AN INTELLIGENT MODEL FOR PREDICTING AND RESPONDING TO CYBER THREATS USING MULTILAYER RECURRENT NEURAL NETWORKS AND MODERN RISK MANAGEMENT STRATEGIES

DOI: 10.31673/2409-7292.2025.031463

Authors

  • D. I. Prokopovych-Tkachenko (Д. І. Прокопович-Ткаченко), University of Customs and Finance, Dnipro, Ukraine
  • V. G. Bushkov (В. Г. Бушков), State University of Information and Communication Technologies, Kyiv, Ukraine
  • B. S. Khrushkov (Б. С. Хрушков), University of Customs and Finance, Dnipro, Ukraine
  • O. V. Cherkaskyi (О. В. Черкаський), University of Customs and Finance, Dnipro, Ukraine
  • I. M. Kozachenko (І. М. Козаченко), State Service of Special Communications and Information Protection of Ukraine
  • M. V. Bilan (М. В. Білан), University of Customs and Finance, Dnipro, Ukraine


Abstract

The research is devoted to the development and experimental verification of an intelligent multi-level cyber risk management system for the protection of critical information systems. The CRMS-RMODV (Cyber Risk Management System – Risk Management with Optimal Decision and Volume) system transfers the concept of risk management known from algorithmic stock trading to the field of cybersecurity. The key idea is to use artificial neural networks with long short-term memory (LSTM) to predict the short-term (15-minute) dynamics of an integral risk score from telemetry streams produced by security operations centers (SOC). The methodology builds an extended feature vector of 113 parameters: five aggregated network metrics and 108 indicators derived from the MITRE ATT&CK and Common Vulnerability Scoring System (CVSS) frameworks. The four-layer LSTM network was trained on 2.4 terabytes of historical telemetry data. The model is validated by statistical testing and by emulating multi-stage targeted attacks with the Caldera platform. To integrate its decisions into real cyber defense workflows, the system was connected to the Splunk SOAR and Cortex XSOAR security orchestration, automation and response platforms through automated response scenarios (playbooks). A distinctive feature of the work is the formalized Threat-VWAP (Threat Volume-Weighted Average Price) indicator. The results show that the combination of LSTM forecasting, cascading take-profit/stop-loss triggers, a daily incident quota and the Threat-VWAP filter significantly reduces cumulative losses even at average classification accuracy, which confirms the feasibility of transferring stock market risk management models to cybersecurity.

Keywords: cyber risk management, LSTM, RMODV, Threat-VWAP, SOC automation, SOAR.


Published

2025-10-26

Section

Articles