A new mathematical model of risk-oriented security management in Internet of Things (IoT) networks is proposed. The model combines a graph-autoregressive approach to load forecasting with a decision-making mechanism based on the Conditional Value-at-Risk (CVaR) indicator. The study aims to improve the cyber resilience of IoT networks by integrating spatio-temporal traffic analysis, information security indicators, and economic risk assessment. It is proved that existing methods and models for predicting and detecting anomalies are focused mainly on time series. However, they do not take into account the topological structure of IoT networks and the relationships between nodes, which reduces their effectiveness. The developed graph-autoregressive model simultaneously takes into account the time dependence of traffic and the spatial correlation between network nodes through the Laplacian of the graph. Based on the forecast residuals, the level of anomaly and the probability of an attack are estimated, taking into account behavioral and network security indicators. A risk-oriented decision-making module is proposed that uses CVaR as a criterion for the optimal choice of protective actions. This allowed the defense system to focus on the worstcase scenarios of high-cost attacks, minimizing potential losses. Experimental testing on the data of a smart home-type IoT network confirmed the effectiveness of the proposed model. A comparative analysis with classical approaches (ARIMA, LSTM, Isolation Forest) showed an increase in load prediction accuracy by 15% and an improvement in attack detection quality (F1-score) by 7-10%. The scientific novelty of the work is the synthesis of a graph-autoregressive model with risk-oriented optimization, which takes into account both spatial and temporal changes in the network and economic aspects of security management. The practical significance lies in the possibility of using the model as an analytical module in IoT monitoring and cybersecurity systems for automated selection of countermeasures in real time.
Over the past decades, the Internet of Things (IoT) technology has become an integral part of many
business processes in various fields - from household smart home systems to industrial complexes
and critical infrastructure [
Unlike classical IT systems, the IoT environment has a much higher degree of heterogeneity. This makes existing information security methods focused on centralized architectures ineffective. Moreover, the large number of connected IoT network sensors and actuators has created new attack vectors. These include remote control over nodes, data spoofing, distributed denial-of-service (DDoS) attacks, the use of IoT devices in botnets, and more. As a result, IoT networks have become one of the most vulnerable components of modern cyber-physical systems.
It should be noted that most existing anomaly detection and monitoring systems for IoT networks
operate in a reactive mode. They only detect deviations after an incident has actually occurred. Such
solutions are based mainly on statistical indicators or fixed thresholds. That is, a priori, such solutions
reduce their effectiveness in using statistical indicators in the case of targeted low-intensity attacks
or changes in device behavior over time. At the same time, the development of machine learning
(ML) and time series analysis methods has opened up opportunities for the synthesis of flexible
hybrid models capable of predicting the future state of an IoT network and identifying potential
threats at the stage of their formation. It should be noted that most of the research in the field of IoT
device security is currently focused on time dependencies. These studies do not take into account
the spatial structure of the IoT network. Meanwhile, the interconnections between nodes
topological, informational, and behavioral - have a significant impact on the parameters of attacks.
For example, compromising a central router or a node with a high degree of centrality will lead to
an avalanche of threats to neighboring devices. Therefore, an integrated approach that combines
time series analysis, network graph structure, and information security indicators is a relevant topic
[
The issue of decision-making in cyber defense systems also requires special attention. In most cases, the choice of countermeasures is made without taking into account the expected risks or possible consequences for the quality of service (QoS). This can potentially lead to excessive resource consumption, downtime, or even loss of communication between nodes. In this vein, it is advisable to apply risk-oriented methods. These methods are able to take into account both the probability of an attack and the potential damage in case of its realization. One of these criteria is Conditional Value-at-Risk (CVaR). This indicator will allow to focus the protection strategy on the worst-case scenarios with high losses, increasing the cyber resilience of the system. That is why it is relevant to develop adaptive risk-oriented models that combine predicting the behavior of the IoT system with threat detection and selecting optimal preventive actions to ensure network security.
Modern methods of load forecasting in IoT networks are mostly based on time series analysis, which allows to model traffic dynamics and identify periodic patterns in the functioning of individual devices. However, such approaches, despite their technical maturity, have a number of limitations that significantly reduce their effectiveness in cybersecurity tasks for distributed infrastructures. The main drawback is that most models focus exclusively on time dependencies and do not take into account the spatial structure of the IoT network - its topology, the nature of connections between nodes, the intensity of interaction, and the correlation of the behavior of individual devices. As a result, the models ignore the interaction of nodes, which can be crucial when failures or attacks spread across the network.
Another significant limitation of classical approaches is the lack of mechanisms to take into account information security policies and device behavior. In most existing traffic forecasting systems, security factors are not integrated into the analytical core, but are treated as external conditions. This leads to the fact that the breach detection system cannot timely differentiate technical deviations from potentially malicious activity. In particular, even modern machine learning algorithms used in the field of IoT monitoring do not always take into account events detected by Intrusion Detection Systems (IDS) or Security Information and Event Management (SIEM) platforms. As a result, the analytical system is unable to synthesize a holistic picture of network security and correctly assess the likelihood of cyberattacks.
Another critical aspect is the limitations of existing anomaly detection methods, which mostly rely only on statistical analysis of deviations in traffic or device behavior from the average. While such approaches can identify individual atypical events, they do not provide sufficient contextual depth to detect complex, multi-stage attacks that propagate through interconnected network nodes. As a result, the system responds to incidents mostly after the fact, when the damage has already been done and the ability to prevent or localize threats is limited.
The lack of integrated risk-oriented decision-making mechanisms is another significant problem with modern IoT cybersecurity systems. The vast majority of existing solutions focus on recording attacks or breaches, but do not include components capable of quantitatively assessing the risk of their occurrence or predicting potential losses. In such conditions, security administrators are unable to strategically plan actions to minimize losses or prioritize responses. In particular, the lack of formalized models based on criteria such as CVaR makes it impossible to assess worst-case scenarios, which is especially dangerous for systems with critical resources and limited computing power.
Together, these factors form a scientific and practical problem, which is the lack of a comprehensive model capable of simultaneously predicting load, detecting anomalies, and assessing the risk of attacks, taking into account the topological and behavioral characteristics of IoT networks. Solving this problem requires the integration of machine learning, graph analysis, and risk theory methods into a single analytical system focused on adaptive cyber defense management in dynamic, distributed Internet of Things environments.
Analyzing cyberattacks on IoT networks and developing effective methods for detecting them is one
of the most relevant issues in the field of cybersecurity. Existing research is mostly focused on the
use of machine learning (ML) methods to detect anomalies and cyber threats. In particular, the
authors of [
A number of studies focus on the development of specific models and approaches. For example,
in [
As the analysis of previous publications has shown, most applied research focuses on the use of
machine learning algorithms for classification and anomaly detection, including the following works:
Inuwa M. M. and Das R. [
On the other hand, publications in recent years have demonstrated a clear shift to graph-based
methods. In several papers, such as [
A separate area of research is publications containing models based on autoregression and their
extension for graphs. Classical AR/ARIMA models work well for one-dimensional time series, but do
not take into account topology. Instead, recent methods and models to "graph-autoregressive" or AR
for sequences of graphs allow to formalize both temporal and spatial dependencies [
Another important component is risk-oriented decision-making. VaR and CVaR metrics have long
been used in financial and operational risk management [
Finally, it is important to consider data dynamics. It is the behavior of IoT devices and traffic profiles
that change over time. In recent years, online algorithms and ensemble approaches have emerged
that have adapted to drift and allowed to maintain the quality of detecting atypical behavior in
streaming data. This is typical of recent work on online attack detection for IoT [
The purpose of this study is to create and substantiate a mathematical model for load forecasting and incident detection in IoT networks with the subsequent formation of a system of optimal management actions based on a risk-oriented approach. The use of the CVaR criterion as a basis for decision-making allows not only to estimate expected losses but also to model the impact of extreme, rare, but potentially catastrophic events, which significantly increases the level of cyber resilience of IoT infrastructures.
Thus, the study is aimed at developing a comprehensive analytical tool capable of integrating temporal, spatial, and behavioral aspects of IoT networks in order to timely predict traffic anomalies and prevent critical disruptions in their operation. To achieve this goal, it is necessary to solve a number of interrelated scientific and applied tasks: • improvement of the graph-autoregressive load forecasting model, which would take into account both the temporal patterns of traffic changes and the spatial relationships between individual IoT network nodes. This combination makes it possible to describe not only local dependencies, but also global correlations between devices operating within a single digital environment. • integration of behavioral and network indicators of information security into the model, which are necessary to quantify the probability of attacks on IoT network nodes. This involves building a weighted loss function that takes into account the criticality of nodes, their role in the overall system topology, and the statistical rarity of attacks. This approach is designed to strike a balance between the accuracy of load forecasting and the effectiveness of information security incident detection, which will simultaneously optimize both network resources and the process of responding to potential threats. • development of a decision-making module that will use Conditional Value-at-Risk as an optimization criterion in the process of assessing and minimizing loss risks. The use of CVaR in this context enables the system to respond adaptively to changing threat levels, paying particular attention to scenarios with high potential for harm but low probability of occurrence. Thus, the module will contribute to the implementation of the principles of adaptive security management and the formation of strategies aimed at minimizing both direct and indirect consequences of cyberattacks.
Together, these tasks form a comprehensive research concept that combines elements of mathematical modeling, risk theory, and cybernetic control within a single analytical architecture. Implementation of the proposed methodology makes it possible to increase the efficiency of IoT where V = 1,..., Nis the set of nodes in the IoT network; t is the set of edges at time t; W RNN t + is the matrix of link weights (for an IoT network, these are bandwidth, delay, reliability, etc.).
For the node v V at time t, we enter the following parameters: load vector y1(v) = ( yt(,v1) ,..., yt(,vd)y ) Rdy , where dy is the number of IoT network load metrics; vector of exogenous security indicators of the IoT network x1(v) = ( xt(,v1) ,..., xt(,vd)y ) Rdx , where d x is the number of IS indicators (atypical IPs, port entropy, authentication errors, etc.); attack label at(v) 0,1, a1(v) = 1 IoT network node compromised.
coefficient matrices; p where yt is IoT network load; xt
Then we use a graph-autoregressive model to predict the load:
p q yˆt+1 = Al yt−1 + Bl xt−1 −t Lt yt , l=1 l=0
IS indicators; Lt = Dt −Wt is Laplacian of the graph (1); Al , Bl memory depth of load time series (AR part); q memory depth of exogenous features; t
regularization matrix.
st(+v1) = (rt(+v1) ) t(v)−1rt(v) , rt+1 = rt+1 − yˆt+1, ,
where rt(v) is the threshold obtained from the theory of extreme values [
We assume that the feature vector t(+v1) includes anomalies, IoT network security indicators, and aggregated neighborhood metrics. Then we estimate the probability of an attack by logistic regression (4): network monitoring systems, reduce the likelihood of failures, and ensure the stable functioning of critical components in the dynamic and unpredictable conditions of the information environment.
Gt = (V , t ,Wt ) ,
t(+v1) = ( wt(+v1) ) , ( z ) =
where t(+v1) 0,1 is the probability of an attack on node v at time t+1; t(+v1) is the feature vector of
node v at time t+1; ( z ) is a sigmoid activation function that converts a linear combination of
features wt(+v1) into a probability in the range [
Thus, equation (4) reflects a fundamentally important approach to assessing the risk of an attack on an IoT network node. The probability of compromising a particular node is determined not only by the level of anomalies in its own behavior, i.e., deviations from typical activity patterns, but also by the broader context of network interaction. This means that the modeling process includes additional information security (IS) indicators, such as query frequency, data exchange intensity, delay indicators, communication channel stability, and information about the behavior of the nearest neighbors in the network topological graph. This approach provides a more complete reflection of the interdependencies between nodes, which allows for the effects of "chain reactions" or "cascading failures" that are typical in many IoT environments. (1) (2) (3) (4)
Using logistic regression as a basic method to estimate the probability of an attack has the added benefit of making the results interpretable. The model coefficients can be viewed as weights that characterize the contribution of each indicator to the overall risk. This makes it possible not only to predict the probability of an incident, but also to explain analytically which parameters (for example, increased latency, increased traffic, or decreased regularity of interaction) are critical to the current state of security. In this way, the model becomes not just an assessment tool, but a means of intelligent decision support in IoT cybersecurity systems.
It should be emphasized that the above submodels - load forecasting (2), anomaly detection (3), and attack probability assessment (4) - are not isolated components but rather an interconnected three-tiered system in which each level enhances the accuracy and reliability of the other. However, for their effective integration, it is necessary to agree on optimization criteria that will ensure the unity of functioning of the entire model architecture. This problem is solved by formalizing a single loss function.
The loss function (5) is a generalized optimization criterion that simultaneously takes into account three key security aspects: load forecasting accuracy, attack classification quality, and coherence (consistency) of forecasts between adjacent nodes in the graph. This approach minimizes not only local errors in the behavior of individual nodes, but also global inconsistencies in the structure of network interaction, which is especially important for distributed IoT systems with a large number of loosely connected components.
Additionally, a regularization term was introduced into the loss function to control the model complexity. This solution ensures resistance to overfitting, avoids overfitting to the specifics of individual nodes, and guarantees the generalizability of the model on new data samples. Regularization also serves as a stabilizer of the learning process, which is especially important when working with large, heterogeneous IoT data sets with high noise and lack of complete labeling.
Thus, the integration of the three submodels within a joint optimization approach forms a coherent analytical framework in which forecasting, detection, and risk assessment function as a single system. As a result, the general problem statement takes on a form that allows describing the entire process of managing the security of an IoT network in terms of a single risk function optimized in accordance with the CVaR principles. This opens up opportunities for further automation of monitoring processes, adaptive learning, and strategic decision-making in the field of cybersecurity of distributed infrastructures.
min () Lpred +det Ldet +graph graph +reg 2 , 2 (5) where Lpred is the Huber loss; Ldet is the cross-entropy; graph is graph regularisation; 2 is the 2 L2- norm of the model parameter vector ; det 0 is the balance between the task of predicting and detecting attacks;
graph 0 is the influence coefficient of graph regularisation; reg 0 is the regularisation parameter for checking the model complexity.
Note that even accurate load forecasting and correct assessment of the probability of an attack on an IoT network is not the ultimate goal of the model. Therefore, let's move on to the procedure of forming management decisions that minimise expected losses. Such decisions depend not only on the estimated probability of an attack. They also depend on the potential losses in the event of an IS incident, the costs of preventive actions, and penalties for degradation of quality of service (QoS). In other words, it allows us to choose a protection strategy. We consider this an optimization task, taking into account economic and service factors. The corresponding cost function for the node is as follows. For the selected action ut(+v1) :
Cos tt(v) (u ) = t(+v1)ci(nvc) + ca(vct) (u ) + QoS SLA(pve)nalty (u ) , where ci(nvc) is the potential damage of an IS incident at node v ; t(+v1) is the predicted probability of (6) the penalty for QoS; SLA(pve)nalty is the QoS penalty for node v .
The value function formulated in (6) allowed us to estimate the expected costs for different options for the IoT network protection system. However, it should be no ted that rare but catastrophic incidents should also be taken into account. In this case, the average costs do not reflect the real risk. To this end, we use Conditional Value-at-Risk (CVaR) as a criterion for the optimal solution. This allows us to focus the model on the worst-case scenarios with high IoT network restoration costs. Thus, the choice of action for the node at time is formalised as follows: ut(+v1) = arg min CVaR (Cos tt(v) (u)) ,
uU where (0,1) is the level of trust; CVaR scenarios.
Network behavior and the nature of attacks change over time. Therefore, the model requires regular updating of parameters based on new data, with the gradual "forgetting" of outdated information. To do this, we use a stochastic gradient descent with a forgetting factor. This allows us to strike a balance between stability and speed of adjustment:
t+1 = t −Lotnline + forget (t − t−1 ), where t is the vector of model parameters (autoregression coefficients, logistic regression weights, regularisation parameters, etc.) at time t ; 0 is the learning rate; Lonline is the loss function t calculated on the last mini-batch of data at time t; Lonline is the gradient of the loss function t relative to the parameters t ; forget (0,1) is the coefficient of reducing the influence of old observations.
That is, expression (8) describes the real-time update of the model. New data affect the parameters through the gradient Lonline . And the coefficient forget gradually reduces the weight of old t observations so that the model remains relevant when the IoT network changes.
Figure 1 shows a conceptual diagram of the model for detecting and predicting attacks in IoT networks.
Below is also a pseudo-code structure to illustrate the model. This pseudo-code details the main stages and logic of the proposed model. According to the model, it contains several interconnected stages. These are load forecasting, attack probability assessment, and decision making. // Input: // G = (V, E, W): IoT network graph, where V are nodes, E are edges, W is adjacency matrix. // Y_hist: Historical load vectors for each node. // X_hist: Historical exogenous security indicator vectors for each node. // U: Set of possible protective actions. // alpha: Confidence level for CVaR. // Hyperparameters for loss function and forgetting. // Output: // u_t+1: Optimal protective action for each node at time t+1. // Stage 1: Load Forecasting and Anomaly Detection function ForecastAndDetect(G_t, Y_t, X_t): // 1.1 Calculate Graph Laplacian L_t = D_t - W_t // D_t is the degree matrix // 1.2 Forecast next-step load using the graph-autoregressive model // Equation (2) y_hat_t+1 = sum(A_l * y_t-l) for l=1 to p + sum(B_l * x_t-l) for l=0 to q - Gamma_t * L_t * y_t ⋅100% attack (7) (8) // 1.3 Calculate the anomaly score // Equation (3) for each node v in V: r_t+1_v = y_t+1_v - y_hat_t+1_v
S_t+1_v = (r_t+1_v)^T * (Sigma_t_v)^-1 * r_t+1_v return y_hat_t+1, S_t+1 // Stage 2: Attack Probability Assessment function AssessAttackProbability(y_hat_t+1, S_t+1, X_t, neighbors_data): // 2.1 Construct feature vector phi_t+1 // Feature vector includes anomaly scores, security indicators, and aggregated neighbor metrics.
for each node v in V:
phi_t+1_v = concat(S_t+1_v, X_t_v, aggregate(neighbors_data)) // 2.2 Estimate attack probability using logistic regression // Equation (4) for each node v in V:
pi_t+1_v = sigma(w^T * phi_t+1_v) return pi_t+1 // Stage 3: Model Optimization function OptimizeModel(Y_hist, X_hist, pi_t+1): // 3.1 Define the weighted loss function // Combines prediction accuracy, classification quality, and graph consistency // Equation (5) L_pred = HuberLoss(y_t+1, y_hat_t+1) L_det = CrossEntropy(a_t+1, pi_t+1) R_graph = GraphRegularization(...) Regularizer = ||Theta||_2^2 L_total = L_pred + lambda_det * L_det + lambda_graph * R_graph + lambda_reg * Regularizer // 3.2 Update model parameters using online learning with a forgetting factor // Equation (8)
Theta_t+1 = Theta_t - Theta * gradient(L_online_t, Theta_t) + lambda_forget * (Theta_t - Theta_t1) infrastructure - a router, a video surveillance camera, a door lock, a garage door.
For each node, a dataset was taken containing load time series with a duration of 50 steps. These cycles reflected the periodic operation of the devices, as well as occasional anomalies. The anomalies were garage door opening, smoke detector triggering, etc. Key network nodes, such as the router and the video surveillance camera, are described in the initial dataset as having a stable background load with a few random fluctuations. The experimental setup included three stages: 1. Prediction of the load using a graphical autoregressive model that takes into account spatial and temporal dependencies. 2. Detection of anomalies based on the forecast residuals, followed by estimation of the Mahalanobis distance and application of adaptive thresholds. 3. Assessment of the probability of an attack and decision-making using the integration of IS indicators and a management module based on the Conditional Value-at-Risk (CVaR) criteria, see expression (7). of anomalies, deep LSTM method for time series.
MAE (mean absolute error of the forecast) and F1-score (quality of attack detection) were used as metrics for comparison. The comparison results are presented in Table 1.
According to the comparative analysis, the proposed method showed an improvement in the quality of load forecasting by about 15%. The accuracy of attack detection increased by 7-10% compared to existing methods. Thus, the comparison of the model with others confirmed the feasibility of simultaneously taking into account spatial and temporal dependencies and risk-oriented optimization based on CVaR.
The results of the computational experiment (Fig. 2) convincingly prove the effectiveness and functional viability of the proposed model. During the analysis of time series, it was found that the model correctly describes both stable background processes characteristic of constantly active devices (in particular, a network router or video surveillance system) and periodic, cyclical patterns of behavior of household devices, such as a thermostat or refrigerator. The high accuracy of modeling these patterns confirmed that the developed approach is capable of reproducing the real dynamic processes inherent in heterogeneous IoT networks.
The use of a risk-oriented concept based on the Conditional Value-at-Risk (CVaR) indicator has made it possible to expand the classical risk assessment paradigm. This approach takes into account not only the average expected losses, but also the probability of the most critical attack scenarios on the network infrastructure. This provides a more realistic modeling of the potential consequences of cyberattacks and forms the basis for making informed decisions in security systems aimed at minimizing losses in the worst possible conditions.
Despite the overall effectiveness of the model, the experiment revealed a number of methodological limitations. First, the use of a linear graph autoregressive structure limits the model's ability to represent complex nonlinear relationships between network nodes. This reduces the accuracy of predictions in situations where traffic is chaotic or stochastic in nature. Second, the current stage of the study did not take into account the real attributes of network traffic, such as packet types, protocol features, and delay metrics. Including such characteristics in future work could significantly increase the model's informativeness. Third, to increase the model's applied reliability, it needs to be tested on large open or corporate datasets containing real attack labels, including DDoS, port scanning, or malware injection scenarios.
The scientific novelty of the study lies in several key aspects. First, the graph autoregressive model for forecasting load in IoT networks has been improved, allowing simultaneous consideration of traffic time dependencies and spatial correlations between nodes through the graph Laplacian. This integration has made it possible to adequately describe the interdependent behavior of network elements, identify cross-correlation effects, and improve the accuracy of short-term forecasts.
Second, a method has been developed for integrating behavioral and network indicators of information security into the process of assessing the probability of an attack. Unlike classical models, a weighted loss function is proposed that takes into account the criticality of nodes and the frequency of abnormal events. This approach provides a flexible balance between load prediction accuracy and cyber incident detection quality, which is especially important for resourceconstrained IoT systems.
Third, a decision-making module based on the Conditional Value-at-Risk risk criterion has been implemented. This component allows for the consideration of not only average scenarios, but also extreme scenarios. The use of CVaR makes it possible to adapt the threat response process to real conditions of high uncertainty, providing an additional level of resilience for IoT networks against rare but potentially catastrophic attacks.
The practical value of this research lies in the creation of a prototype analytical tool that can be integrated into IoT network monitoring systems for early detection of information security incidents and prediction of peak loads during attacks. The proposed implementation allows automating the threat detection process, increasing the efficiency of computing resources, and reducing the system's response time to potential incidents.
The CVaR-based decision-making software module deserves special attention. It can be integrated into IoT cyber defense systems for automated selection of the optimal threat response strategy. This minimizes financial losses, reduces service downtime, and increases network continuity even in the event of complex attacks.
In the future, the model is expected to be integrated into automated IoT cybersecurity management systems. The research results can be used to enhance the functionality of modern Security Information and Event Management (SIEM) systems that process telemetry data streams in real time. Integrating the proposed solutions into such platforms will improve the accuracy of event classification, reduce the number of false alerts, and improve the overall analytical transparency of monitoring processes.
In the course of the study, a model for load forecasting and incident detection in IoT networks based on the integration of temporal and spatial traffic characteristics was developed and tested. The proposed approach provides a new level of analytical depth, as it allows simultaneously taking into account the behavioral patterns of nodes, their interconnections in the graph structure of the network, and the temporal dynamics of events. The results of the experimental modeling showed the system's ability to correctly reproduce both background stable processes and cyclic patterns of household IoT devices, as well as to effectively record deviations that may indicate potential cyberattacks.
The use of the Conditional Value-at-Risk (CVaR) criterion in the decision-making module made it possible to shift the focus from average risk assessments to the analysis of unlikely but critically dangerous scenarios. This approach enhances the system's ability to respond in advance to events that could lead to significant financial or operational losses, thereby strengthening the resilience of the network infrastructure to extreme impacts.
It has been confirmed that the integration of graph and autoregressive model components improves the accuracy of forecasting in environments with a high level of traffic heterogeneity, which is inherent in most IoT systems. This combination allows modeling not only direct but also indirect connections between nodes, reflecting complex topological and behavioral patterns of the network.
An additional scientific result is the development of a weighted loss function that takes into account the importance of each node and the frequency of certain types of attacks. This strikes a balance between the priority of threat detection and the need to maintain network efficiency in normal operation. Thus, the model can be adapted to various use cases, from home smart networks to industrial IoT segments. The practical significance of the results is manifested in the possibility of implementing the prototype analytical module in existing IoT network monitoring systems. This will not only increase the level of situational awareness but also ensure automated decision-making in real time. The introduction of the CVaR module into cybersecurity systems opens up prospects for building adaptive response strategies that can minimize the consequences of attacks even in the event of unpredictability.
Prospects for further research are to extend the model by taking into account the full attributes of traffic, including protocol characteristics, packet size, and time delays. In addition, an important area of future work is the use of deep learning methods to model nonlinear dependencies between node behavior and incident development. Significant attention will be paid to scalability issues, i.e., testing the model's performance on large industrial datasets and in real environments where data volumes are growing exponentially.
Equally relevant is the issue of integrating the developed model into SIEM ecosystems. This approach will combine the model's analytical capabilities with existing mechanisms for collecting and correlating security events. This will create the basis for the formation of new generations of intelligent risk management systems that will provide not only reactive but also proactive management of cyber threats in IoT environments. Thus, the results obtained form a scientific and practical basis for the further development of adaptive decision support systems in the field of cyber defense. The proposed model can become the basis for creating a universal analytical core that will provide high accuracy of anomaly detection, the ability to predict their development and make effective decisions in complex dynamic IoT environments.
The authors have not employed any Generative AI tools.