DESIGNING A DECISION SUPPORT SYSTEM FOR THE WEAKLY FORMALIZED PROBLEMS IN THE PROVISION OF CYBERSECURITY

We devised a decision support system (DSS) for the weakly formalized problems of information protection and the provision of cybersecurity at the informatization objects. The system is based on the models that describe the tasks of information safety and cyberprotection in the conceptual and functional aspects. We described the process of compiling a knowledge base of DSS for the circumstances related to the detection of hard-to-explain attributes of anomalies and attacks. The DSS "Decision Support System of Management protection of information – DMSSCIS", which we designed, makes it possible to improve understanding of the analyzed situations that occur in the process of cyberprotection of mission critical computer systems. While tested at the enterprises, it was established that the "DMSSCIS" system enabled effective visualization and interpretation of results of current assessment of the revealed hard-to-explain attributes of anomalies and cyberattacks, as well as allowed us to describe current situation in the course of multistage targeted cyberattacks. It was established that the application of DSS "DMSSCIS" in the interaction with other systems for the intelligent recognition of illegitimate interference in the computer systems operations made it possible to improve efficiency of decision making on information security. While testing, it was found that the application of the "DMSSCIS" system allowed reducing the time required to inform persons, responsible for cybersecurity, about the incidents by 6.9–7.2 times.


Introduction
In connection with the growing number of complex targeted cyberattacks directed at the mission critical computer systems (MCCS), one of the vital problems of society is the information security (IS) and its component -cybersecurity (CS).When conducting targeted attacks, cybercriminals frequently are used unique harmful programs and methods of penetrating the MCCS (objects of cyberprotection -OBCP).Resisting a constant increase in the complexity of illegitimate actions on MCCS is possible, in particular, using the systems for the intelligent recognition of cyberattacks (SIRCA), equipped with the modules for decision support system (DSS).The architecture of the latter implies, as a rule, a system for intelligent data analysis (SIDA or Data Mining).SIRCA make it possible to reveal regularities in the dynamics of development of the OBCP states, combining the knowledge and experience of decision making by experts, as well as the SIDA computational potential.
Papers [7,8] examined Data Mining technologies in the problems of IS and CS that make it possible to reveal regularities in the evolution of situation, related to the protection of information (PI) at OBCP.The papers examined did not result in practical realization, in the form of applied SW.
Articles [9,10] analyzed a methodology of intelligent simulation, intended for the analysis and decision making in the insufficiently structured situations of PI.The studies were not implemented in either hardware or software realization.
The tasks of the CS provision at the occurrence of new classes of attacks, which are difficult to formalize and structure, prove to be complicated for the analysis and decision making support related OBCP IS [11].In this case, qualitative indicators [12] can represent parameters of the OBCP IS state, which is not always expedient.
In the opinion of authors [13,14], the analysis of MCCS protection and development of the plan to counteract targeted cyberattacks must be preceded by the stage of detecting the basic threats and vulnerabilities.In this case, as indicated by researchers, a task of the formalization of connections between the threats and the OBCP vulnerabilities remains challenging.
An essential shortcoming of articles [15,16] is the lack of architectural realization of DSS for the tasks of OBCP IS, which are difficult to formalize.As recognized by authors [16], the majority of similar DSS and ES have been at the stage of testing so far.
Papers [17,18] examined deficiencies of existing DSS and ES in the area of IS.Such deficiencies include the need for the presence of highly qualified experts while compiling a knowledge base (KB) and the field of knowledge (FOK), difficulties in the algorithmization of separate methods and models, impossibility to estimate the effectiveness of specific DSS and others.
Thus, taking into account the discussion in the papers examined, it is obvious that it is necessary to continue research into the practically implemented solutions for DSS in the field of OBCP IS.Similar studies, in particular, should focus on solving complex formalized untypical problems of PI, for example, in the processes of realization of multistage targeted cyberattacks.

The aim and tasks of the study
The aim of present work is the development of models and SW for DSS to manage IS, taken in the course of complex formalized untypical situations of realization of multistage targeted cyberattacks on MCCS.
To achieve the set aim, the following tasks were to be solved: -to devise a model for the description of metaknowledge for DSS about the weakly structured situations, related to the MCCS cyberprotection; -to develop and test a software program, which realizes the structurization of a complicated situation for IS, and its representation in the form of a set of interfaces that allow the visualization and interpretation of results.

Model for describing the metaknowledge in DSS for the provision of cybersecurity
Contemporary MCCS are usually well protected [1,3,17].In order to succeed, those attacking have to switch off or overcome protection in the process of realization of different classes of cyberattacks, Fig. 1.Thus, DSS as part of SIRCA should be designed for the continuous process of updating the knowledge base (KB).
Since the hardware-software complexes, which realize the mechanisms of adaptive cyberprotection (ACP) based on SIRCA and DSS, are still at the stage of creation, a formalized formulation of the problem for their development is formulated as follows.Initial data for such SIRCA are the data, which are contained in KB -REP (or the field of knowledge -FOK): where SYS are the data on the OBCP infrastructure (for example, topology, users, tools and the methods of protection and others); Events are the events, registered by SIRCA; TAI are the templates (scripts) [2][3][4]; NIS are the scripts for countering the attacks; gov are the decision rules at the detection of attacks [6,17].The problems, solved by SIRCA, are determined as follows.
Analysis of OBCP protection: where IOFP j -j is the index of OBCP protection; AT are the events, connected to the violation of IS; FS is the function, determined by the security policy (SP).Simulation of the transformation of situation in the process of attack realization: ESC cr =Model (SYS, TAI, AT, gov, T), where ⊂ cr ESC SYS is the critical element of OBCP; Model is the model of cyberattack in time -T.
Support of decisions to counter attacks, in particular, for the weakly formalized problems of the information protection: where ⊂ CM gov are the countermeasures; IOFP, IOFP rt are the current and reference value of OBCP protection, respectively.
A procedure of structurization of the situation, related to the task of supporting a decision for the provision of OBCP IS, is examined in the functional and structural contexts of the concept -the field of knowledge (FOK) of cybersecurity.
A variant of structural approach makes it possible to perform decomposition of the situation.This allows us to analyze the structural-functional relations of its constituent components (se i ).The selection of components (se i ) is realized in the course of interaction between DSS and SIRCA [17].The result of such an interaction is represented by hierarchical component "Part -Whole", PA, WH , where PA pa is the whole (set or alphabet (se i )), WH is the ratio "Part -Whole" on the alphabet = PA, i 1,...,n.For the variant of functional approach, the definition of situation determines the basic estimations of illegitimate interference in the MCCS work.It is accepted for all the components of situation ..,m is the set of apexes, AM i is the adjacency matrix (AM) of the directed graph (DG), which determines for each component (se i ) of the situation (pa i ) its functional structure.Using the experts, we build cognitive maps (COGM) (SI i , AM i ), which reflect the subjective treatment of regularities in the functioning of OCP element.Next, obtained COGM are grouped (SI, AM), where = ∪ i SI SI is the totality of attributes ("A") that characterize a change in the situation.
In the developed DSS we used a model of representation of the knowledge in the form of sign DG, as well as the field of knowledge (FOK) [19,20].FOK is assigned: by input information (factors -X) of the tasks for DSS; by conclusions (output data -Y); by a model (MO) that is used for the transformation of initial data into the conclusion.The model is described by systems SC pa , FS si , which reflect, accordingly, the structure of the situation and the regularities of OBCP SP realization.
COGM (SI, AM) are described in the functional system (FS) of FOK.In the process of COGM description, we applied the scale of informativeness "A" [21,22].For the description of COGM we also used methods for the identification of preferences of an expert (or a person who makes decision -DM), who analyzes the scripts of transformation of the situations (pa i ).
Using method [17], we obtained the ordered set ML ml of linguistic values (LV) of jth "A" ith judgment for zth number of LV, whose elements are represented in the range [0, 1].For each "A" judgment, we determined scale X ij .A scale point has linguistic interpretation ∈ ijz ij ml ML .For the situation when it is necessary to obtain the script of transformation of the situation, the initial data are: a set of factors { } = i SI si ; scale(s) of factors X ij ; the initial state of OBCP prior to the occurrence of analyzed situation X(t 0 )=(x 11 ,…,x nm ); AM = ijsl AM am , where i,s is the number of judgment, j,l is the number of "A" judgment, with numbers ∨ i s, respectively.
In a general case, it is necessary to determine addition vector "A" (AVA) ( ) ( ) ( ) and to track a change in the state of OBCP for the input factors of data X(t), (t+1),…, X(t+n) in moments t,…t+n.
For solving the problem, we employed a method of successive iterations, in the course of which AVA was determined from expression ( ) ( ) The state of OBCP in moment t+1 is characterized by equality X(t+1)=X(t)+V(t+1).
Each AM for the positive and negative components was transformed under the following conditions: if am 0 then am am , am am ; to positively determined dual AM Consequently, AVA of V(t) and predicted values of attribute(s) V(t+1) have dimensionality 2n, too.In this case, the rules of synthesis of initial AVA V'(t) with dimensionality 2n are satisfied: In vector the significance "A" ij si is determined by two components with index 2j that characterizes + ij v , as well as with index − 2j 1, which determines As a result of transposition of the AVA component for moments of time we obtained block matrix (BM).In the BM, the lines are the addition "A" in moments t, the columns are the addition "A" in the moment of time, which corresponds to column: The obtained matrix V t is applied in the subsystem for the prediction of transformation of the situation with OBCP IS.
The degree of mismatch of elements FOK -dis ij (t), taking into account papers [17,21,22], is determined by expression: where is the addition of positive and negative "A" in moments t, respectively.Parameter ij dis (t) characterizes trust of DM in the process of adding v ij (t) for si ij .For ≈ ij dis (t) 1 (a case when Tracking dynamics in the transformation of situation, while realization of illegitimate actions by the criminal in moments + X(t),...,X(t n), is expressed in DSS in the process of transformation by term: sgn v t 1 v t 1 max v (t 1),v (t 1) .
It is accepted that if inequality is valid, then the sign is valid, the sign is negative.Consequently, the transformation of situation in the course of prediction will be determined by tuple: where x (t 1) x (t) v (t 1); + ∈ + ij dis (t 1) DIS(t 1).
In the developed DSS, the transformation of situation is represented by matrix Matrix X t is used for the visual representation of the results, generated in the course of searching for solutions.
Solution of inverse problem (INPR) forms recommendations for DM that make it possible to transform current situation into the targeted state of OBCP.In this case, in the subsystem for the search for conclusions (SSC), we used transitive closure * AM of the doubled adjacency matrix = ′ ′ ijsl AM am .
In SSC, in particular when Parameters dis ij and v ij in DSS are determined using ratios (7) and (8), respectively.
The current state of FOK FS is determined by tuple: SI, X, X(0), AM .
A conceptual system (CS) of FOK as a part of DSS makes it possible to conduct structural-functional decomposition of situation PA, WH .Furthermore, it is used in the processes of interpretation of conclusions related to the scripts of transformation of the OBCP state, for example, in the course of realization of targeted cyberattacks.
Components of the situation are determined by the following parameters: where pa i is the identifier of concept (judgment); SI(pa i ) is the intension of concept SI si , SI(pa ) (x ,...,x ) ; CV(pa i ) is the scope of the concept (component of the situation, described in the model).
Concept pa i in DSS is mapped in space by a point with coordinates of "A" values.A feature space of attributes of the concepts is formed by the Cartesian product of scales of all "A" -U(pa i ).
In the CS model, CS the identifiers of concepts ∈ i pa PA are represented in the notional (semantic [23]) space U(pa i ).CS makes it possible to determine a set of semantic spaces U(PA) U(pa ),...,U(pa ) , and hierarchical component WH.Thus, the pair of concepts U(pa i ) and U(pa q ) is bound by relation WH.
For DSS, we performed structurization of the semantic space of concepts pa i in the format of representative clusters i CL of cybersecurity [24].Clusters and concepts are conjugated by relations "Classes -Sub-classes".
It is accepted in DSS that CV pa CV pa are satisfied.Conceptual clusters (CCL) in the semantic space of IS are defined in the interpretation of basic (or supporting) concepts B i pa (BC).BC determine the class of objects, analyzed with the aid of SIRCA and DSS, (for example, the class of attack), and the category of situation to which element pa is related.
The interval of values ( ) SI pa is the intension of BC; ( ) CV pa is the scope of BC.The scope of BC can be represented as a set of SP objects, for which values of "A" relate to the permissible.The permissible values, from the point of view of the analyst of information security (AIS), belong in the domain of permissible parameters of BC B i

AC(pa ).
A procedure of BC generalization is realized by removing repetitive "A" or their combinations.
It CV pa CV pa .An intention of BC and its abstractions forms a partially ordered set SI pa ,SI pa ,...,SI pa .
The formed set is a conceptual cluster of BC -i PA .The formed CCL make it possible to structure semantic space of CS.In the clusters, we determine transitions from BC B i pa to those generalized Ba i pa .In CS, the transitions are assigned by the tuple of vectors: pa CN(t), i.In the process of DSS operation, we determined rules for the CS transformation: 1) if, when predicting results of the course of a cyberattack, value of "A" concept exceeded the limits, permitted by BC, a new concept is formed; 2) new concepts generalize initial BC according to the attributes whose values deviate from those permitted.
The rules are formally represented as the reflection of FS state X(T) into the state of CS, that is, where UM UM is the vector of rules of BC transformation B i pa into generalized ∀ Ba i pa , i. Expression (11) provides DM with the possibility to interpret and generalize IS concepts, characterized by the set "A".
Thus, taking into account (11), a model for the representation of FOK is determined by tuple: and so on.The target vector indicates the direction and magnitude of changes in "A" attack from initial X(0) of OBCP into the targeted X P state.Controlling resources of SPI for MCCS are determined as: A set of conclusions is formed while solving INPR, that is, when changing the situation, which arose when a cyberattack was realized, from the current state into the targeted one.
In a number of situations, there are the precedents possible when there is no any solution.However, by changing the structure of cognitive model of the situation, it is possible to find a solution by using heuristic approach, in particular, by engaging experts on IS.
The search for solutions includes the following stages: -generation of conclusions; -structurization of conclusions for the functional mapping; -structurization of conclusions in the conceptual format.
The generation of conclusions is carried out when solving the INPR for the appropriate control circuits of IS.As a result, we obtain a set of solutions { } For the structurization of conclusions of functional mapping, the following criteria were applied: realizability of the solution within the framework of existing SPI; conflictness of the solution.
In a DSS, decision that was made A criterion of realizability, when applied to {D}, allowed us to divide conclusions into the subsets of realizable D R and non-realizable D N decisions.
Component of decision D cv is assigned by parameters v ij and c ij .In papers [22,25], the level of consonance in the problems of decision making about IS is assigned in the range c ij =0.5-0.65.Values below c ij <0,5 for making decisions D cv are considered to be conflicting [25].
The model of knowledge representation (expression (12) realizes the structurization of conclusions in the conceptual format.We shall assume that the dynamics of transformation of the situation X cv corresponds to each conclusion ∈ CC ,...,CC is formed by the conceptual graph of decisions (GD), Fig. 2, Table 1.

Fig. 2. Conceptual graph of decisions
Root apex of GD (level 0, L0) contains conclusions ∈ v D D, in which none of the attributes ("A") exceeds the limits, set by BC for OBCP IS.At L1 are decisions D v , in which not more than one "A" exceeded the limits of SP domain.At L2 are decisions D v , in which not more than two "A" exceeded the limits of SP domain.The conclusions of L2 generalize conclusions of L1 by "A", and so on.For the situation when values of "A" exceed the limits, established by SP, a new class of objects is determined, with the structure and variants of actions different from basic SP [4,6,17].
The search for structural solutions includes the following stages: -evaluation of alternative decisions; -assessment of prospects; -formation of decision.
A conclusion on prospects of the variant of actions starts from the root apex of DG.DM should be aware of the situation, abstracting from "A", by which the generalization is conducted.
The formation of conclusion is performed based on the estimation of alternatives of separate decisions.The estimation is carried out during the introduction of structural transformations to the situation model SI,X X(0) AM and subsequent solution of INPR for structure * * * SI ,X X(0) AM .

Table 1
Designation of the class of decision (CD)

Program realization of the decision support system
DSS is realized in the programming environment Rad Studio XE.User interfaces include the modules, which real-ize the operation of subsystems, demonstrated in Fig. 3.The methods employed in DSS, as well as models and algorithms, were described in papers [17,22,24].

Fig. 3. Subsystems and user interfaces of DSS
Interface for the formation of initial information is intended for setting "A", which reflect the situation, as well as the corresponding scale of estimating "A".A visualization of the transformation of the situation is represented in the form of sign DG (SI, AM), Fig. 4. Dark blue color denotes edges of DG, structurizing the fragments of the situation "Part -Whole", red color denotes fragments of the situation "Class -Sub-class".
A subsystem of DM preferences provides the possibility to reveal the degree of influence of each of "A" of anomalies or cyberattacks on other factors of IS.As the initial data, we used scale of informativeness "A" ij ML [17,24].Furthermore, DSS analyzes current values ijk ml , obtained based on DG (SI, AM).
If the variant of direct evaluation is selected, then degree of influence of "A" of cyberattack on the indicators of IS was calculated as follows: = с r ijsl ij sl am v v , where с ij v , r sl v is the addition of "A" characteristics of reason ("RE") and consequence ("CO"), respectively; i,s is the number of concept, j, l is the number of "A".
Fig. 5 shows a form for the interpretation of results of simulation of the indicator, which determines the degree of influence of the attributes of cyberattack on the current estimation of OCP IS.The form includes components that make it possible to formulate a question for an expert in the natural language, as well as components for changing the values of attributes of cyberattack in the context of bond of cause-effect ("RE-CO") and the degree of fuzziness in the answers.
If AIS considers it appropriate to conduct a paired comparison of the informativeness of attributes of cyberattack, for example, in the situation, which requires the refinement of attributes-reasons si tl , si sd and their influence on the bond of attribute-consequence ("A-CO"), the rank scale is used [5,8,24].A degree of influence of "A" of the attack on the indicators of OBCS IS was determined as follows: where β is the parameter that describes a degree of influence of the bond "A-RE" on "RE-CO".
In the situation when the contradictions are revealed while estimating IS, the module of correction is activated, which makes it possible to react in real time to the occurring errors in the assessment of state of the MCCS cyberprotection.DSS implies both manual and automated correction of the situation, for example, when an expert's estimation does not coincide with the estimation of the level of DSS IS and SIRCA.When corrected manually, an expert may change his choice, assigned at the previous step of paired estimation.A heuristic algorithm is employed during automated correction [3,5].
In the situation when quantitative characteristics of the bonds "A-RE" and "A-CO" are known, as well as functional correlations of "RE-CO" on the set "A-RE", DM may use a mode of functional dependence.
It is accepted: The force of influence of factors on IS is determined as sensitivity index for each of the arguments: The second one reflects the changes in states of IS X t .The described arrays are used by the subsystems of representation of the results of simulation, as well as in the process of supporting the decisions of DM.
The forms, shown in Fig. 6-8, visualize summarized results obtained in the process of simulation.The forms contain tables with parameters of increments from 0 ijk ml to v ijk ml .The forms also reflect the charts of dynamics in the transformation of values of attributes si ij .For example, Fig. 6 shows a chart of the change in situation in the course of assessing the development of DDoS attack on the resources of MCCS.The charts in Fig. 6 demonstrate results of evaluating the probability of service denial for several scripts of development of the situation in the course of DDoS attack.Additional option of DSS is the capability of generating a report that contains "RE-CO" diagrams.The diagrams reflect the changes that CS undergoes in the course of realization of different classes of attacks.The algorithm of diagrams formation is based on the isolation of zone with the registered max increments in the values of si ij for matrix V t .Thus, a fragment of maximum additions si ij creates causal connections, which make it possible for DM to interpret the transformations of bond "RE-CO", Fig. 7.
Fig. 8 shows an example of the interface of subsystem for the simulation of situation for the script of MCCS network virus infection.The form contains a digital indicator, which provides for the convenient format of representation of probabilistic parameters of the situation assessment based on an analysis of existing "A".
Intelligent support of DM decisions is provided by "Advising subsystem", Fig. 9.
In this case, DM is given a possibility, based on own knowledge and experience, to select governing "A" from the set of data, obtained while solving INPR.In the course of evaluating IS strategy, the search for solution D v is realized by the iterative process, which consists in the successive determining the elements of decision vector.Such an iterative search allows DM to form a set of variants of alternative decisions.The form contains components for the visualization of table of values of target "A".The form also contains a list of controlling "A" and a diagram that reflects the results of applying the actions, initiated by DM.
The interfaces of analyses of different scripts of the transformation of situation enable comparison of the results, in this case providing DM with convenient tabular or graphic variant of conclusions representation.

Results of testing the DSS
The testing of DSS "Decision Support System of Management protection of information -DMSSCIS" was carried out for MCCS of several transportation enterprises, the cities of Alma Ata, Astana (Republic of Kazakhstan), Kiev and Dnepr (Ukraine).
In the course of testing, we analyzed possibilities of supporting the decisions related to the probabilities of realization of actions by the intruder, who realizes cyberattacks on MCCS, Table 2.It was established that the application of DSS made it possible to reduce the predicted value of risk of overcoming IS contours by 5.5-6 %.
It was established in the process of testing that the realization of DSS "DMSSCIS" makes it possible to ensure an increase in the level of automation and centralization of the OBCP protection monitoring, as well as reduce the time required to inform persons, responsible for the information security, about the incidents by 6.9-7.2 times.

Discussion of results of DSS testing and prospects for further studies
DSS "DMSSCIS" has the following advantages when compared to the similar systems, which were previously used for the tasks of supporting AIS decisions at the analyzed enterprises.
First, the DSS provides DM with a convenient format for mapping the changes that OBCP IS undergoes in the course of realization of different classes of attacks.Second, the DSS enables intelligent support for the AIS decisions and the possibility to form alternative variants of decisions to counter attacks.
A specific shortcoming of the DSS is the fact that at the initial stage of operation, each MCCS -OBCP requires manual introduction of initial rules that describe conceptual clusters of IS.
Conducted research is the continuation of studies that were previously carried out by the International Kazakh-Turkish University named after H. A. Yassavi (Kazakhstan), by the European University and by the National Aviation University (Ukraine).Further development of research might be directed at improving the interaction of traditional mechanisms of OBCP IS, which, in particular, process primary information, and the DSS modules for decision making in the weakly formalized problems on the provision of cybersecurity.As a whole, the studies conducted confirmed effectiveness of the proposed models and DSS program package for improving the level of protection of the examined enterprises.

Conclusions
We devised a model for describing in the conceptual and functional aspect the process of formation and application of DSS KB for the circumstances related to the detection of specific hardto-explain attributes of anomalies and attacks, which makes it possible to improve understanding of the analyzed processes of MCCS cyberprotection.
We designed and tested the DSS "DMSSCIS" software package that realizes the structurization of complex situation for MCCS IS.DSS "DMSSCIS" makes it possible to visualize and interpret results of the current assessment of the revealed hard-to-explain attributes of anomalies and cyberattacks, as well as, based on a cognitive model, describe current situation in the course of realization of a multistage targeted cyberattack.It was established that the application of DSS "DMSSCIS" in combination with other systems for the intelligent recognition of illegitimate interference in the MCCS operation allows an increase in the quality of decisions in the field of cybersecurity.

Introduction
A constant growth of the volume of text information (TI), associated with the use of the Internet, leads to an increase in the need for automatic text processing of TI.The quality requirements for processing, primarily based on the use of modern information technologies, are at the forefront.Unfortunately, high quality software in the tasks of synthetic-analytical processing of multilingual text information in machine translation systems (MTS) exists only for narrow subject areas and cannot be easily adapted to a wide range of tasks.In addition, existing solutions mostly require post-editing and are oriented to professional translators, rather than ordinary users.
The relevance of present work is in the study of method of automatic syntactic analysis (ASA) of the text based on declarative representation of the rules of syntax com-binability and on the method of software distribution of analytical-synthetic processing of the natural language text (NLT) at MTS.

Literature review and problem statement
As shown by the analysis of theoretical and practical work in the field of MTS development, a lifetime problem of automatic translation is polysemy and uncertainty, the solution to which involves computer modeling of the process of understanding NLT, particularly evident for the Slavic languages due to rich morphology [1].
Model [2] was developed at Stanford University (United States) and has the title "semantics of advantages"; it is

DEVELOPMENT OF KNOWLEDGE-ORIENTED SYSTEM OF MACHINE TRANSLATION BASED ON THE ANALYTIC-SYNTHETIC TEXT PROCESSING L . L y t v y n e n k o
Postgraduate student* Е-mail: l.lytvynenko@gmail.com

O . N i k o l a i e v s k y i
Postgraduate student* Е-mail: a1.n1@yandex.ru

V . L a k h n o
Doctor of Technical Science, Associate Professor** Е-mail: lva964@gmail.com

Fig. 1 .
Fig. 1.Interrelation between the types of attacks, which are subject to analysis by the attributes of DSS ...,p , are assigned, the sets of input actions vectors are determined -{ } Ψ = D .It is accepted that for all ∈Ψ D , expression =  * D AM P. is realized.Variants of the INPR solution for D max and D min are presented in papers[21,22].Controlling influences D i , a "A" s ij are set by parameters v ij and d isij , that is, dis ,...,v ,dis .
pa ,...,pa are the identifiers of concepts within the framework of description of the situations; ) CV pa ,...,CV pa are the scopes of concepts ∈ ∀ Ba i ,WH, PA , CN t , CC t ,SV t .A problem on searching for conclusion and obtaining the solution is reduced to the development of strategy for the transformation of situation from the current state of IS to the targeted one.Thus, the INPR is solved.In the course of solving, ..,D , which form a vector of controlling influences (VCI).VCI corresponds to AVA, taking into account cognitive consonance (c)[25], that is, ,...,v ,c .Thus, each conclusion ∈ cv D D, is assigned with the corresponding state of OCP after a change in the situation in the functional mapping of FOK is represented by the structure of CS, that is, set of conclusions of CS corresponds to the set of decisions D in FS, that is, ,SV is the state of DSS CS.It is accepted that in the semantic space of CS, the coordinates of points, which determine acceptable characteristics of BC, are assigned by the state of situation X cv and by decisions D cv .It is possible that several values of BC and the solutions that correspond to them enter the domain, permitted by DM, at the same time.In this case, the combination of different decisions ∈ cv D D. is possible.Consequently, in the DSS CS, classes q pa D are formed.The class of the decision is characterized by tuple = the number of classes in CS.The content of classes { } 1 Q ..,D .The conclusion is accepted if there is at least one decision ∈ which were obtained while solving the INPR for the initial configuration of situation with OBCP IS.

Fig. 4 .
Fig. 5. Form for the interpretation of results of simulation

Fig. 6 .
Fig. 6.Form for evaluating the transformation of situation at a change in the attributes

Table 2
Results of testing the DSSParameters of information environment / Variants of AIS and DSS reactionAdopted designations: AC is the number of anomalous network incidents; AH is the number of anomalous incidents at host, AP is the number of anomalous incidents along the perimeters of MCCS SPI, P a is the probability of cyberattack