Bulletin of V.N. Karazin Kharkiv National University, series «Mathematical modeling. Information technology. Automated control systems» https://periodicals.karazin.ua/mia <p>Specialized edition in mathematical and technical sciences.</p> <p>Articles contain the results of research in the fields of mathematical modeling and computational methods, information technology, and information security. New mathematical methods of research and control of physical, technical and information processes, research on programming and computer modeling in science-intensive technologies are highlighted.</p> <p>The journal is designed for teachers, researchers, graduate students and students working in corresponding or related fields.</p> V. N. Karazin Kharkiv National University ISSN 2304-6201 Analysis of the implementation of the combined Suricata intrusion detection system with a machine learning model https://periodicals.karazin.ua/mia/article/view/28374 <p><strong>Relevance.</strong> The study presents a comparative analysis of intrusion detection and prevention systems (IDS/IPS) functioning with and without artificial intelligence (AI) integration. Conventional signature-based systems such as Suricata effectively detect known threats but often fail to recognize new or modified attack patterns. Therefore, integrating AI technologies offers a promising way to enhance adaptability and minimize false positives.</p> <p><strong>Objective.</strong> The study aimed to evaluate the efficiency of the open-source Suricata system in two configurations: a standard mode using signature-based detection and a modified version enhanced with a machine learning module. The goal was to determine how AI affects detection accuracy, response time, and alert reliability under various cyberattack scenarios, including DoS and brute-force attempts. 
The experiment was performed in a virtualized environment consisting of three nodes: Kali Linux as the attacker, Windows 10 as the target, and Suricata as the monitoring system.</p> <p><strong>Research Methods.</strong> Methods of statistical modeling and comparative analysis were applied. In its base form, Suricata relied solely on predefined rules, while in the AI-extended version, an analytical module employing the Random Forest algorithm processed log data to classify network events. The model was trained on labeled datasets containing normal and malicious traffic, using extracted statistical and protocol-level features.</p> <p><strong>Results.</strong> Analysis showed that the baseline Suricata achieved a detection rate of 87–92% and precision of 80–85%, generating excessive alerts during DoS simulations. After AI integration, the number of alerts decreased more than threefold, the detection rate increased to 93–96%, and precision rose to 90–94%. Additionally, the average response time was reduced to 1–1.5 seconds.</p> <p><strong>Conclusions.</strong> Integrating machine learning algorithms into the capabilities of Suricata IDS significantly increased its efficiency, reduced the number of false positives, and improved the system's ability to adapt to new cyber threats. The results confirm that combining a signature approach with AI-based analytics provides a more reliable and intelligent approach to modern network security.</p> Maksym Blinov Igor Svatovskiy Copyright (c) 2025-10-27 2025-10-27 67 6 17 10.26565/2304-6201-2025-67-01 UML-Oriented Information Technology for Continuous Maximum Coverage Problems with Arbitrary-Shaped Objects https://periodicals.karazin.ua/mia/article/view/28375 <p><strong>Relevance.</strong> Continuous maximum coverage problems with arbitrary-shaped objects play a crucial role in geographic information systems, monitoring platforms, logistics services, security systems, spatial data analysis, and decision-support solutions. 
The growing volume of data, dynamic environments, and high model complexity require formalized, modular, and scalable information technologies. UML, as a modeling standard, enables formal architectural descriptions of software solutions, ensuring reliability, reproducibility, and transparency of implementation.</p> <p><strong>Purpose.</strong> To develop a UML-oriented information technology for solving continuous maximum coverage problems that incorporates an architectural model, data structures, information flows, functional components, and UML specifications of modules supporting coverage-based systems.</p> <p><strong>Methods.</strong> The study employs object-oriented and structural modeling techniques, UML diagramming (Use Case, Class, Activity, Sequence, Component, Composite Structure, State Machine, Deployment), architectural design methods, principles of modularity, dependency inversion, component decomposition, and approaches used in building scalable information systems.</p> <p><strong>Results.</strong> A complete UML specification of the architecture of an information technology for maximum coverage problems has been constructed: external interaction scenarios, classes, components, operation sequences, system behavior and state logic, infrastructural links, and deployment structure have been defined. An integrated three-tier architecture (presentation, application logic, and data layers) has been formed. Principles for constructing modules for spatial analytics, optimization, coverage criterion computation, scenario management, visualization, and data interfaces have been described. The UML models provide a formalized structure that enables the development of scalable and reproducible IT solutions for coverage problems.</p> <p><strong>Conclusions.</strong> The developed information technology provides structural, behavioral, and architectural formalization of a maximum coverage system. 
UML-oriented modeling improves architectural transparency, reduces risks of integration errors, and ensures scalability and reusability of components. The obtained UML models may serve as a methodological foundation for building intelligent GIS platforms, optimization services, monitoring systems, and real-time analytical solutions.</p> Yehor Havryliuk Kyryl Korobchynskyi Copyright (c) 2025-10-27 2025-10-27 67 18 34 10.26565/2304-6201-2025-67-02 Computer modeling of liquid sloshing in tanks with baffles https://periodicals.karazin.ua/mia/article/view/28380 <p><strong>Research Objective.</strong> The objective of this study is to develop numerical methods for analyzing the stability of fluid motion in tanks equipped with various types of internal baffles.</p> <p><strong>Relevance.</strong> The investigation of fluid motion stability in tanks with horizontal and vertical baffles is of significant theoretical and practical importance for many fields — from aerospace and aviation to marine and ground-based liquid storage (e.g., fuels, process fluids, chemical reagents). The presence of baffles substantially alters the sloshing behavior: they affect the frequency spectrum of the free surface, vortex structures, energy localization, and the emergence of resonant modes. Improper consideration of these effects may lead to reduced safety, increased dynamic loads on the structure, and degraded performance of the overall system. Experimental studies of such processes are often technically complex, costly, and potentially hazardous. Testing real liquid volumes requires large-scale facilities, high material and equipment expenses, as well as rigorous safety measures when dealing with flammable, aggressive, or explosive substances. Therefore, the development of accurate mathematical models, numerical algorithms, and simulation methods for fluid motion in baffled tanks is of particular relevance. 
Computer-based modeling provides a safe and relatively low-cost means to explore a wide range of fluid behavior regimes.</p> <p><strong>Research Methods.</strong> The study employs methods from potential theory and singular integral equations, the boundary element method (BEM), the subdomain method, and the method of prescribed normal forms.</p> <p><strong>Results.</strong> Systems of one-dimensional singular integral equations were derived to determine the velocity potential. Basis functions were obtained, specifically the free surface oscillation modes, which were then used to solve the problem of forced oscillations. The influence of combined horizontal and vertical excitations was analyzed for tanks of various designs — both without baffles and with vertical or horizontal baffles. Regions of stable and unstable fluid motion were identified. It was found that the presence of baffles significantly reduces the amplitude of free surface oscillations.</p> <p><strong>Conclusions.</strong> The obtained results demonstrated that the use of horizontal and vertical baffles has a significant impact on the stability of fluid motion in tanks, specifically by considerably reducing the amplitude of free surface oscillations. The data obtained may be applied to improve the reliability and safety of tank systems across various engineering domains, particularly in aviation, space, marine, and energy industries.</p> Vasyl Gnitko Kirill Degtyarev Andriy Kolodiazhny Denys Kriutchenko Elena Strelnikova Copyright (c) 2025-10-27 2025-10-27 67 35 44 10.26565/2304-6201-2025-67-03 Controlling LEDC timers of the ESP32 microcontroller using registers https://periodicals.karazin.ua/mia/article/view/28381 <p><strong>Relevance.</strong> This paper examines precise generation and control of pulse-width modulation (PWM) signals using the LEDC (LED PWM Controller) subsystem of the ESP32 microcontroller via direct register access. 
As embedded real-time systems increasingly require fine timing control in LED drivers, motor control and power electronics, standard high-level driver APIs can be insufficient. Direct register manipulation of LEDC enables more precise tuning of frequency, resolution and pulse timing, which is critical for synchronization-sensitive applications.</p> <p><strong>Objective.</strong> To analyze the capabilities of ESP32 LEDC timers when configured through direct register writes, to experimentally evaluate the accuracy and stability of generated PWM signals across representative configurations, and to provide practical recommendations for optimizing LEDC parameters in applied embedded projects.</p> <p><strong>Methods.</strong> The investigation employed low-level register programming under Espressif’s ESP-IDF on an ESP32-DevKitC V4 (WROOM-32D). Time-domain characteristics of the PWM outputs were measured with a Logic Analyzer (24 MHz sampling, 8 channels). The study combined theoretical derivations of PWM frequency and period based on clock source, divider (DIV) and counter resolution (RES) with implementation of direct register sequences to configure HSTIMER0 and HS channel 0, and comparative measurements for eighteen distinct configurations covering multiple RES, DIV and DUTY values.</p> <p><strong>Results.</strong> The register-based control method enabled generation of high-frequency PWM in the MHz range with close agreement between calculated and measured values. Across tested configurations the maximum relative deviation did not exceed ±0.03% for frequency and period, and ±0.6% for pulse high-time (duty width). Increasing counter resolution improved duty-cycle granularity, while the prescaler DIV produced a linear change in PWM frequency. 
The experimental limitations observed at the highest frequencies are attributable to the finite sampling capability of the measurement equipment.</p> <p><strong>Conclusions.</strong> Direct register access to the LEDC allows for obtaining deterministic, high-precision PWM signals with minimal parameter update latency, making them suitable for applications in robotics, power electronics, and other systems with high synchronization requirements. Further research is recommended on the influence of alternative clock sources, low-speed LEDC modes, integration with ISR/FreeRTOS, and extending the approach to other timers and channels.</p> Daniiel Horenko Albert Kotvytskiy Copyright (c) 2025-10-27 2025-10-27 67 45 55 10.26565/2304-6201-2025-67-04 Architecture, software implementation and results analyzing of the usage an intelligent tool for configuring microservice applications https://periodicals.karazin.ua/mia/article/view/28383 <p><strong>Relevance.</strong> Developing applications with a microservice architecture requires effective configuration management under varying load conditions, reliability, fault tolerance, and scalability requirements. This creates a need for intelligent adaptive configuration tools that can operate in near-real-time mode.</p> <p><strong>Goal.</strong> To create an intelligent tool for adaptive management of MCA configurations with a decision-making module based on Case-Based Reasoning (CBR), design its architecture, implement it in software, experimentally evaluate its operation on a test site, and compare several CBR methods.</p> <p><strong>Research methods.</strong> The basic concepts of MSA configuration processes are clarified; a testbed with three services (auth, product, order) and performance requirements (≤1000 simultaneous requests, average latency ≤200 ms) is designed. 
Adaptive microservice configuration management is implemented as a microservice with REST API (FastAPI) and a precedent database (PostgreSQL); QoS, resource, "cost" and adaptability metrics are used. Five CBR methods are investigated: K-Nearest Neighbors, Weighted KNN, Feature-Based Retrieval, Cluster-Based Retrieval, Indexing & Hashing. A series of measurements of configuration selection time for a precedent database of 50–1000 records with averaging over 100 runs is conducted.</p> <p><strong>Results.</strong> The subsystem correctly identifies states and applies relevant configurations for different scenarios (low/medium/high/peak), meeting the requirement of a matching time of ≤0.5 s. The Indexing & Hashing method demonstrated the highest performance (≈27.6–50.3 ms for 50–1000 precedents); KNN has a linear time growth, and Weighted KNN provides controllability due to metric weights. The implemented web interface provides monitoring and manual/automatic mode of applying changes in real time.</p> <p><strong>Conclusions.</strong> The proposed architecture and software implementation of the CBR tool confirm the practical feasibility of adaptive configuration of the MCA and create a basis for managed solutions that are scaled by data. 
Further directions are outlined: evolution of the case base with online learning, multi-criteria optimization (performance/reliability/cost/energy efficiency), deeper integration with orchestrators and service mesh and increased explainability of solutions.</p> Dmytro Zinov’ev Mykola Tkachuk Copyright (c) 2025-10-27 2025-10-27 67 56 65 10.26565/2304-6201-2025-67-05 Application of a genetic algorithm to solve the problem of scaling hydrogen systems https://periodicals.karazin.ua/mia/article/view/28385 <p><strong>The work aims</strong> to develop a robust tool for scaling hydrogen systems and their energy consumption using a genetic algorithm.</p> <p><strong>Relevance.</strong> The most common method of hydrogen production is water electrolysis, which requires a sufficient amount of electricity. If electricity sources are insufficient, this can put additional strain on the power grid, especially during peak consumption periods. Since 87% of hydrogen plants currently use hydrogen on-site (instead of generating it and then transporting it for use), there is a need for optimization in this area to improve energy efficiency and sustainability.</p> <p>Current research analyzes the improvement of hydrogen systems in terms of the cost-effectiveness of systems using renewable energy sources and the reduction of hydrogen logistics costs by applying linear programming and particle swarm optimization methods.</p> <p>However, these works are mainly focused on hydrogen production systems based on a single electrolyzer and do not aim to assess the feasibility of using multiple units. 
As a result, the topic of cost optimization and maintenance strategies for multi-electrolyzer systems remains less explored, as well as the related problem of their dispatching.</p> <p><strong>Research methods.</strong> Stochastic methods were used to solve the problem of finding the best startup queue for electrolysis units, and the effectiveness of the genetic algorithm for solving this problem was tested.</p> <p><strong>Results.</strong> A model for optimizing the peak power consumption of an electrolysis system was built, and the configuration evaluation function and objective function for system optimization were determined. The choice of a stochastic optimization method is justified by checking the objective function for the properties necessary for the effectiveness of traditional optimization methods, namely, continuity, differentiability, smoothness, and convexity. The effectiveness of the genetic method was tested in comparison with the gradient descent method on examples with different configurations of electrolyzers (similar and different types).</p> <p><strong>Conclusions.</strong> These calculations have confirmed that the genetic algorithm has stable results and is effective in finding the global optimum, while the gradient descent may stop at local minima and require additional adjustments to achieve the optimal solution.</p> <p>Using the genetic algorithm method, we obtain results that give an approximate optimal result for a fixed number of steps. 
This approximate result, as shown in the problem with the placement of 10 electrolyzers, gives significant results — the peak electricity consumption has decreased by almost 40%.</p> <p>Further research can be aimed at improving the parameters of the algorithm, in particular, adaptive tuning of the mutation and crossover operators to increase the convergence rate.</p> Dmytro Kotenko Mykola Zipunnikov Copyright (c) 2025-10-27 2025-10-27 67 66 75 10.26565/2304-6201-2025-67-06 Machine Learning Approaches to Malware Detection in RAM https://periodicals.karazin.ua/mia/article/view/28386 <p><strong>Relevance.</strong> In the current context of constantly growing cyber threats, the problem of detecting malicious software that can operate covertly in RAM using fileless attack techniques has become particularly relevant. Traditional antivirus solutions based primarily on signature-based approaches prove ineffective against modern advanced persistent threats (APT) and new modified threats. This makes it essential to develop innovative approaches to malware detection based on behavioral pattern analysis in RAM using machine learning methods.</p> <p><strong>Goal.</strong> Development and testing of an automated malware detection system through RAM dump analysis using machine learning methods, as well as comparative evaluation of the effectiveness of various classification algorithms for multi-class threat type detection.</p> <p><strong>Research methods:</strong> comparative analysis of machine learning algorithms, static analysis of memory dumps, multi-class classification, experimental validation on the Obfuscated-MalMem2022 dataset containing over 58,000 records with 58 Windows process features. 
Models were evaluated using accuracy, precision, recall, and F1-score metrics with weighted averaging.</p> <p><strong>Results.</strong> A fully functional technological pipeline was created for automated processing and classification of RAM dumps, including modules for data preprocessing, feature engineering, machine learning, and results evaluation. A comparative analysis of 13 machine learning algorithms was conducted, including classical methods (Random Forest, Gradient Boosting, Decision Tree, k-NN, SVM) and neural network architectures (Wide & Deep Network, CNN). It was established that the Random Forest algorithm demonstrates the best results for the multi-class malware classification task with an accuracy of 85.49% and F1-score of 85.52% at a training time of 1.3 seconds. The developed system is implemented in Python using scikit-learn libraries (for classical ML models), TensorFlow/Keras (for neural networks), and pandas (for data processing).</p> <p><strong>Conclusions.</strong> The study confirmed the high effectiveness of classical machine learning methods, particularly ensemble algorithms, for malware detection in RAM dumps. The developed Random Forest-based model provides an optimal balance between classification accuracy (85.52% F1-score), training speed (1.3 s), and computational efficiency, demonstrating significant advantages over neural networks in this context. The developed system has high practical significance and can be integrated into forensic platforms, cybersecurity incident monitoring systems, and expert systems for automated threat detection and accelerated incident analysis. 
The research results confirm the feasibility of using machine learning methods to create defense systems against modern cyber threats that operate exclusively in RAM.</p> Yevhen Lanin Nina Bakumenko Copyright (c) 2025-10-27 2025-10-27 67 76 82 10.26565/2304-6201-2025-67-07 Mathematical models of simple signals modulation for algebraic separation of noise in information communication systems https://periodicals.karazin.ua/mia/article/view/28387 <p>The article is a continuation of the work [1] about the separation of the useful signal from the noise and the works [2,3], in which a method for solving systems of linear algebraic equations using QR decomposition based on the Gram-Schmidt method was proposed. The work is <strong>relevant</strong> because on the frequency axis of information communication systems it is impossible to find a section free from interference; it is always necessary to count on the case that the noise is in the entire available frequency range. A description of some sources of this noise is given in the introduction to this article. The development of modern information and communication systems is impossible without the use of mathematical models, because this affects the cost of research and is a prerequisite for the creation of research stands. The <strong>goal</strong> of this work is to build models for representing useful signals; an important direction in this is compliance with the criteria of mathematical models: adequacy, flexibility, acceptable complexity. The benefit from modeling can be obtained only under conditions when the correct (adequate) reflection of the properties of the original is ensured, and the problem of the complexity of research on real objects is also removed. Therefore, the work is extended in the direction of constructing analytical mathematical models of simple signals using <strong>modulation methods</strong>: amplitude, frequency, phase. 
The work contains graphs with a time sweep of simple signals, construction formulas and parameters, which include frequency, symbol rate and transmission period of one symbol, and also provides a verbal description of the demodulation process to assess the correctness of the modulation graphs. Therefore, <strong>the result of the work</strong> is analytical mathematical models that have adequacy and acceptable complexity; they can also be used to construct more complex models, for example, a quadrature modulation model, where a change in two parameters is observed: amplitude and initial phase. Based on the results of the work, it can be <strong>concluded</strong> that the work is relevant, has a goal, result and direction of further research, which will be determined by mathematical models for constructing an interference system based on Fourier series and sinc functions, their addition to the useful signal, with the subsequent use of matrices of systems of linear algebraic equations (SLAE) and a comparison of the results obtained with conventional methods of the demodulation process, which are based on the use of correlation integrals.</p> Olha Melkozerova Oleksii Nariezhnii Copyright (c) 2025-10-27 2025-10-27 67 83 90 10.26565/2304-6201-2025-67-08 Chatbot model for personal computer configuration using NLP methods https://periodicals.karazin.ua/mia/article/view/28389 <p><strong>Objective:</strong> to improve the convenience and efficiency of selecting personal computer components by using a Telegram chatbot with NLP methods to process user requests.</p> <p><strong>Research Methods:</strong> methods of natural language processing (NLP) were used to interpret user queries and generate chatbot responses; methods for building dialogue systems; and approaches to organizing software components. 
The Telegram chatbot was implemented based on a client-server architecture, where the client side provides interaction with the user on Telegram, and the server side handles data processing and PC component selection logic. The implementation used the following technologies: Python programming language, the python-telegram-bot library for creating the chatbot, NLP tools for analyzing and interpreting user queries, and fuzzy matching to improve search results.</p> <p>As a <strong>result</strong>, a Telegram chatbot was created to automate the process of selecting components for personal computers, taking into account individual user needs and preferences. The system allows users to quickly receive recommendations for selecting PC components such as CPU, GPU, RAM, storage, motherboard, and power supply, considering price category, intended purpose (gaming, work, multimedia), and desired specifications. The chatbot provides a convenient interaction through Telegram, while the server side handles request processing, text analysis, and generating optimal configurations using NLP methods and fuzzy matching. For natural language processing, the libraries and tools used include Stanza, NLTK (tokenization, stemming, lemmatization), and TextBlob; for fuzzy search, RapidFuzz was applied. Using Python and the python-telegram-bot library ensures reliable system performance, flexibility in scaling, and the ability to quickly update the component database.</p> <p><strong>Conclusions:</strong> The developed Telegram chatbot allows automating the selection of PC components according to individual user needs and preferences. The system enables component selection for various use cases — gaming, work, multimedia, budget or high-performance configurations, and more. This allows users to quickly receive optimal recommendations, reduces the likelihood of errors when assembling configurations, and simplifies the component selection process. 
The developed system improves user convenience, optimizes the component selection process, and promotes more efficient user interaction with the system.</p> Oleksii Novikov Viktoriia Strilets Copyright (c) 2025-10-27 2025-10-27 67 91 100 10.26565/2304-6201-2025-67-09 Impact of decoding methods in LLMs on the correctness of agent action planning in virtual environments https://periodicals.karazin.ua/mia/article/view/28390 <p><strong>Relevance:</strong> The knowledge and skills acquired by Large Language Models (LLMs) from training data can be applied to the task of action planning for autonomous agents. The classical approach to text generation can violate the syntax of a JSON plan, making it difficult or even impossible to parse and use such a plan. A potential solution to this problem is the application of the Grammar-Constrained Decoding (GCD) method, which restricts the set of possible texts for generation according to a specified grammar.</p> <p><strong>Goal:</strong> To investigate the impact of the Grammar-Constrained Decoding (GCD) method (with and without reasoning) compared to classical Unconstrained Decoding (UCD) on JSON schema compliance, accuracy, and planning time for various LLMs in the Minigrid virtual environments.</p> <p><strong>Research methods:</strong> Research methods are computational experiments and comparative analysis. The studied LLM sequence decoding methods are Unconstrained Decoding (UCD) and Grammar-Constrained Decoding (GCD). The planning quality metrics used were: syntactic validity (compliance with the grammar/JSON schema), planning duration, and accuracy of plan generation.</p> <p><strong>Results:</strong> This work proposes the use of Grammar-Constrained Decoding (GCD) for agent action planning tasks that utilize Large Language Models (LLMs). A dataset of plan examples was prepared for the Minigrid environments: SimpleKeyDoor, KeyInBox, and RandomBoxKey. 
A comparison was conducted between Unconstrained Decoding (UCD), Grammar-Constrained Decoding (GCD), and GCD with reasoning across 10 open LLMs (from the Qwen3, DeepSeek-R1, Gemma3, and Llama3.2 families). Using the GCD method ensured the validity of the generated plans according to the grammar specified by the JSON schema. A reduction in planning time was achieved for the Qwen3:4b model by a factor of 17-25 and for the Qwen3:30b model by a factor of 6-8, by limiting the number of tokens in the reasoning chains. On average, the application of the GCD decoding method improved the accuracy of plan generation.</p> <p><strong>Conclusions:</strong> This research demonstrates that the Grammar-Constrained Decoding (GCD) method is effective in action planning tasks with LLMs. The GCD method guarantees the syntactic validity of plans according to the JSON schema, which is difficult to achieve with the UCD method. The GCD method also allows for the flexible determination of the length of reasoning chains through grammar rules, thereby controlling the planning duration.</p> Ihor Omelchenko Volodymyr Strukov Copyright (c) 2025-10-27 2025-10-27 67 101 112 10.26565/2304-6201-2025-67-10