The protection of military systems is becoming increasingly relevant during a real war, which changes its rules of the game in the arena of information and communication systems security and requires new technical solutions to increase this security. In modern cyberspace, there are a large number of various cyberattacks that negatively affect military information and communication systems and disrupt their ability to adapt and recover from each attack as a whole [ 1 ]. But what is significant in this context is the ability of the system to proceed to operate continuously due to the reliability of communication channels and stable information flows [ 2 ].

All modern military operations depend on modern cyber defense developments that can counteract real threats and guarantee the resilience of information and communication systems to intense cyberattacks [ 3 ]. The use of an information security management system allows you to maintain data confidentiality, ensures continuity of operations and supports overall operational efficiency at all stages of military operations. Information security management systems are also a control unit for detecting, preventing and blocking all possible threats and failures during the planning and implementation of combat missions [ 4 ].

In [ 4 ], a mathematical catastrophe theory is proposed to ensure the stability of the information security management system. It is found that different types of cyber incidents have their own impact on the stability and equilibrium of the system as a whole. The presence of risk zones on the plane of the system’s equilibrium points, which are critically important during sharp changes in the system states under the influence of cyber incidents, is established [ 5 ]. These results allow us to apply the mathematical catastrophe theory to increase the stability of the information security management system, which allows us to predict destabilization processes in the system.

Also important are the results of article [ 6 ], which presents the advantages and disadvantages of using a SIEM system using mathematical catastrophe theory to predict, detect, and prevent cyber incidents in integrated military training systems.

An important block for the information security management system is the decision-making stage regarding the identified threats. In article [ 7 ], a cluster analysis method was proposed to reduce the subjectivity of expert assessments in the process of identifying cyber threats.

Unfortunately, traditional methods used in information security management systems do not always quickly and accurately make decisions in critical situations in real time, therefore, there is a pressing task of creating an intelligent decision support system (IDSS) to ensure the cyber resilience of military information systems. These intelligent systems are aimed at improving the quality and speed of forecasting, detecting and preventing dynamic and complex cyber threats using modern artificial intelligence technologies [ 8–10 ]. Artificial intelligence and machine learning technologies use automated analysis of large amounts of data and predict threats based on real-time anomaly detection [ 11, 12 ]. The integration of human-machine interaction should also not be rejected, since military information and communication system operators should participate in making critical decisions, which will reduce the risk of errors that arise during the automated operation of IDSS [ 13, 14 ].

A review of modern scientific sources has shown a growing interest in the use of artificial intelligence in information security management systems, which allows analyzing large amounts of data, identifying vulnerabilities, and predicting possible cyber threats [15]. In [ 8 ], much attention is paid to deep learning models to increase the reliability of systems and the efficiency of processing multi-level data from various sources. However, the main requirement is systematic training based on the received data in real time, which contributes to the constant improvement of the quality of decision support and response to new cyber threats. In [16], semantic technologies and big data technologies in cyber security are investigated, which allow to increase the security indicators of information systems. Also, one should not forget about the combination of cloud technologies and the operability of peripheral systems, which allows the creation of hybrid architectures that ensure the transition to the creation of scalable, reliable and intelligent systems that are important for performing complex operations [ 11 ].

For rapid response to cyberattacks, risk assessment and creation of countermeasures in real time, [17] proposed to combine an ontological knowledge model, cognitive architecture and data analysis. An important component of an intelligent information security management system is a decision-making system, which often does not perceive the coordinated action of several cyber agents which use different ways of penetrating the system. In order for this system to respond to complex attacks in real time, [18] proposed to base the system on hierarchical modeling and Bayesian analysis for dynamically updating models and generating recommendations to ensure efficiency and resilience in real cyberthreat scenarios.

Researchers at the Netherlands Aerospace Center [19] propose a combined approach that combines the integration of artificial intelligence and modeling with simulation (M&S) to create an intelligent decision support system for military systems. This combination allows to increase the accuracy of predictions and the quality of decisions due to the previous results of actions, which are important for commanders during the planning of operations. This method also allows to reduce the cognitive load on military analysts and rapid response to changes in combat situations by creating new scenarios in real time. The approaches to build intelligent decision-making systems to ensure cyber resilience of military information systems, which are proposed in the works [ 8, 15–19 ], of course, have advantages, but in turn also have a number of negative indicators, such as excessive complexity of modeling cognitive processes and scaling in real time, complexity of agent interaction and risks of incorrect autonomous response without taking into account a single context, high dependence on data quality, as well as high complexity of calculations when expanding the functioning of the system, as well as limited realism of simulation in combination with high resource costs and dependence on the accuracy of the models used. All of these approaches (cognitive, Bayesian, stimulation, multi-agent) provide analysis and response to cyberattacks, but do not take into account the dynamic processes that lead to the loss of system stability. This article proposes the use of catastrophe theory and cluster analysis as an analytical center for DSS, which will ensure the transition from reactive to preventive management of cyber resilience of military information systems.

It is advisable to provide a comparative table of the use of different approaches for building an intelligent decision-making system to ensure the cyber resilience of military information systems (Table 1).

The development of an intelligent decision support system model to ensure cyber resilience of military information systems includes the catastrophe theory method to describe the nonlinear dynamics of system resilience and predict critical transitions in the SIEM module data streams, the cluster analysis method, namely the k-Means algorithm and DBSCAN to classify the operating modes of security states from stable to critical, which allows identifying anomalies that can cause catastrophic changes in the system. Statistical and temporal methods were used to predict bifurcation points as indicators of instability in the SIEM module. A multi-criteria optimization method was also used, which reflects the DSS component of the system and is responsible for decision-making based on indicators of minimizing risks, time and costs. Additionally, machine learning algorithms were used to detect anomalies and build adaptive models of the behavior of the entire system. The architecture and processes of the intelligent decision-making support system for ensuring cyber resilience of military information systems are presented using an activity diagram, a state diagram and a sequence diagram. The latter shows the logic of the analyst’s interaction with the intelligent modules of the system.

This article presents the development of an intelligent decision support system (IDSS) model to ensure cyber resilience of military information systems using classical and intelligent approaches to ensure rapid response and decision-making regarding detected cyberattacks. The proposed approach, which is based on the detection of dynamic changes in system states and differs from traditional ones that record events and reactions to already detected cyberincidents, is based on the principles of catastrophe theory. Catastrophe theory is appropriate to use to describe the behavior of complex systems at bifurcation points that occur when parameters change and lead to a sharp loss of stability. This approach involves not only detecting cyber incidents, but also allows predicting their consequences by analyzing state changes in the system [ 4, 6, 19 ]. To build a holistic analytical architecture, where all modules interact in real time, a phased approach was used, which consists of data collection and normalization, modeling, clustering, decision synthesis and, finally, quality control of decision-making, in the contour of which a person remains (Human in the loop).

To construct this model, the system is formally represented as a hybrid dynamic system with continuous and discrete blocks that model the state of stability, regime transitions, and decisionmaking.

The results of scientific research in [ 4, 6, 19 ] showed the feasibility of using nonlinear dynamics and mathematical catastrophe theory to build a model of an intelligent decision support system (IDSS) to ensure the cyber resilience of military information systems. This approach provides mathematical prediction of critical transitions under the influence of increasing cyberattacks, load or conflict of systems.

Nonlinear systems depend on initial conditions, as well as on the influence of external factors, which lead to sharp jumps or catastrophes in the stability of the system [20].

The state of nonlinear systems is given by the formula: d x = f ( x ; a , b )+ξ ( t ) , d t (1) where x ( t ) is an integral variable that shows the state of the system (level of cyberstability); a and b are system parameters responsible for the intensity of events, the level of cyber incidents; ξ ( t )shows noise or fluctuations in the data.

In [ 4 ], various types of catastrophes and the feasibility of using the “Butterfly” catastrophe type, which shows the transition from a stable to a variable state under the influence of five parameters, are proposed.

The general equation for the “Butterfly” catastrophe has the form

V ( x )=x 6+a x 4+b x 3+c x 2+dx , (2) correspond to equilibrium states and depend on the values of the parameters a , b , c , and d . In turn, when changing these parameters, the system can enter a state of “catastrophe,” that is, reach bifurcation points. This state is possible when modeling a situation when the number of cyber incidents jumps to critical values, which will lead to system failures.

The critical state of the system can also be indicated using the metric:

∆t = ∇2 V ( x t ; at , bt , c t , d t ) ∨→ 0 , which shows that the system is losing its equilibrium, the stage of activation of the response subsystem begins.

Mathematical catastrophe theory provides an opportunity to identify complex interdependencies between various cyber incidents and timely detect catastrophic changes in the state of the system. In turn, the gradient descent method, namely the analysis of the potential V x 1=x 2−η ∇ f ( x 2 ) , d x =0 , d t

V ( x t ; at , bt , c t , d t ) allows to identify risk areas in time and prevent changes in the system state.

In real conditions, the process of changing states in military information systems is carried out discretely, therefore, to model these transitions, a clustering method based on features of system behavior was used.

To describe the behavioral profile of the system at a point in timet , a multidimensional vector is used, which describes all the features that implement the corresponding collected data of the SIEM system, event logs, and telemetry of military subsystems, and is given by the formula: where x is a variable that determines the state of the system; a , b , c , and d are management parameters that correspond to cyber incident categories [ 4 ].

To determine the differential equation describing the change in the state of the system, the gradient descent method was used, which is used to find the minimum value of the function, namely, to reduce the potential and achieve a stable state of the system. The formula for the gradient descent step has the form:

where x 1 is the new variable value x ; η is the step variable; ∇ f ( x 2 ) is the gradient of a function f ( x ) at the point x 2.

Points, where

ϕ ( t )=[ λt , σ t2 , ρ 1 ,t , Sw t , Kt t , H t , δ t , pt , qt ], where λt is the number of cyberattacks per unit of time; σ t2 is the variance of events in a sliding window; ρ 1 ,t is the autocorrelation; S w tis the distribution asymmetry; Kt t is the kurtosis of the distribution; H t is the entropy of the state of the system; δ t is the distance to catastrophic state; pt is the normalized risk; qt is the trust level.

A set of vectors { ϕ 1 , ϕ 2 , ... , ϕ t } forms a set that describes the dynamic behavior of the system at a certain point in time. Using the k-means method [ 7 ], the set of vectors is divided into classes with common properties, i.e. clusters (3) (4) (5) (6) (7) S = { Stable , Degraded , Critical }.

D = ∑K ∑ ‖ ϕ i − μk ‖2 ,

k =1 ϕi∈Ck

Next, the distances between elements of one cluster are minimized and the distances between elements of different clusters are maximized, that is, the functional of the mean square distances is minimized (8) (9) where K is the number of clusters, С k is the set of points in a cluster k , μk is the cluster center. Thus, all vectors of the set { ϕ 1 , ϕ 2 , ... , ϕ t } will receive a cluster label after training the algorithm, which determines the state of the system s t ∈S with corresponding features, namely the Stable state includes low variance, low autocorrelation, and small entropy; state describes the average value of autocorrelation, increasing variability and increasing normalized risk; the Critical state describes high H t , σ t2 , pt and decreasing trust qt . Figure 1 presents an Activity Diagram that describes the state clustering process, namely how the system learns to determine the states of the system [21]. It is also necessary to take into account that the system may be affected by new cyber incidents that affect the change in the state of the system. Let the system be in a state at some point in time s t ∈S , then the probability of the system transitioning to the state s t +1 is determined by the formula: pi j =

N i j , ∑ N i j Where the elements pi j are estimated statistically taking into account historical data: where N i j is the amount observations during state transitions s i → s j .

Figure 2 shows a State Diagram that describes the states of the system depending on the elements pi j, that determine the rapid response of the subsystem to detected cyberattacks.

The clustering performed using the k-means method divides all available SIEM system data into behavioral characteristics, each of which plays its own role in the information system. As noted earlier, each cluster has its own center μk, which shows the state of the system and the distance ‖ ϕ t − μk ‖, which is a measure of the change in the state of the system [22].

There is a direct connection between clusters and the indicators used in the “Butterfly” type catastrophe. Thus, the Stable state can be obtained at a local minimum of the potential V ( x ) , i.e. at a point x s at

d Vd x(x ) =0 , d 2dVx(2x ) >0.

With these indicators, the system is in a stable state, where the parameters of the butterfly catastrophe a , b , c , and d are subject to minor fluctuations, which does not affect the loss of equilibrium of the system as a whole.

When the Degraded state is detected, the system is exposed to cyberattacks and its stability is compromised, but it still functions within its capabilities. In this region, the potential gradient is weak, which provokes the system to slow down to return to the equilibrium state after the cyberattack is detected. These changes are accompanied by changes in the parameters a , b , c , and d by the transition to a new minimum or the appearance of bifurcation points, i.e. the system becomes sensitive to random fluctuations.

The third state Critical determines the transition of the system into a catastrophic region, which will lead to a catastrophic state, namely a violation of the stability of the cyber system, characterized by a failure or loss of control by the control system. This state is mathematically (11) (12) shown by a change in the sign of the second derivative V ' ' ( x ) and the instability of the energy potential d 2dVx(2x ) → 0. (13)

At this point, the system is at a bifurcation point, which prevents the system from changing its current state. The combination of cluster analysis and catastrophe theory allows us to assess the stability of the system at a given point in time, as well as by calculating the distances to the detected bifurcation points, which make it possible to predict potential transition points between the system states.

The proposed model of an intelligent decision support system combines the interaction of an analyst and automated modules for responding to cyber incidents. Figure 3 presents a Sequence diagram, which shows the response logic of the entire system [22].

The proposed interaction between humans and artificial intelligence allows us to bring existing systems to a new intellectual level, as well as increase the detection and prediction of cyberattacks, which in turn will increase the accuracy and stability of the system when making decisions in complex operations.

The mathematical model of the intelligent decision-making system, which is presented in this work, is expedient to use to increase the cyber resilience of military information systems. This model combines nonlinear dynamic modeling, mathematical catastrophe theory, cluster analysis and elements of artificial intelligence into a single decision-making system. Each of the above approaches played an essential role at its stage. Thus, the “Butterfly” type catastrophe allows you to detect transitions between the states of the information system from Stable to Critical, which allows you to detect at early positions the approach of the system to critical or catastrophic states during the impact on the information system of various types of cyber incident

The use of cluster analysis, namely the k-means method, makes it possible to restore the state of the system based on real SIEM data at a certain point in time. To predict the probability of transitions between the states of stability, change and recovery, this model uses a mathematical model of the Markov chain, which allows assessing risks. There are also SOAR-responder and audit modules to regulate all actions, as well as a training block that allows for constant updating of models based on previous data.

The proposed model of an intelligent decision-making system combines mathematical modeling, learning, and human control, which provides robustness and transparency compared to traditional decision-making systems to ensure the cyber resilience of military information systems.

Further research will be aimed at integrating this model with real simulation systems, as well as addressing the issue of optimizing multi-criteria control parameters to increase the efficiency of decision-making in information security management systems.

Declaration on Generative AI While preparing this work, the authors used the AI programs Grammarly Pro to correct text grammar and Strike Plagiarism to search for possible plagiarism. After using this tool, the authors reviewed and edited the content as needed and took full responsibility for the publication’s content. [15] M. Adamantis, V. Sokolov, P. Skladannyi, Evaluation of State-of-the-Art Machine Learning Smart Contract Vulnerability Detection Method, Advances in Computer Science for Engineering and Education VII, vol. 242 (2025) 53–65. doi:10.1007/978-3-031-84228-3_5 [16] S. Shevchenko, Y. Zhdanova, O. Kryvytska, H. Shevchenko, Fuzzy Cognitive Mapping as a Scenario Approach for Information Security Risk Analysis, in: Cybersecurity Providing in Information and Telecommunication Systems II, vol. 3826 (2024) 356–362. [17] P. Theron, A Kott. Towards an Active, Autonomous and Intelligent Cyber Defense of Military Systems: the NATO AICA Reference Architecture, in: Int. Conf. on Military Communications and Information Systems. 2018. doi:10.1109/ICMCIS.2018.8398730 [18] S. Huang, C. M. Poskitt, L. K. Shar. Bayesian and Multi-Objective Decision Support for Real

Time Cyber-Physical Incident Mitigation, 2025. doi:10.48550/arXiv.2509.00770 [19] R. Uetz, et al, You Cannot Escape Me: Detecting Evasions of SIEM Rules in Enterprise

Networks, in: 33rd USENIX Conference on Security Symposium, 290, 2024, 5179–5196. [20] P. Skladannyi, et al., Modified Delta Maintainability Model of Object-oriented Software. in: Cybersecurity Providing in Information and Telecommunication Systems, vol. 3288 (2022) 117–124. [21] G. González-Granadillo, et al., Security Information and Event Management (SIEM): Analysis,Trends, and Usage in Critical Infrastructures, Sensors 21 (2021) 4759. doi:10.3390/s211447592 [22] B. D. Bryant, H. Saiedian, Improving SIEM Alert Metadata Aggregation with a Novel Kill Chainbased Classification Model. Comput. Secur. 94(2) (2020).doi:10.1016/j.cose.2020.101817