Perspective

Mathematical Approaches Transform Cybersecurity from Protoscience to Science

1 Faculty of Information Sciences, University of Library Studies and Information Technologies, 1784 Sofia, Bulgaria
2 Cisco Systems, Inc., San Jose, CA 95134, USA
3 Faculty of Mathematics and Natural Sciences, South-West University “Neofit Rilski”, 2700 Blagoevgrad, Bulgaria
* Author to whom correspondence should be addressed.
Submission received: 29 March 2023 / Revised: 12 May 2023 / Accepted: 12 May 2023 / Published: 26 May 2023
(This article belongs to the Special Issue Advanced Technologies in Data and Information Security II)

Abstract

The area of cybersecurity problems has reached the stage of becoming a science. This raises questions about the connection between the mathematical theories used in cybersecurity research and their relation to the methodology for experiments and conceptual models synthesized from the academic community. This research proposes an analytical review of the mathematical ideas used in applied cyber-security and theoretical explorations. This meta viewpoint is dedicated to standard mathematical theories applied in cybersecurity issues. The ground of the work is methodological problems relating to the validation of experiments and models with mathematical ideas in the cybersecurity exploration of digital space. This research emphasizes the application of game theory, catastrophe theory, queuing systems, and Markov chains. The methods are shown without claiming to be exhaustive. The goal is to review the currently established implementation of mathematical approaches to cybersecurity. A spectrum of possibilities for applying mathematical apparatus in future research for cybersecurity is given. After a review of the literature for each presented mathematical approach, we expose a list of problematic areas in which this has already been implemented.

1. Introduction

The digital world is growing at an exponential rate. This process faces regulatory gaps [1,2], staff shortages [3,4], new fields with diversified technologies [5,6], and sophisticated malicious actors. New areas with inherent technological specifics regarding hardware platforms and software applications are being developed. Communication protocols are becoming more and more multifarious. Cloud technologies, containers, virtual reality, augmented reality, and DLT (distributed ledger technology) can be widely applied to develop smart homes, smart cities, smart cars, and intelligent transport systems, and OT (operating technology), which has appeared as a synergy of ICS/SCADA and IoT in critical infrastructures.
Since the development of conventional information systems and networks, malicious actors have extended their cyber-attacks on cloud services and critical infrastructure. Logically, in the coming years, their attention will be focused on intelligent transport systems [7], which have become part of smart cities [8], on developing nanotechnologies that are embedded in clothing and the human body [9], and the next emerging or future cutting-edge technologies.
The cybersecurity product industry, institutional efforts, scientific researchers, and law enforcement are lagging in terms of resisting sophisticated cyber attackers. We share the perception about the superiority of hackers against cyber defenders [10].
Attention to this problem is exacerbated by a lack of transparency, visibility, and understanding when implementing security in developing, integrating, deploying, and using digital technologies. Controlling manufacturers’ decisions makes managing security risks in products and their capabilities and expertise when managing these risks are insufficient [11].
The massive impact of cybersecurity issues on the cyber–physical world confirms the need for research and opens new questions in relation to systematizing scientific approaches in this problem area. An essential component for the development of every scientific area is mathematics.
This review was prompted by our view of the need to establish the body of the mathematical methods that are applied to cybersecurity research and studies. We believe that this is necessary for the emergence of the problematic area of cyber security from the status of a protoscience. This article aims to clarify the issue of the place, scope, and content of mathematical methods applied in cyber security research. It offers theoretical advancement in the systematization of these mathematical methods and theories that are applied in scientific research of the cybersecurity area. It also provides a new perspective on the diversity of the mathematical theories applied and proposes a direction for the next steps in an effort to lift cyber security from the status of a protoscience. A sub-goal of this work is determining the role of mathematical methods in situating the science of cyber security.
In confirmation of our understanding of cyber security as a proto-science, we share the opinion that the basic principles in the problem area of cyber security have not yet been clarified, despite the perceptions that have been expressed in many sources. The increase in the complexity of the cyber–physical world clearly leads to a violation of Occam’s principle, and our empirical experience shows that at the bottom of cyber incidents and risk management are the problems that relate to the organization of continuously growing information systems and networks. Another example of a problematic principle is stealth.
We consider that the foundations for new science in a particular thematic direction of research are laid based on accumulated practical experience and scientific experiments, and if an agreement has been reached within academic circles about:
  • The ground principles;
  • Consistent, complete, and relevant categorical apparatus with definitions of the basic terms covered;
  • A set of scientific methods that are applied to research the problem area;
  • The ability of the methods to predict phenomena and validate conceptual models.
The limitations of this review are as follows: (1) we focus only on the components of scientific methods that concern applicable cybersecurity-specific mathematical techniques, and (2) we only mention an incomplete list of the conventional mathematical domains surrounding information and communication technology, such as combinatorics, statistics, and graph theory. These are also applied in many pieces of cybersecurity research but are well-known and presented in university courses.
Cybersecurity is present in the software engineering family. As a member of the family of engineering sciences in the cybersecurity area, a variety of inherent exploration methods are applied. For example, issues with a categorical apparatus are under the attention of the working groups CWE/CAPEC UEWG, as per [12,13].
Given the efforts to clear the categorical apparatus, the terminology is yet to be adequately explained. We lean on the transitional state of cybersecurity research practice as a protoscience, accepting that this conclusion is also supported by Kotte’s work and the chosen definition of science therein [14]. From there, it can be seen that protoscience can become science and purge itself of the accumulated imperfections that characterize pseudoscience.
Cybersecurity is often associated with finding the needle in the haystack. Computer networks generate large volumes of traffic per day. Detecting small malware pieces causing abnormal traffic is a complicated task. The situation is the same when malicious actions are seen in a server farm, an integrated corporate complex of information systems, or a smart city with many interconnected critical infrastructures with OT. Various mathematical techniques can be used to create methods for analyzing cybersecurity data.
Practitioners work hard against high-profile attacks and vulnerabilities, but threats constantly emerge [15]. Evolving threats include malware, viruses, trojans, spyware, ransomware, adware, botnets [16,17], phishing and social engineering [18]; SQL injection [19]; insider threats [20], Distributed Denial-of-Service (DDoS) attacks [21,22,23]; Advanced Persistent Threats (APTs) [24,25]; Man-in-the-middle attacks [26,27].
The line of information security moves close to that of cybersecurity. At its core, information security has as its subject the organizational problems of protecting information systems and networks at a strategic corporate level. The term cybersecurity is presented in [28,29,30]. According to their conclusions, information security is a sup majority of cyber security [28,29,30]. Although the two terms are often used synonymously in practice, the context usually is clear. Discussions around relations between information and cyber security are presented in [2,3,31].
An example of the efforts to clear up terminology can be found in [32]. It shares the understanding of the difference between security engineering and security intelligence. Cyber-defense can be understood as security engineering with a family of methods. Security science is concerned with detecting the traces of attackers once they are positioned in information systems and networks.
Two main classes of effects are observed in cyberattacks. The first is an anomaly. It is characterized by the deviations in the behavior of software applications and the malicious traffic generated by the malware. The second class covers changes in the state of applications and the system environment due to the impact of exploits and payloads. Based on the techniques applied to the two types of attacks, the detection of cyberattacks can be classified as anomaly-based and signature-based [33]. Methods relating to anomaly detection techniques are effective against unknown types of attacks, and signatures can be applied to known malware [34].
Without entering into an in-depth meta-discussion about the relationships between the categories, our work systemizes mathematical approaches that apply to cybersecurity research.
The following lines comment on the main problems with the contradictions in the terms and the confusion in their conceptions.
A class of problems is associated with the lack of communication between cybersecurity experts and software developers [35] and the need for incorporating security practices into a DevOps software development lifecycle. Those issues led to the concept of DevSecOps related to collaboration between the development and the security teams from the idea of the operations stage [36].
The study of the sources further strengthened our belief about the need for a holistic approach from a science methodology viewpoint to research the existing gaps. This need is also confirmed by [37,38,39,40,41], lessons learned from cybersecurity incidents with SolarWinds [42], unpatched GitHub servers [43], and the need for proactive security [44]. The impact of cyber-attacks on interconnected critical infrastructure can be seen from the incidents with PipeLine [45].
Creating models of large complexes of information systems and networks with real installed platforms is expensive and time-consuming. Even more inefficient is constructing cyber defense testbeds of such laboratory structures. The possibilities of mathematical approaches are effective in these cases. Depending on the expertise of the modelers, they can be applied to model and predict the behavior of cybersecurity systems, validate conceptual models, etc.
Mathematical methods have proven effective in various applications of proactive actions, cybersecurity technologies, security incidents management, and investigations. We believe that these methods need to be systematized, further developed, and enriched in terms of their use for in-depth research in the field of cybersecurity. Such an initiative could support the formation of the content of academic disciplines in doctoral programs and increase opportunities for successful research and development work in companies.
The requirements we have in mind for choosing mathematical methods for this review are the following:
  • Methods that have been successfully applied in the scientific research on cyber security;
  • Methods that have been repeatedly used in different areas of cybersecurity;
  • Methods that are possibly accessible and can find a place in educational courses.
Our research findings from the literature show that such methods are used mainly from 2013–2015.

2. Motivations and Methodology

A system’s mathematical model represents an abstract description of its particular properties. The problems with mathematical modeling are relevancy and scope (range).
Regarding relevance, we believe that choosing an appropriate mathematical approach for modeling and validating certain qualities of cyber defense systems and cyber-attacks depends on the researchers’ heuristics. This empiricism depends on the experience gained. This view correlates with the purpose of this article.
Range capabilities lie between two end states. If the scope describes the problem’s properties, it can extend the model’s complexity with many details and becomes unsolvable. Another extreme is if the mathematical model is straightforward, it cannot predict and study the properties of the system. These mathematical models can be related to cyberattacks which have different goals. This way, victimized systems can be analyzed, system forecasts can be made, system information can be retrieved, verified, and future predictions can be made.
This article reviews the valuable mathematical methods applied in cybersecurity research activities. The task was conducted by checking the literature sources that focus on basic mathematical approaches from different mathematical theories, presenting several examples of the most used mathematical models of information systems and networks’ security, and systematizing the implementations of those theories in cybersecurity research areas.
The literature review covers applications in cybersecurity of the following mathematical approaches: Game theory with dynamic optimization and Bellman’s principle, Catastrophe theory, and the Queue theory of Markov processes with Kolmogorov equations.
The research task of our work was to find a reasonable answer to the next methodological question. Which mathematical methods are already used and validated for research and can be a component in establishing the science of cyber security?
The contributions of this research include justifying the current state of the cyber security problem area as a protoscience: an extension of the latest studies in the domain of cybersecurity science. These contributions have been fulfilled by checking articles with the most commonly applied mathematical methods in cyber security. The assumption of the efficacy of these methods is based on their application in the reviewed literature. A proposal for new terms CyberSecMath and Cyber Security Engineering is made in Section 5: Results and Conclusions of Mathematical Methods Implementation.
The sections are organized as follows. Section 3 focuses on the literature review, and Section 4 presents the most used mathematical methods in cybersecurity research. Section 5 summarizes the usage of mathematical methods in different cyber-security areas, and the conclusions summarize the findings. Finally, Section 6 consists of a discussion and offers possibilities for future research.

3. The Literature Review and Related Activities

The cyber protection of complex integrated information systems and networks is becoming more complicated. Building labs and testbeds to research such scenarios is a high-profile challenge. There is a shortage of cybersecurity expertise. The lack of specialists profiled in cyber defense is particularly noticeable. These are the conditions in which the academic community conducts and publishes research.
This part consists of a simple statistical analysis of related works. We note the achievements in the establishment of a basic standard categorical apparatus with the National Vulnerability Database, Common Vulnerability Scoring System (CVSS) [46], MITRE ATT&CK taxonomy, STIX, TAXII, CybOX, OpenIOC [47,48,49].
We observed issues with the terminological discrepancy commented on in [15,50,51]. We considered how the developing science of cybersecurity needs a categorical apparatus that is complete, consistent, and correct. The next step was to consolidate a set of appropriate mathematical instruments that would be applicable to suitable cases. Mathematical approaches were our focus. Defining an adequate set of mathematical practices can power and drive intensive research.
Part of the considered mathematical approaches was presented with applicable specifics in the reliability and availability engineering field in the book [52]. The analogy with its problematics gave rise to the proposed cyber security engineering category at the end of the section results and conclusions. This work presents the analytical and modeling techniques currently used. It contains standard approaches to nascent methods: binary decision diagrams, dynamic fault trees, Bayesian belief networks, stochastic Petri nets, non-homogeneous Markov chains, semi-Markov processes, and phase-type expansions [52].
Traditional mathematical approaches to cybersecurity problems include elements of set theory, probability theory, statistics, and graph theory [53,54,55,56,57]. In recent years, researchers have applied ideas from artificial intelligence, neural networks, graphs, game theory, and Markov chains.
A light search in Scopus with the search string “cybersecurity_X”, where X is from the set {game theory, probability, Bayesian}, shows {228, 41, 99} sources, respectively. The other sources contain applied approaches from combinatorial mathematics, probabilities, and statistics [58], graph theory [59], neural networks [60,61], fuzzy logic and fuzzy sets [62,63], and group theory in cryptography [64,65,66].
The first preliminary research question was about the publications and authors’ use of mathematical approaches. We received the relations between authors using the intersection with the search string “mathematical model cybersecurity” and “mathematical model cyber security” through Scopus services and VOSviewer. The results are presented in the tables in Figure 1 and Figure 2. Five clusters are highlighted with different colors, in which the families of the leading authors are noted. Their research can be found through sections combining the top authors’ surnames with the indicated search string.
Additional proof for this work is a part of articles mentioning mathematical approaches in the cybersecurity area. The search in January 2022 only in Scopus with the terms “cybersecurity” and “cyber security” showed more than 20,000 results for every one of them. The number of articles with mathematical approaches was ~400 for intersections presented in the whole set, which is about 2 percent.

4. Mathematical Approaches to Cybersecurity

We believe that the selected mathematical methods can be considered established in cyber security research. This set is aligned with the view of the requirements for models in applied cybersecurity from [14], the presented literature review, and our accumulated practical experience from building and researching real cyberdefense systems.

4.1. Game Theory

Game theory is based on participants known as players. In cybersecurity, it refers to the clash between malicious individuals and cybersecurity experts. Each side can choose from various actions, which can be limited or endless. The outcomes or profits depend on the selected strategy of the player. These actions are referred to as strategic games.
A two-player zero-sum matrix game is a game where the sum of the profits of both players equals zero:
$$v_1 + v_2 = 0,$$
If both players select mixed strategies $x = (x_1, x_2, x_3, \ldots, x_m)$ and $y = (y_1, y_2, y_3, \ldots, y_m)$, then the profit of the first player is the mathematical expectation:
$$E(x, y) = \sum_{i=1}^{m} \sum_{j=1}^{n} a_{ij} x_i y_j$$
where $E(v_1)$ is the expected value of the first player’s profit, $x$ and $y$ are the mixed strategies of the first and second players, respectively, and $a_{ij}$ is the profit of the first player when choosing strategy $i$ and the second player chooses strategy $j$. Here, the sums run over $i$ and $j$, that is, over all possible strategies in the game.
Let $X$ and $Y$ represent the sets comprising the mixed strategies for players $x$ and $y$, respectively.
The inquiry pertains to the presence of optimal strategies $x^*$ and $y^*$ for the first and second players, respectively, ensuring maximal expected profit (or minimal loss) for the first player while considering the best possible moves by the opponent.
As follows from the minimax theorem of game theory, there exist optimal strategies $x^*$ and $y^*$, i.e., the solution to a zero-sum matrix game is as follows:
$$\max_{x \in X} \min_{y \in Y} E(x, y) = \min_{y \in Y} \max_{x \in X} E(x, y) = E(x^*, y^*) = v$$
where, for $x \in X$ and $y \in Y$, the following is fulfilled:
$$E(x^*, y) \ge E(x^*, y^*) \ge E(x, y^*),$$
The game’s price is the saddle point number $v = E(x^*, y^*)$ [56]. The presented results are interpreted by one assailant and one guard in a digital environment. There always exists an optimal strategy for defense and a corresponding attack [53].
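The minimax solution above, worked through for a small assailant-versus-guard game as an added example (not code from the article). The 3×3 payoff matrix is constructed for illustration and the function names are this example's own; the game is solved exactly by enumerating the vertices of the first player's linear program, and the saddle-point inequalities are then checked.

```python
from fractions import Fraction
from itertools import combinations

# Constructed sample game (not from the article): the assailant (rows) attacks one
# of three assets worth 4, 3 and 1; the guard (columns) protects one asset.
# a_ij is the assailant's profit: the asset's value if unguarded, 0 if guarded.
SAMPLE_GAME = [[0, 4, 4],
               [3, 0, 3],
               [1, 1, 0]]


def solve_linear(M, rhs):
    """Gauss-Jordan elimination over exact fractions; None if M is singular."""
    n = len(M)
    aug = [[Fraction(v) for v in row] + [Fraction(r)] for row, r in zip(M, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] != 0), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        pv = aug[col][col]
        aug[col] = [v / pv for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [row[-1] for row in aug]


def maximin(A):
    """Mixed strategy x* and value v maximising min_j sum_i a_ij x_i (first player)."""
    m, n = len(A), len(A[0])
    best = None
    # An optimum lies at a vertex: k rows in the support, k columns tied at value v.
    for k in range(1, min(m, n) + 1):
        for rows in combinations(range(m), k):
            for cols in combinations(range(n), k):
                # Unknowns: x_i for i in rows, then v. One equation per tied column,
                # plus the normalisation sum(x_i) = 1.
                M = [[A[i][j] for i in rows] + [-1] for j in cols] + [[1] * k + [0]]
                sol = solve_linear(M, [0] * k + [1])
                if sol is None:
                    continue
                x = [Fraction(0)] * m
                for i, xi in zip(rows, sol):
                    x[i] = xi
                v = sol[k]
                feasible = min(x) >= 0 and all(
                    sum(A[i][j] * x[i] for i in range(m)) >= v for j in range(n))
                if feasible and (best is None or v > best[1]):
                    best = (x, v)
    return best


def solve_zero_sum(A):
    """Return (x*, y*, v) with max_x min_y E = min_y max_x E = v."""
    x, v = maximin(A)
    # The second player maximises -E, i.e. moves first in the game -A^T.
    neg_transpose = [[-A[i][j] for i in range(len(A))] for j in range(len(A[0]))]
    y, minus_v = maximin(neg_transpose)
    if v != -minus_v:
        raise ArithmeticError("maximin and minimax values differ")
    return x, y, v


def E(A, x, y):
    """Expected profit of the first player, E(x, y) = sum_i sum_j a_ij x_i y_j."""
    return sum(A[i][j] * x[i] * y[j] for i in range(len(x)) for j in range(len(y)))


def is_saddle_point(A, x, y):
    """Check E(x*, y) >= E(x*, y*) >= E(x, y*) for every pure y and x.
    Pure strategies suffice because E is linear in each argument."""
    v = E(A, x, y)
    unit = lambda n, k: [Fraction(int(i == k)) for i in range(n)]
    guard_cannot_lower = all(E(A, x, unit(len(y), j)) >= v for j in range(len(y)))
    attacker_cannot_raise = all(E(A, unit(len(x), i), y) <= v for i in range(len(x)))
    return guard_cannot_lower and attacker_cannot_raise


if __name__ == "__main__":
    x_star, y_star, value = solve_zero_sum(SAMPLE_GAME)
    print("assailant x* =", [str(f) for f in x_star])
    print("guard     y* =", [str(f) for f in y_star])
    print("value v =", value, "saddle point:", is_saddle_point(SAMPLE_GAME, x_star, y_star))
```

In the constructed game the lowest-value asset is neither attacked nor guarded at the optimum, which is the kind of allocation insight the saddle point gives a defender.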
The processes we considered were dynamic, and they developed over time. For this reason, we specified that all processes started from $t = 0$.
We also considered a different approach where L assailants attack N / L digital assets of the defensive players (Figure 3).
Applying the Hamilton-Jacobi-Bellman model,
V L 0 ^ x = max u i L   lim i L   l o g u i + ε V L 0 ^ ε x i L   u i i N \ L   u L 0 ^ α
V L   ^ x = m a x u i   ^ N \ L lim i L l o g u i   ^ + ε V L   ^ ε x i L u i i N \ L u i   ^ α
to solve the equation, we used the following substitution:
$$\hat{V}_L(x) = \hat{A}_L \log x + \hat{B}_L$$
$$\hat{V}_i(x) = \hat{A}_i \log x + \hat{V}_i$$
Flow control could be defined as follows:
$$u_i = y_i K x, \quad i \in L$$
Since we considered all players to be homogeneous, the Bellman equation gave the optimal solution for each player:
$$\hat{u}_i = y_i \hat{k} x,$$
where $u_i$ is a class of players using the corresponding strategy $x$ with weight coefficients. We needed to find the following coefficients to obtain the optimal solution:
V i k = 1 a k 1 + n k 1 a δ x
where x t ≥ 0 is the action of the player at time t, α 0 ,   1 , which corresponds to the winning item parameter, 0 < δ < 1 is the discounting coefficient, and i = 0 , , n   а u i t 0 represents the value of the payoff for player i , i = i , , n in moment t. We introduced a = α δ   n as the number of players, with k players in a coalition, and k < n . In the complete Bellman equation, which describes a dynamic process, we used the variable t , which represents time. In our case, we only mentioned that the process was dynamic and could be described more complexly with an integral or a system of differential equations to simplify the equations. For more information, see Mazalov [56]
V L   ^ x = k 1 a l o g x 1 1 δ B L   ^
B L = k 1 1 a l o g δ 1 + n k 1 a + l o g 1 a + a 1 a l o g a l o g k

4.2. Game Theory Use Case and Analysis

An example of game theory is the prisoner’s dilemma [67]. Two people are suspected by the police of having committed a serious crime, but unfortunately for the police, they only have proof of a slight one. They lock the two up in two separate rooms. There are several scenarios:
  • If both are silent, they receive a light fine;
  • If one is silent and the other speaks, the quiet person receives a severe sentence, and the other is released;
  • If they both speak, they will receive a severe sentence.
In many Operations Research (OR) operations [67], it is necessary to solve OR tasks related to decision-making problems in conditions of uncertainty. Uncertainties can be conditions for performing operations or conscious actions of the opponent on which the operation’s success depends. Uncertainties about one degree or another can be related to the procedure’s success. Success does not always depend on the complete exhaustion of one indicator or the effectiveness of the operations.
When solving various practical tasks from the study of operations, it is necessary to analyze situations in which two or more warring parties change their pursued goals on which the success of the process depends. Such operations can be called conflict operations.
Each immediate situation from practice is complex, and the analysis is one of the many insignificant factors. A special mathematical apparatus called game theory was developed from the need to analyze such situations. In order to analyze such models, it is necessary to ignore secondary factors on which the games’ success does not depend; this model can be called a game.
We formalized the rules already implemented in games such as checkers, chess, etc.
Suppose we had a game of two participants, A and B, with opposite interests. By game, we mean an event or sequence of actions or moves by A and B. To analyze the game, it is necessary to form the rules of the game, i.e., a system of conditions governing:
  • The possible variants of game actions;
  • The volume of information about each side of the other player’s behavior;
  • The result (exit) from the game, which we could obtain from the specific actions of the players.
There are sharply differentiated opinions regarding the appropriate analysis method of interrupted phenomena in mathematics to study interruption. Additional methods include crash theory, chaos theory, fractal geometry [68], synergistic theory [69], self-organizing criticality [70], rotating glass theory, and emerging complexity [71].
Another aspect of looking at one cyber system is the transition from one state to another.
Many researchers see interruptions as fundamental to the nature of non-linear dynamic systems. In a shared plan, the theory of interruption is a theory of bifurcations, where they appear as a subset. In the context of a dynamic system’s asymptotic behavior, Poincaré posed the question of structural stability. If a slight disturbance is introduced to the system, will its long-term behavior remain approximately consistent, or will a substantial alteration occur? The latter implies that the system is structurally unstable and has encountered a bifurcation point.
In cybersecurity, game theory can be used to model the interaction between hackers (attackers) and users (defenders). In such a scenario, hackers attempt to penetrate the system while users make efforts to protect it.
We considered two players: a hacker (H) and a user (U). They could choose between different strategies. The hacker could choose to attack (A), not attack (NA), and the user could choose to defend (D) or not defend (ND) their system.
The payoff matrix might look similar to this:
|       | U: D       | U: ND     |
| H: A  | (−CH, −CU) | (GH, −LU) |
| H: NA | (0, 0)     | (0, 0)    |
Here CH and CU are the costs for the hackers and users, respectively, GH is the gain for hackers upon a successful attack, and LU is the loss of users upon a successful attack.
The goal of the hackers is to maximize their gain, while the purpose of the users is to minimize their loss. Game theory can be used to find the Nash equilibrium between these two parties, indicating the optimal strategies that hackers and users should follow.
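An added example, not from the article, that evaluates the hacker/user payoff matrix above with exact arithmetic: it lists the pure Nash equilibria and computes the smallest defence probability at which attacking stops paying. The numeric values chosen for CH, CU, GH and LU are constructed, and the function names are this example's own.

```python
from fractions import Fraction
from itertools import product

# Constructed sample parameters (not from the article): attack cost CH,
# defence cost CU, hacker gain GH and user loss LU on a successful attack.
SAMPLE = dict(CH=2, CU=1, GH=6, LU=10)


def payoffs(CH, CU, GH, LU):
    """(hacker, user) payoffs for the four cells of the matrix in the text."""
    return {
        ("A", "D"): (-CH, -CU),
        ("A", "ND"): (GH, -LU),
        ("NA", "D"): (0, 0),
        ("NA", "ND"): (0, 0),
    }


def expected(game, p_attack, q_defend):
    """Expected (hacker, user) payoffs when H attacks with probability p
    and U defends with probability q."""
    p, q = Fraction(p_attack), Fraction(q_defend)
    weights = {
        ("A", "D"): p * q,
        ("A", "ND"): p * (1 - q),
        ("NA", "D"): (1 - p) * q,
        ("NA", "ND"): (1 - p) * (1 - q),
    }
    eh = sum(w * game[cell][0] for cell, w in weights.items())
    eu = sum(w * game[cell][1] for cell, w in weights.items())
    return eh, eu


def is_nash(game, p_attack, q_defend):
    """True when neither player gains by deviating to a pure strategy
    (a mixed deviation can never beat the best pure one)."""
    eh, eu = expected(game, p_attack, q_defend)
    hacker_ok = all(expected(game, p, q_defend)[0] <= eh for p in (0, 1))
    user_ok = all(expected(game, p_attack, q)[1] <= eu for q in (0, 1))
    return hacker_ok and user_ok


def pure_equilibria(game):
    """Pure-strategy Nash equilibria as (hacker move, user move) pairs."""
    names = {(0, 0): ("NA", "ND"), (0, 1): ("NA", "D"),
             (1, 0): ("A", "ND"), (1, 1): ("A", "D")}
    return [names[(p, q)] for p, q in product((0, 1), repeat=2) if is_nash(game, p, q)]


def deterrence_threshold(CH, GH, **_):
    """Smallest defence probability q that makes an attack unprofitable:
    q*(-CH) + (1 - q)*GH <= 0  <=>  q >= GH / (GH + CH)."""
    return Fraction(GH, GH + CH)


def equilibria_on_grid(game, steps=4):
    """All (p, q) on a regular probability grid that are Nash equilibria."""
    grid = [Fraction(k, steps) for k in range(steps + 1)]
    return [(p, q) for p in grid for q in grid if is_nash(game, p, q)]


if __name__ == "__main__":
    game = payoffs(**SAMPLE)
    print("pure equilibria:", pure_equilibria(game))
    print("defend with probability >=", deterrence_threshold(**SAMPLE))
    print("equilibria on grid:", [(str(p), str(q)) for p, q in equilibria_on_grid(game)])
```

With these numbers every equilibrium has the hacker not attacking, but only while the user defends with probability at least GH / (GH + CH); below that level attacking becomes the hacker's best response.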
A simple two-body example is the escape velocity of a rocket launched from the ground. This is about 6.9 miles per second: a bifurcation value for this system. The rocket falls back to earth at a speed less than this, while at a greater speed it can escape into space. It is no exaggeration to say that bifurcation theory is the mathematics of interruption [72].

4.3. Catastrophe Theory

Catastrophe theory, in mathematics, is a set of methods that are used to study and classify how a system can undergo sudden significant changes in behavior as one or more variables that control it change continuously. Catastrophe theory is generally considered a branch of geometry, as variables and the resulting behavior are depicted as curves or surfaces, and the official development of the theory is attributed mainly to the French topologist René Thom.
Many physical systems can be described as potentially dependent on control parameters. If we do not include the time factor, the system must be static, and we must work with elementary catastrophe theory. Otherwise, we must describe a system of dynamic equations that uses gradient methods from the bifurcation theory.
According to Arnold’s book [73], ‘The Change in the Phase Space of a System’, the following variants may arise:
A. When the parameter changes from the equilibrium position, a limit cycle is born (with a radius of the order √ε when the parameter’s value differs from the bifurcation one by ε). Equilibrium stability proceeds into a cycle, while equilibrium itself becomes unstable (Figure 4).
B. In equilibrium, an unstable limit cycle dies; the area of attraction of the equilibrium position decreases to zero, after which the cycle disappears, and its instability is transferred to equilibrium.
A. In equilibrium, an unstable limit cycle dies; the area of attraction that Poincare noticed, alongside A. Andronov and his students, even before the war (in 1939), proved that positions merge with the unstable, as described above, in addition to the loss of stability in the equilibrium. The methods of loss of stability are just as described in type A or B in the ordinary one-parameter families of systems with two-dimensional phase space; no other types of loss in stability occur. It was later proven that in phase space systems with a larger dimension, the loss of stability of the equilibrium positions with a change in one parameter occurred in one of the ways described. In the directions of all additional coordinate axes, the balance remains attractive with a change in the parameter [73].
If the equilibrium position is in a steady state or is a steady state in the real system, then when the parameter changes in cases A and B, the following phenomena can be observed.
B. After the loss of equilibrium stability, the steady state is the oscillatory periodic regime; the amplitude of the vibrations is proportional to the square root of the super-criticality. The difference between the parameter and the critical value is that at which the equilibrium loses its stability [55].
Catastrophe theory is a mathematical approach to studying discontinuities or sudden shifts in behavior in complex systems. One of the most basic models in catastrophe theory is the cusp catastrophe model, represented by the equation $V(x, a, b) = ax - bx^2 + \frac{x^4}{4}$.
$V(x, a, b)$ represents the potential function, $x$ is the system’s state variable, and $a$ and $b$ are control parameters. The potential function exhibits a local minimum, indicating the system’s stable equilibrium state. When control parameters change, the equilibrium state can shift suddenly, leading to catastrophe.
In the context of cybersecurity, $x$ could represent the security level of a system, $a$ could represent the attacker’s capabilities, and $b$ could represent the defender’s efforts to protect the system. By analyzing the behavior of the potential function and its derivatives, it is possible to identify the conditions under which a sudden shift in the security state might occur, potentially leading to a catastrophic security breach.
To make the presentation of catastrophe theory more rigorous, the equations describing the equilibrium points, derivatives, and other relevant properties of the cusp catastrophe model should be included and discussed in the context of cybersecurity.
To continue applying catastrophe theory in cybersecurity, we explored how we could analyze catastrophic changes in the security of a system using the cusp catastrophe model.
A sample model for applying catastrophe theory in cybersecurity:
  • Finding equilibrium points: the equation $\frac{\partial V(x, a, b)}{\partial x} = 0$ can be solved to find the equilibrium points of a system. This shows at what values of x the system is in equilibrium.
  • Analyzing the stability of equilibrium points: the second derivative $\frac{\partial^2 V(x, a, b)}{\partial x^2}$ can be examined at the equilibrium points. If the second derivative is positive, the equilibrium point is stable; if it is negative, it is unstable.
  • Studying the changes in equilibrium points with changes in control parameters a and b: how the equilibrium points differ as a and b change can be analyzed. This provides information on potential catastrophic system security changes when attackers increase their capabilities or defenders change their protection efforts.
  • Proposing countermeasures or strategies: based on the catastrophe theory analysis, strategies can be suggested for defenders to prevent catastrophic changes in the system’s security or cope with them when they occur.
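The steps listed above can be carried out numerically, taking the cusp potential as V(x, a, b) = ax − bx² + x⁴/4. The Python code below is an added example, not code from the article; the function names and the sample values (b = 1.5 and the sweep of a) are constructed for illustration.

```python
import math

def potential(x, a, b):
    """Cusp potential V(x, a, b) = a*x - b*x^2 + x^4/4."""
    return a * x - b * x**2 + x**4 / 4.0

def second_derivative(x, b):
    """d2V/dx2 = 3x^2 - 2b (it does not depend on a)."""
    return 3.0 * x**2 - 2.0 * b

def discriminant(a, b):
    """Discriminant of dV/dx = x^3 - 2b*x + a; zero on the bifurcation set."""
    return 32.0 * b**3 - 27.0 * a**2

def _cbrt(v):
    return math.copysign(abs(v) ** (1.0 / 3.0), v)

def equilibria(a, b):
    """Step 1: real roots of dV/dx = x^3 - 2b*x + a = 0, ascending."""
    p, q = -2.0 * b, a
    disc = discriminant(a, b)
    if disc > 0:                      # three distinct equilibria (trigonometric form)
        m = 2.0 * math.sqrt(-p / 3.0)
        arg = max(-1.0, min(1.0, 3.0 * q / (2.0 * p) * math.sqrt(-3.0 / p)))
        theta = math.acos(arg) / 3.0
        roots = [m * math.cos(theta - 2.0 * math.pi * k / 3.0) for k in range(3)]
    elif disc < 0:                    # a single equilibrium (Cardano's formula)
        s = math.sqrt(-disc / 108.0)
        roots = [_cbrt(-q / 2.0 + s) + _cbrt(-q / 2.0 - s)]
    elif p == 0.0:                    # a = b = 0: triple root at the origin
        roots = [0.0]
    else:                             # on the bifurcation set: simple and double root
        roots = [3.0 * q / p, -3.0 * q / (2.0 * p)]
    return sorted(roots)

def classify(x, b):
    """Step 2: sign of the second derivative at an equilibrium point."""
    d2 = second_derivative(x, b)
    if d2 > 0:
        return "stable"
    if d2 < 0:
        return "unstable"
    return "degenerate"               # the second-derivative test is inconclusive

def stable_states(a, b):
    return [x for x in equilibria(a, b) if classify(x, b) == "stable"]

def critical_attack(b):
    """|a| at which two equilibria merge and vanish (discriminant = 0)."""
    return math.sqrt(32.0 * b**3 / 27.0) if b > 0 else 0.0

def sweep(b, a_values, x_start):
    """Step 3: follow the state as a changes; the system stays in the
    stable equilibrium nearest to the one it occupied before."""
    x, path = x_start, []
    for a in a_values:
        candidates = stable_states(a, b) or equilibria(a, b)
        x = min(candidates, key=lambda s: abs(s - x))
        path.append((a, x))
    return path

def first_jump(path, min_jump=1.0):
    """Value of a at which the tracked state changes by at least min_jump."""
    for (_, x0), (a1, x1) in zip(path, path[1:]):
        if abs(x1 - x0) >= min_jump:
            return a1
    return None

if __name__ == "__main__":
    b = 1.5                                    # constructed defender effort
    a_up = [i * 0.25 for i in range(13)]       # constructed attacker sweep 0..3
    up = sweep(b, a_up, math.sqrt(2.0 * b))    # start in the upper equilibrium
    down = sweep(b, a_up[::-1], up[-1][1])     # then reduce a again
    print("critical a for b=1.5:", critical_attack(b))
    print("sudden shift at a =", first_jump(up))
    print("shift on the way back:", first_jump(down))
    for a, x in up:
        print(f"a={a:4.2f}  x={x:+.4f}  V={potential(x, a, b):+.4f}")
```

In this constructed run the tracked state drops from the upper to the lower equilibrium once a reaches the critical value, and lowering a back to zero does not restore it. For step 4, this hysteresis means that the threshold `critical_attack(b)` has to be kept above the expected a beforehand, because reducing a afterwards does not undo the shift.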
An anomaly detection method based on the modified catastrophe theory and focusing on accidental change in cloud network traffic is presented in [74]. The model presented illustrates the Swallowtail catastrophe visualization. This is a simple example. To describe a dynamic system, partial differential equations can be used.
The following research concerns the use of catastrophe theory to detect saturation attacks. The cusp catastrophe model for saturation detection can be effectively applied for DoS attacks against SDN (Software Defined Network). Khatibzadeh et al. explored the cusp catastrophe model to reveal anomalies in the traffic, using the distance between the observed point and the bifurcation set [75]. By analogy with the application of catastrophe theory in the ecological area [76], we proposed the term cyber pollution, presented in [10].

4.4. Theory of Queuing

Queuing theory is one of the fastest-growing areas of applied mathematics. In queuing theory, any need to perform an activity is called a “request” or “customer”. Service should be seen as the performance of some kind of activity aimed at satisfying a need. The object that serves the request is called a service device (apparatus) or “service channel”. The maximum number of requests that can be serviced simultaneously determines the capacity of the service system.
A characteristic feature of this system is that requests can be received irregularly. When studying the system, it turns out that due to a number of random reasons and factors, the number of requests in a given time interval is a random variable. The period that covers the beginning and end of the service (i.e., the time during which the request is serviced) is called the service time.
One of the basic concepts of public service theory is the flow of requests entering the service system. In the following statement, we called it a tributary. We could distinguish this flow from the outflow (i.e., the flow of requests leaving the system). Another key feature that determines how a service device processes requests is accessibility. It determines the health of the service device. In practice, we found many examples of different service mechanisms. To successfully deal with these possible situations, researchers do not always need just to know their solution; it is enough to have a more complete set of methods that do not use the queuing theory.
The physical system S has four possible states S1, S2, S3, and S4. Figure 5 shows the graph of states and transitions and their intensities.
This system can be in the following states: S1: upright; S2: faulty, stopped, fault sought; S3: the repair is completed; S4: preparations are underway for the launch of the computer.
On the left are the derivatives of the probabilities. There are as many members on the right as arrows to connect the state with other states. If the arrow goes out of state, the corresponding member has a minus sign (Figure 5). If the arrow enters the state, the sign is “plus”. Each term is equal to the product of the density of transition probabilities corresponding to the given arrow multiplied by the probability of the state from which the arrow comes out:
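$$\frac{dp_1(t)}{dt} = -\lambda_{12} p_1 - \lambda_{13} p_1 + \lambda_{31} p_3$$
$$\frac{dp_2(t)}{dt} = \lambda_{12} p_1 + \lambda_{32} p_3 - \lambda_{24} p_2$$
$$\frac{dp_3(t)}{dt} = \lambda_{13} p_1 - \lambda_{31} p_3 - \lambda_{32} p_3 + \lambda_{41} p_4$$
$$\frac{dp_4(t)}{dt} = \lambda_{24} p_2 - \lambda_{41} p_4$$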
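The sign rule stated above turns a list of arrows directly into the right-hand sides of the equations, which can then be integrated to the stationary probabilities. The Python code below is an added example, not code from the article. The arrow set is read from the terms of the four equations (with the λ41 term leaving S4 and entering S3, as those equations place it); the numeric intensities, the function names and the step size are constructed assumptions, since the values of Figure 5 are not reproduced here.

```python
# Constructed intensities; arrows are (source state, target state, intensity).
ARROWS = [
    ("S1", "S2", 1.0),   # lambda_12
    ("S1", "S3", 2.0),   # lambda_13
    ("S3", "S1", 1.0),   # lambda_31
    ("S3", "S2", 2.0),   # lambda_32
    ("S2", "S4", 2.0),   # lambda_24
    ("S4", "S3", 3.0),   # the term written lambda_41 * p_4 in the equations
]
P0 = {"S1": 1.0, "S2": 0.0, "S3": 0.0, "S4": 0.0}   # start in state S1

def kolmogorov_rhs(p, arrows):
    """dp_i/dt for every state: each arrow contributes intensity * p[source],
    with a minus sign for the state it leaves and a plus sign for the state
    it enters."""
    dp = {s: 0.0 for s in p}
    for src, dst, rate in arrows:
        flow = rate * p[src]
        dp[src] -= flow
        dp[dst] += flow
    return dp

def _shift(p, k, h):
    return {s: p[s] + h * k[s] for s in p}

def rk4_step(p, arrows, dt):
    """One classical fourth-order Runge-Kutta step of the linear system."""
    k1 = kolmogorov_rhs(p, arrows)
    k2 = kolmogorov_rhs(_shift(p, k1, dt / 2.0), arrows)
    k3 = kolmogorov_rhs(_shift(p, k2, dt / 2.0), arrows)
    k4 = kolmogorov_rhs(_shift(p, k3, dt), arrows)
    return {s: p[s] + dt / 6.0 * (k1[s] + 2.0 * k2[s] + 2.0 * k3[s] + k4[s])
            for s in p}

def solve(p0, arrows, t_end, dt=0.01):
    """State probabilities at time t_end, starting from p0 at t = 0."""
    p = dict(p0)
    for _ in range(int(round(t_end / dt))):
        p = rk4_step(p, arrows, dt)
    return p

if __name__ == "__main__":
    for t in (0.1, 0.5, 1.0, 10.0):
        p = solve(P0, ARROWS, t)
        row = "  ".join(f"{s}={p[s]:.4f}" for s in sorted(p))
        print(f"t={t:5.1f}  {row}  sum={sum(p.values()):.6f}")
```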
Usually, researchers are focused on traditional aspects of a phenomenon, which are entirely unfettered in detail. An analogy that explains the cybersecurity situation is presented in [77]. In thermodynamics, the behavior of gas in a box, assuming it contains x molecules, has been studied. The gas’s state is considered a point of the six-dimensional phase space. Researchers are not interested in the exact phase space point that the gas occupies; even if they succeeded in determining it with certainty, this would bring no benefit. For applications and research, it is sufficient to consider the gas state as a function of three parameters (temperature, volume, and pressure) and to study the relationship between them. This also includes equations of motion in phase rise and the relationship between these parameters.
In the same way, cybersecurity deals with highly complex phenomena. It is a natural characteristic of integrated information systems and networks. Many of these details are not exciting or cannot be observed. Here is a place where mathematical models inherently isolate most exterior details and are constructed appropriately to allow for needed abstractions. We have focused on the most used mathematical theories in the presented work. In essence, these models have the potential to simulate different properties of the studied systems. Processes can also lead to several natural and powerful abstraction operators. The resultant calculations correspond to those observed by an external observer. They serve to validate the model by comparing it with the behavior of the existing system. Successful validation is a prerequisite for conducting large-scale studies of system behavior. The choice of the mathematical approach remains heuristic and depends on the background of the modeler.
Use cases exist for analyzing attack efficiency and validating the model with the queueing theory [78,79]. RESLab analyses the challenges of incorporating MiTM (Man in The Middle) attacks under disparate polling rates and a set of DNP3 (Distributed Network Protocol 3) outstations for a voluminous power grid using the queuing theory [80].

5. Results and Conclusions of Mathematical Methods Implementation

This article presents basic mathematical approaches to computer security analysis and the ability to perform validation, simulations, and predict the behavior of information systems and the communication networks under attack.
The central part of the reviewed articles is dedicated to attacks from the side of hackers. The lack of mathematical models implemented in cyber protection is a common weakness that needs the research community’s attention. The reason for this is the complexity of modern information systems and networks in a rapidly changing cyber-physical environment. A set of sample mathematical theories use cases is presented in Table 1. For example, the first publication is dedicated to the finding of malevolent repeated actions in a massive volume of legal network traffic [81].
Our recommendations for future work include research on the successful application of mathematical approaches in cybersecurity. The hypothesis behind this view is that they can be applied to analogical cases when managing changes in cybersecurity systems of information systems and networks.
We contend that a successful cyber security professional must be skilled with the instruments of the core academic fields of Science, Technology, Engineering, and Maths (STEM) and that the ability to model is essential for designing the cyber defenses of the expanding information systems and networks of today.
We propose introducing these two categories based on our long-term experience implementing large-scale cyber defense schemes and the presented review and interpretation of its results.
The first one is CyberSecMath which relates to the scope of the presented mathematical approaches. The second is a Cyber Security Engineering category. This proposal is related to the clear separation of engineering and research activities achieved in recent years. The content of this category covers all planning, organization, and technical implementation activities incorporating cyber security measures following regulatory measures. We believe that the importance of this category for cybersecurity protoscience lies in clarifying the two-way relationship between research and practice.
According to our vision, the heuristically evolved procedural approaches developed in naturally influenced methods [104] or in quantum computing, for example, fully homomorphic algorithms and software security [105], are positioned within the scope of the term Cyber Security Engineering.
The proposed paper addresses well-established mathematical theories in conventional cybersecurity research. From the perspective of meta-science, cutting-edge technologies are of interest when systematizing mathematical theories applied to the study of cybersecurity problems. In particular, these include quantum computing, quantum networks, and quantum sensors. Use cases include linear algebra over the field of complex numbers, probability theory, mathematical statistics, and information theory. These theories can be applied in models for QKD and quantum threats related to the decryption and the breaking of crypto algorithms when used in pre-quantum digital technologies, as shown in the last row of Table 1.

6. Discussion

This proto-scientific state leads toward two directions for development. The first direction can be further spread in the capacities for observation, collection, and the design of model-based experiments, and according to Popper [106] and Kott [14], to build the necessary qualities for actual science. Or it can remain protoscience in a mystique state. The last one is characterized as pseudoscience. Its techniques and practices are “neither fundamentally understood nor rigorously reliable”.
Looking at cyber security through the lens of the literature review, we can conclude that it is necessary to consolidate knowledge and to (1) revise the basic principles, (2) outline the theoretical framework with consistency, correctness, and completeness of terminology, (3) aggregate methodological approaches about experiments, and (4) systematize mathematical methods. This conclusion includes not only technical sides and does not exclude the physiological and social issues related to adversaries and cybersecurity incidents. It outlines further directions for future research.

Author Contributions

Conceptualization, W.D. and I.T.; methodology, W.D.; mathematic formulations, I.T.; validation, I.T. and M.T.; literature investigation, systematizing mathematical theories use cases, T.O. and M.T.; writing and original draft preparation, W.D.; writing, review and editing, visualization, and supervision I.T. and G.D. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported by the NSP SD program, which has received funding from the Ministry of Education and Science of the Republic of Bulgaria under the grant agreement no. D01-74/19.05.2022.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Informed consent was obtained from all subjects involved in the study.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Fuster, G.G.; Jasmontaite, L. Cybersecurity Regulation in the European Union: The Digital, the Critical and Fundamental Rights. In The Ethics of Cybersecurity; Christen, M., Gordijn, B., Loi, M., Eds.; The International Library of Ethics, Law and Technology; Springer International Publishing: Cham, Switzerland, 2020; Volume 21, pp. 97–115. ISBN 978-3-030-29052-8.
  2. Kenneally, E. Cyber Risk Economics Capability Gaps Research Strategy. 2018. Available online: https://www.dhs.gov/publication/cyrie-capability-gaps-research-strategy (accessed on 7 January 2022).
  3. European Union Agency for Cybersecurity. Addressing the EU Cybersecurity Skills Shortage and Gap through Higher Education; Publications Office: Luxemburg, 2021.
  4. Goupil, F.; Laskov, P.; Pekaric, I.; Felderer, M.; Dürr, A.; Thiesse, F. Towards Understanding the Skill Gap in Cybersecurity. In Proceedings of the 27th ACM Conference on Innovation and Technology in Computer Science Education, Dublin, Ireland, 7 July 2022; Volume 1, pp. 477–483.
  5. Alzahrani, N.M.; Alfouzan, F.A. Augmented Reality (AR) and Cyber-Security for Smart Cities—A Systematic Literature Review. Sensors 2022, 22, 2792.
  6. Ryznar, P. Cybersecurity and the Explosion of Augmented Reality. Forbes 2019. Available online: https://www.forbes.com/sites/forbestechcouncil/2019/09/06/cybersecurity-and-the-explosion-of-augmented-reality/ (accessed on 3 February 2022).
  7. Mecheva, T.; Kakanakov, N. Cybersecurity in Intelligent Transportation Systems. Computers 2020, 9, 83.
  8. Ma, C. Smart City and Cyber-Security; Technologies Used, Leading Challenges and Future Recommendations. Energy Rep. 2021, 7, 7999–8012.
  9. Al-Turjman, F. Internet of Nano-Things and Wireless Body Area Networks (WBAN); CRC Press/Taylor & Francis Group: Boca Raton, FL, USA, 2019; ISBN 978-0-429-24370-7.
  10. Dimitrov, W.; Dimitrov, G.; Spassov, K.; Petkova, L. Vulnerabilities Space and the Superiority of Hackers. In Proceedings of the 2021 International Conference Automatics and Informatics (ICAI), Islamabad, Pakistan, 5–7 September 2021.
  11. Luo, Y. A General Framework of Digitization Risks in International Business. J. Int. Bus Stud. 2022, 53, 344–361.
  12. CAPEC—Related Activities 2022. Available online: https://capec.mitre.org/community/related.html (accessed on 11 February 2022).
  13. Kanakogi, K.; Washizaki, H.; Fukazawa, Y.; Ogata, S.; Okubo, T.; Kato, T.; Kanuka, H.; Hazeyama, A.; Yoshioka, N. Tracing CVE Vulnerability Information to CAPEC Attack Patterns Using Natural Language Processing Techniques. Information 2021, 12, 298.
  14. Kott, A. Towards Fundamental Science of Cyber Security. In Network Science and Cybersecurity; Pino, R.E., Ed.; Advances in Information Security; Springer: New York, NY, USA, 2014; Volume 55, pp. 1–13. ISBN 978-1-4614-7596-5.
  15. Li, Y.; Liu, Q. A Comprehensive Review Study of Cyber-Attacks and Cyber Security; Emerging Trends and Recent Developments. Energy Rep. 2021, 7, 8176–8186.
  16. Namanya, A.P.; Cullen, A.; Awan, I.U.; Disso, J.P. The World of Malware: An Overview. In Proceedings of the 2018 IEEE 6th International Conference on Future Internet of Things and Cloud (FiCloud), Barcelona, Spain, 6–8 August 2018; pp. 420–427.
  17. Megira, S.; Pangesti, A.R.; Wibowo, F.W. Malware Analysis and Detection Using Reverse Engineering Technique. J. Phys. Conf. Ser. 2018, 1140, 012042.
  18. Petkova, L. Security’s Leaks in Seo Spamming. Knowl. Int. J. 2019, 35, 987–991.
  19. Abikoye, O.C.; Abubakar, A.; Dokoro, A.H.; Akande, O.N.; Kayode, A.A. A Novel Technique to Prevent SQL Injection and Cross-Site Scripting Attacks Using Knuth-Morris-Pratt String Match Algorithm. EURASIP J. Infor. Secur. 2020, 2020, 14.
  20. Greitzer, F.L. Insider Threats: It’s the Human, Stupid! In Proceedings of the Northwest Cybersecurity Symposium, Richland, WA, USA, 8 April 2019; pp. 1–8.
  21. Gupta, B.B.; Dahiya, A. Distributed Denial of Service (DDoS) Attacks: Classification, Attacks, Challenges, and Countermeasures, 1st ed.; CRC Press: Boca Raton, FL, USA, 2021; ISBN 978-1-00-310735-4.
  22. Rahamathullaha, U.; Karthikeyanb, E. Distributed Denial of Service Attacks Prevention, Detection and Mitigation—A Review. SSRN J 2021. Available online: https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3852902_code4708996.pdf?abstractid=3852902&mirid=1 (accessed on 17 February 2022).
  23. Wani, S.; Imthiyas, M.; Almohamedh, H.; Alhamed, K.M.; Almotairi, S.; Gulzar, Y. Distributed Denial of Service (DDoS) Mitigation Using Blockchain—A Comprehensive Insight. Symmetry 2021, 13, 227.
  24. Xuan, C.D.; Van, L.; Victor, T. Detecting C&C Server in the APT Attack Based on Network Traffic Using Machine Learning. IJACSA 2020, 11, 22–27.
  25. Brandao, P.R. Advanced Persistent Threats (APT)-Attribution-MICTIC Framework Extension. J. Comput. Sci. 2021, 17, 470–479.
  26. Mallik, A.; Ahsan, A.; Shahadat, M.M.Z.; Tsou, J.-C. Man-in-the-middle-attack: Understanding in simple words. Int. J. Data Netw. Sci. 2019, 3, 77–92.
  27. Ahmad, F.; Adnane, A.; Franqueira, V.; Kurugollu, F.; Liu, L. Man-In-The-Middle Attacks in Vehicular Ad-Hoc Networks: Evaluating the Impact of Attackers’ Strategies. Sensors 2018, 18, 4040.
  28. Martin, A.; Rashid, A.; Chivers, H.; Danezis, G.; Schneider, S.; Lupu, E. The Cyber Security Body of Knowledge; University of Bristol: Bristol, UK, 2019.
  29. Dimitrov, W. ICT Security Model. Cyber Security; Avangard Prima: Sofia, Bulgaria, 2018; 262p, ISBN 978-619-160-950-5.
  30. Von Solms, R.; van Niekerk, J. From Information Security to Cyber Security. Comput. Secur. 2013, 38, 97–102.
  31. Cains, M.G.; Flora, L.; Taber, D.; King, Z.; Henshel, D.S. Defining Cyber Security and Cyber Security Risk within a Multidisciplinary Context Using Expert Elicitation. Risk Anal. 2021, 42, 1643–1669.
  32. Pavlovic, D. On Bugs and Elephants: Mining for Science of Security. In Developing a Blueprint for a Science of Cybersecurity; The Next Wave; The National Security Agency’s Review of emerging technologies; Department of Defense: Richmond, VI, USA, 2012; Volume 19.
  33. Almseidin, M.; Alzubi, M.; Kovacs, S.; Alkasassbeh, M. Evaluation of Machine Learning Algorithms for Intrusion Detection System 2018. Available online: https://arxiv.org/ftp/arxiv/papers/1801/1801.02330.pdf (accessed on 28 March 2023).
  34. Chandola, V.; Banerjee, A.; Kumar, V. Anomaly Detection: A Survey. ACM Comput. Surv. 2009, 41, 1–58.
  35. Ashenden, D.; Ollis, G. Putting the Sec in DevSecOps: Using Social Practice Theory to Improve Secure Software Development. In Proceedings of the NSPW ’20: New Security Paradigms Workshop, Online, 26–29 October 2020.
  36. Mohan, V.; Othmane, L.B. SecDevOps: Is It a Marketing Buzzword?-Mapping Research on Security in DevOps. In Proceedings of the 2016 11th International Conference on Availability, Reliability and Security (ARES), Salzburg, Austria, 31 August–2 September 2016; pp. 542–547.
  37. Anid, N.M. A Highly Trained And College-Educated Workforce Is Needed To Fill Cybersecurity Jobs. Cybercrime Magazine, 15 October 2018. Available online: https://cybersecurityventures.com/a-highly-trained-and-college-educated-workforce-is-needed-to-fill-cybersecurity-jobs/ (accessed on 11 February 2022).
  38. Kannavara, R.; Vangore, J.; Roberts, W.; Lindholm, M.; Shrivastav, P. A Threat Intelligence Tool for the Security Development Lifecycle. In Proceedings of the 12th Innovations on Software Engineering Conference (formerly known as India Software Engineering Conference), Pune, India, 14–16 February 2019.
  39. Dimitrov, W. Analysis of the Need for Cyber Security Components in the Study of Advanced Technologies. In Proceedings of the INTED 2020 Proceedings IATED, Valencia, Spain, 2 March 2020; pp. 5259–5268.
  40. Alchinov, A.I.; Yalovenko, O.V.; Sygotina, M.V. Main Architectural Patterns of Web Applications and Web Services Using the Example of Banking Systems. J. Phys. Conf. Ser. 2021, 2032, 012116.
  41. Analyst program SANS, D.S. Integrating Security into Development, No Pain Required. Spons. IBM 2011. Available online: https://scholars.huji.ac.il/sites/default/files/hujitest/files/ral14044usen.pdf (accessed on 21 March 2022).
  42. Peisert, S.; Schneier, B.; Okhravi, H.; Massacci, F.; Benzel, T.; Landwehr, C.; Mannan, M.; Mirkovic, J.; Prakash, A.; Michael, J.B. Perspectives on the SolarWinds Incident. IEEE Secur. Priv. 2021, 19, 7–13.
  43. Tudor, D. More than 30,000 GitLab Servers Remain Unpatched. Heimdal Secur. Blog 2021. Available online: https://heimdalsecurity.com/blog/more-than-30000-gitlab-servers-remain-unpatched/ (accessed on 28 March 2023).
  44. Werner, M. Proactive Security: Apps, Environments, and Messaging-DZone Research Guides, Executive Summary. Dzone 2017. Available online: https://dzone.com/guides/proactive-security-apps-environments-and-messaging (accessed on 28 March 2023).
  45. The Evolving Cybersecurity Landscape: Industry Perspectives on Securing the Nation’s Infrastructure; House of Representatives, Committee on Transportation and Infrastructure: Washington, DC, USA, 2021.
  46. Franklin, J.; Wergin, C.; Booth, H. CVSS Implementation Guidance; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2014; p. NIST IR 7946.
  47. Fransen, F.; Smulders, A.; Kerkdijk, R. Cyber Security Information Exchange to Gain Insight into the Effects of Cyber Threats and Incidents. E I Elektrotechnik Und Inf. 2015, 132, 106–112.
  48. Liao, X.; Yuan, K.; Wang, X.; Li, Z.; Xing, L.; Beyah, R. Acing the IOC Game. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016.
  49. Amaro, L.J.B.; Azevedo, B.W.P.; de Mendonca, F.L.L.; Giozza, W.F.; de Oliveira Albuquerque, R.; Villalba, L.J.G. Methodological Framework to Collect, Process, Analyze and Visualize Cyber Threat Intelligence Data. Appl. Sci. 2022, 12, 1205.
  50. Althonayan, A.; Andronache, A. Shifting from Information Security towards a Cybersecurity Paradigm. In Proceedings of the 2018 10th International Conference on Information Management and Engineering-ICIME 2018, Salford, UK, 22–24 September 2018.
  51. Wang, W.; Guo, L. Cyber Security Training in Europe and America and Its Enlightenment to China. In Proceedings of the 2020 6th International Conference on Social Science and Higher Education (ICSSHE 2020), Xiamen, China, 27–29 November 2020; Atlantis Press: Amsterdam, The Netherlands, 2020.
  52. Trivedi, K.S.; Bobbio, A. Reliability and Availability Engineering: Modeling, Analysis, and Applications; Cambridge University Press: New York, NY, USA, 2017; ISBN 978-1-107-09950-0.
  53. Vito Game Theory. Solve Nonantagonistic Games (Bimatrix Game). File Exchange-MATLAB Central. 2015. Available online: https://in.mathworks.com/matlabcentral/fileexchange/51601-game-theory (accessed on 28 March 2023).
  54. Lei, M.; Yang, Y.; Niu, X.; Yang, Y.; Hao, J. An Overview of General Theory of Security. China Commun. 2017, 14, 1–10.
  55. Morgan, J. Ricci Flow and the Poincaré Conjecture; Donaldson, S., Wiles, A., Eds.; American Mathematical Society Clay Mathematics Institute: Providence, RI, USA, 2007; ISBN 978-0-8218-4328-4.
  56. Mazalov, V. Mathematical Game Theory and Applications; Paperbackshop UK Import: London, UK, 2014; ISBN 1-118-89962-8.
  57. Nedyalkov, I.; Georgiev, G. Comparison between Different Topologies of IP Networks Using MPLS. In Proceedings of the 2021 29th National Conference with International Participation (TELECOM), Sofia, Bulgaria, 28 October 2021; pp. 65–68.
  58. Kuhn, D.; Kacker, R.; Feldman, L.; Witte, G. Combinatorial Testing for Cybersecurity and Reliability. 2016. Available online: https://csrc.nist.gov/publications/detail/itl-bulletin/2016/05/combinatorial-testing-for-cybersecurity-and-reliability/final (accessed on 28 March 2023).
  59. Leigh Metcalf, W.C. Cybersecurity and Applied Mathematics; Syngress Media: Rockland, MA, USA, 2016; ISBN 0-12-804452-7.
  60. Podder, P.; Bharati, S.; Mondal, M.R.H.; Paul, P.K.; Kose, U. Artificial Neural Network for Cybersecurity: A Comprehensive Review. J. Inf. Assur. Secur. 2021, 16, 10–23.
  61. Sarker, I.H. Deep Cybersecurity: A Comprehensive Overview from Neural Network and Deep Learning Perspective. SN Comput. Sci. 2021, 2, 154.
  62. Chauhan, K. Fuzzy Approach for Designing Security Framework 2021. pp. 173–195. Available online: https://www.researchgate.net/publication/353813826_Fuzzy_Approach_for_Designing_Security_Framework (accessed on 28 March 2023).
  63. Amro, S.A.; Chiclana, F.; Elizondo, D.A. Application of Fuzzy Logic in Computer Security and Forensics. In Computational Intelligence for Privacy and Security; Springer: Berlin/Heidelberg, Germany, 2012; pp. 35–49.
  64. Maria Isabel Gonzalez Vasco, R.S. Group Theoretic Cryptography; Chapman & Hall: London, UK, 2015; ISBN 1-58488-836-9.
  65. Bassino, F.; Kapovich, I.; Lohrey, M.; Miasnikov, A.; Nicaud, C.; Nikolaev, A.; Rivin, I.; Shpilrain, V.; Ushakov, A.; Weil, P. Complexity and Randomness in Group Theory; De Gruyter: Berlin, Germany, 2020.
  66. Bohli, J.-M.; González Vasco, M.I.; Steinwandt, R. Building Group Key Establishment on Group Theory: A Modular Approach. Symmetry 2020, 12, 197.
  67. Kostyuk, N. The Digital Prisoner’s Dilemma: Challenges and Opportunities for Cooperation. In Proceedings of the 2013 World Cyberspace Cooperation Summit IV (WCC4), Silicon Valley, CA, USA, 4–6 November 2013.
  68. Blahova, M.; Mikulicova, M.; Hromada, M. Utilization of Fractal Geometry Possibilities for Information Systems Security. In DAAAM Proceedings; DAAAM International Vienna: Vienna, Austria, 2020; pp. 619–625.
  69. Yevseiev, S.; Ponomarenko, V.; Laptiev, O.; Milov, O.; Korol, O.; Milevskyi, S.; Pohasii, S.; Tkachov, A.; Shmatko, O.; Melenti, Y.; et al. Synergy of Building Cybersecurity Systems; Privat Company Technology Center: Hong Kong, China, 2021.
  70. Holloway, E.M.; Lamont, G.B. Self Organized Multi-Agent Entangled Hierarchies for Network Security. In Proceedings of the 11th Annual Conference Companion on Genetic and Evolutionary Computation Conference-GECCO ’09, Montreal, QC, Canada, 8–12 July 2009.
  71. Tisdale, S. Cybersecurity: Challenges from A Systems, Complexity, Knowledge Management and Business Intelligence Perspective. Issues Inf. Syst. 2015, 16, 191–198.
  72. Rosser, J.B. From Catastrophe to Chaos: A General Theory of Economic Discontinuities: Volume I: Mathematics, Microeconomics, Macroeconomics, and Finance, 2nd ed.; Springer: Dordrecht, The Netherlands, 2000; ISBN 978-94-017-1613-0.
  73. Arnold, V.I. Catastrophe Theory; Department of Mathematics University of Moscow, Moscow, Ed.; Springer: Berlin/Heidelberg, Germany, 1984; ISBN 978-3-642-96799-3.
  74. Khatibzadeh, L.; Bornaee, Z.; Ghaemi Bafghi, A. Applying Catastrophe Theory for Network Anomaly Detection in Cloud Computing Traffic. Secur. Commun. Netw. 2019, 2019, 5306395.
  75. Ran, L.; Cui, Y.; Guo, C.; Qian, Q.; Shen, G.; Xing, H. Defending Saturation Attacks on SDN Controller: A Confusable Instance Analysis-Based Algorithm. Comput. Netw. 2022, 213, 109098.
  76. Zhou, W.; Ma, T.; Chen, L.; Wu, L.; Luo, Y. Application of Catastrophe Theory in Comprehensive Ecological Security Assessment of Plastic Greenhouse Soil Contaminated by Phthalate Esters. PLoS ONE 2018, 13, e0205680.
  77. Ryan, P.Y.A. Mathematical Models of Computer Security. In Foundations of Security Analysis and Design; Focardi, R., Gorrieri, R., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2001; Volume 2171, pp. 1–62. ISBN 978-3-540-42896-1.
  78. Wang, Y.; Lin, C.; Li, Q.-L.; Fang, Y. A Queueing Analysis for the Denial of Service (DoS) Attacks in Computer Networks. Comput. Netw. 2007, 51, 3564–3573.
  79. Institute of Information Technology of Azerbaijan National Academy of Sciences; Imamverdiyev, Y.; Nabiyev, B. Queuing Model for Information Security Monitoring Systems. JPIT 2016, 07, 28–32.
  80. Sahu, A.; Wlazlo, P.; Mao, Z.; Huang, H.; Goulart, A.; Davis, K.; Zonouz, S. Design and Evaluation of a Cyber-physical Testbed for Improving Attack Resilience of Power Systems. IET Cyber-Phy. Sys. Theory Ap. 2021, 6, 208–227.
  81. Gove, R.; Deason, L. Visualizing Automatically Detected Periodic Network Activity. In Proceedings of the 2018 IEEE Symposium on Visualization for Cyber Security (VizSec), Berlin, Germany, 22 October 2018; pp. 1–8.
  82. Niu, W.; Xiao, J.; Zhang, X.; Zhang, X.; Du, X.; Huang, X.; Guizani, M. Malware on Internet of UAVs Detection Combining String Matching and Fourier Transformation. IEEE Internet Things J. 2021, 8, 9905–9919.
  83. Luo, Z.; Pei, Z.; Wang, X.; Li, Y.; Zou, B. Polarization Filtering and WFRFT-Based Secure Transmission Scheme for Wireless Communications. Math. Probl. Eng. 2020, 2020, 6045976.
  84. Liu, S.; You, S.; Yin, H.; Lin, Z.; Liu, Y.; Yao, W.; Sundaresh, L. Model-Free Data Authentication for Cyber Security in Power Systems. IEEE Trans. Smart Grid. 2020, 11, 4565–4568.
  85. Orojloo, H.; Abdollahi Azgomi, M. Modelling and Evaluation of the Security of Cyber-physical Systems Using Stochastic Petri Nets. IET Cyber-Phys. Syst. 2019, 4, 50–57.
  86. Fanti, M.P.; Nolich, M.; Simic, S.; Ukovich, W. Modeling Cyber Attacks by Stochastic Games and Timed Petri Nets. In Proceedings of the 2016 IEEE International Conference on Systems, Man, and Cybernetics (SMC), Budapest, Hungary, 9–12 October 2016; pp. 002960–002965.
  87. Lounis, K. Stochastic-Based Semantics Of Attack-Defense Trees For Security Assessment. Electron. Notes Theor. Comput. Sci. 2018, 337, 135–154.
  88. Lv, M.; Yu, W.; Lv, Y.; Cao, J.; Huang, W. An Integral Sliding Mode Observer for CPS Cyber Security Attack Detection. Chaos 2019, 29, 043120.
  89. Xu, L.; Xiong, W.; Zhou, M.; Chen, L. A Continuous Terminal Sliding-Mode Observer-Based Anomaly Detection Approach for Industrial Communication Networks. Symmetry 2022, 14, 124.
  90. Han, F.; Xu, L.; Yu, X.; Tari, Z.; Feng, Y.; Hu, J. Sliding-Mode Observers for Real-Time DDoS Detection. In Proceedings of the 2016 IEEE 11th Conference on Industrial Electronics and Applications (ICIEA), Hefei, China, 5–7 June 2016; pp. 825–830.
  91. Li, Y.; Zhang, F.; Sun, Y. Lightweight Certificateless Linearly Homomorphic Network Coding Signature Scheme for Electronic Health System. IET Inf. Secur. 2021, 15, 131–146.
  92. Esfahani, A.; Nascimento, A.; Yang, D.; Rodriguez, J. A Mathematical Model for Improving Lightweight Security with Network Coding. In Proceedings of the IARIA International Conference on Mobile Ubiquitous Computing, Systems, Services and Technologies-UBICOMM, Florence, Italy, 25–29 October 2013; Volume 2308–4278, pp. 159–162.
  93. Yang, E.; Parvathy, V.S.; Selvi, P.P.; Shankar, K.; Seo, C.; Joshi, G.P.; Yi, O. Privacy Preservation in Edge Consumer Electronics by Combining Anomaly Detection with Dynamic Attribute-Based Re-Encryption. Mathematics 2020, 8, 1871.
  94. Pawlicki, M.; Kozik, R.; Choraś, M. A Survey on Neural Networks for (Cyber-) Security and (Cyber-) Security of Neural Networks. Neurocomputing 2022, 500, 1075–1087.
  95. Wang, D.; Lu, Y.; Gan, J. An Information Security Evaluation Method Based on Entropy Theory and Improved TOPSIS. In Proceedings of the 2017 IEEE Second International Conference on Data Science in Cyberspace (DSC), Shenzhen, China, 26–29 June 2017; pp. 595–600.
  96. Husari, G.; Niu, X.; Chu, B.; Al-Shaer, E. Using Entropy and Mutual Information to Extract Threat Actions from Cyber Threat Intelligence. In Proceedings of the 2018 IEEE International Conference on Intelligence and Security Informatics (ISI), Miami, FL, USA, 9–11 November 2018; pp. 1–6.
  97. Okutan, A.; Yang, S.J. ASSERT: Attack Synthesis and Separation with Entropy Redistribution towards Predictive Cyber Defense. Cybersecurity 2019, 2, 15.
  98. Menéndez, H.D.; Bhattacharya, S.; Clark, D.; Barr, E.T. The Arms Race: Adversarial Search Defeats Entropy Used to Detect Malware. Expert Syst. Appl. 2019, 118, 246–260.
  99. Clivati, C.; Meda, A.; Donadello, S.; Virzì, S.; Genovese, M.; Levi, F.; Mura, A.; Pittaluga, M.; Yuan, Z.; Shields, A.J.; et al. Coherent Phase Transfer for Real-World Twin-Field Quantum Key Distribution. Nat. Commun. 2022, 13, 157. [Google Scholar] [CrossRef]
  100. Maeda, K.; Sasaki, T.; Koashi, M. Repeaterless Quantum Key Distribution with Efficient Finite-Key Analysis Overcoming the Rate-Distance Limit. Nat. Commun. 2019, 10, 3140. [Google Scholar] [CrossRef] [PubMed]
  101. Gu, J.; Cao, X.-Y.; Fu, Y.; He, Z.-W.; Yin, Z.-J.; Yin, H.-L.; Chen, Z.-B. Experimental Measurement-Device-Independent Type Quantum Key Distribution with Flawed and Correlated Sources. Sci. Bull. 2022, 67, 2167–2175. [Google Scholar] [CrossRef] [PubMed]
  102. Xie, Y.-M.; Lu, Y.-S.; Weng, C.-X.; Cao, X.-Y.; Jia, Z.-Y.; Bao, Y.; Wang, Y.; Fu, Y.; Yin, H.-L.; Chen, Z.-B. Breaking the Rate-Loss Bound of Quantum Key Distribution with Asynchronous Two-Photon Interference. PRX Quantum 2022, 3, 020315. [Google Scholar] [CrossRef]
  103. Das, S.; Bäuml, S.; Winczewski, M.; Horodecki, K. Universal Limitations on Quantum Key Distribution over a Network. Phys. Rev. X 2021, 11, 041016. [Google Scholar] [CrossRef]
  104. Ganguli, C.; Shandilya, S.K.; Nehrey, M.; Havryliuk, M. Adaptive Artificial Bee Colony Algorithm for Nature-Inspired Cyber Defense. Systems 2023, 11, 27. [Google Scholar] [CrossRef]
  105. Alyami, H.; Nadeem, M.; Alharbi, A.; Alosaimi, W.; Ansari, M.T.J.; Pandey, D.; Kumar, R.; Khan, R.A. The Evaluation of Software Security through Quantum Computing Techniques: A Durability Perspective. Appl. Sci. 2021, 11, 11784. [Google Scholar] [CrossRef]
  106. Popper, K.R. Philosophy of Science: A Personal Report. In British Philosophy in the Mid-Century; Muirhead, J.H., Ed.; George Allen and Unwin: Crows Nest, NSW, Australia, 1957; pp. 182–183. [Google Scholar]
Figure 1. The authors applied mathematics to cybersecurity models.
Figure 2. Connections between authors who applied mathematics to cybersecurity models.
Figure 3. Solution to a matrix game using Pareto.
Figure 4. Visualization of the Swallowtail catastrophe: (a,b) two minima and one maximum are replaced by one minimum; beyond them the fold bifurcations disappear; (c) Butterfly catastrophe.
Figure 5. Cyber-physical system states during a hacker attack.
Table 1. Mathematical theories use cases.

| Mathematical Approach | Cybersecurity Area | Scientific Publications |
|---|---|---|
| Fourier transformation for periodicity detection | Network security, anomaly detection, discovering APT malware | [81,82,83,84] |
| Stochastic Petri Nets | Cyber-physical systems security evaluation | [85,86,87] |
| Terminal sliding-mode (TSM) theory | Cyber-attack detection | [88,89,90] |
| Group theory, number theory, algorithm complexity | Encryption | [66,91,92] |
| GWO based on MANN | Neural networks | [82,93,94] |
| Information theory, entropy | Information security evaluation method | [95,96,97,98] |
| Set theory, probability theory, statistics, and graph theory | Common cybersecurity issues | [53,54,55,56] |
| Linear algebra over the field of complex numbers, probability theory, information theory | Quantum key distribution (QKD) and quantum supremacy | [99,100,101,102,103] |
Trenchev, I.; Dimitrov, W.; Dimitrov, G.; Ostrovska, T.; Trencheva, M. Mathematical Approaches Transform Cybersecurity from Protoscience to Science. Appl. Sci. 2023, 13, 6508. https://0-doi-org.brum.beds.ac.uk/10.3390/app13116508
