BEGIN
%% 1. ІНІЦІАЛІЗАЦІЯ СЕРЕДОВИЩА
clear workspace
set random seed
define system version
define monitoring time step Δt = 5 minutes
define risk thresholds:
TH_LOW = 0.25
TH_WARNING = 0.45
TH_HIGH = 0.65
TH_CRITICAL = 0.75
% NOTE(review): TH_HIGH is declared but never referenced — the CriticalityLevel
% mapping in section 7 goes from TH_WARNING straight to TH_CRITICAL, and the warning
% logic in section 11 tests only TH_WARNING and TH_CRITICAL. Either use TH_HIGH for
% the "high" band or drop it, so the constant does not suggest a check that is not made.
define attack states:
S0 = "normal"
S1 = "early_anomaly"
S2 = "attack_preparation"
S3 = "active_attack"
define criticality levels:
K1 = "low"
K2 = "medium"
K3 = "high"
K4 = "critical"
%% 2. ФОРМУВАННЯ ОНТОЛОГІЧНОГО РІВНЯ БАЗИ ЗНАНЬ
% Онтологічний рівень описує сутності предметної області:
% об'єкти критичної інфраструктури, загрози, вектори атак,
% ознаки аномалій, рівні критичності та відношення між ними.
create list O_objects:
"SCADA_Controller"
"Telemetry_Gateway"
"Auth_Server"
"Database_Node"
"Edge_Router"
"Backup_Server"
"Sensor_Node"
create list O_sectors:
"energy"
"transport"
"water_supply"
create list O_threats:
"normal"
"low_intensity_probe"
"credential_stuffing"
"sql_injection_attempt"
"port_scanning"
"ddos_preparation"
"apt_initial_access"
"apt_lateral_movement"
"cyber_physical_sabotage"
create list O_attack_vectors:
"none"
"network"
"application"
"cyber_physical"
create list O_features:
"traffic_volume"
"failed_auth_count"
"port_scan_rate"
"protocol_entropy"
"cpu_load"
"memory_load"
"temporal_deviation"
"correlation_score"
"graph_centrality"
"model_uncertainty"
create ontology graph G_KB as directed graph
add nodes to G_KB from:
O_objects
O_sectors
O_threats
O_attack_vectors
O_features
criticality levels
add semantic relations:
"SCADA_Controller" -> "energy" relation = "belongs_to_sector"
"Telemetry_Gateway" -> "transport" relation = "belongs_to_sector"
"Database_Node" -> "water_supply" relation = "belongs_to_sector"
"port_scanning" -> "network" relation = "has_attack_vector"
"credential_stuffing" -> "application" relation = "has_attack_vector"
"apt_lateral_movement" -> "network" relation = "has_attack_vector"
"cyber_physical_sabotage" -> "cyber_physical" relation = "has_attack_vector"
"failed_auth_count" -> "credential_stuffing" relation = "indicates"
"port_scan_rate" -> "port_scanning" relation = "indicates"
"protocol_entropy" -> "ddos_preparation" relation = "indicates"
"temporal_deviation" -> "early_anomaly" relation = "indicates"
"correlation_score" -> "attack_preparation" relation = "indicates"
% NOTE(review): "early_anomaly" and "attack_preparation" are attack states (S1, S2),
% not members of O_threats, and the attack states are not among the node sets added
% to G_KB above; add them as nodes (or point these edges at entries of O_threats).
store G_KB in KnowledgeBase.Ontology
%% 3. ФОРМУВАННЯ РЕЛЯЦІЙНОГО РІВНЯ
% Реляційний рівень зберігає структуровані параметри:
% вузли, сектори, критичність, пороги, ваги ознак, типи загроз.
create table InfrastructureNodes with columns:
NodeID
ObjectType
Sector
CriticalityWeight
RedundancyLevel
IsCriticalNode
example rows:
N_001, "SCADA_Controller", "energy", 0.95, 2, true
N_002, "Edge_Router", "transport", 0.82, 3, true
N_003, "Database_Node", "water_supply", 0.76, 2, true
N_004, "Backup_Server", "energy", 0.41, 4, false
create table ThreatCatalog with columns:
ThreatID
ThreatClass
AttackVector
BaseSeverity
TypicalDuration
EarlyIndicators
example rows:
T_001, "low_intensity_probe", "network", 0.35, 30 min, ["port_scan_rate", "temporal_deviation"]
T_002, "credential_stuffing", "application", 0.55, 20 min, ["failed_auth_count", "correlation_score"]
T_003, "ddos_preparation", "network", 0.70, 15 min, ["traffic_volume", "protocol_entropy"]
T_004, "apt_lateral_movement", "network", 0.90, 60 min, ["graph_centrality", "correlation_score"]
T_005, "cyber_physical_sabotage", "cyber_physical", 0.95, 45 min, ["temporal_deviation", "SCADA_command_anomaly"]
% NOTE(review): "SCADA_command_anomaly" (T_005) is not in O_features and is not
% computed in section 6; add it to the feature list and the feature computation,
% or replace it with an existing feature.
create table FeatureWeights with columns:
FeatureName
Weight
NormalRangeMin
NormalRangeMax
NoiseSensitivity
example rows:
"traffic_volume", 0.10, 80.0, 180.0, 0.30
"failed_auth_count", 0.15, 0.0, 5.0, 0.45
"port_scan_rate", 0.18, 0.0, 0.08, 0.55
"protocol_entropy", 0.12, 0.35, 0.65, 0.40
"temporal_deviation", 0.20, 0.0, 0.25, 0.50
"correlation_score", 0.20, 0.0, 0.30, 0.60
"model_uncertainty", 0.05, 0.0, 0.20, 0.35
% NOTE(review): section 7 reads w1..w7 from this table and applies w7 to
% graph_centrality_norm, but there is no graph_centrality row here, while a weight
% for model_uncertainty is listed even though model_uncertainty enters risk_final via
% λ rather than via risk_base. Align the rows with the risk_base formula.
store tables in KnowledgeBase.Relational
%% 4. ФОРМУВАННЯ СТОХАСТИЧНОГО РІВНЯ
% Стохастичний рівень описує імовірнісні переходи між станами:
% normal -> early_anomaly -> attack_preparation -> active_attack.
define Markov transition matrix P:
         S0    S1    S2    S3
S0 [   0.91  0.07  0.02  0.00
S1     0.18  0.62  0.17  0.03
S2     0.04  0.13  0.66  0.17
S3     0.01  0.04  0.12  0.83 ]
% rows index the current state, columns the next state; each row is a probability
% distribution over the next state.
check each row of P:
if sum(row) != 1
% NOTE(review): an exact comparison with 1 is unreliable for floating-point rows;
% compare abs(sum(row) - 1) against a small tolerance instead.
normalize row
store P in KnowledgeBase.Stochastic.TransitionMatrix
define probability distributions for key features:
for each attack state:
estimate mean μ and standard deviation σ for:
traffic_volume
failed_auth_count
port_scan_rate
protocol_entropy
temporal_deviation
correlation_score
example:
normal:
risk_score μ = 0.16, σ = 0.06
temporal_deviation μ = 0.12, σ = 0.05
correlation_score μ = 0.10, σ = 0.05
early_anomaly:
risk_score μ = 0.39, σ = 0.08
temporal_deviation μ = 0.32, σ = 0.08
correlation_score μ = 0.30, σ = 0.09
attack_preparation:
risk_score μ = 0.65, σ = 0.09
temporal_deviation μ = 0.55, σ = 0.10
correlation_score μ = 0.57, σ = 0.10
active_attack:
risk_score μ = 0.84, σ = 0.07
temporal_deviation μ = 0.75, σ = 0.10
correlation_score μ = 0.78, σ = 0.09
store distributions in KnowledgeBase.Stochastic.FeatureDistributions
%% 5. ІМПОРТ ТА ПОПЕРЕДНЯ ОБРОБКА ДАНИХ
% Вхідні дані надходять із SIEM, IDS/IPS, NetFlow/IPFIX,
% журналів авторизації, SCADA-телеметрії та системних логів.
input raw data sources:
NetFlow logs
IDS alerts
SIEM events
Auth server logs
SCADA telemetry
System performance metrics
Infrastructure topology
for each source:
read data
remove duplicate records
synchronize timestamps
convert timestamps to timetable
aggregate data by Δt = 5 minutes
handle missing values:
if numerical feature is missing:
replace by rolling median
if categorical feature is missing:
replace by "unknown"
remove physically impossible values:
traffic_volume < 0
cpu_load > 100
memory_load > 100
port_scan_rate < 0
merge all sources by:
timestamp
NodeID
create unified table D_raw
%% 6. ОБЧИСЛЕННЯ ОЗНАК ДЛЯ БАЗИ ЗНАНЬ
for each record i in D_raw:
compute traffic_volume_mb
compute failed_auth_count
compute port_scan_rate:
number of unique destination ports / time window
compute protocol_entropy:
H = -sum(p_j * log2(p_j))
where p_j is probability of protocol j in current interval
compute cpu_load_pct
compute memory_load_pct
compute graph_centrality:
centrality value of NodeID in infrastructure graph
compute temporal_deviation:
deviation between current feature vector and historical baseline
compute correlation_score:
degree of simultaneous anomalies across several subsystems
compute source_reliability:
reliability score of the data source from metaknowledge
compute model_uncertainty:
uncertainty of neural or probabilistic model prediction
store computed features in table D_features
%% 7. РОЗРАХУНОК РИЗИК-СКОРИНГУ
for each record i in D_features:
normalize numerical features to interval [0, 1]
get feature weights from FeatureWeights table
risk_base =
w1 * traffic_volume_norm
+ w2 * failed_auth_count_norm
+ w3 * port_scan_rate_norm
+ w4 * protocol_entropy_norm
+ w5 * temporal_deviation_norm
+ w6 * correlation_score_norm
+ w7 * graph_centrality_norm
adjust by node criticality:
risk_criticality = risk_base * CriticalityWeight(NodeID)
adjust by source reliability:
risk_reliability = risk_criticality * SourceReliability
adjust by model uncertainty:
risk_final = risk_reliability + λ * model_uncertainty
% NOTE(review): λ is not defined in section 1, nor are α, β, γ (section 9) and
% a1..a4 (section 11); record their values, or at least their constraints (e.g. that
% α + β + γ = 1), alongside the risk thresholds so the scoring is reproducible.
clip risk_final to interval [0, 1]
assign RiskScore(i) = risk_final
if RiskScore < TH_LOW:
CriticalityLevel = "low"
else if RiskScore < TH_WARNING:
CriticalityLevel = "medium"
else if RiskScore < TH_CRITICAL:
CriticalityLevel = "high"
else:
CriticalityLevel = "critical"
store RiskScore and CriticalityLevel in D_features
%% 8. ЗАСТОСУВАННЯ ПРОДУКЦІЙНИХ ПРАВИЛ
% Продукційна логіка має вигляд:
% ЯКЩО {ознакові умови ∧ перевищення порогу ризику}
% ТО {формування попередження з рівнем критичності k}.
for each record i in D_features:
initialize WarningLabel = 0
initialize Explanation = empty list
% NOTE(review): the RiskScore literal 0.45 in RULE 1 and RULE 3 equals TH_WARNING and
% 0.75 in RULE 4 equals TH_CRITICAL; reference the named thresholds from section 1 so
% a threshold change cannot leave the production rules out of sync with section 7.
RULE 1:
if RiskScore(i) >= 0.45 AND ...
temporal_deviation(i) >= 0.30 AND ...
correlation_score(i) >= 0.40
WarningLabel = 1
AttackStage = "early_anomaly"
add "стійке часове та кореляційне відхилення" to Explanation
RULE 2:
if port_scan_rate(i) >= 0.25 AND ...
protocol_entropy(i) >= 0.70 AND ...
RiskScore(i) >= 0.60
WarningLabel = 1
AttackStage = "attack_preparation"
ThreatClass = "port_scanning_or_ddos_preparation"
add "зростання сканування портів і зміна протокольної структури" to Explanation
RULE 3:
if failed_auth_count(i) >= 15 AND ...
correlation_score(i) >= 0.40 AND ...
RiskScore(i) >= 0.45
WarningLabel = 1
AttackStage = "early_anomaly"
ThreatClass = "credential_stuffing"
add "надлишкова кількість невдалих авторизацій" to Explanation
RULE 4:
if graph_centrality(i) >= 0.70 AND ...
temporal_deviation(i) >= 0.55 AND ...
correlation_score(i) >= 0.60 AND ...
RiskScore(i) >= 0.75
WarningLabel = 1
AttackStage = "active_attack"
ThreatClass = "apt_lateral_movement"
CriticalityLevel = "critical"
add "аномалія на топологічно важливому вузлі" to Explanation
% NOTE(review): AttackVector(i) is a ThreatCatalog column (section 3), not a per-record
% feature computed in section 6; state how it is derived for record i — presumably from
% the ThreatClass assigned by an earlier rule or from the ontology — before this rule is
% evaluated. RULE 5 also sets no AttackStage, unlike RULES 1–4.
RULE 5:
if ObjectType(i) == "SCADA_Controller" AND ...
AttackVector(i) == "cyber_physical" AND ...
RiskScore(i) >= 0.70
WarningLabel = 1
CriticalityLevel = "critical"
ThreatClass = "cyber_physical_sabotage"
add "ризик фізико-кібернетичного впливу на SCADA-рівень" to Explanation
store WarningLabel, AttackStage, ThreatClass, Explanation
%% 9. МАРКОВСЬКЕ УТОЧНЕННЯ СТАНУ
% Поточний стан уточнюється з урахуванням попереднього стану
% і матриці переходів P.
for each NodeID:
get chronological records for this node
initialize previous_state = S0
for each time step t:
get rule_based_state from production rules
get probability vector:
p_next = P(previous_state, :)
% NOTE(review): neural_prediction_probabilities is consumed here but produced in
% section 10; the Markov refinement must run after inference (or section 10 should
% precede section 9), otherwise this term is undefined on the first cycle.
combine:
final_state_score =
α * one_hot(rule_based_state)
+ β * p_next
+ γ * neural_prediction_probabilities
final_state = argmax(final_state_score)
assign AttackStage(t) = final_state
previous_state = final_state
%% 10. ПІДКЛЮЧЕННЯ НЕЙРОМЕРЕЖЕВОГО РІВНЯ
% Нейромережевий рівень працює з тензором ознак X ∈ R^(T×N×F),
% де T – кількість часових інтервалів,
% N – кількість вузлів,
% F – кількість ознак.
construct tensor X:
dimensions:
T = number of time windows
N = number of infrastructure nodes
F = number of features
for each time t:
for each node n:
X(t,n,:) = feature vector of node n at time t
load or define neural model:
CNN block for local feature extraction
LSTM block for temporal dependencies
Transformer block for long-range dependencies
GNN block for infrastructure topology
if training mode:
split dataset:
training set = 80 %
validation set = 10 %
test set = 10 %
train neural model on X_train, Y_train
validate on X_val
test on X_test
else inference mode:
Y_prob = predict(neural_model, X_current)
store neural outputs:
class probabilities
predicted attack stage
model uncertainty
attention maps
gradient-based explanations
%% 11. ІНТЕГРАЦІЯ НЕЙРОМЕРЕЖЕВИХ РЕЗУЛЬТАТІВ І БАЗИ ЗНАНЬ
for each record i:
get rule_score from production rules
get stochastic_score from Markov model
get neural_score from neural model
get meta_score from source reliability and model uncertainty
integrated_risk =
a1 * rule_score
+ a2 * stochastic_score
+ a3 * neural_score
+ a4 * meta_score
normalize integrated_risk to [0, 1]
if integrated_risk >= TH_WARNING:
generate early warning
if integrated_risk >= TH_CRITICAL:
assign critical warning
create explanation:
list dominant features
list activated rules
list affected nodes
list probable threat class
list confidence value
store integrated results in KnowledgeBase.DecisionLayer
%% 12. ФОРМУВАННЯ ПОПЕРЕДЖЕННЯ
for each detected risky state:
create Warning object with fields:
WarningID
Timestamp
NodeID
ObjectType
Sector
ThreatClass
AttackVector
AttackStage
RiskScore
CriticalityLevel
Confidence
Explanation
RecommendedAction
if CriticalityLevel == "medium":
RecommendedAction = "посилити моніторинг вузла"
if CriticalityLevel == "high":
RecommendedAction = "перевірити журнали авторизації, мережеві сесії та IDS-події"
if CriticalityLevel == "critical":
RecommendedAction = "ізолювати вузол, активувати резервування, передати інцидент оператору SOC"
append Warning object to WarningLog
%% 13. ОНОВЛЕННЯ МЕТАЗНАНЬ
% Метазнання містять якість джерел, достовірність моделей,
% параметри невизначеності, версії моделей і регуляторні обмеження.
after each detection cycle:
evaluate data source quality:
completeness
delay
noise level
contradiction with other sources
update SourceReliability
evaluate model performance:
accuracy
precision
recall
F1
ROC_AUC
detection_time
false_positive_rate
false_negative_rate
update ModelReliability
if model uncertainty increases above threshold:
flag model for recalibration
if new threat pattern appears:
add new candidate threat to ThreatCatalog
if analyst confirms incident:
update labels in dataset
update production rule statistics
update Markov transition probabilities
%% 14. ЗБЕРЕЖЕННЯ БАЗИ ЗНАНЬ
save KnowledgeBase.Ontology as graph object
save KnowledgeBase.Relational as MAT-file and CSV tables
save KnowledgeBase.Stochastic as MAT-file
save KnowledgeBase.DecisionLayer as structured table
save WarningLog as timetable
save model parameters and version metadata
create digital audit log:
timestamp
data version
model version
activated rules
warnings generated
analyst feedback
% NOTE(review): the audit log carries no integrity field; consider storing a hash of
% each entry chained to the previous entry (or a signature) so that later alteration
% of warnings or analyst feedback is detectable.
%% 15. ВИХІДНІ РЕЗУЛЬТАТИ
return:
updated KnowledgeBase
WarningLog
RiskScore time series
AttackStage labels
ConfusionMatrix
PerformanceMetrics
ExplanationReport
END