HYBRID METHOD FOR ASSESSING CYBERRISKS OF CRITICAL INFRASTRUCTURE OBJECTS USING MACHINE LEARNING
DOI: https://doi.org/10.31891/2219-9365-2026-86-24
Keywords: cyber risk, critical infrastructure, machine learning, SIEM, risk assessment, anomaly detection, cybersecurity, hybrid model
Abstract
The article proposes a hybrid approach to assessing cyber risks of critical infrastructure facilities that combines a multi-criteria weighted sum model (WSM), machine learning methods, and elements of fuzzy logic. The study is motivated by the increasing complexity of cyber threats in modern cyber-physical systems, where traditional expert risk assessment methods do not adapt sufficiently to dynamic changes in the environment. The proposed approach integrates operational cyber monitoring data with classical risk assessment mechanisms to increase the accuracy, adaptability, and interpretability of results. The model is based on the weighted sum method, which provides a transparent assessment structure and allows experts to adjust the criteria and weighting coefficients. Unlike traditional models, this work uses an extended criteria structure that includes not only the probability of threat realization and the criticality of the impact, but also the level of exposure and the level of vulnerability. The vulnerability criterion is an aggregated composition of subcriteria that take into account CVSS scores, exploit availability, update status, and system configuration security. The study formalizes the mechanism for integrating ML modules into the risk assessment model. Classification, clustering, anomaly detection, regression, and time series analysis methods are used to analyze SIEM/XDR telemetry data, event logs, and network traffic. The results of the ML modules are aggregated into an integral ML indicator that is used to adaptively adjust the assessed probability of threat realization. To keep the integration of machine learning controlled, a confidence factor is introduced for the ML layer, which balances expert assessments against automated analysis.
The practical value of the proposed approach lies in the possibility of building adaptive decision support systems in the field of cybersecurity that are capable of combining expert knowledge, technical characteristics of vulnerabilities, and the results of telemetry data analysis.
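One possible reading of the scheme the abstract describes, as an added example that is not the article's own model: a weighted sum over four criteria, a vulnerability score aggregated from subcriteria, and an expert probability blended with an integral ML indicator through a confidence factor. The abstract gives no formulas, so the convex blend, all weights, the field names and the two sample assets are assumptions constructed for illustration.

```python
# Weights, scales and formulas here are illustrative assumptions; the abstract
# names these components but does not give their formulas.
CRITERIA_W = {"probability": 0.35, "impact": 0.30, "exposure": 0.15, "vulnerability": 0.20}
VULN_W = {"cvss": 0.4, "exploit": 0.3, "patch_lag": 0.2, "config": 0.1}
ML_W = {"classification": 0.3, "anomaly": 0.3, "clustering": 0.1,
        "regression": 0.15, "time_series": 0.15}

def weighted_sum(values, weights):
    """WSM over criteria normalised to [0, 1]; weights must sum to 1."""
    if set(values) != set(weights):
        raise ValueError(f"criteria mismatch: {sorted(set(values) ^ set(weights))}")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    if any(not 0.0 <= v <= 1.0 for v in values.values()):
        raise ValueError("criterion value outside [0, 1]")
    return sum(weights[k] * values[k] for k in weights)

def adjusted_probability(expert_p, ml_indicator, confidence):
    """Convex blend: confidence 0 keeps the expert value, 1 trusts the ML layer."""
    if not 0.0 <= confidence <= 1.0:
        raise ValueError("confidence must be in [0, 1]")
    return (1.0 - confidence) * expert_p + confidence * ml_indicator

def risk_score(asset, confidence):
    """Hybrid risk in [0, 1] for one asset record."""
    vulnerability = weighted_sum({
        "cvss": asset["cvss"] / 10.0,                 # CVSS base score, 0-10
        "exploit": 1.0 if asset["exploit"] else 0.0,  # exploit availability
        "patch_lag": asset["patch_lag"],              # 0 = current, 1 = long overdue
        "config": asset["config"],                    # 0 = hardened, 1 = weak
    }, VULN_W)
    ml_indicator = weighted_sum(asset["ml"], ML_W)    # integral ML indicator
    p = adjusted_probability(asset["expert_p"], ml_indicator, confidence)
    return weighted_sum({"probability": p, "impact": asset["impact"],
                         "exposure": asset["exposure"], "vulnerability": vulnerability},
                        CRITERIA_W)

def rank(assets, confidence):
    """Asset names from highest to lowest hybrid risk."""
    return sorted(assets, key=lambda n: risk_score(assets[n], confidence), reverse=True)

# Constructed sample assets, not data from the article.
ASSETS = {
    "scada_hmi": {"expert_p": 0.2, "impact": 0.9, "exposure": 0.3, "cvss": 9.0,
                  "exploit": True, "patch_lag": 0.8, "config": 0.5,
                  "ml": {"classification": 0.9, "anomaly": 0.8, "clustering": 0.5,
                         "regression": 0.6, "time_series": 0.8}},
    "mail_gateway": {"expert_p": 0.7, "impact": 0.5, "exposure": 0.9, "cvss": 5.0,
                     "exploit": False, "patch_lag": 0.2, "config": 0.3,
                     "ml": {k: 0.1 for k in ML_W}},
}
```

With the confidence factor at 0 the expert estimate puts `mail_gateway` first; at 0.5 the telemetry-driven indicator moves `scada_hmi` to the top, which is the balancing effect the confidence factor is meant to control.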
Copyright (c) 2026 Анна ІЛЬЄНКО, Валентина ТЕЛЮЩЕНКО

This work is licensed under a Creative Commons Attribution 4.0 International License.


