<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta>
      <journal-title-group>
        <journal-title>X (N. Vyshnevska);</journal-title>
      </journal-title-group>
    </journal-meta>
    <article-meta>
      <title-group>
        <article-title>A Probabilistic Model with the Markov Property for Cyberattack Detection Based on the Analysis of Dynamic Traffic Variations⋆</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Nataliia Vyshnevska</string-name>
          <email>nataliia.vyshnevska@npp.kai.edu.ua</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Valerii Kozlovskyi</string-name>
          <email>valerii.kozlovskyi@npp.kai.edu.ua</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Yurii Lysetskyi</string-name>
          <email>yurii.lysetskyi@snt.ua</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>hor Makieiev</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>State University "Kyiv Aviation Institute"</institution>
          ,
          <addr-line>1 Liubomyra Huzara ave., Kyiv, 03058</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2026</year>
      </pub-date>
      <volume>000</volume>
      <fpage>0</fpage>
      <lpage>0002</lpage>
      <abstract>
        <p>In this paper, a probabilistic model for cyberattack detection with a Markov property is proposed. The model integrates a posteriori state estimation with the analysis of a multivariate anomaly indicator derived from network traffic dynamics. It consists of three primary components: the conditional probability of observing the current factor ensuring mathematical consistency and scalable probability estimation. The proposed approach significantly reduces computational complexity by limiting historical dependency to a single previous time step (Markov assumption), while maintaining adaptability to evolving network behaviour. The incorporation of multiscale analysis, Zthe detection of both instantaneous and gradually unfolding cyberattacks. The feasibility of real-time implementation is demonstrated, making the model suitable for integration into contemporary cyber threat monitoring systems. Experimental validation indicates that the approach achieves a balance between sensitivity to anomalies and computational efficiency, with potential applications in intrusion detection systems (IDS) and security information and event management (SIEM) platforms.</p>
        <p>Keywords: cyberattack detection; probabilistic model; Markov process; anomaly indicator; a posteriori probability; network traffic; adaptive threshold; cyber threat; inertia; real-time detection.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>Introduction</title>
      <p>In the context of the rapidly increasing complexity and scale of cyberattacks, the challenge of timely
threat detection in information systems becomes critically important. This is particularly relevant for
attacks that evolve gradually or exhibit inertia such as DDoS attacks, low-level slow-rate intrusions,
or multi-stage threats that covertly unfold within network traffic. Traditional detection methods
based on fixed thresholds or instantaneous signatures often lack sufficient sensitivity to such
scenarios or generate an excessive number of false positives. Consequently, there is a growing need
for detection models that go beyond analysing the current system state, incorporating prior
behaviour, statistical patterns of traffic variation, and temporal probabilistic dependencies among
observed events. The use of integrated indicators that aggregate multidimensional information from
the network environment allows for the reduction of complex data structures to a unified metric,
which can be adaptively estimated over time.</p>
      <p>In this paper, we propose a probabilistic model for cyberattack detection based on the analysis of
dynamic traffic changes, which incorporates a Markov property between system states and utilizes a
posteriori estimation via multiscale traffic analysis. The model consists of three essential components:</p>
    </sec>
    <sec id="sec-2">
      <title>1. Research</title>
    </sec>
    <sec id="sec-3">
      <title>2. Main part</title>
      <p>Unlike conventional approaches, the proposed model captures the historical context of threats,
performs smoothing of the estimation by leveraging the inertia of attacks, and adaptively responds
structure reduces computational
overhead by limiting the analysis to the current and immediately preceding states, thereby
eliminating the need to retain the entire observation history.</p>
      <p>The goal of this research is the formalization and implementation of a probabilistic method for
cyberattack detection that integrates the precision of a posteriori state estimation with high
sensitivity to dynamic changes in network traffic.</p>
      <sec id="sec-3-1">
        <title>Mathematical formalization of the model.</title>
        <p>To improve the mechanism for detecting cyberattacks, a discrete probabilistic model with a
first-order Markov property was used. The model takes into account the current parameters of network
traffic and the previous state of the system. This approach describes the inertia of processes inherent
in cyberattacks and makes it possible to formalize the temporal dependence between events.</p>
        <p>We introduce the main notation and dependencies.</p>
        <p>The state of the system at a point in time $t$ is determined by the variable $Y_t \in \{0,1\}$, which
takes one of two values: $Y_t = 1$, the active phase of the attack, indicating the need for prompt/immediate
response, and $Y_t = 0$, the normal state of the network without signs of anomalies.</p>
        <p>
          The integral indicator of the anomaly is determined by a variable It indicating the level of traffic
deviation from normal behavior [
          <xref ref-type="bibr" rid="ref1 ref2 ref3">1-3</xref>
          ].
        </p>
        <p>Formally, the binary state of the system can be written as follows:

 = {
1 ∶  ℎ 
: 




 
 


(1)
by:</p>
        <p>
          The assessment of the current state of the system takes into account its previous state and makes
it possible to analyze the context of events, as well as track the dynamics of traffic changes. The
combination of network parameter states provides a comprehensive description of network behavior
and reduces the risk of false positives [
          <xref ref-type="bibr" rid="ref4 ref5 ref6 ref7">4-7</xref>
          ].
        </p>
        <p>The model for detecting dynamic traffic changes is based on the Bayesian approach using the
Markov property. It assumes that the current state of the system is a function of the integral anomaly
indicator $I_t$ and the state of the system at the previous point in time $Y_{t-1}$. This makes it possible
to use the Markov property and take into account the nearest previous state of the system [2, 3, 5, 7,</p>
        <p>The probability of the system being in the attack state at a point in time $t$, taking into account
the current value of the integral anomaly indicator and the previous state of the system, is determined by:</p>
        <p>$$P(Y_t = 1 \mid I_t, Y_{t-1}) = \frac{P(I_t \mid Y_t = 1, Y_{t-1}) \cdot P(Y_t = 1 \mid Y_{t-1})}{P(I_t \mid Y_{t-1})} \tag{2}$$</p>
        <p>the integral indicator $I_t$ corresponds to the standard behavior of the network. Under the normal state,
the integral indicator fluctuates near the mean level, and under attack it shows
a stable or increasing deviation from the norm.</p>
        <p>$$P(Y_t = 1 \mid I_t, Y_{t-1}) = f(I_t; Y_t) \tag{3}$$
where $Y_t$ is the threshold parameter that determines the boundary between states and $f(I_t; Y_t)$ is a
continuous or partial function, the specific form of which depends on the nature of network traffic:
small values of the integral indicator correspond to a low probability of an attack, while
exceeding the threshold produces a surge in probability.</p>
        <p>In fact, (2) acts as a mechanism for converting multidimensional traffic characteristics into a single
scale of confidence in the observation and reduces it to a numerical estimate in [0; 1].</p>
        <p>
          $P(Y_t = 1 \mid Y_{t-1})$ is the a priori probability of the system going into an attack state. It acts as a filter that
makes the model sensitive to successive signs of threats while ignoring random fluctuations that are not related
to attacks [
          <xref ref-type="bibr" rid="ref2 ref3 ref4 ref5 ref8 ref9">2-5, 8, 9</xref>
          ]. $P(I_t \mid Y_{t-1})$ is the normalization coefficient, which guarantees the correct scaling of the
probability within [0, 1] and provides correct interpretation. It reflects the probability of occurrence
of the current value of the integral indicator $I_t$ when only the previous state of
the system $Y_{t-1}$ is known, regardless of the state of the system (norm or attack) at the present moment of time [
          <xref ref-type="bibr" rid="ref2 ref3 ref5 ref6">2, 3, 5, 6</xref>
          ].
        </p>
        <p>This approach combines information about past and current observations while maintaining
adaptability to changes in traffic.</p>
        <p>Due to the previous state of the system, the model displays the inertia of attacks, recognizes
continuous or recurring threats, and minimizes false positive responses to single deviations.</p>
        <p>
          Combining the three components $P(I_t \mid Y_t = 1, Y_{t-1})$, $P(Y_t = 1 \mid Y_{t-1})$ and $P(I_t \mid Y_{t-1})$ in the structure
of the Bayesian model with the Markov property makes it possible to reasonably determine the presence of
cyberattacks, taking into account both the current signs of the anomaly and the temporal dynamics of
events [
          <xref ref-type="bibr" rid="ref2 ref3 ref5 ref9">2, 3, 5, 9</xref>
          ].
        </p>
        <p>
          The proposed model is based on the assumption that the current state of the system Yt is determined
only by the previous state Yt−1 and the integral anomaly indicator It calculated on the basis of a
multiscale analysis of traffic parameters [
          <xref ref-type="bibr" rid="ref5 ref6 ref8">5, 6, 8</xref>
          ]. This reduces computational complexity, because the
model analyzes only the last state and the current indicator without the need to store the entire history
[
          <xref ref-type="bibr" rid="ref4 ref5 ref6">4,5,6</xref>
          ]. At the same time, the integral indicator It aggregates information from all key parameters of
network traffic, thereby maintaining high accuracy in detecting attacks [
          <xref ref-type="bibr" rid="ref6 ref8">6, 8</xref>
          ].
        </p>
        <p>
          Due to the use of the Markov property, time dependencies are reduced to one step, which
corresponds to the inertial nature of many attacks (e.g., in the case of an ongoing cyberattack) [
          <xref ref-type="bibr" rid="ref4 ref5 ref8">4, 5, 8</xref>
          ].
The integral anomaly indicator It is calculated based on the deviations of normalized parameters of
network traffic from multiscale trends, allowing the level of deviation from the norm to be estimated
by a single metric [
          <xref ref-type="bibr" rid="ref6 ref8">6,8</xref>
          ]. The model also takes into account the previous state of the system $Y_{t-1}$:
if there has already been an attack, then even a moderate deviation of the indicator may
indicate its continuation [
          <xref ref-type="bibr" rid="ref3 ref8 ref9">3, 8, 9</xref>
          ].
        </p>
        <p>The use of the Markov property significantly simplifies the calculation of the joint
distribution in the detection model, limiting it to the current and previous state of the system,
without taking into account the full sequence of observations. It is formalized as:</p>
        <p>
          $$P(Y_t, I_t \mid Y_{t-1}, I_{t-1}) = P(Y_t \mid Y_{t-1}) \cdot P(I_t \mid Y_t, I_{t-1}) \cdot P(Y_{t-1} \mid I_{t-1}), \tag{5}$$
where $P(Y_t \mid Y_{t-1})$ is the transition probability between the states of the system. It models the inertia
of attacks and allows the model to distinguish short-term bursts from sequential threats [
          <xref ref-type="bibr" rid="ref4 ref5 ref9">4, 5, 9</xref>
          ].
$P(I_t \mid Y_t, I_{t-1})$ is the conditional probability of observing the current value of the integral indicator, taking
of the system state and anomaly level in the previous step [
          <xref ref-type="bibr" rid="ref3 ref6">3,6</xref>
          ].
        </p>
        <p>
          This approach reduces the amount of data processed on each cycle, thus ensuring
high reactivity to real changes in traffic, and makes it possible to recognize sequential or renewed threats through dynamic
updating of dependencies between the current and previous state of the system [
          <xref ref-type="bibr" rid="ref5 ref8 ref9">5, 8, 9</xref>
          ].
        </p>
        <p>
          This is an important step, because many attacks are periodic or protracted, and an accurate
assessment of the probability of an attack at the moment $t$ is possible only if the previous state of the
system $Y_{t-1}$ and the change of the indicator $I_t$ relative to the background of previous
observations are taken into account [
          <xref ref-type="bibr" rid="ref10 ref3 ref8">3, 8, 10</xref>
          ].
        </p>
        <p>
          In the proposed model, the probability that the system is in a state of attack at a point in time t is
determined by a posteriori distribution, which is built on the basis of the total probability of features
and the Markov property between the states of the system [
          <xref ref-type="bibr" rid="ref2 ref3 ref5">2, 3, 5</xref>
          ]. The a posteriori probability of
detecting an attack is determined by the expression:
        </p>
        <p>$$P(Y_t = 1 \mid I_t, I_{t-1}) = \frac{P(I_t \mid I_{t-1}, Y_t = 1) \cdot P(Y_t = 1 \mid Y_{t-1})}{P(I_t \mid I_{t-1})}, \tag{6}$$</p>
        <p>
          where $P(I_t \mid I_{t-1}, Y_t = 1)$ is the conditional probability of observing the anomaly indicator in the event
of an attack, taking into account its previous value, which makes it possible to capture the dynamics of
traffic changes; $P(Y_t = 1 \mid Y_{t-1})$ is the transition probability, which reflects the tendency of the system to remain in
the attack state or switch to it from normal mode; and $P(I_t \mid I_{t-1})$ is the normalization factor, which
guarantees that the a posteriori probability is scaled within [0; 1] [
          <xref ref-type="bibr" rid="ref2 ref3 ref4 ref5 ref6 ref8 ref9">2, 3, 4, 5, 6, 8, 9</xref>
          ].
        </p>
        <p>The value of $P(Y_t = 1 \mid I_t, I_{t-1})$ obtained from this calculation allows a decision to be made about the
presence of an attack at a point in time $t$. If this probability exceeds a given adaptive or dynamically
calculated threshold, the system classifies its state as an "attack".</p>
        <p>The normalization factor in the model is defined as:</p>
        <p>$$P(I_t \mid I_{t-1}) = \sum_{y_t \in \{0,1\}} P(I_t \mid I_{t-1}, Y_t = y_t) \cdot P(Y_t = y_t \mid Y_{t-1}), \tag{7}$$
where $Y_t = 0$ means the system is not under attack and $Y_t = 1$ means the system is under attack.</p>
        <p>
          This expression normalizes the a posteriori probability and ensures that its value lies in
the range [0; 1] [
          <xref ref-type="bibr" rid="ref2 ref3 ref5 ref9">2, 3, 5, 9</xref>
          ].
        </p>
        <p>
          This approach makes it possible to focus on the current anomaly indicator and the previous state of the system,
which greatly reduces the computational load and the volume of previous observations that must be kept. At the same
time, the model remains sensitive to the key features of attacks, due to the combination of an integral
indicator, preliminary observations, and probabilistic estimation of transitions between states. Thus, it
strikes a balance between efficiency and accuracy, providing the speed needed to respond to threats in real time
and allowing the model to be integrated into modern cybersecurity systems [
          <xref ref-type="bibr" rid="ref4 ref5 ref6 ref8 ref9">4, 5, 6, 8, 9</xref>
          ].
        </p>
        <p>
          In the proposed model, transition probabilities form the structural basis of the Markov property and
estimate the probability of the system being in the attack state at the moment of time $t$, if its state
is known at the previous moment of time $t-1$ [
          <xref ref-type="bibr" rid="ref4 ref9">4, 9</xref>
          ].
        </p>
        <p>These probabilities are described using the matrix of transitions between the states of the system,
where the system can be in one of two states: $Y_t = 1$, the system is attacked, and $Y_t = 0$, the system is in
a normal state.</p>
        <p>Formally, the transition matrix has the form:</p>
        <p>$$P = \begin{pmatrix} P(Y_t = 0 \mid Y_{t-1} = 0) &amp; P(Y_t = 1 \mid Y_{t-1} = 0) \\ P(Y_t = 0 \mid Y_{t-1} = 1) &amp; P(Y_t = 1 \mid Y_{t-1} = 1) \end{pmatrix}, \tag{8}$$
occurred at the previous moment, $P(Y_t = 0 \mid Y_{t-1} = 0)$ is the probability that the system remains in a
normal state.</p>
        <p>
          Each element of this matrix reflects a scenario of transition between the "attack" and "normal" states.
For example, $P(Y_t = 1 \mid Y_{t-1} = 0)$ is the probability of the start of an attack, and $P(Y_t = 0 \mid Y_{t-1} = 1)$ is the
probability of ending the attack and returning to a normal state [
          <xref ref-type="bibr" rid="ref5 ref8 ref9">5, 8, 9</xref>
          ].
        </p>
        <p>
          The values of the transition matrix enter the a posteriori probability formula
$P(Y_t = 1 \mid I_t, I_{t-1})$, where the component $P(Y_t \mid Y_{t-1})$ is taken directly from the corresponding row and
allows the model to take attack trends into account. For example, if the attacks are of a long-term
nature, then the value $P(1 \mid 1)$ will be high. The values of the matrix are also used to form the normalizing
factor in the Bayesian calculation [
          <xref ref-type="bibr" rid="ref2 ref3 ref5">2, 3, 5</xref>
          ].
        </p>
        <p>
          Transition probabilities can be estimated empirically by analyzing the frequency of transitions
between "attack" and "normal" states in real or simulated sequences of network events. This approach
allows the model to reflect the actual trends in the change in the state of the system, which were
observed at previous moments of time [
          <xref ref-type="bibr" rid="ref10 ref11 ref12">10-12</xref>
          ].
        </p>
        <p>In particular, the frequency of transitions from the normal state to the attack state, $P(Y_t = 1 \mid Y_{t-1} = 0)$,
or vice versa, the completion of the attack, $P(Y_t = 0 \mid Y_{t-1} = 1)$, can be statistically calculated and used
to construct a matrix of transition probabilities, which plays the role of a probability filter between the
current decision and the context.</p>
        <p>
          Using information from previous observations makes it possible not only to adapt the model to the real
profile of attacks in a particular environment, but also to mitigate the impact of single anomalies:
to avoid false positives, increase resistance to short-term traffic fluctuations, and ensure logical
consistency of decisions over time [
          <xref ref-type="bibr" rid="ref10 ref12 ref8">8, 10, 12</xref>
          ].
        </p>
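        <p>The following added example (not code from the paper) estimates the transition matrix (8) from a labelled state sequence and applies the Bayesian update (6)-(7). The labelled sequence, the add-one smoothing, the clamped linear likelihood (which ignores $I_{t-1}$), the sensitivity threshold 0.6 and the 0.5 decision threshold are assumptions made for illustration.</p>

```python
from collections import Counter

THETA0 = 0.6    # assumed sensitivity threshold (the page gives the range 0.5 to 0.7)
EPS = 0.05      # assumed clamp so that neither likelihood is exactly zero
DECISION = 0.5  # assumed decision threshold on the posterior

# Constructed labelled history: 0 = normal, 1 = attack.
LABELLED = [0] * 10 + [1] * 5 + [0] * 10 + [1] * 5


def estimate_transitions(states, smoothing=1.0):
    """Return T with T[i][j] = P(Y_t = j | Y_{t-1} = i), laid out as matrix (8).

    Consecutive state pairs are counted; the add-`smoothing` counts are an
    addition of this example that keeps unseen transitions above zero.
    """
    counts = Counter(zip(states, states[1:]))
    matrix = []
    for prev in (0, 1):
        total = counts[(prev, 0)] + counts[(prev, 1)] + 2 * smoothing
        matrix.append([(counts[(prev, nxt)] + smoothing) / total for nxt in (0, 1)])
    return matrix


def likelihood(i_t, y, theta0=THETA0, eps=EPS):
    """Assumed functional form of P(I_t | Y_t = y).

    Under attack: the linear alarm-zone score clamped to [eps, 1 - eps].
    Under normal: its complement. The dependence on I_{t-1} is left out.
    """
    score = (i_t - theta0) / (1.0 - theta0)
    attack = min(max(score, eps), 1.0 - eps)
    return attack if y == 1 else 1.0 - attack


def posterior_attack(i_t, y_prev, trans):
    """Eq. (6), with the denominator computed as the sum in eq. (7)."""
    joint = [likelihood(i_t, y) * trans[y_prev][y] for y in (0, 1)]
    return joint[1] / (joint[0] + joint[1])


def run_filter(indicators, trans, y0=0, decision=DECISION):
    """Classify each step and feed the decision back in as Y_{t-1}."""
    y_prev, out = y0, []
    for i_t in indicators:
        p = posterior_attack(i_t, y_prev, trans)
        y_prev = int(p > decision)
        out.append((p, y_prev))
    return out


if __name__ == "__main__":
    T = estimate_transitions(LABELLED)
    print("transition matrix:", [[round(v, 3) for v in row] for row in T])
    # The same indicator value is judged differently depending on Y_{t-1}.
    print("I_t = 0.7 after a normal step:", round(posterior_attack(0.7, 0, T), 3))
    print("I_t = 0.7 after an attack step:", round(posterior_attack(0.7, 1, T), 3))
    demo = [0.3, 0.7, 0.95, 0.7, 0.7, 0.3]  # constructed indicator values
    for step, (p, y) in enumerate(run_filter(demo, T), start=1):
        print(step, round(p, 3), y)
```

        <p>With these inputs the indicator value 0.7 gives a posterior of 0.05 after a normal step and 0.6 after an attack step, which is the inertia effect the transition matrix contributes.</p>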
        <p>
          The next component of the cyberattack detection model is the probability of observations,
$P(I_t \mid Y_t = 1, I_{t-1})$. It makes it possible to model the dynamics of changes in network activity over time, taking
into account the influence of the previous integral indicator and the current state of the system [
          <xref ref-type="bibr" rid="ref5 ref6 ref8">5, 6,
8</xref>
          ]. It determines how likely the observed value of the integral indicator $I_t$ is at a point in time $t$, provided
that the value of the previous level of the anomaly $I_{t-1}$ is known and the system is in an attack state
$Y_t \in \{0,1\}$ [
          <xref ref-type="bibr" rid="ref5 ref6 ref8">5, 6, 8</xref>
          ].
        </p>
        <p>
          Thanks to this component, the model is able to take into account not only the current deviation, but
also the dynamics of anomalies, their increase or fading, which is important for detecting gradually
deployed or masked attacks. It also increases the resistance of the model to short-term noise bursts
[
          <xref ref-type="bibr" rid="ref10 ref6 ref8">6, 8, 10</xref>
          ].
        </p>
        <p>
          The model can implement the probability of observations $P(I_t \mid Y_t, I_{t-1})$ through parametric or empirical
modeling, which allows adapting to different network conditions and attack scenarios [
          <xref ref-type="bibr" rid="ref12 ref5 ref6">5, 6, 12</xref>
          ].
        </p>
        <p>
          In the structure of the model, the conditional probability estimation component
$P(I_t \mid Y_t = 1, I_{t-1})$ is of special importance: it analyzes how well the
current situation in the network corresponds to the characteristic state of the attack [
          <xref ref-type="bibr" rid="ref5 ref6 ref8">5, 6, 8</xref>
          ].
        </p>
        <p>Unlike well-known approaches, where conditional probabilities are modeled through distribution
densities, this method implements a functional estimation approach that is flexible, easy to implement,
and adaptive to the variable behavior of the network environment.</p>
        <p>
          The integral indicator $I_t$ summarizes the multi-scale deviations of traffic parameters from the
average values and takes into account the number of threshold exceedances and the strength of the
anomaly (for example, according to the Z-score) [
          <xref ref-type="bibr" rid="ref6 ref8">6, 8</xref>
          ]. It also concisely reflects the current state of
the network and makes it possible to assess how typical this value is for attacks, taking into account the previous
dynamics [
          <xref ref-type="bibr" rid="ref5 ref8">5, 8</xref>
          ].
        </p>
        <p>
          Since in (3) the function of conditional plausibility of the observation of the anomaly indicator was
introduced, then we will consider its generalization for the case of dynamic modeling, taking into
account also the previous level of anomalies It−1 . To do this, use the P(It Yt) = f (It ; )
where 0 0, 5; 0, 7 is a fixed sensitivity threshold that defines the boundary between a slight
deviation and a pronounced anomaly [
          <xref ref-type="bibr" rid="ref6 ref8">6, 8</xref>
          ].
        </p>
        <p>The function f ( It ) has the following properties: the value f ( It ) = 0 is interpreted as the absence
of signs of attack by the current indicator; the value f ( It ) → 0 indicates a high degree of
correspondence of observations to the pattern of the attacked state; the interval It  ( 0;1 is a linearly
scaled "alarm zone".</p>
        <p>After converting the integral index It to probability using f (It ; ) , the model performs inertial
smoothing with the estimate obtained on the previous cycle:</p>
        <p>
          $$\hat{P}(Y_t = 1) = a \cdot f(I_t) + (1 - a) \cdot \hat{P}(Y_{t-1} = 1) \tag{10}$$
where $a \in (0,1)$ is the coefficient of inertia, which determines the weight of new information in
comparison with historical information, and $\hat{P}(Y_{t-1} = 1)$ is the estimate of the probability of an attack
calculated in the previous step [
          <xref ref-type="bibr" rid="ref5 ref6 ref9">5, 6, 9</xref>
          ].
        </p>
        <p>
          This mechanism stabilizes the behavior of the model in response to short-term bursts,
keeps an informative memory of recent anomalous states, and takes into account the inertia of attacks,
which in many cases are not instantaneous [
          <xref ref-type="bibr" rid="ref10 ref14 ref15 ref16 ref8">8, 10, 14,15,16</xref>
          ].
        </p>
        <p>The effectiveness of the proposed model depends on the dynamics of the network environment. In
case of frequent changes in attack types (for example, alternating flood, low-rate and
application-level attacks), or a high noise level, the model may temporarily lose accuracy, since it does not always
have time to adapt to new traffic patterns. This can lead to a delayed reaction or an increase in the
number of false positives and false negatives. To increase stability, it is necessary to implement
dynamic parameter updates, threshold adaptation and additional mechanisms for classifying anomalies
in real time.</p>
        <p>Similarly, a high level of noise in network traffic (e.g., short-term spikes, broadcast storms,
$P(I_t \mid Y_t = 1, I_{t-1})$ in such cases does not reflect a real threat but merely captures statistical deviation.
To improve robustness under such scenarios, it is advisable to implement dynamic parameter updates
for f ( It ) , adaptive thresholding for 0 , and additional classification or anomaly-type evaluation
mechanisms operating in real time.</p>
        <p>To assess the effectiveness of the proposed probabilistic cyberattack detection model, a series of
simulation experiments was conducted. These experiments analysed both typical normal traffic and
attack models with inertial structure (e.g., DDoS, Low-rate DoS, APT). For each scenario, a traffic
parameter set, an integral anomaly indicator, the system state, and the posterior probability of attack
presence at a given time step were computed.</p>
        <p>A demonstration version of the proposed model under conditions of mixed network load was
implemented using a simulated scenario comprising 100 time steps of network traffic (Table 1). The
test set included both phases of normal operation and three attack intervals (time steps 20-25, 45-55,
and 75-78), along with two noise events (spikes at time steps 10 and 65), aimed at evaluating the
ves.</p>
        <p>The integral anomaly indicator $I_t$ varied within the range from 0.1 to 0.9; values within the range
from 0.1 to 0.9 were not registered as anomalies, even if they represented short-term spikes or background
noise.</p>
        <p>Values in the range from 0.6 to 0.75 were not sufficient for triggering detection on their own, but when
accumulated could lead to attack identification.</p>
        <p>Values exceeding 0.75, even in isolated occurrences, often triggered threat detection.
A return of values below 0.6 was interpreted as the dissipation of the threat. However, if an attack
had previously been observed, the posterior probability $Y_t$ could remain elevated due to the inertia
mechanism, which retains memory of recent anomalous activity.</p>
        <p>[Table 1: columns Step, $I_t$, $f(I_t)$, $Y_t$, State]</p>
        <p>Values of It were transformed into the probability function f (It ) , which linearly scales deviations
when It  0, 6 , when (9)</p>
        <p>Subsequently, the values are smoothed to Yt using the formula:</p>
        <p>a posteriori probability of attack Yt under simulated mixed network load conditions</p>
        <p>According to the modelling results, all three attack phases were successfully detected: the
indicator Yt exceeded the threshold during phases 20-25, 45-55, 75-78.</p>
        <p>Short-term noise spikes (e.g. $I_t = 0.68$ at the 10th step) did not trigger false positives: inertia-based
smoothing kept $Y_t$ below the detection threshold. A single false positive was recorded at the 65th step,
resulting from the combined impact of a short-term noise fluctuation and a low inertia coefficient.</p>
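        <p>The smoothing detector of eq. (10), run over a series laid out like the simulated scenario, as an added example that is not the authors' code. Equation (9) is not legible on this page, so the piecewise-linear form of the mapping, the sensitivity threshold 0.6, the inertia coefficient 0.5, the decision threshold 0.2 and every indicator value other than the 0.68 spike at step 10 are assumptions or constructed values.</p>

```python
THETA0 = 0.6  # assumed sensitivity threshold (page range: 0.5 to 0.7)
ALPHA = 0.5   # assumed inertia coefficient, the weight `a` of new data in eq. (10)
TAU = 0.2     # assumed decision threshold on the smoothed estimate

ATTACKS = [(20, 25), (45, 55), (75, 78)]  # attack intervals stated on the page


def f(i_t, theta0=THETA0):
    """Assumed piecewise-linear mapping: 0 up to theta0, linear on (theta0, 1]."""
    if i_t > theta0:
        return min((i_t - theta0) / (1.0 - theta0), 1.0)
    return 0.0


def smooth(indicators, alpha=ALPHA, theta0=THETA0, p0=0.0):
    """Eq. (10): p_t = alpha * f(I_t) + (1 - alpha) * p_{t-1}."""
    p, out = p0, []
    for i_t in indicators:
        p = alpha * f(i_t, theta0) + (1.0 - alpha) * p
        out.append(p)
    return out


def build_scenario():
    """Constructed 100-step indicator series; element k holds time step k + 1."""
    series = [0.3] * 100  # constructed background level
    for (start, end), level in zip(ATTACKS, (0.85, 0.80, 0.90)):
        for step in range(start, end + 1):
            series[step - 1] = level  # constructed attack levels
    series[10 - 1] = 0.68  # noise spike value quoted on the page
    series[65 - 1] = 0.80  # constructed value for the second noise spike
    return series


def alarm_steps(indicators, tau=TAU, alpha=ALPHA):
    """Time steps (1-based) whose smoothed estimate exceeds tau."""
    probs = smooth(indicators, alpha=alpha)
    return [t for t, p in enumerate(probs, start=1) if p > tau]


def score(alarms, attacks=ATTACKS):
    """Return (missed attack steps, alarms raised outside attack intervals)."""
    truth = {t for start, end in attacks for t in range(start, end + 1)}
    missed = sorted(truth - set(alarms))
    extra = sorted(set(alarms) - truth)
    return missed, extra


if __name__ == "__main__":
    series = build_scenario()
    alarms = alarm_steps(series)
    missed, extra = score(alarms)
    print("alarm steps:", alarms)
    print("missed attack steps:", missed)
    print("alarms outside attack intervals:", extra)
```

        <p>With these values every attack step is flagged and the 0.68 spike at step 10 stays below the threshold; the alarms outside the attack intervals are the one-step inertia tail after each attack (steps 26, 56, 79) and the spike at step 65.</p>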
      </sec>
    </sec>
    <sec id="sec-4">
      <title>3. Conclusions</title>
      <p>A probabilistic model with a Markov property has been developed and substantiated. It consists of
multiscale traffic analysis, an integrated anomaly indicator, and Markovian logic for state transitions.
The a posteriori probability, as the main diagnostic indicator, allows the model to respond not only to
current deviations but also to account for the temporal development of events.</p>
      <p>One of the key advantages of this model is its ability to operate in real-time environments with
limited data volume, due to the use of local memory and inertia-based estimation.</p>
      <p>The proposed model demonstrates high accuracy in threat detection, flexibility to changes in
network conditions, and robustness against false positives. Results of the demonstration simulation
confirm its capability to identify both explicit attacks and gradual or stealthy attack phases.</p>
      <p>A promising direction for model enhancement involves the integration of mechanisms for dynamic
parameter updating in real time, including the adaptation of threshold values, inertia coefficients, and
state transition probabilities based on changing input traffic statistics.</p>
      <p>In future research, the model can be adapted to real-time incident response systems, integrated into
cybersecurity architectures for critical infrastructure, and expanded toward multiclass classification of
attack types.</p>
    </sec>
    <sec id="sec-5">
      <title>Declaration on Generative AI</title>
      <sec id="sec-5-1">
        <title>The authors have not employed any Generative AI tools.</title>
      </sec>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <surname>Shannon</surname>
            <given-names>C. E.</given-names>
          </string-name>
          <article-title>A mathematical theory of communication</article-title>
          //
          <source>Bell System Technical Journal</source>
          .
          <year>1948</year>
          . Vol.
          <volume>27</volume>
          (
          <issue>3</issue>
          ). P.
          <fpage>379</fpage>
          -
          <lpage>423</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <surname>Jensen</surname>
            <given-names>F. V.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Nielsen</surname>
            <given-names>T. D.</given-names>
          </string-name>
          <article-title>Bayesian networks and decision graphs</article-title>
          . New York: Springer,
          <year>2007</year>
          . 447 p.
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <surname>Pearl</surname>
            <given-names>J</given-names>
          </string-name>
          .
          <article-title>Probabilistic reasoning in intelligent systems: networks of plausible inference</article-title>
          . San Francisco : Morgan Kaufmann,
          <year>1988</year>
          . 552 p.
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <surname>Rabiner</surname>
            <given-names>L. R.</given-names>
          </string-name>
          <article-title>A tutorial on hidden Markov models and selected applications in speech recognition</article-title>
          //
          <source>Proceedings of the IEEE</source>
          .
          <year>1989</year>
          . Vol.
          <volume>77</volume>
          (
          <issue>2</issue>
          ). P.
          <fpage>257</fpage>
          -
          <lpage>286</lpage>
          . https://doi.org/10.1109/5.18626.
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <surname>Ghahramani</surname>
            <given-names>Z.</given-names>
          </string-name>
          <article-title>An introduction to hidden Markov models and Bayesian networks</article-title>
          //
          <source>Int. J. of Pattern Recognition and Artificial Intelligence</source>
          .
          <year>2001</year>
          . Vol.
          <volume>15</volume>
          (
          <issue>1</issue>
          ). P.
          <fpage>9</fpage>
          –
          <lpage>42</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <surname>Bishop</surname>
            <given-names>C. M.</given-names>
          </string-name>
          <article-title>Pattern recognition and machine learning</article-title>
          . New York: Springer,
          <year>2006</year>
          . 738 p.
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <surname>Xiong</surname>
            <given-names>A</given-names>
          </string-name>
          .
          <article-title>Theory of Markov Chain Monte Carlo and its several applications</article-title>
          //
          <source>Science and Technology of Engineering, Chemistry and Environmental Protection</source>
          .
          <year>2024</year>
          . Vol.
          <volume>1</volume>
          . DOI: 10.61173/5snnx446.
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <surname>Enli</surname>
            <given-names>M. B.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Genovese</surname>
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Agostinello</surname>
            <given-names>D.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Piuri</surname>
            <given-names>V</given-names>
          </string-name>
          .
          <article-title>Robust DDoS attack detection with adaptive transfer learning</article-title>
          //
          <source>Computers &amp; Security</source>
          .
          <year>2024</year>
          . Vol.
          <volume>144</volume>
          . 103962. https://doi.org/10.1016/j.cose.2024.103962.
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <surname>Lux</surname>
            <given-names>T.</given-names>
          </string-name>
          <article-title>Bayesian estimation of agent-based models using adaptive Markov Chain Monte Carlo</article-title>
          //
          <source>Computational Economics</source>
          .
          <year>2022</year>
          . Vol.
          <volume>59</volume>
          . P.
          <fpage>453</fpage>
          –
          <lpage>476</lpage>
          . https://doi.org/10.1007/s10614-021-10155-0.
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <surname>Chandola</surname>
            <given-names>V.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Banerjee</surname>
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kumar</surname>
            <given-names>V</given-names>
          </string-name>
          .
          <article-title>Anomaly detection: a survey</article-title>
          //
          <source>ACM Computing Surveys</source>
          .
          <year>2009</year>
          . Vol.
          <volume>41</volume>
          (
          <issue>3</issue>
          ). Article 15. https://doi.org/10.1145/1541880.1541882.
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <surname>Kozhukhovskyi</surname>
            <given-names>A. D.</given-names>
          </string-name>
          <article-title>Bayesian network-based methodology for predicting insider threats</article-title>
          //
          <source>Information Security</source>
          .
          <year>2023</year>
          . DOI: 10.31673/2409-7292.2023.030404.
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <string-name>
            <surname>Khraisat</surname>
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Gondal</surname>
            <given-names>I.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Vamplew</surname>
            <given-names>P.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kamruzzaman</surname>
            <given-names>J</given-names>
          </string-name>
          .
          <article-title>Survey of intrusion detection systems: techniques, datasets and challenges</article-title>
          //
          <source>Cybersecurity</source>
          .
          <year>2019</year>
          . Vol.
          <volume>2</volume>
          . https://doi.org/10.1186/s42400-019-0038-7.
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [13]
          <string-name>
            <surname>Lakhno</surname>
            ,
            <given-names>V.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Boiko</surname>
            ,
            <given-names>Y.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Mishchenko</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kozlovskyi</surname>
            ,
            <given-names>V.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Pupchenko</surname>
            ,
            <given-names>O.</given-names>
          </string-name>
          (
          <year>2017</year>
          ).
          <article-title>Development of the intelligent decision-making support system to manage cyber protection at the object of informatization</article-title>
          .
          <source>Eastern-European Journal of Enterprise Technologies</source>
          ,
          <volume>9</volume>
          (
          <issue>86</issue>
          ),
          <fpage>53</fpage>
          –
          <lpage>61</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          [14]
          <string-name>
            <surname>Tolubko</surname>
            ,
            <given-names>V.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kozelkov</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Zybin</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kozlovskyi</surname>
            ,
            <given-names>V.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Boiko</surname>
            ,
            <given-names>Y.</given-names>
          </string-name>
          (
          <year>2019</year>
          ).
          <article-title>Criteria for evaluating the effectiveness of the decision support system</article-title>
          .
          <source>Advances in Intelligent Systems and Computing</source>
          ,
          <volume>754</volume>
          ,
          <fpage>320</fpage>
          –
          <lpage>330</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          [15]
          <string-name>
            <surname>Yudin</surname>
            ,
            <given-names>O.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Boiko</surname>
            ,
            <given-names>Y.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Frolov</surname>
            ,
            <given-names>O.</given-names>
          </string-name>
          (
          <year>2015</year>
          ).
          <article-title>Organization of decision support systems for crisis management</article-title>
          .
          <source>In: Proc. of the 2nd International Scientific-Practical Conference "Problems of Infocommunications Science and Technology" (PIC S&amp;T)</source>
          ,
          October 2015
          ,
          <fpage>115</fpage>
          –
          <lpage>117</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          [16]
          <string-name>
            <surname>Barannik</surname>
            ,
            <given-names>V.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Yudin</surname>
            ,
            <given-names>O.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Boiko</surname>
            ,
            <given-names>Y.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ziubina</surname>
            ,
            <given-names>R.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Vyshnevska</surname>
            ,
            <given-names>N.</given-names>
          </string-name>
          (
          <year>2019</year>
          ).
          <article-title>Video Data Compression Methods in the Decision Support Systems</article-title>
          .
          <source>In: Communications in Computer and Information Science</source>
          , vol.
          <volume>1007</volume>
          , Springer,
          <fpage>531</fpage>
          –
          <lpage>548</lpage>
          . DOI: 10.1007/978-3-319-91008-6_30.
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>