Bayesian Attack Model (BAM)

Advanced cybersecurity decision intelligence for OT environments using explainable machine learning to detect and respond to adversarial activity.

The Bayesian Attack Model (BAM) aggregates observer experiences of anomalous events across OT environments to provide actionable decision intelligence. Developed by Sandia National Laboratories under contract with Battelle Energy Alliance, LLC and the United States Department of Energy, BAM uses explainable machine learning tools to comprehensively analyze anomalous host-based, network-based, and physical environment observables.

The primary benefit of aggregating a wide range of observables is to enhance the cybersecurity incident response process via earlier detection of adversarial activity and more effective response. Successful interruption of an OT cyber-attack may result in averting significant consequences including loss of revenue, damage to property, and loss of safety to facility staff and the public.

Core Features

Adversary Behavior Identification

BAM Dashboard

Export Capabilities

Standards & Data Model (STIX 2.1)

BAM ingests a modified STIX 2.1–based object to represent anomalous observables in a structured, interoperable way. The object is extended with analyst-informed attributes such as the normal frequency of occurrence of the observable and the likelihood of the observable event given that an associated MITRE ATT&CK for ICS technique is occurring. These attributes help BAM translate collected events into probabilistic evidence for attack-phase inference.

Interactive demo panel (static residue removed): observable inputs (host-based events, network traffic, physical sensors, process anomalies) feed a MITRE ATT&CK mapping and an attack phase likelihood readout for the Early, Middle, Late, and Impact phases.

Live demonstration: Observable evidence → MITRE ATT&CK mapping → Probabilistic behavior classification

Try BAM + ACE (Pilot Demo Sandbox)

This sandbox illustrates the workflow users follow to operationalize OT/ICS observables: (1) structure observables, (2) map observables to likely MITRE ATT&CK for ICS techniques (ACE classifier), (3) infer attack phase likelihood with BAM, and (4) anticipate plausible next techniques (ACE Markov model). The widget can run in Demonstration Mode (no backend) or be wired to pilot APIs for real inference.

Inputs

Input Configuration
Use STIX 2.1–aligned objects if available. The demo supports BAM-style extensions (frequency-of-occurrence and conditional likelihood).
API mode calls your inference endpoints. Demo mode simulates outputs to show workflow and UI.
Tip: If the technique(s) are not known, run ACE Classify first. If they are known, include them directly in the JSON.
Privacy note: For a pilot, consider storing only aggregated metrics (missing fields, modes used, errors, output confidence) unless users explicitly opt in to share payloads.

Outputs

Run "ACE: Classify TTPs" to see likely MITRE ATT&CK for ICS techniques.
Run "BAM: Infer Phase" to see Early/Middle/Late/Impact likelihood.
Run "ACE: Predict Next TTPs" to see plausible next steps (technique transitions).
After a run, this panel summarizes which inputs were most influential.
Pilot API Mode: Wire these actions to your services (validate → classify → BAM infer → Markov predict) to observe user friction and coverage gaps.
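The STIX 2.1 data model described under "Standards & Data Model" and the four sandbox steps above (structure, classify, infer, predict) can be made concrete with a small pipeline. The following Python is an added example, not code from BAM or ACE: the observed-data objects are constructed; the property names x_bam_technique_ref, x_bam_normal_frequency and x_bam_likelihood_given_technique are hypothetical stand-ins for BAM's extensions; the 0.05 prior, the transition table and the placement of each MITRE ATT&CK for ICS technique ID into a phase are assumptions; and the phase aggregation is a deliberate simplification. What it shows is the Bayesian mechanics the page refers to: the analyst-supplied likelihood of an observable given a technique, divided by its normal frequency of occurrence, is a likelihood ratio that multiplies the odds of that technique, and malformed objects are rejected rather than silently scored.

```python
"""Toy pipeline: STIX 2.1-style observables -> technique posteriors
-> attack-phase likelihood -> next-technique prediction.

Added example, not BAM/ACE code. The x_bam_* property names, the prior,
the technique->phase map and the transition table are assumptions."""
import json

PHASES = ("Early", "Middle", "Late", "Impact")

# Assumed phase assignment for a handful of ATT&CK for ICS technique IDs.
TECHNIQUE_PHASE = {
    "T0886": "Early",   # Remote Services
    "T0859": "Early",   # Valid Accounts
    "T0843": "Middle",  # Program Download
    "T0855": "Late",    # Unauthorized Command Message
    "T0831": "Impact",  # Manipulation of Control
}

# Constructed technique-transition probabilities (stand-in for a Markov model).
TRANSITIONS = {
    "T0886": {"T0859": 0.6, "T0843": 0.4},
    "T0859": {"T0843": 0.5, "T0855": 0.5},
    "T0843": {"T0855": 0.7, "T0831": 0.3},
    "T0855": {"T0831": 1.0},
}

# Constructed sample input. The last object deliberately lacks
# x_bam_normal_frequency so the validation step has something to catch.
SAMPLE_INPUT = json.dumps([
    {"type": "observed-data", "spec_version": "2.1",
     "id": "observed-data--00000000-0000-4000-8000-000000000001",
     "x_bam_technique_ref": "T0886",
     "x_bam_normal_frequency": 0.05, "x_bam_likelihood_given_technique": 0.9},
    {"type": "observed-data", "spec_version": "2.1",
     "id": "observed-data--00000000-0000-4000-8000-000000000002",
     "x_bam_technique_ref": "T0886",
     "x_bam_normal_frequency": 0.3, "x_bam_likelihood_given_technique": 0.6},
    {"type": "observed-data", "spec_version": "2.1",
     "id": "observed-data--00000000-0000-4000-8000-000000000003",
     "x_bam_technique_ref": "T0843",
     "x_bam_normal_frequency": 0.02, "x_bam_likelihood_given_technique": 0.8},
    {"type": "observed-data", "spec_version": "2.1",
     "id": "observed-data--00000000-0000-4000-8000-000000000004",
     "x_bam_technique_ref": "T0855", "x_bam_likelihood_given_technique": 0.7},
])

REQUIRED = ("type", "spec_version", "id", "x_bam_technique_ref",
            "x_bam_normal_frequency", "x_bam_likelihood_given_technique")


def validate(obj):
    """Return a list of problems; an empty list means the object is usable."""
    errors = [f"missing {k}" for k in REQUIRED if k not in obj]
    if "type" in obj and obj["type"] != "observed-data":
        errors.append("type must be observed-data")
    for k in ("x_bam_normal_frequency", "x_bam_likelihood_given_technique"):
        v = obj.get(k)
        if k in obj and not (isinstance(v, (int, float)) and 0 < v <= 1):
            errors.append(f"{k} must be a probability in (0, 1]")
    if "x_bam_technique_ref" in obj and obj["x_bam_technique_ref"] not in TECHNIQUE_PHASE:
        errors.append("unknown technique")
    return errors


def infer_technique_posteriors(observables, prior=0.05):
    """Odds-form Bayes update: each valid observable multiplies the odds of its
    technique by P(obs | technique) / P(obs | normal), where the analyst's
    normal-frequency value stands in for P(obs | normal)."""
    odds = {t: prior / (1 - prior) for t in TECHNIQUE_PHASE}
    for obj in observables:
        if validate(obj):
            continue  # reject malformed evidence instead of guessing at it
        lr = obj["x_bam_likelihood_given_technique"] / obj["x_bam_normal_frequency"]
        odds[obj["x_bam_technique_ref"]] *= lr
    return {t: o / (1 + o) for t, o in odds.items()}


def phase_likelihood(posteriors):
    """P(at least one technique of the phase is active), assuming techniques
    are independent; a simplification, not BAM's model."""
    result = {}
    for phase in PHASES:
        none_active = 1.0
        for t, p in posteriors.items():
            if TECHNIQUE_PHASE[t] == phase:
                none_active *= 1 - p
        result[phase] = 1 - none_active
    return result


def predict_next(posteriors):
    """Weight each transition by the posterior of its source technique and
    return candidate next techniques, most likely first."""
    scores = {}
    for src, p in posteriors.items():
        for dst, tp in TRANSITIONS.get(src, {}).items():
            scores[dst] = scores.get(dst, 0.0) + p * tp
    total = sum(scores.values()) or 1.0
    return sorted(((t, s / total) for t, s in scores.items()),
                  key=lambda x: x[1], reverse=True)


def run_pipeline(text):
    """validate -> infer -> phase -> predict, mirroring the sandbox steps."""
    observables = json.loads(text)
    errors = {o.get("id", "?"): validate(o) for o in observables if validate(o)}
    posteriors = infer_technique_posteriors(observables)
    return {"errors": errors, "techniques": posteriors,
            "phases": phase_likelihood(posteriors), "next": predict_next(posteriors)}


if __name__ == "__main__":
    out = run_pipeline(SAMPLE_INPUT)
    for phase, p in out["phases"].items():
        print(f"{phase:7s} {p:.1%}")
    print("next:", out["next"][:2], "rejected:", list(out["errors"]))
```

Two observables pointing at the same technique compound (their likelihood ratios multiply), which is why the Early phase ends up as likely as the Middle phase despite the single strong Program Download observable. The fourth object is rejected for its missing frequency field; that is exactly the kind of field-coverage error the privacy note above suggests recording as an aggregated metric during a pilot.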

Security Operations Center (SOC) and Observable Integration

BAM is designed to incorporate any observable event that could indicate anomalous activity affecting OT/ICS processes and systems—including signals that traditional SOC, SIEM, and threat hunting tools often miss (e.g., operator observations, process deviations, and OT sensor/controls evidence). BAM translates this diverse evidence into probabilistic, MITRE ATT&CK for ICS–aligned decision intelligence that can inform investigations, hunts, and response actions.

How to Use BAM with Your Own Threat Hunting Capabilities

BAM is intentionally compatible with common hunting approaches and tool stacks. The goal is to bring OT-specific and human/process observables into the same analytic loop as detection rules and telemetry, then apply probabilistic reasoning to guide the hunt.

1. Collect and Normalize Observables

2. Map to ATT&CK for ICS Hypotheses

3. Prioritize with Probabilistic Inference

4. Operationalize Outputs

Demonstrated in INL ICS 311 “Detect the Attacker”: OPTIC + CATCH + BAM working together to support hypothesis-driven OT threat hunting.

Resources and Documentation

HOU.SEC.CON Recorded Presentation

Watch the recorded presentation to learn more about BAM’s capabilities and real-world applications.

IEEE Transactions on Information Forensics and Security

Read the peer-reviewed publication detailing BAM’s methodology and results.

BAM User Story

Detailed user story documentation available upon request.

Presented at S4x25

BAM was presented at the S4x25 conference, highlighting its application to OT cyber threat detection and probabilistic attack phase inference.

INL ICS 311 – Detect the Attacker Course

BAM was demonstrated as part of the INL ICS 311 “Detect the Attacker” course, including a live demonstration and supporting instructional materials.

STIX 2.1 Integration Notes

Request access to guidance on BAM’s STIX 2.1–aligned observable object and BAM-specific extensions used for downstream interoperability.

Detect the Attacker (INL ICS 311)

Threat hunting perspective and integrated demonstration of OPTIC, CATCH, and BAM in the INL ICS 311 “Detect the Attacker” OT Threat Hunting course.

OPTIC (CyOTE)

CyOTE Operational Process for Trigger Identification and Comprehension (OPTIC) supports structured identification and contextualization of triggers.

CATCH (CyOTE)

Collection and Analysis of Telemetry for CyOTE Heuristics (CATCH) supports telemetry collection and analysis to surface candidate anomalous events.