HYBRID ARCHITECTURE OF A DECISION SUPPORT SYSTEM FOR DETECTION AND ASSESSMENT OF CYBER RISKS IN CRITICAL INFRASTRUCTURE OBJECTS

Abstract

The article investigates the problem of integrating neural network-based anomaly detection methods with formalized risk assessment mechanisms and decision support models within critical infrastructure environments. The introduction substantiates the relevance of ensuring cyber resilience of critical infrastructure under conditions of increasing attack complexity, expanding attack surfaces, and the limitations of traditional security systems. The problem statement identifies key limitations of existing neural network approaches, including the lack of contextualization, risk-oriented interpretation, and automated recommendation generation mechanisms. The literature review systematizes contemporary approaches to LSTM-, autoencoder-, and transformer-based anomaly detection, as well as methods for dynamic cyber risk assessment. The research objective is formulated as the development of a hybrid architecture that integrates behavioral anomaly detection, aggregation of anomaly scores into an integral risk indicator, and automated response scenario generation. The proposed multi-layer architecture includes a Data Layer, Neural Detection Layer (LSTM Autoencoder), Risk Aggregation Layer (top-k aggregation with asset criticality coefficient), and a Decision Support Layer with a threshold-based recommendation model. The computation of anomaly scores, integral risk, and management action functions is formally defined. Experimental validation was conducted on the BETH dataset using two evaluation modes: Normal-only and Mixed. In the Mixed mode, the model achieved ROC-AUC = 0.874 and PR-AUC = 0.828 at the window level, and Session ROC-AUC = 0.8235 after risk aggregation. The Action Precision metric of 0.9333 confirms the effectiveness of the incident prioritization mechanism. Low latency (~0.35 ms) demonstrates suitability for near real-time application. The conclusions demonstrate that integrating a neural anomaly detector with a risk-oriented decision support model improves interpretability, reduces false escalations, and ensures adaptability to different data regimes.