Theoretical and Applied Cybersecurity https://tacs.ipt.kpi.ua/ <p>"Theoretical and Applied Cybersecurity" journal is the scientific publication of the National Technical University of Ukraine "Igor Sikorsky Kyiv Polytechnic Institute". The publication unveils the results of the latest scientific research on the theory and practice of providing cybersecurity and cyber protection of its objects in cyberspace. The greatest attention is paid to research based on the use of modern mathematical methods and information technologies.</p> en-US <p dir="ltr"><span>Authors who publish with this journal agree to the following terms:</span></p><ol><li dir="ltr"><p dir="ltr"><span>Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a </span><a href="https://creativecommons.org/licenses/by/4.0/deed.uk"><span>Creative Commons Attribution License</span></a><span> that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.</span></p></li><li dir="ltr"><p dir="ltr"><span>Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.</span></p></li><li><span id="docs-internal-guid-8f94c84b-7fff-69c4-f607-f9f9f548d798"><span>Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See </span><a href="http://opcit.eprints.org/oacitation-biblio.html"><span>The Effect of Open Access</span></a><span>).</span></span></li></ol> tacs.journal@gmail.com (Dr. Prof. Oleksii Novikov) vntkach@gmail.com (Dr. 
Volodymyr Tkach) Mon, 17 Nov 2025 00:00:00 +0200 Bit-sliced Algorithm for the 512-point Number Theoretic Transform https://tacs.ipt.kpi.ua/article/view/343116 <p>A method for computing the 512-digit number theoretic transform used in the Vershyna digital signature scheme, employing bitwise digit operations, is proposed. The correctness of the developed algorithm and its efficient constant-time performance have been proven.<br />The obtained results indicate that the proposed approach is adaptive and can be applied to computations with other polynomials. This enables its easy integration into various cryptosystems to ensure protection against side-channel attacks. The proposed method does not require changes to the digital signature scheme itself, introducing modifications only to the polynomial multiplication function.</p> Illia Kripaka, Andrii Fesenko Copyright (c) 2025 Andrii Fesenko https://tacs.ipt.kpi.ua/article/view/343116 Mon, 17 Nov 2025 00:00:00 +0200 Method of Security Evaluation of the LBlock-like Ciphers against Differential Cryptanalysis https://tacs.ipt.kpi.ua/article/view/339994 <p>This paper considers the problem of estimating the security of the lightweight block cipher LBlock against differential cryptanalysis. We formalize the process and present two algorithms for computing upper bounds for differential probabilities. 
The baseline algorithm provides approximate estimates based on the number of active S-boxes, while the refined algorithm incorporates the full probability distributions of S-box differentials, yielding significantly better bounds.</p> <p>To illustrate the efficiency of the proposed methodology, we introduce a modified version of LBlock with 8x8 S-boxes, which has lower computational complexity and allows experimental evaluation on our resources. We consider different linear permutations of the encryption round, analyzing how they affect the estimates produced by both algorithms. The results demonstrate that the refined algorithm achieves much smaller maximum bounds (below 2<sup>-40</sup> in the best cases) compared to the baseline approach and provides a more accurate characterization of security against differential cryptanalysis.</p> <p>Overall, the proposed algorithms make it possible to efficiently evaluate the provable security of LBlock-like ciphers against differential cryptanalysis.</p> Oleksii Yakymchuk, Mykhailo Lopatetskyi Copyright (c) 2025 Oleksii Yakymchuk, Mykhailo Lopatetskyi https://tacs.ipt.kpi.ua/article/view/339994 Mon, 17 Nov 2025 00:00:00 +0200 Information Security Challenges in an Enterprise-Grade Software Development Lifecycle https://tacs.ipt.kpi.ua/article/view/338771 <p>In an era of escalating cyber threats and digital complexity, the integration of information security into the software development lifecycle (SDLC) is imperative for building trustworthy enterprise-grade software systems. This literature review synthesizes and critically evaluates over 30 scholarly and industry sources to identify current practices, frameworks, and tools for SDLC implementation. It explores prominent cybersecurity frameworks, such as Microsoft’s SDL, OWASP SAMM, NIST SSDF, and assesses how well they accommodate modern cloud security practices within contemporary SDLCs. 
Special attention is given to the DevSecOps paradigm, which integrates automated security checks and developer engagement into continuous integration and delivery pipelines, and to SBOMs as a means of exposing and managing third-party component risks in complex supply chains. Findings reveal persistent challenges related to integration with agile workflows, cost, lack of standardized metrics, and organizational resistance (i.e. the human factor). The overall result is the amalgamation of software security best practices extracted from the examined literature into a concise overview to assist further research in this area. The paper concludes with a call for more adaptable, scalable, and measurable security practices that align with modern software development methodologies aimed at facilitating the enterprise-grade integration and delivery of code.</p> Kamil Mahomedov Copyright (c) 2025 Kamil Mahomedov https://tacs.ipt.kpi.ua/article/view/338771 Mon, 17 Nov 2025 00:00:00 +0200 Some Properties of RX-Differential Probabilities for an Operation that Approximates Modular Addition https://tacs.ipt.kpi.ua/article/view/342753 <p>In this paper, we consider RX-analysis for the NORX mixing operation, a logic-only surrogate for modular addition used in ARX/LRX designs. Given established closed-form RX-probability expressions and feasibility conditions, we characterize the distribution of RX-probabilities over random RX-differentials, provide a constructive algorithm that, for fixed input differences and rotation value, enumerates the admissible output differences and simultaneously yields their cardinality, together with a maximization method for identical-input cases.</p> Nikita Korzh Copyright (c) 2025 Nikita Korzh https://tacs.ipt.kpi.ua/article/view/342753 Mon, 17 Nov 2025 00:00:00 +0200 An Iterative Algorithm for Interdependent Estimation of Node and Link Weights in Corporate Networks for Cyber Risk Analysis 
https://tacs.ipt.kpi.ua/article/view/343763 <p>The paper proposes a new iterative algorithm MRRW-PageRank (Mutually-Reinforced Risk-Weighted PageRank) for assessing cyber risks in corporate information systems based only on network topology. The algorithm solves the problem of determining link weights, which remains insufficiently solved in existing approaches to centrality analysis. Unlike traditional methods, where link weights are given or assumed to be the same, MRRW-PageRank establishes an interdependence between the importance of nodes and the probability of using paths to them, which models the nature of malicious paths. Node weights are updated according to the modified PageRank based on weighted links, and link weights are recalculated as a function of the importance of the target node and its input degree. The process is repeated iteratively until convergence. The algorithm is implemented as a codeless prompt based on a minimal logical framework, which provides the ability to execute in no-code environments and integrate with LLM agents. A simulation on a model network with 12 objects is presented, demonstrating the effectiveness of the method in prioritizing critical resources and identifying vulnerable penetration paths. 
The proposed approach is especially relevant at the stages of system design, topology audit, or initial security assessment, when there is no empirical data on vulnerabilities or behavior.</p> Lesia Alekseichuk, Dmytro Lande Copyright (c) 2025 Lesia Alekseichuk, Dmytro Lande https://tacs.ipt.kpi.ua/article/view/343763 Mon, 17 Nov 2025 00:00:00 +0200 Cybersecurity of Intellectual Information Aggregation Processes into Digital Archives https://tacs.ipt.kpi.ua/article/view/343769 <p>The article addresses the problem of cybersecurity in intellectual information aggregation (IIA) processes within digital archives, which arise during the automated collection, structuring, semantic enrichment, and analysis of heterogeneous data using artificial intelligence (AI), machine learning (ML), and large language models (LLMs). The study focuses on identifying vulnerabilities of IIA processes and their mathematical formalization across stages such as digitization, image processing, optical character recognition (OCR), classification, indexing, and archival system creation. Particular attention is given to formalizing cyber threats, including unauthorized access, integrity violations, metadata forgery, adversarial attacks on AI/ML models, data manipulation, prompt injection, data exfiltration, and digital signature forgery. For each threat category, mathematically grounded countermeasures are proposed, including encryption, multi‑factor authentication, monitoring, anomaly detection, access control, metadata protection, and adversarial training. The paper emphasizes the emergent properties of combined defenses, highlighting the resilience of digital archives against cyber threats that arise from the interaction of individual safeguards. The proposed models can be applied to the assessment and strengthening of information system security in the context of state and societal digital transformation. 
Practical aspects of implementing digital archive creation processes have been validated through patented solutions for converting large collections of paper documents into digital information resources [15]. To support the functioning of intellectual information aggregation processes, specialized software packages are employed, the modules of Digital Docs<sup>®</sup> Technology, registered as a copyrighted work [16]. Practical deployment of the proposed solutions is carried out within the activities of DIGITAL DOCS<sup>®</sup>, registered as a trademark [17].</p> Yuriy Tsyrulnev Copyright (c) 2025 Yuriy Tsyrulnev https://tacs.ipt.kpi.ua/article/view/343769 Mon, 17 Nov 2025 00:00:00 +0200 Automating Cybersecurity Decision‑Making with AI and the Analytic Hierarchy Process https://tacs.ipt.kpi.ua/article/view/338865 <p>Cybersecurity decisions in large organizations routinely require the integration of heterogeneous qualitative and quantitative considerations. The Analytic Hierarchy Process (AHP) offers a principled framework for such multi-criteria settings, yet reliance on human expert panels constrains scalability and cadence. This study examines whether large language model (LLM) agents can substitute for human panels within AHP without compromising methodological discipline. Seven GPT-4 personas are instantiated as virtual experts and coordinated by an AHP guide to structure and evaluate defenses against social-engineering attacks on a corporate data center. The agents elicit criteria and sub-criteria, construct pairwise comparison matrices, and synthesize priorities under standard AHP procedures. Aggregated judgments exhibit strong internal coherence (top-level consistency ratio CR = 0.016; λ_max = 7.13), yielding a stable ranking of alternatives: comprehensive employee training (0.2774), advanced intrusion detection (0.2240), cloud-based data backup (0.1938), targeted refresher training for security staff (0.1795), and physical barrier enhancements (0.1254). 
The results indicate that GPT-4 agents can emulate expert judgment for multi-criteria cybersecurity decisions at materially lower cost than human panels, while preserving the methodological rigor of AHP.</p> Igor Svoboda Copyright (c) 2025 Igor Svoboda https://tacs.ipt.kpi.ua/article/view/338865 Mon, 17 Nov 2025 00:00:00 +0200 A Formal Model for Constructing Sensitive Data Graphs from Cyber Reports using Large Language Models https://tacs.ipt.kpi.ua/article/view/338785 <p>Unstructured cyber threat intelligence (CTI) reports present major challenges for systematic analysis, particularly when accuracy and reliability are critical. This paper introduces a formal, four-stage mathematical model for constructing canonical knowledge graphs from sensitive textual data. The model integrates the advanced extraction and reasoning capabilities of GPT-5 with deterministic rule-based inference and network analysis to bridge the “formalization gap” between probabilistic large language model (LLM) outputs and verifiable analytical structures. Using a corpus of 204 official CERT-UA incident reports as a test case, the methodology successfully normalized thousands of raw entities, identified central threat actors and high-value targets, and revealed distinct operational ecosystems within Ukraine’s cyber threat landscape. Theoretically, the study contributes a replicable and mathematically defined framework for integrating next-generation LLMs into formalized knowledge graph pipelines. 
Practically, it provides a scalable and reliable tool for analysts in cybersecurity, national security, and related fields, enabling the transformation of unstructured reports into actionable intelligence.</p> Viktor Turskyi Copyright (c) 2025 Viktor Turskyi https://tacs.ipt.kpi.ua/article/view/338785 Mon, 17 Nov 2025 00:00:00 +0200 Determination of Cyberattack Parameters on the Measurements System of Critical Infrastructure Facility https://tacs.ipt.kpi.ua/article/view/339005 <p>The paper solves the problem of detection and researching the parameters of stealth attacks on the linear Kalman filter data measurement system that bypasses the standard fault diagnosis detector. The relevance of the research is determined not only by the importance of solving cyber security problems, but also by the active use of the Kalman filter in large industrial power supply networks to evaluate the indicators of system nodes, in industrial automation systems, and others. A cyber attack on the measuring system of the Kalman filter is under consideration, the purpose of which is to disrupt the normal functioning of the filter by distorting the measurement signal, which is a mandatory component of the filter. The filtering system is equipped with a fault detector, which detects the presence of an attack on the measurement signals. The condition of the attack is invisibility for the fault detector, that is, the attacker implements a class of stealth attacks on the integrity of the information that circulates and is processed in the system. The task of finding a distorted measurement signal was solved using the variational optimization method and the gradient method of the fastest descent. A computational experiment was conducted, the quantitative characteristics of the algorithm were obtained and analyzed. 
The proposed method and the corresponding algorithm for determining the parameters of stealth attacks on the measurement system of critical infrastructure objects can be used to solve the problems of testing cyber defense systems.</p> Iryna Stopochkina, Oleksii Novikov, Mykola Ilin, Mykola Ovcharuk, Andrii Voitsekhovskyi Copyright (c) 2025 Iryna Stopochkina, Oleksii Novikov, Mykola Ilin, Mykola Ovcharuk, Andrii Voitsekhovskyi https://tacs.ipt.kpi.ua/article/view/339005 Mon, 17 Nov 2025 00:00:00 +0200 Recovering S-boxes from the Differential Distribution Table and Affine Equivalence Classes of S-boxes with Respect to Modular Addition https://tacs.ipt.kpi.ua/article/view/328960 <p>This paper considers the problem of S-box recovery from its differential distribution table (DDT) with respect to modular addition. We describe the structure of DDT for affine S-boxes and affine transformations of S-boxes. We found some unexpected internal symmetry in DDT w.r.t. modular addition, which holds for other algebraic operations, but not for bitwise addition (XOR). We describe two classes of affine transformations (affine shifts) which preserve the structure of DDT. For a recovery of S-box from its DDT we propose a backtracking-based algorithm, which is moderately effective for medium-size S-boxes. We apply our algorithm for three-bit S-boxes and describe the structure of their DDT equivalence classes; among other things, it was shown that affine shifts do not cover all DDT equivalence class members.</p> Stepan Yershov, Serhii Yakovliev Copyright (c) 2025 Stepan Yershov, Serhii Yakovliev https://tacs.ipt.kpi.ua/article/view/328960 Mon, 17 Nov 2025 00:00:00 +0200 Detecting the operation of keyloggers using the dendritic cell algorithm with multiple resolutions https://tacs.ipt.kpi.ua/article/view/337840 <p><span style="font-weight: 400;">Throughout time, criminologists (or their colleagues in history) have tried to develop the most reliable methods of protecting information. 
Currently, the most common method of information processing is the computer, so today's information protection specialists face the task of protecting data in computers, in which the most common method of information input is data input from the keyboard by the user. Keystroke logging, also known as keylogging, consists in intercepting keystroke codes from the user. This data may contain passwords, personal correspondence, or other confidential information. Therefore, it is very important to pay attention to this method of user interaction with your "machine", because it is through this method that an attacker can steal information directly from the keyboard. Unlike traditional malware such as worms or viruses, some types of keyloggers cannot be detected by modern antivirus protection methods.</span></p> <p><span style="font-weight: 400;">The paper presents the results of a study of the application of the dendritic cell algorithm with multiple resolutions for the task of determining the presence of a keylogger in the system. Based on the simulation, a new effective model for determining the presence of a keylogger is proposed.</span></p> Hennadii Shybaiev, Leonid Galchynskyi Copyright (c) 2025 Hennadii Shybaiev, Leonid Galchynskyi https://tacs.ipt.kpi.ua/article/view/337840 Mon, 17 Nov 2025 00:00:00 +0200