M.V. Portyanko1, D.N. Prachev2, I.V. Zavodtsev3, M.A. Borisov4
1–3 Higher Military School named after Army General S.M. Shtemenko (Krasnodar, Russia)
4 Military Training Center at Moscow State University named after M.V. Lomonosov (Moscow, Russia)
1 portynko.max@mail.ru, 2 prachef.deniz@mail.ru, 3 nilrs@rambler.ru, 4 bma_mv@rambler.ru
The work is devoted to the study of methods for the formation of object-oriented response plans when identifying information security incidents at informatization facilities.
Today, the use of most security solutions in the field of information security does not fully protect against targeted attacks, which requires a constant increase in security capabilities. One of the areas for protection is the development of object-oriented response plans (playbooks): detailed algorithms of actions for emergency situations, or a set of specialized algorithms, each tailored to a specific type of computer incident at an informatization facility. The authors propose to address this problem by dynamically including in response plans a ready-made bundle: a new indicator of compromise paired with the appropriate actions to eliminate the consequences of the incident.
The purpose of the article is to test an improved technique for extracting new indicators of compromise through the use of a suffix probability tree. The proposed solution will make it possible to adapt the procedure for creating playbooks to changing types of information security incidents by dynamically including new indicators of compromise in them.
It has been proposed to improve the procedure for extracting and substantiating new indicators of compromise on the basis of an anomaly detection method that uses a probabilistic suffix automaton. This approach makes it possible to obtain new indicators of compromise for computer incidents, including in a dynamic format, by comparing variable-order Markov chains built from a series of examples (templates) of the behaviour of the studied objects in a sandbox. The study is based on the regular processes of the Astra Linux OS, which are described by the sequence of monitoring events generated by the operating system while it performs typical tasks.
The methodology for creating targeted playbooks when detecting information security incidents has been supplemented with newly obtained data on critical system processes and with compromise indicators that are extracted from monitoring data and indicate a specific type of computer incident with a high degree of reliability. The technique differs from known ones in its additional use of a procedure for comparing variable-order Markov chains, represented as probabilistic suffix trees, that describe the patterns of normal and current behaviour of objects (applications, operating system processes); the comparison determines the type of incident and the artifact that uniquely indicates it.
The adaptability of the constructed simple suffix tree is proposed to be achieved by modifying the algorithm for calculating empirical probabilities so that the contribution of earlier examples to the total empirical probability decreases with each step, while later examples are taken into account with larger weight coefficients. At the same time, criteria adapted to this procedure have been introduced to assess the quality of the response plan being formed.
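To make the two preceding ideas concrete (scoring a current event trace against variable-order Markov chains of normal behaviour, and down-weighting earlier templates so that later ones dominate the empirical probabilities), here is an added example, written for this page and not taken from the authors' work. It implements a small probabilistic suffix tree with recency-weighted counts; the event names, the sandbox templates, the `<start>` padding symbol, the backoff rule, the additive smoothing and the flagging threshold are all constructed assumptions and do not reproduce the paper's exact weighting scheme or quality criteria.

```python
"""Probabilistic suffix tree (variable-order Markov model) over monitoring-event
sequences, with recency-weighted empirical probabilities.

Added illustration, not the authors' code: event names, templates, padding,
backoff, smoothing and threshold are constructed for this example.
"""
import math
from collections import defaultdict

START = "<start>"  # padding symbol so the first real event has a context


class ProbabilisticSuffixTree:
    def __init__(self, max_order=2, decay=0.5, smoothing=0.01):
        self.max_order = max_order
        self.decay = decay          # shrink factor applied to all earlier templates per new template
        self.smoothing = smoothing  # additive smoothing: unseen transitions keep a small probability
        self.alphabet = set()
        # context tuple -> next event -> recency-weighted count
        self.counts = defaultdict(lambda: defaultdict(float))

    def add_template(self, events):
        """Fold one sandbox template of a regular process into the tree."""
        # Earlier templates lose influence: every stored weight is multiplied by
        # `decay`, then the new template is counted with weight 1.
        for table in self.counts.values():
            for sym in table:
                table[sym] *= self.decay
        seq = [START] + list(events)
        self.alphabet.update(seq)
        for i in range(1, len(seq)):
            for k in range(0, self.max_order + 1):
                if i - k < 0:
                    break
                ctx = tuple(seq[i - k:i])  # suffix of length k preceding event i
                self.counts[ctx][seq[i]] += 1.0

    def _lookup(self, history):
        """Longest suffix of the history (up to max_order) seen during training."""
        ctx = tuple(history[-self.max_order:]) if self.max_order > 0 else ()
        while ctx and ctx not in self.counts:
            ctx = ctx[1:]  # back off to a shorter context
        return ctx

    def prob(self, history, event):
        """Smoothed empirical probability of `event` after `history`."""
        if not self.alphabet:
            raise ValueError("add at least one template before querying")
        table = self.counts.get(self._lookup(history), {})
        total = sum(table.values())
        denom = total + self.smoothing * len(self.alphabet)
        return (table.get(event, 0.0) + self.smoothing) / denom

    def score(self, events, threshold=0.05):
        """Mean negative log-likelihood per event (higher = more anomalous) and
        the transitions whose probability fell below `threshold`; each flagged
        (context, event) pair is a candidate new indicator for the playbook."""
        seq = [START] + list(events)
        nll, flagged = 0.0, []
        for i in range(1, len(seq)):
            history = seq[:i]
            p = self.prob(history, seq[i])
            nll -= math.log(p)
            if p < threshold:
                flagged.append({"position": i - 1, "context": self._lookup(history),
                                "event": seq[i], "prob": p})
        return nll / max(len(events), 1), flagged


# Constructed sandbox templates of a regular process (not real Astra Linux traces).
TEMPLATES = [
    ["exec", "open_cfg", "read_cfg", "connect_db", "query", "write_log", "exit"],
    ["exec", "open_cfg", "read_cfg", "connect_db", "query", "query", "write_log", "exit"],
    ["exec", "open_cfg", "read_cfg", "connect_db", "query", "write_log", "exit"],
]
# Constructed current traces: one matching the baseline, one with unseen transitions.
NORMAL_TRACE = TEMPLATES[1]
SUSPECT_TRACE = ["exec", "open_cfg", "read_cfg", "spawn_shell", "connect_net", "exit"]


def build_baseline(templates=TEMPLATES, **kw):
    pst = ProbabilisticSuffixTree(**kw)
    for t in templates:
        pst.add_template(t)
    return pst


def candidate_indicators(trace, templates=TEMPLATES, threshold=0.05):
    """Anomaly score of `trace` and the improbable (context, event) transitions."""
    pst = build_baseline(templates)
    score, flagged = pst.score(trace, threshold)
    return score, [(f["context"], f["event"]) for f in flagged]


if __name__ == "__main__":
    for name, trace in (("normal", NORMAL_TRACE), ("suspect", SUSPECT_TRACE)):
        score, flagged = candidate_indicators(trace)
        print(f"{name}: mean NLL={score:.2f}, flagged={flagged}")
```

With these templates the normal trace produces no flagged transitions, while the suspect trace flags `spawn_shell` after the context `(open_cfg, read_cfg)` and `connect_net` after backoff to the empty context; those pairs are the artifacts a practitioner would review before attaching them, with their response actions, to a playbook. The decay factor is what makes the tree adaptive: after two templates `[a, b]` and `[a, c]` with `decay=0.5`, the transition `a -> c` carries weight 1.0 and `a -> b` only 0.5, so the more recent behaviour is preferred; with `decay=1.0` both are weighted equally.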
Portyanko M.V., Prachev D.N., Zavodtsev I.V., Borisov M.A. Methodology for developing targeted playbooks tailored to specific types of information security incidents. Neurocomputers. 2026. V. 28. № 1. P. 17–31. DOI: https://doi.org/10.18127/j19998554-202601-02 (in Russian)