bg
Cybersecurity
08:18, 19 July 2026
views
7

Russian Researchers Develop Software to Analyze the Evolution of Cyberattacks Over Time

Researchers at the National Research Nuclear University MEPhI have developed a hybrid AI architecture, TA-BN-ODE, designed to detect sophisticated cyberattacks by analyzing attacker behavior over time rather than isolated events. The system models activity across timescales ranging from microseconds to months by combining neural ordinary differential equations, spatiotemporal point processes, Bayesian uncertainty estimation, and a large language model.

Tests involving 19 million network activity records showed the architecture achieved 99% detection accuracy for known attacks and 87.6% for previously unseen threats, compared with 42% for conventional approaches. The model occupies just 9.2 MB of memory, processes more than 12 million events per second, and delivers results in less than 0.1 seconds.

The research represents a significant scientific and technological advance at the intersection of artificial intelligence and cybersecurity. At this stage, however, it remains a research prototype rather than a commercial product and has not yet been deployed in production environments.

If successfully commercialized, the technology could reduce the risk of data breaches and service disruptions while serving as the foundation for Russian cybersecurity solutions protecting critical infrastructure, industrial enterprises, banking systems, and telecommunications networks. The architecture could also be adapted for distributed environments and Internet of Things (IoT) deployments.

A Compact Model

One promising direction is integrating the architecture into Russian-developed SIEM, NDR, and EDR platforms, as well as security operations centers (SOCs). Industrial organizations and government agencies are the primary targets, as each accounted for 15% of successful cyberattacks in 2025. Overall, the number of reported incidents increased by 37% compared with 2022, while the share of attacks causing operational disruption rose from 31% to 47%. Because of its compact footprint, the model can be deployed not only in data centers but also at the network edge, including industrial controllers, IoT devices, and isolated environments.

Before deployment, the architecture will require validation using real-world Russian network traffic, along with assessments of false-positive rates, resilience against evasion techniques, and the explainability of its decisions for SOC analysts. Integration with domestic cybersecurity platforms and certification under Russia's critical information infrastructure (CII) requirements will also be necessary.

The technology's export potential depends on its evolution into a commercial product. Once productized, the architecture could attract interest across the CIS, the Middle East, and Asia. Russian software exports reached an estimated $5.9 billion to $6.2 billion in 2025, with approximately 30% to 40% of that total going to CIS markets.

Among the architecture's principal strengths are its compact design and its ability to run entirely on local infrastructure. Its current limitations include the need for localization, validation using production data, and competition from established cybersecurity platforms.

Strengthening AI-Based Cyber Defense

In 2024, BI.ZONE integrated machine learning algorithms into its Secure DNS platform to identify sophisticated domain generation algorithm (DGA) domains used by malware. That work demonstrated how AI could uncover previously unknown attack indicators within specific segments of network traffic. Meanwhile, Positive Technologies continued developing autonomous SOC capabilities along with its MaxPatrol BAD and MaxPatrol O2 platforms. In those products, machine learning supports behavioral analytics, reduces false positives, and correlates isolated security events into complete attack chains.

Globally, Microsoft introduced Copilot for Security, an AI assistant designed to support incident investigations and log analysis. The broader market has increasingly embraced large language models to automate routine SOC analyst workflows. In Russia, Positive Technologies expanded the use of machine learning and large language models across its MaxPatrol portfolio in 2025, including SIEM, BAD, PT NAD, and PT Sandbox. Those systems use AI to identify previously unknown malware and partially automate incident response.

At the same time, attention has increasingly shifted toward protecting AI systems themselves. In 2025, graduate students at ITMO University, working with Raft, introduced Hive Trace, a platform for monitoring generative AI applications and defending them against prompt injection attacks, data leakage, and abuse by LLM-based agents.

Backing Russian Cybersecurity Developers

The MEPhI research reflects a broader shift toward analyzing attacker behavior and multi-stage attack scenarios rather than isolated security events. Its defining feature is the integration of continuous temporal modeling, uncertainty estimation, and large language model capabilities within a single compact architecture.

Over the next two to three years, pilot projects are expected with Russian cybersecurity vendors and major infrastructure operators, particularly in manufacturing, energy, telecommunications, and the public sector.

Commercial success will depend on the architecture's performance under real-world operating conditions, its ability to reduce false positives, and successful integration into SOC workflows. If further development proves successful, the technology could become either a standalone security module or a core component of Russian-developed SIEM and NDR platforms.

Russia already has strong developers working in antivirus protection, incident monitoring, endpoint security, network security, and threat intelligence. However, the market is gradually moving beyond the initial phase of urgently replacing foreign products and entering a more mature stage. Customers are beginning to evaluate not only whether a solution is domestically developed, but also its practical effectiveness, interoperability, cost, and its proven ability to reduce cyber risk
quote
like
heart
fun
wow
sad
angry
Latest news
Important
Recommended
previous
next