learnable fully connected layer and an element-wise non-linear activation function. The output from the final layer serves as the learned embedding of v. In this paper, we use a slightly different version of the SAGEConv original implementation [98], which employs batch matrix multiplication (BMM) for fast aggregation, detailed in Algorithm 1 and illustrated in Figure 5.

Algorithm 1 Inference with BMM SAGEConv layer

1: Input: Adjacency tensor $A\in {\mathbb{R}}^{B\times \left|V\right|\times \left|V\right|\times d}$   2: Input: Signal tensor $F\in {\mathbb{R}}^{B\times \left|V\right|\times p}$   3: Initialize ${\mathcal{H}}^{\left(0\right)}\leftarrow F,{\mathcal{H}}^{\prime }\leftarrow$ zero matrix   4: for $i\leftarrow 1 \mathrm{to} d$ do     5:     Inverse degree matrix: $D_i^{-1}\in {\mathbb{R}}^{B\times \left|V\right|\times \left|V\right|}$ for edge type $A_i$   6:     Aggregate: ${\mathcal{H}}^{\prime }\leftarrow {\mathcal{H}}_{i-1}^{\prime }+\left(w_i·\left(D_i^{-1}{A}_i·{\mathcal{H}}^{\left(0\right)}\right)\right)$   7: end   8: Concatenate: ${\mathcal{H}}^{\prime }\leftarrow ({\mathcal{H}}^{\left(0\right)}\oplus {\mathcal{H}}^{\prime }/d)$   9: Transform and Activate: ${\mathcal{H}}^{\left(1\right)}\leftarrow f(W·{\mathcal{H}}^{\prime })$    10: Output: Final embeddings ${\mathcal{H}}^{\left(1\right)}\in {\mathbb{R}}^{B\times \left|V\right|\times H}$

In our path prediction architecture, the first block consists of two BMM SAGEConv layers (see Figure 4). During inference, both F and A are input into the first BMM SAGEConv layer. F is used to retrieve $h_v^{\left(0\right)}$, and A is used to identify the neighbors $\mathcal{N}\left(v\right)$ of v. The trained layer produces the first embedding tensor ${\mathcal{H}}^{\left(1\right)}$. This tensor is then passed through an activation function, specifically Rectified Linear Unit (ReLU). The Rectified Linear Unit (ReLU) is a standard non-linear function used in deep learning frameworks [64]; the function is defined as $f\left(x\right)=\max (0,x)$. After activation, the signal is passed through the second layer along with A. The second BMM SAGEConv generates the final embedding tensor, $\mathcal{H}={\mathcal{H}}^{\left(2\right)}$. During training, each BMM SAGEConv layer is followed by a dropout layer to prevent overfitting. The layer randomly zeroes some of the elements of the input tensor with a probability p. For details on the block implementation and to maintain section conciseness, please refer to the replication package. For algorithmic complexity analysis, see Appendix E.

The BMM SAGEConv layer k, given ${\mathcal{H}}^{\left(0\right)}=F$, can be written compactly as follows: $$\begin{array}{c}\hfill {\mathcal{H}}^{\left(k\right)}=f^{\left(k\right)}\left(\left({\mathcal{H}}^{(k-1)}\oplus \left({\displaystyle \frac{1}{d}}\sum _{i=1}^d{w}_i^{\left(k\right)}·\left[D_i^{-1}{A}_i·{\mathcal{H}}^{(k-1)}\right]\right)\right)·W^{\left(k\right)}\right)\end{array}$$ (1) where ⊕ designates the concatenation operation, $f(·)$ designates the ReLU activation function, $w_i^{\left(k\right)}$ designates the i-th type edge learnable weight matrix, and $W^{\left(k\right)}$ designates the learnable weight matrix for the k-th layer.

2.4.2. Path Prediction Task

During full path prediction, the graph embeddings $\mathcal{H}$ are used to generate the attack path matrix $\widehat{Y}$. Specifically, these embeddings are processed by a multilayer perceptron (MLP) [64] with $k=4$ fully connected hidden layers, each with learnable parameters. Each hidden layer comprises 512 neurons, followed by a ReLU activation function. The final hidden layer is fully connected to an output layer with $\left|V\right|$ neurons, followed by a normalization step. Normalization is applied using a logistic function that scales the logits from the preceding layer. The logistic function, denoted $\sigma (·)$ is a standard non-linear function which can be used for normalization. The function is defined as $\sigma \left(x\right)={\displaystyle \frac{1}{1+e^{-x}}}$. This transformation produces the matrix $\widehat{Y}$, where each element is constrained to the range $[0,1]$. The matrix $\widehat{Y}$ serves as the final adjacency matrix encoding the attack paths, where ${\widehat{Y}}_{ij}=y$ indicates the probability that an edge $i\to j$ belongs to the attack path. To convert this probability to categorical (0 or 1) values, we compute the model’s Receiver Operating Characteristic (ROC) curve (see Appendix D) and determine the optimal threshold using Youden’s J index [99]. The threshold value is provided in Section 3. Figure 4 illustrates the path prediction block.

2.4.3. Node Classification Task

A distinct architecture is employed for the start/end node classification task. During inference, an encoder [64] compresses the input embedding tensor $\mathcal{H}$ into a lower-dimensional representation $\mathcal{Z}\in {\mathbb{R}}^{\left|V\right|\times z}$, where $z\le H$. The encoder consists of $k=4$ fully connected layers with trainable parameters and ReLU activations, progressively reducing the dimensionality ($128\to 64\to 36\to 18\to z$) to compress the embeddings. The latent representation $\mathcal{Z}$ is then passed to an MLP [64], responsible for classification. The MLP processes $\mathcal{Z}$ through a fully connected layer followed by a ReLU activation, then a second fully connected layer with normalization. It outputs a probability vector $\widehat{Y}\in {\mathbb{R}}^{\left|V\right|}$. The probabilities are then converted to a prediction vector, where all values are set to 0 except for a single index corresponding to the predicted start or end node, using Youden’s J index, as previously discussed. Two separate classifiers are trained: one for predicting start nodes and the other for end nodes. For algorithmic complexity, refer to Appendix E.

2.5. Path Prediction Training

All blocks are trained end-to-end, meaning that for a given problem set, the graph convolution and path prediction (or node classification) blocks are optimized simultaneously. All models are trained using the Adaptive Moment Estimation (ADAM) optimizer [100], a standard approach in deep learning [64]. The optimizer computes the gradients of the model loss $\mathcal{L}(·)$ with respect to its parameters. The path prediction architecture is trained by optimizing its parameters using a physics-informed loss function. The node classification architecture, in contrast, is trained with a regular (non physics-informed) loss function.

To train the path-prediction architecture, we define the following loss function:

$$\mathcal{L}=\Phi {\mathcal{L}}_{\mathrm{data}}+\Psi {\mathcal{L}}_{\mathrm{pinn}}$$

(2)

where ${\mathcal{L}}_{\mathrm{data}}$ is a masked-weighted binary cross-entropy (MWBCE) loss (see Section 2.5.1), and ${\mathcal{L}}_{\mathrm{pinn}}$ is a physics-informed loss (see Section 2.5.2). The hyperparameters $\Phi$ and $\Psi$ balance the contribution of each loss term to the total loss.

2.5.1. Data Loss

Since the target prediction matrix is highly sparse, the data loss incorporates a masking strategy to mitigate the class imbalance. Without masking, the network tends to learn parameters that predict ${\widehat{Y}}_{ij}=0,\forall ij\in Y$, which minimizes the loss but does not predict meaningful path structures.

We define the masking mechanism in ${\mathcal{L}}_{\mathrm{data}}$ such that a subset of negative label entries ($Y_{ij}=0$) is randomly sampled within the target adjacency matrix Y while all positive labels ($Y_{ij}\ne 0$) are retained. Let ${\mathcal{M}}_{ij}$ denote this mask for an entry $Y_{ij}$, defined as follows:

$${\mathcal{M}}_{ij}=\left\{\begin{array}{cc}1,\hfill & \mathrm{if}{Y}_{ij}\ne 0\hfill \\ 1,\hfill & \mathrm{if}{Y}_{ij}=0\mathrm{and}{u}_i<w_c,u_i\sim \mathrm{Uniform}(0,1)\hfill \\ 0,\hfill & \mathrm{otherwise}\hfill \end{array}\right.$$

(3)

where $w_c$ is the masking coefficient that determines the fraction of $Y_{ij}=0$ values included in the loss computation. We set $w_c$ to a small value to force the network to focus on edges composing the attack path. We also introduce a weighting mechanism. Let $w_p$ be the weighting coefficient for type-II errors, defined as follows:

$$w_p={\displaystyle \frac{|Y_{ij}=1|}{|Y_{ij}=0|}}·w_s$$

(4)

where $|Y_{ij}=1|$ and $|Y_{ij}=0|$ denote the number of positive and negative entries, respectively. Since $w_p$ is typically large, we introduce a scaling factor $w_s$, set to ${10}^{-3}$. We then define $\gamma ={\displaystyle \frac{1}{w_p}}$ as the weighting coefficient for positive labels. With the mask $\mathcal{M}$ and weight coefficient $\gamma$ defined, the weighted binary cross entropy (WBCE) loss is:

$${\mathcal{L}}_{\mathrm{wbce}}({\widehat{Y}}_{ij},Y_{ij})=-\left(Y_{ij}log\left({\widehat{Y}}_{ij}\right)+(1-Y_{ij})\gamma log(1-{\widehat{Y}}_{ij})\right)$$

(5)

Averaging over the unmasked elements for training samples in batch size N, the data loss is thus computed as follows:

$${\mathcal{L}}_{\mathrm{data}}={\displaystyle \frac{1}{N}}\sum _{n=1}^N·\left({\displaystyle \frac{1}{\left|\mathcal{M}\right|}}\sum _{ij}-{\mathcal{M}}_{ij}·\left[Y_{ij}log\left({\widehat{Y}}_{ij}\right)+\left(1-Y_{ij}\right)·\gamma log\left(1-{\widehat{Y}}_{ij}\right)\right]\right)$$

(6)

This formulation ensures that the loss focuses on the most relevant edges while preventing the model from collapsing to a trivial all-zeros prediction.

2.5.2. Physics-Inspired Loss

The physics-informed loss ensures that the predicted $\widehat{Y}$ adjacency matrix adheres to domain knowledge. In our case, it implies that the graph described in the predicted matrix (1) contains no branches, (2) consists of a single connected path component, with all other nodes remaining isolated, (3) contains no cycles. If the network’s prediction violates these constraints, ${\mathcal{L}}_{\mathrm{pinn}}$ and thus $\mathcal{L}(·)$ increase. Formally, given $\alpha ,\beta ,\zeta \in [0,1]$ the physics-inspired loss is written as follows:

$${\mathcal{L}}_{\mathrm{pinn}}=\alpha ·{\mathcal{L}}_{\mathrm{degree}}+\beta ·{\mathcal{L}}_{\mathrm{connectivity}}+\zeta ·{\mathcal{L}}_{\mathrm{cycle}}$$

(7)

2.5.3. Degree Component

The objective of ${\mathcal{L}}_{\mathrm{degree}}$ is to enforce structural constraints by penalizing predictions based on node degree values. This component ensures that the predicted graph contains no branches. For $\widehat{Y}$, the predicted adjacency matrix, let $d_i^{\mathrm{out}}={\sum }_j\left({\widehat{Y}}_{ij}\right)$ be the out-degree of every node i and $d_i^{\mathrm{in}}={\sum }_j\left({\widehat{Y}}_{ji}\right)$ be the in-degree of every node i. We also define $\mathcal{A}=\{i\mid d_i^{\mathrm{in}}+d_i^{\mathrm{out}}>0\}$, where $\mathcal{A}$ is the active set of non-isolated nodes. To define ${\mathcal{L}}_{\mathrm{degree}}$, we compute:

$$\begin{array}{cc}\hfill P_{\mathrm{start}}& ={(\sum _{i\in \left|\mathcal{A}\right|}1[d_i^{\mathrm{in}}=0]-1)}^2\hfill \\ \hfill P_{\mathrm{end}}& ={(\sum _{i\in \left|\mathcal{A}\right|}1[d_i^{\mathrm{out}}=0]-1)}^2\hfill \\ \hfill P_{\mathrm{int}}& =\left(\sum _{i\in \left|\mathcal{A}\right|}1[d_i^{\mathrm{in}}\ne 1\vee d_i^{\mathrm{out}}\ne 1]\right)-2\hfill \end{array}$$

(8)

The three intermediary components penalize the network when it predicts a graph which contains (a) multiple potential start nodes ($P_{\mathrm{start}}$) or (b) multiple end nodes ($P_{\mathrm{end}}$) or (c) when intermediary nodes do not have exactly one incoming edge and one outgoing edge ($P_{\mathrm{int}}$). We average over batch size to compute the degree component, written as follows:

$${\mathcal{L}}_{\mathrm{degree}}={\displaystyle \frac{1}{N}}\sum _{n=1}^N\left(P_{\mathrm{start}}+P_{\mathrm{end}}+P_{\mathrm{int}}\right)$$

(9)

The degree component ensures that the predicted graph follows a structured, single-path format without branches. This is achieved by analyzing the in-degree and out-degree of each node in the active set, which represent the number of incoming and outgoing connections, respectively. If multiple nodes are identified as potential starting points (having no incoming edges) or multiple nodes are seen as ending points (having no outgoing edges), the model is penalized, and parameters are updated accordingly. Additionally, intermediary nodes should have exactly one incoming and one outgoing connection to maintain a proper sequence. The loss function sums up these penalties across all graphs in a batch, ensuring the network consistently learns to predict non-branching paths.

2.5.4. Cycle Component

The second component of ${\mathcal{L}}_{\mathrm{pinn}}$ is the cycle loss, which penalizes predicted graphs that contain cycles. This ensures that the predicted graph remains acyclic. Formally, let ${\overline{Y}}_{ij}$ be the scaled predicted matrix:

$${\overline{Y}}_{ij}={\displaystyle \frac{Y_{ij}}{{\sum }_i{Y}_{ij}+ϵ}}$$

(10)

and let ${\sum }_i{\left({\overline{Y}}^k\right)}_{ij}$ be the number of cycles of length k in $\overline{Y}$. To retrieve ${\mathcal{L}}_{\mathrm{cycle}}$, we compute the weighted sum for cycles of length $k=1,\dots ,K$ and average it over the batch size N, written as follows:

$${\mathcal{L}}_{\mathrm{cycle}}={\displaystyle \frac{1}{N}}\sum _{n=1}^N\left(\sum _{k=1}^K\left[{\displaystyle \frac{1}{k}}·\sum _i{\left({\overline{Y}}^k\right)}_{ij}\right]\right)$$

(11)

The cycle component prevents the presence of loops in the predicted graph. A cycle means that one can start from a node, follow the connections, and return to the same node. This is undesirable in our context, so the model is penalized if cycles are detected. Mathematically, this is achieved using the adjacency matrix of the graph: by raising this matrix to successive powers, we can count the number of paths of different lengths. If a sum of these paths indicates a cycle, a penalty is applied. This ensures that the predicted structure is strictly forward-moving, preventing redundant or circular paths.

2.5.5. Connectivity Component

The last component of ${\mathcal{L}}_{\mathrm{pinn}}$ is the connectivity loss, denoted as ${\mathcal{L}}_{\mathrm{connectivity}}$. Its purpose is to penalize predictions that contain more than one path. To achieve this, we use the algebraic connectivity [101] and the spectral properties of path graphs [102]. Formally, let $\mathbb{L}=D_{\mathrm{out}}-\widehat{Y}$ be the Laplacian of the graph, and let $\left\{{\lambda }_i\right\}$ be the eigenvalues of $\mathbb{L}$. We define C as the number of components in the graph, $ϵ\sim 0$ a small value, and $\Lambda$ an estimate of the maximum path length from the matrix $\widehat{Y}$:

$$\begin{array}{cc}\hfill C& =\sum _{i=1}^N\left(|{\lambda }_i|<ϵ\right),\Lambda =\sum _{ij}{\widehat{Y}}_{ij}+1\hfill \end{array}$$

(12)

If $\widehat{Y}$ only contains a path and isolated nodes, then we expect $C_{\mathrm{expected}}=\left|V\right|-\Lambda +1$ components in the graph. Based on this value, we can compute:

$$P_{\mathrm{component}}={\displaystyle \frac{{\left(C-C_{\mathrm{expected}}\right)}^2}{C_{\mathrm{expected}}^2}}$$

(13)

We know from spectral graph theory [102] that the expected eigenvalues of a path-graph of length $\Lambda$ should follow ${\left\{{\lambda }_i\right\}}^{*}=2-2cos(i\pi /\Lambda ),i=1,\dots ,\Lambda -1$. Thus, we define the second penalty component as the mean squared error of the expected and observed spectrum, written as follows:

$$P_{\mathrm{spectral}}={\displaystyle \frac{1}{\Lambda }}·\sum _{i=1}^{\Lambda }\left({\lambda }_i^{*}-{\lambda }_i\right)$$

(14)

Averaging over batch size N, we obtain the connectivity component loss, written as follows:

$${\mathcal{L}}_{\mathrm{connectivity}}={\displaystyle \frac{1}{N}}\sum _{n=1}^N\left(P_{\mathrm{component}}+P_{\mathrm{spectral}}\right)$$

(15)

The connectivity component ensures that the predicted graph consists of a single connected path rather than multiple disconnected segments. This is achieved using the Laplacian matrix, which describes the structure of the graph. The eigenvalues of this matrix provide information about how connected the graph is: in particular, the number of zero eigenvalues indicates how many separate components exist. If the number of components does not match the expected value for a properly connected path, the model is penalized. Additionally, spectral graph theory tells us the expected eigenvalues for an ideal path graph, so a second penalty is added if the observed eigenvalues deviate from this expected pattern. By enforcing these constraints, the model learns to generate graphs that form a single continuous sequence without fragmentation.

2.6. Start/End Node Training

When training for a start/end node classification task, ${\mathcal{L}}_{\mathrm{pinn}}$ is not required since the objective is to classify individual nodes rather than predict structured paths.

2.6.1. Encoder Self-Supervised Training

The encoder can either be trained end-to-end along with the graph convolution block or fine-tuned using a pre-trained graph convolution block. This second setting is useful when the graph convolution block has been pre-trained, e.g., for path prediction (see replication package, where flag freeze=False/True can be set to test both modes).

The encoder is trained in a self-supervised way using a decoder, i.e., a neural network with the exact same configuration but inverse. This encoder–decoder architecture is known as an “autoencoder”. Autoencoders [103] were introduced with the objective of learning to reconstruct an input signal with minimal error. The core idea behind autoencoders is to train a neural network that can generate low-dimensional representations in its intermediate layers, known as the latent space, denoted z. The encoder is responsible for learning the mapping $f:x\in \mathcal{X}\to z\in \mathcal{Z}$, which represents the latent space. The decoder is responsible for learning $g:z\in \mathcal{Z}\to x\in \mathcal{X}$, which reconstructs the input from the latent space. To train the autoencoder, the loss function $\mathcal{L}(·)$ measures the reconstruction error, i.e., minimizing the difference between $g\left(f\right(x\left)\right)$ and x over all training samples.

The autoencoder loss function ${\mathcal{L}}_{\mathrm{data}}^{\prime }$ can be written as follows:

$${\mathcal{L}}_{\mathrm{data}}^{\prime }={\left(\mathcal{H}-g\left(f\right(\mathcal{H}\left)\right)\right)}^2$$

(16)

The input to the encoder is the embedding matrix $\mathcal{H}$, and the output is the reconstructed version, denoted $\widehat{\mathcal{H}}$. Once the autoencoder is trained, we remove the decoder and serialize the encoder with a classification layer, forming the encoder–classifier block (see Figure 4), which is trained end-to-end while fine-tuning the encoder.

2.6.2. Classifier Supervised Training

With the encoder–classifier block (see Figure 4), our objective is to learn how to predict the end node given the start node, i.e., given $X_i=(A_i,F_i^{\prime })$, predict ${\widehat{F}}_i^{\mathrm{end}}$ where $F_i^{\prime }=F_i\setminus F_i^{\mathrm{end}}$, and given $X_i=(A_i,F_i^{\prime })$, predict ${\widehat{F}}_i^{\mathrm{start}}$ where $F_i^{\prime }=F_i\setminus F_i^{\mathrm{start}}$. During training, we mask the column vector corresponding to “End Node” or “Start Node” feature, thus obtaining $F_i^{\prime }=F_i\setminus F_i^{\mathrm{end}}$. The classifier is then trained to predict a vector $\widehat{Y}$, where only the entry corresponding to the start/end node should be set to $y=1$ after thresholding.

The loss function for the classifier is the Binary Cross Entropy (BCE) averaged over batch size N, i.e.,

$${\mathcal{L}}_{\mathrm{data}}={\displaystyle \frac{1}{N}}\sum _{n=1}^N\left({\displaystyle \frac{1}{\left|Y\right|}}\sum _i\left[Y_i-log\left(\widehat{Y_i}\right)+\left(1-Y_i\right)log\left(1-\widehat{Y_i}\right)\right]\right)$$

(17)

3. Results

This section presents our results. We discussed the last version of EPSS [57] in Section 1, which has a ROC-AUC score of $0.7795$ and F1 score of $0.728$. We evaluated our models against it, as one of our objectives is to extend EPSS’s functionality to full path prediction with at least equal performance.

3.1. Evaluation

We trained the full-path prediction architecture using K-fold cross-validation (see Appendix B) with $k=5$, meaning that in each epoch, the model was trained on 80% of the dataset, while the remaining 20% was used for testing. Each fold underwent training for 20 epochs. To evaluate performance, we measured the model’s F1 score (see Appendix C) and ROC-AUC score (see Appendix D) for each fold. K-fold cross-validation enhances the robustness of performance evaluation by ensuring that every data point is used for both training and validation. By averaging the results across all folds, this approach mitigates the impact of data variability and reduces the risk of biased performance estimates that could arise from a single train–test split. Additionally, it helps to assess the model’s generalizability, as it is trained and evaluated on multiple subsets of the dataset. The results are illustrated in Figure 6.

The following parameters were set: $\Phi =1$, $\Psi =1$, $\alpha =1, \beta ={10}^{-3}$, $\zeta =1$, batch size $N=64$, and initial learning rate $l={10}^{-3}$. As the loss component tends to be larger than the two others, setting $\beta$ to reduce its contribution to the loss helps to stabilize training. We used an exponential decay learning rate scheduler with decay rate $r=0.97$. This scheduler was responsible for reducing the learning rate every epoch (see replication package for details). We set the mask coefficient $w_c={10}^{-3}$, and the dropout probability in BMM SAGEConv layers was set to $=0.2$, meaning that each neuron had an equivalent probability of being “dropped out” of the loss computation during training, which helped to avoid overfitting. These hyperparameters were found to be optimal using the grid search strategy [104]. We trained all models on an NVIDIA GeForce GTX 1660 Ti GPU with 6GB of memory.

Having retrieved the ROC curves of the four models, we could compute Youden’s J statistic [99], which indicates the optimal threshold with respect to the prediction task. The thresholds obtained are shown in

Table 1. Performance benchmark of the path prediction architecture with and without physics-informed loss ${\mathcal{L}}_{\mathrm{pinn}}$. ${\mathcal{M}}_1$$(\Psi =1)$ uses the physics-informed loss, and ${\mathcal{M}}_1$$(\Psi =0)$ does not. ${\mathcal{M}}_2$ and ${\mathcal{M}}_3$ are the start-node and end-node predictors, respectively; the thresholds obtained using Youden’s J index of each model were used to compute F1 scores.

Model	Mean	Std.	Fold 1	Fold 2	Fold 3	Fold 4	Fold 5	Validation	Threshold
ROC-AUC Scores
${\mathcal{M}}_1$$(\Psi =1)$	0.9332	±0.0081	0.9300	0.9329	0.9201	0.9429	0.9402	0.9533	0.7189
${\mathcal{M}}_1$$(\Psi =0)$	0.8318	±0.0018	0.8296	0.8301	0.8319	0.8344	0.8328	0.8382	0.7311
${\mathcal{M}}_2$	0.8340	±0.1128	0.9490	0.9407	0.8276	0.6374	0.8328	0.9037	0.0162
${\mathcal{M}}_3$	0.8312	±0.1379	0.8335	0.9239	0.9155	0.5638	0.9195	0.8081	0.0247
F1 Scores
${\mathcal{M}}_1$$(\Psi =1)$	0.9177	±0.0082	0.9178	0.9326	0.9080	0.9170	0.9133	0.9308	0.7189
${\mathcal{M}}_1$$(\Psi =0)$	0.8166	±0.0088	0.8288	0.8136	0.8056	0.8250	0.8101	0.8191	0.7311
${\mathcal{M}}_2$	0.9154	±0.0928	0.9777	0.9640	0.9126	0.7368	0.9857	0.9780	0.0162
${\mathcal{M}}_3$	0.8644	±0.0964	0.8254	0.9370	0.9330	0.6913	0.9352	0.8214	0.0247

. Finally, the thresholds were set for each of the models, and we could measure the F1 score (see Appendix C for details). 

For path prediction (${\mathcal{M}}_1(\Psi =1)$), we obtained a final evaluation F1 score of $0.9308$ and ROC-AUC $=0.9533$, which is superior to the EPSS performance. For start/end node classification (${\mathcal{M}}_2,{\mathcal{M}}_3$), we obtained an F1 score of $0.9780$ and ROC-AUC of $0.9037$ for start node prediction and F1 score of $0.8214$ and ROC-AUC $=0.8081$ for end node prediction.

3.2. Ablation Study

Table 1 presents the performance of the path prediction architecture with and without ${\mathcal{L}}_{\mathrm{pinn}}$ across different folds of the dataset. The results show that the model ${\mathcal{M}}_1$, trained with the physics-informed loss, consistently outperforms the baseline model in every fold. Additionally, the evaluation metrics exhibit relatively low variability across folds, indicating that the model’s performance is stable and reliable.

3.3. Sensitivity Analysis

We conducted a sensitivity analysis with the objective of measuring the importance of each node feature and edge type in the architecture prediction. To estimate this value, we used the SHAP algorithm [105] (see Appendix F). Figure 7, Figure 8 and Figure 9 show the results of our analysis for ${\mathcal{M}}_1(\Psi =1)$, with the PIGNN and ${\mathcal{M}}_2$ and ${\mathcal{M}}_3$ the start-node and exit-node prediction models, respectively. Features and edge types are ordered on the Y-axis of each plot, in descending order. The dot colors indicate the value of the input (blue for values $<0$, red for values $\ge 0$), and the dot location on the X-axis indicates the influence of the value on the prediction.

For ${\mathcal{M}}_1$ (see Figure 7), (1) Open edges with low values—corresponding to edges that do not have a corresponding network route—are very influential in preventing concurrent edges from being included in the predicted attack path. It appears that the PIGNN learned this association, which is coherent with domain knowledge, as non-routed paths cannot be exploited by an attacker. (2) the AdminTo, ExecuteDCOM, GenericAll, CanRDP, and HasSession edges are also positively correlated with the prediction, meaning that such edges are perceived as likely to be part of the attack path by the neural network. This is also expected, as these edges correspond to easily exploitable lateral movement techniques, and as discussed in Section 2.1, the AdminTo and HasSession features are highly correlated with ground-truth attack paths. From the feature SHAP values, we can observe that (3) the Start Node property exhibits a large influence on the neural network depending on its value. This could be an indicator that the feature is used by the network to decide whether to include or exclude the nodes in the path. This makes sense, as any node with this attribute set is necessarily included in the path. (4) Most of the other features are centered around 0 with relatively narrow amplitude. Overall, these results seem to indicate that the network focuses largely on the edge types rather than node attributes, with the exception of the entry node.

For ${\mathcal{M}}_2$ (see Figure 8), the initial access node predictor, we can observe that ExecuteDCOM, AllowedToDelegate, MemberOf, GetChanges, and GetChangesAll are correlated with negative predictions. The last two are commonly associated with the Domain Admin, and as such, it appears that the network might have learned to associate nodes supporting these edges as less likely to be initial access nodes. Conversely, AdminTo edges are strongly correlated with positive predictions. This edge type is associated with a user account, and links to potential HasSession edges from the target system. It would make sense that the network learned to identify nodes followed by an AdminTo edge as likely initial access nodes for identity snowball attacks. Regarding node features, we can observe that operating system characteristics are correlated with positive predictions, while user account attributes, e.g., hasSpn, are negatively correlated with predictions.

For ${\mathcal{M}}_3$ (see Figure 9), the impact node predictor, we can observe the following: (1) Open, HasSession, and GetChanges are highly correlated with the decision—when the input node does not have these types of edges, it is less likely to be predicted as an initial access node. We can make the same observation for MemberOf edge type, but the correlation is weaker. Considering that the attack paths describe identity snowball attacks—meaning that the “optimal” exit node is the Domain Controller node—this node must have existing Open edges with all other nodes in the graph. As such, it makes sense that the network has learned to identify nodes with high counts of Open edges as likely exit nodes. The same observation applies to GetChanges, as these edges generally originate from DA nodes. Regarding features, the correlation with decision is fuzzier. Most features have a more centered impact, which means that their influence on the decision actually depends on the sample and does not exhibit a strong correlation with the decision.

4. Discussion

The results shown in Section 3 provide valuable insights into the research question outlined in Section 1. Our results indicate that generalizing over environments and adversary characteristics across multiple environments is feasible—even with a limited dataset—using physics-informed learning. Our results show that our approach achieves strong performance across all three risk assessment tasks discussed in Section 2.3: (1) deductive reasoning, e.g., identifying the ending of an attack path (consequence) given its starting point (cause), (2) inductive reasoning, e.g., determining the starting point of the attack path given its ending, or (3) a combination of both, e.g., identifying the full path when both the cause and consequence are fixed.

Based on our ablation study (see Section 3.2), it appears that incorporating physics-informed loss components enhances training efficiency with limited samples, aligning with existing research on PINNs, as discussed in Section 2.2. In our case, implementing the physics-informed loss increases the F1 score by more than 10%. When studying which features are impactful for the prediction models (see Section 3.3), we observed that edges were more important than most node attributes. This observation is promising for new research opportunities. As discussed in Section 1 and [54], we are currently studying data augmentation strategies based on CSKG. Such data augmentation techniques rely on topological representations of knowledge to represent information, which our network seems to be adapted to. These preliminary results are promising and pave the way for further research. In [54], we discussed ongoing experiments exploring the use of the Common Attack Pattern and Enumeration Catalogue (CAPEC) [106] as a source for data augmentation in a real environment. A key advantage of leveraging graph structures for augmentation is that the graph convolution block presented in Algorithm 1 can process the enriched data directly, without requiring modifications to the existing convolution block.

Certain design choices and reliance on automated tools currently impose limitations on the full potential of the proposed methods and dataset. Namely, constraints applied during data generation—such as restricting to identity snowball attacks, using fixed-size graphs, and maintaining a limited level of detail—were intentionally set to keep the problem tractable in this first experiment. Having established this proof of concept, we propose expanding the dataset in future research through data augmentation by collecting real-world data and introducing additional nodes and edges to the graph. From a broader perspective, we believe this research contributes insights that extend beyond security risk assessment. Our findings make a compelling case for incorporating more structural reasoning in the design of deep learning models. While the “model-agnostic” nature of neural networks remains a defining characteristic [107], our results suggest that crafting loss functions constrained by domain knowledge can enhance generalization.

5. Conclusions

In this paper, we investigated potential applications of Physics-Informed Graph Neural Networks (PIGNNs) for automated attack path prediction. In Section 1, we presented the motivations for this research. We developed three main research objectives: (1) building and releasing a dataset for experiments with Deep Neural Network (DNN)-based Attack Path Analysis (APA), (2) experimenting with the PIGNN for three risk assessment learning problems (inductive, deductive, and hybrid), and (3) reaching SoTA performance, which is evaluated against EPSS, the current SoTA for learning-based attack prediction.

Section 2 presented our methods for crafting our dataset along with an exploratory data analysis of potential biases and limitations. Then, we introduced our methods for building physics-informed neural networks. By leveraging graph-theory-based properties, we defined a physics-informed loss function, denoted by ${\mathcal{L}}_{\mathrm{pinn}}$, which penalizes the prediction model when the predicted path contradicts domain knowledge and expected path properties. We used this loss function to train two distinct architectures. The first is based on a Graph Neural Network (GNN) and multilayer perceptron (MLP) and aims at predicting full attack paths for a given environment, start node and end node. The second architecture we proposed also makes use of a GNN, along with an autoencoder (AE) designed to identify the most likely initial access nodes in the environment given an impact node or an impact node given the initial access node. While the full-path prediction architecture is useful for exploring potential risk scenarios with preset boundaries (e.g., as suggested in many risk management frameworks [4]), the start/end node classification architecture is also useful for incident response and threat analysis (e.g., an adversary has been spotted on a system, and the model can help to determine the initial access of the infection chain).

Section 3 presented our results after training the models using K-fold cross validation. We obtained a final evaluation F1 score of $0.9308$ and ROC-AUC $=0.9533$, which is superior to the EPSS performance. For start/end node classification, we obtained an F1 score of $0.9780$ and ROC-AUC of $0.9037$ for start node prediction and F1 score of $0.8214$ and ROC-AUC $=0.8081$ for end node prediction. We also included an ablation study, showing that the physics-informed loss function correlates to a model performance increase, and conducted a sensitivity analysis using SHAP. We observed that the full-path model relies more on the topological properties of the graph than the node properties, which is promising for CSKG-based data augmentation strategies. Finally, Section 4 discussed potential research opportunities emerging from this research, along with the limitations of our procedure.