9004 2071-8217 2 2026 1-158

RAR RUS 9-21 Kiselev Alexey 0009-0000-9892-249X Mozhaisky Military Space Academy Bondarenko Vasily vasja13012004@gmail.ru 0009-0002-2999-9631 Mozhaisky Military Space Academy Tatarenko Daniil daniil_tatarenk@mail.ru Transformation of the cyber threat paradigm: deepfake as a determinant of risk escalation in social engineering attacks The article explores how artificial intelligence technologies, particularly deepfake, are fundamentally altering the nature of social engineering attacks. Whereas attackers previously exploited human gullibility through text and voice, they can now mimic biometric and behavioral characteristics in real time, blurring the line between authenticity and deception. Drawing on data from 2024–2026, the study demonstrates that deepfake has evolved from a technological experiment into a systemic threat to the credibility of digital content. Special attention is devoted to the vulnerabilities of current detection methods, which are shown to lag significantly behind the rapid advancement of generative models. The paper proposes a comprehensive set of measures – ranging from multi-layered technical safeguards to legal reforms – designed to shift the cybersecurity paradigm from reactive defense to proactive control. 343.34 Cybersecurity deepfake social engineering cyber threats artificial intelligence generative adversarial networks fake detection protection measures disinformation and economic damage https://jisp.spbstu.ru/article/2026.26.1/ pib_2.pdf

RAR RUS 22-29 0000-0002-7160-1845 RTK IB LLC; Financial University under the Government of the Russian Federation Kuznetsov Aleksandr 1283_my@mail.ru The method for selecting technical implementation of incident response measures Considering the increasing importance of timely response to information security incidents, the method for selecting technical implementation of information security incident response measures without the involvement of a response team is proposed. The method considers specified constraints on provided mandates and the coverage of response tools. Unlike known methods, this method considers the selection problem as an integer (boolean) linear programming problem. The terms of the objective function are logical variables for the information security incident localization that included into response plans. Thereby minimizing the time spent for information security incident localization. 004.056 Response tool response team incident (containment) localization automated response action mandate response plan https://jisp.spbstu.ru/article/2026.26.2/ pib_2.pdf

RAR RUS 32-48 0009-0007-7389-0429 Ufa University of Science and Technology Mikhanko Anton mikhanko45@gmail.com 0000-0002-3096-3102 Ufa University of Science and Technology Mashkina Irina profmashkina@mail.ru A method for determining typical time characteristics of security events based on statistical data for correlation analysis tasks The article presents a method for determining typical time parameters of information security events based on the analysis of event logs. The method is focused on processing inter-event intervals and makes it possible to identify characteristic temporal patterns of functioning of sources of security events. The proposed approach includes sampling time intervals, identifying the structural gap between event and inter-session intervals, filtering outliers using the interquartile range, and determining typical values based on clustering and group analysis. To account for the variability of the data, an estimate of the mean and standard deviation is used, followed by a division into interval windows. A numerical experiment has been conducted based on data from real-world event logs, confirming the method’s operability when analyzing sources with different event generation rates. The experiment was conducted on logs of the OPC server, Windows Server, PostgreSQL database management system. The results obtained demonstrate the method’s stability to outliers, multimodal distributions, and the presence of zero intervals. The developed method can be used in the construction of correlation rules in SIEM systems, as well as in the tasks of behavior analysis and detection of anomalies in the information security infrastructure. 004.056.5 Information security event logs SIEM time intervals event intervals log analysis anomaly detection interquartile range clustering statistical analysis event correlation behavioral analysis https://jisp.spbstu.ru/article/2026.26.3/ pib_2.pdf

RAR RUS 49-59 0009-0001-3348-5038 St. Petersburg State University of Telecommunication Named After Professor M. A. Bonch-Bruevich Nemchinov Alexander sasha01082004@gmail.com 0000-0002-2009-5460 Peter the Great St. Petersburg Polytechnic University Ovasapyan Tigran otd@ibks.spbstu.ru 0009-0002-7321-7430 Peter the Great St. Petersburg Polytechnic University Zhukovskii Evgeniy bugaev.va@edu.spbstu.ru

Russia, 195251, St. Petersburg, Polytechnicheskaya str., 29

Detecting anomalies in security events based on statistical analysis and large language models The possibilities of using large language models and statistical methods to automate the detection of anomalies in OS security events are investigated. A method for detecting anomalies is proposed that allows to automatically identify significant deviations and form their interpretation. A software prototype implementing this method has been developed and tested. 004.056 Statistical analysis large language models anomaly detection https://jisp.spbstu.ru/article/2026.26.4/ pib_2.pdf

RAR RUS 60-69 0009-0009-1677-8355 Saint-Petersburg State Marine Technical University Larionova Ekaterina cf.82@mail.ru Saint-Petersburg State Marine Technical University Bunas Irina ik070889@gmail.ru 0000-0001-6695-2328 St. Petersburg State Marine Technical University Garkushev Alexander sangark@mail.ru 0000-0001-9665-0128 Peter the Great St. Petersburg Polytechnic University Suprun Alexander afs54@inbox.ru

Russia, 195251, St. Petersburg, Polytechnicheskaya str., 29

Psychological effects of work in Security Operations Center (SOC) systems: burnout, cognitive load, and the role of AI-assistants The article examines the psychological consequences of analysts’ work in a Security Operations Center (SOC), including chronic stress, professional burnout, and related cybersecurity errors. Burnout is considered as an operational risk that increases the likelihood of incidents and reduces decision effectiveness. Modern AI solutions for SOCs (LLM assistants, agentbased systems, and behavioral models) and their limitations are analyzed. The paper discusses monitoring of the operator’s functional state, the structure of incident analysis, and mechanisms for limiting AI influence in order to preserve manageability and responsibility. The practical applicability of the proposed approach is demonstrated, where the reliability of operator decision-making is supported by an AI-assisted loop. 004.056 SOC professional burnout alert fatigue cognitive load cybersecurity AI-assistants human factors https://jisp.spbstu.ru/article/2026.26.5/ pib_2.pdf

RAR RUS 70-81 0009-0002-7398-5069 Peter the Great St. Petersburg Polytechnic University Milyutin Nikita milyutin.na@edu.spbstu.ru 0000-0002-2009-5460 Peter the Great St. Petersburg Polytechnic University Ovasapyan Tigran otd@ibks.spbstu.ru 0000-0001-8206-2915 Peter the Great St. Petersburg Polytechnic University Ivanov Denis ivanov@ibks.spbstu.ru Deobfuscation of malicious software using LLVM intermediate representation The problem of automating deobfuscation of malicious software is considered. A method based on the LLVM intermediate representation is proposed that combines dynamic unpacking with tracing, hybrid (traceassisted) restoration of the control flow graph and iterative devirtualization. A software prototype has been developed that implements the proposed method. An experimental evaluation was carried out, confirming the applicability of the approach to removing class obfuscation: packaging, control flow distortion, instruction obfuscation, and code virtualization. 004.056 Obfuscation deobfuscation LLVM IR devirtualization unpacking control flow graph recovery https://jisp.spbstu.ru/article/2026.26.6/ pib_2.pdf

RAR RUS 82-91 0000-0002-9899-2778 Peter the Great St. Petersburg Polytechnic University Platonov Vladimir plato@ibks.spbstu.ru 0009-0004-9032-4961 JSC “InfoTeX” Skiba Daroslav daroslav.skiba@yandex.ru IoT data augmentation using generative adversarial networks The article investigates the problem of critical class imbalance in intrusion detection systems (IDS) for Internet of Things (IoT) networks. A comparative study of data augmentation methods was conducted, evaluating five generative adversarial network (GAN) architectures (CopulaGAN, CTGAN, CTAB-GAN+ and modified versions of MCWGAN-GP and TMG-GAN) against traditional approaches (SMOTE, random oversampling). The study shows that data augmentation (as a data preprocessing stage) enables the restoration of the LightGBM classifier’s performance in critical imbalance scenarios, increasing the F1-macro score from 0.03 to 0.81. 004.032.26 Data augmentation generative adversarial networks data deficiency intrusion detection system Internet of Things https://jisp.spbstu.ru/article/2026.26.7/ pib_2.pdf

RAR RUS 92-112 Bauman Moscow State Technical University Shaikhanov Artem artem.shaykhanov@gmail.com Recognizing function prologues in binary files with recurrent neural networks The article discusses the problem of recognising function prologues in binary files, which is one of the key subtasks of software reverse engineering. The proposed approach is to use a recurrent neural network that processes byte sequences of a binary file. A comparative analysis of existing neural network models for function recognition was conducted, and their advantages and limitations were identified, which made it possible to justify the choice of a simple and reproducible RNN architecture. The obtained results allow to make conclusions about the influence of model hyperparameters on the quality of model recognition. These hyperparameters correspond to the features of the machine architecture and binary file formats. The experiments were performed on binary files of the ESP32 microcontroller with Xtensa Little Endian architecture and STM-32WBA6 microcontroller of Cortex-M33 core with ARMv8-M architecture using both standard and random alignment, which made it possible to evaluate the model’s resistance to changes in the structure of binary data. Based on the developed model, an extension for the IDA Pro disassembler has been implemented, demonstrating the practical applicability of the proposed approach in real reverse engineering tasks. 004.056 Reverse engineering recognition binary file function prologue recurrent neural network IDA Pro https://jisp.spbstu.ru/article/2026.26.8/ pib_2.pdf

RAR RUS 113-120 Peter the Great St. Petersburg Polytechnic University Gavva Georgij gavva.gd@edu.spbstu.ru 0000-0002-9732-0099 Peter the Great St. Petersburg Polytechnic University Kalinin Maxim max@ibks.spbstu.ru

Russia, 195251, St. Petersburg, Polytechnicheskaya str., 29

Protection against adversarial attacks based on a dynamically reconfigurable ensemble of machine learning models The paper reviews the problem of protecting machine learning models from adversarial attacks. A protection method is presented based on a dynamically reconfigurable ensemble of classifiers with a failure mechanism that combines a random combination of heterogeneous sub-models, online analysis of forecast variance, simulation of a plausible attack response, and a decoy model mechanism. Analysis of the consistency of outputs in the ensemble and failure to issue the most probable output reduces the effectiveness of an attacker when analyzing feedback received from the target model and generating adversarial samples. An experimental evaluation conducted on the UNSW-NB15 dataset showed that the developed method maintains high initial accuracy of the protected model under adversarial attacks (85–95 %) with a minimal decrease of 1–3 percentage points. The method can eliminate up to 98 % of attacks, significantly exceeding the performance of similar widely used methods. 004.056 Protection of machine learning ensemble of models classification mechanism for rejecting adversarial attacks https://jisp.spbstu.ru/article/2026.26.9/ pib_2.pdf

UNK RUS 121-137 0000-0001-9659-1244 Peter the Great St. Petersburg Polytechnic University Poltavtseva Maria potavtseva@ibks.spbstu.ru 0009-0007-3203-6007 Peter the Great St. Petersburg Polytechnic University Vasilyeva Anastasia vamp.be.live@gmail.com Protection of AI/ML federated learning systems from poisoning attacks Federated artificial intelligence learning systems are susceptible to attacks that allow an attacker to change their behavior, just like conventional AI/ML solutions. The most effective of such attacks today is the poisoning attack. At the same time, the protection of federated learning systems is complicated by the possibility of collusion between the participants. In such circumstances, it becomes especially difficult to detect and prevent attacks. The solution of this problem is the purpose of the presented work. The study suggests a method to ensure the protection of federated learning systems from poisoning attacks using collusion, based on a combination of known and proven protection methods. The selected methods of filtering and reliable aggregation have been modified to take into account possible collusion of the training participants. The correctness and effectiveness of the proposed method is confirmed by practical experiments, which make it possible not only to prove its effectiveness, but also to identify the limitations of the developed solution. 004.04 Information security artificial intelligence machine learning supply chains poisoning attacks https://jisp.spbstu.ru/article/2026.26.10/ pib_2.pdf

RAR RUS 138-148 0000-0001-6178-6420 National Research University Higher School of Economics Bogdanov Dmitry bogdanovds@rambler.ru On the impact of discretization on the practical secrecy of keys, formed by the interval scheme Often the key bits generated by physical random number generators are not realizations of jointly independent uniformly distributed random variables, which gives rise to the concept of “practical key secrecy”. For some physical random number generators this deviation is caused by the discreteness of time measured by electronic components. In this paper, for a physical random number generator model based on the interval scheme, we obtain bounds on the practical secrecy of keys taking into account the impact of measurement time discretization. 004.056.55 Physical random number generators random processes probabilistic model practical key secrecy interval scheme https://jisp.spbstu.ru/article/2026.26.11/ pib_2.pdf

RAR RUS 149-157 57200960264 0000-0001-6289-3295 Russian State Hydrometeorological University Sikarev Igor sikarev@yandex.ru

Russia, 192007, St. Petersburg, Voronezhskaya str., 79

0000-0002-6419-0072 St. Petersburg State University of Aerospace Instrumentation Tatarnikova Tatiana Tm-tatarn@yandex.ru Visual cryptography innovations method Proposed innovative method of visual cryptography using route permutation for small image file size and regular change of encryption keys. It is proposed to take one pixel of the image as one encryption element, to abandon sequential movements and to use a twodimensional space of dimension n×n for moving pixels. Application scenarios of the proposed innovative visual cryptography algorithm are proposed, such as storing biometric data in a secure form, sharing secrets, and preprocessing images for block encryption. The proposed visual cryptography algorithm is evaluated. 003.26 Visual cryptography route permutations image method software application https://jisp.spbstu.ru/article/2026.26.12/ pib_2.pdf