Abstract. Digital twin technology is emerging as the cornerstone of proactive maintenance and monitoring of ICT/OT infrastructures. This paper discusses the security twin, an evolution of the digital twin: a graph-based model that acts as a dynamic inventory enriched with vulnerability intelligence and that can mirror complex ICT infrastructures to predict intrusions by threat agents without disrupting live production environments. This requires high-fidelity synchronization between the infrastructure and the security twin, which remains a challenge mainly when active scanning cannot be employed. As an answer to this challenge, this paper introduces NotLine, a non-intrusive and fully automated platform that builds and updates a security twin through the continuous passive ingestion of multi-protocol network telemetry. NotLine leverages a distributed monitoring pipeline architecture to filter, normalize, and correlate heterogeneous traffic metadata in real time, and maps these data onto the security twin. The core innovation of NotLine lies in its integration of this live model with an AI-driven Monte Carlo simulation engine. The engine uses the security twin to generate the state transitions of a threat actor during an intrusion, as determined by the access rights and information the actor has acquired so far. This makes it possible to quantify risk exposure probabilistically and supports prescriptive analytics and preemptive remediation. We present an evaluation of NotLine in a production environment and show that a hypoexponential mathematical model characterizes the platform's discovery pattern. According to this model, the platform maps most assets within 48 h; this confirms that NotLine provides a robust foundation for simulation-powered cybersecurity, bridging the gap between passive observation and proactive risk prediction, although a long-tail monitoring period is critical to capture all infrastructure components.
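The two quantitative ideas in the abstract, a Monte Carlo walk over a security twin whose transitions are gated by the rights an intruder has acquired, and a hypoexponential curve for asset discovery, are illustrated below in a small Python example. This is an added illustration, not NotLine's code or the paper's model: the twin (five hops between five assets), the per-hop success probabilities, the names of rights, and the two discovery rates are all constructed for the example. The `simulate` function returns the estimated probability that a chosen asset is compromised and, for prescriptive use, the fraction of successful runs in which each intermediate asset was involved; `patched` removes one hop so a remediation can be compared before it is applied.

```python
"""Toy security-twin Monte Carlo risk estimate (added illustration, not NotLine's code).

The twin is a directed graph: each hop records which access right an intruder
needs to attempt it, how likely the attempt succeeds (what vulnerability
intelligence would supply), and which right it grants on success.  An intrusion
is simulated as state transitions driven by the rights acquired so far, on a
constructed sample graph with constructed probabilities.
"""
import math
import random
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Hop:
    src: str          # asset the intruder already controls
    dst: str          # asset reached if the hop succeeds
    needs: str        # right the intruder must already hold
    grants: str       # right gained on success
    p_success: float  # per-attempt success probability (constructed value)


# Constructed sample twin: five assets, rights named after what they unlock.
SAMPLE_TWIN = [
    Hop("internet", "web", "none", "web_shell", 0.6),
    Hop("web", "app", "web_shell", "app_creds", 0.5),
    Hop("web", "jump", "web_shell", "jump_login", 0.3),
    Hop("jump", "db", "jump_login", "db_admin", 0.7),
    Hop("app", "db", "app_creds", "db_admin", 0.4),
]


@dataclass
class IntruderState:
    assets: set = field(default_factory=lambda: {"internet"})
    rights: set = field(default_factory=lambda: {"none"})


def step(state, twin, rng):
    """One transition round: attempt every hop enabled by the current rights."""
    for hop in twin:
        if (hop.src in state.assets and hop.needs in state.rights
                and hop.dst not in state.assets and rng.random() < hop.p_success):
            state.assets.add(hop.dst)
            state.rights.add(hop.grants)


def simulate(twin, target, trials=10_000, rounds=5, seed=1):
    """Estimate P(target compromised within `rounds`) and per-asset involvement.

    Returns (probability, {asset: fraction of successful runs that used it}).
    The second value is the prescriptive signal: assets present in most
    successful intrusions are the best remediation candidates.
    """
    rng = random.Random(seed)  # fixed seed makes the estimate reproducible
    hits = 0
    involvement = {}
    for _ in range(trials):
        state = IntruderState()
        for _ in range(rounds):
            step(state, twin, rng)
            if target in state.assets:
                break
        if target in state.assets:
            hits += 1
            for asset in state.assets - {"internet", target}:
                involvement[asset] = involvement.get(asset, 0) + 1
    prob = hits / trials
    share = {a: n / hits for a, n in involvement.items()} if hits else {}
    return prob, share


def patched(twin, src, dst):
    """Copy of the twin with one hop removed: a remediation what-if."""
    return [h for h in twin if not (h.src == src and h.dst == dst)]


def hypoexp_cdf(t, lam1, lam2):
    """Two-phase hypoexponential CDF with distinct rates: fraction of assets
    discovered by time t.  The rates passed in are constructed, not a fit."""
    if lam1 == lam2:
        raise ValueError("rates must differ for this closed form")
    return 1.0 - (lam2 * math.exp(-lam1 * t) - lam1 * math.exp(-lam2 * t)) / (lam2 - lam1)


if __name__ == "__main__":
    p, share = simulate(SAMPLE_TWIN, "db")
    print(f"P(db compromised) = {p:.3f}; involvement = {share}")
    p2, _ = simulate(patched(SAMPLE_TWIN, "web", "jump"), "db")
    print(f"after removing the web->jump hop: {p2:.3f}")
    print(f"share of assets discovered by 48 h (constructed rates): "
          f"{hypoexp_cdf(48, 0.2, 0.05):.3f}")
```

Because every successful run in the sample twin passes through `web`, its involvement share is always 1.0, which is the kind of signal that points remediation at the asset that matters most; comparing `simulate` on the original and on a `patched` twin quantifies how much a single fix lowers exposure before it is rolled out.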
Baiardi et al. studied this question.