Introduction

Advanced attack methods are developing faster than traditional protection methods. Many attacks now involve multiple phases of sophisticated methods to gain entry into computer systems before they are detected [1]. Conventional protection methods have traditionally relied on static signature identification; however, as threat technologies evolve rapidly, they can no longer keep pace [2]. Modern adversaries use new and advanced attack types and evasion methods to continually improve their attacks and evade detection. These include file-less malware, living-off-the-land (LOTL) attacks, social engineering, zero-day attacks, encrypted communications, and AI-automated attacks.

The failure to detect and respond to emerging threats results in significant exposure. It gives attackers the opportunity to continue operating undetected with sophisticated threats such as APTs, zero-day attacks, and polymorphic malware. The inability to detect unknown attacks quickly with static protection methods results in increased financial losses, operational disruptions, and risks to privacy, safety, and public trust [3,4]. Experts predict that cybercrime could cause damages of over $10.5 trillion by next year unless security measures are successfully adapted [5]. Recent large-scale breaches have impacted consumer confidence and damaged corporate reputations [6]. In light of these realities, there is a pressing need to transition away from static models and develop dynamic, real-time protection mechanisms.

Table 1 Overview of adaptive security modeling approaches and limitations.

To address the above, we propose that adaptive information security models are required to adjust defenses in response to evolving threats and changing system conditions [3]. The major obstacle to date has been the challenge of representing the complex and dynamic interactions between attackers and defenders through robust mathematical formulations. Current adaptive models represent either attacker or defender behaviors independently [4]. They fail to account for the interconnected and multidimensional nature of cybersecurity engagement [5]. As listed in Table 1, current models lack the ability to represent the composite behaviors and adaptability required for realistic cybersecurity scenarios.

Attacker strategies will include rational planning and learning from defender responses to strike a difficult balance among detection accuracy, response speed, and computational costs [12]. Figure 1 illustrates the overlapping dimensions that influence the development of adaptive security. The increasing presence of sophisticated threats, including polymorphic malware, advanced persistent threats, and multi-vector attacks, necessitates next-generation adaptive models that are aware, strong, and scalable to complex networks [13,14]. Table 3 lists the most important characteristics of enhanced cybersecurity resiliency.

Fig. 1 Multidimensional behavior space in adaptive security.

Composite behavior modeling has shown potential in areas such as autonomous systems and economic game theory, where heterogeneity among agents is typical [15,16]. Composite behavior modeling captures real-world complexity more effectively by describing multi-agent dynamics through a diverse set of behaviors. The use of composite behavior modeling in cybersecurity threat and defense modeling is limited. Table 2 compares the use of composite behavior modeling across various disciplines and highlights opportunities to apply these advancements in security.

Table 2 Composite behavior modeling features across domains.
Table 3 Desired features for next-generation adaptive security models.

Our proposed framework is built upon this foundation by combining stochastic process modeling, game theory, and adaptive learning to provide a composite behavior-driven adaptive security model. This model draws on dynamic systems theory and strategic thinking to offer a proactive approach to adapting defenses to evolving attacker strategies. Unlike prior models of behavioral fusion, our model formalizes behavioral fusion within a rigorous mathematical framework.

Our paper provides the following contributions:

  • A precise mathematical formulation of composite behavior-driven adaptive security models;

  • Development of adaptive mechanisms based upon system dynamics and game theory;

  • Implementation and simulation of the proposed framework against realistic threat scenarios;

  • Comprehensive statistical validation through hypothesis testing, evaluating detection accuracy, and adaptability;

  • Comparison demonstrating improved accuracy and scalability compared to state-of-the-art models;

  • The combination of mathematical precision with composite behavior modeling enables our work to contribute to the development of intelligent and resilient security frameworks capable of responding to increasingly complex, adaptable adversaries.

The paper is organized as follows: Sect. 2 reviews relevant literature and identifies the gaps that motivated this study. Section 3 describes the problem formulation and research objectives. Methods and materials are discussed in Sect. 4, where the development of the composite behavior-based adaptive security model is presented. Section 5 describes experimental testing and analysis. Section 6 explains the model’s validation methodology. Statistical acceptance testing and hypothesis evaluation are discussed in Sect. 7. Section 8 presents a comparative evaluation of our model’s performance against existing methodologies. Section 9 elaborates on validity threats, and Sect. 10 presents future directions. Section 11 concludes with the key findings.

Related work

The literature review focuses on the development of adaptive information security systems employing behavioral modeling. Its primary purpose is to synthesize prior research and identify the major limitations affecting the development of adaptive security system models. A structured procedure was employed to evaluate the mathematical models and behavioral frameworks reported in the literature and to determine how they addressed specific research questions.

A search was conducted across three major academic databases: IEEE Xplore, Scopus, and Web of Science, covering articles published between 2018 and 2025. Duplicates were removed, and the articles were evaluated against the inclusion criteria. The selected articles were related to adaptive security, included composite or behavioral modeling components, and were expressed as mathematical formulations. In total, 75 key articles were identified for more in-depth examination. Based upon their scope, complexity, and level of validation, the articles were ranked and prioritized. The relevance and consistency of the body of literature were evaluated using acceptance testing methods [1,2,3].

While there are many adaptive security models, most fail to capture the complex, dynamic behaviors of attacker-defender interactions. Many of the models reviewed are static or one-dimensional and lack capabilities such as dynamic learning, strategic deception, or resource awareness [4,6]. Models designed to employ composite behavioral representations for cybersecurity purposes are limited [7,8]. This limits the ability to provide adaptable security solutions and represent threats. The findings were validated utilizing hypothesis testing and expert inter-rater reliability analysis [9,12]. It can be concluded that there are identifiable, tangible goals for developing new mathematical constructs to address the identified gaps [18].

Formulation of review questions

Research questions (RQs) are essential components of the literature review, balancing breadth and depth and ensuring that the knowledge gaps addressed are relevant to the literature [1–14]. RQs enable measurable evaluation and hypothesis testing, providing transparency and replicability [6,7]. Beyond heuristics, the Analytic Hierarchy Process (AHP) was utilized to systematically rank and validate RQs using expert input. AHP assigned weights to each RQ based on relevance to adaptive security, robustness of behavioral modeling, and operational feasibility [9,18]. The top two RQs had a combined weight of 0.59 and a consistency ratio (CR) of 0.08, which represents high logical consistency [13]. This process generated the following five core RQs, which balance feasibility and novelty and direct the review toward scientifically valid knowledge gaps.

RQ1: What mathematical models currently exist for adaptive information security strategy design?

RQ2: How are attacker and defender behaviors represented in these approaches?

RQ3: What are the major limitations or gaps in existing models?

RQ4: Are composite behavior models used in adaptive cybersecurity contexts?

RQ5: Do current models represent dynamic complexity and real-time adaptation?

These five questions will guide a complete evaluation of mathematical and behavioral modeling within adaptive security.

Relevance assessment and acceptance testing

The quality and relevance of the articles were evaluated using the inclusion-exclusion matrix shown in Table 4. It focuses on the suitability of the articles for adaptive security, the depth of behavioral modeling, and the quality of empirical validation. Articles that provided mathematical and behavioral contributions were included [1,3], whereas non-methodological or static security modeling articles were excluded [4]. Establishing this foundation reduced bias and enhanced the robustness of the analysis.

Articles meeting the inclusion criteria were evaluated on a 5-point Likert scale in terms of Model Relevance, Behavioral Depth, and Validation Quality, as shown in Table 5. An overall relevance metric was formed by averaging the three scores. Articles that scored 3.5 or higher were considered for inclusion [12]. One-sample t-tests verified that the average relevance score of 4.12 (SD = 0.36, p < 0.01) surpassed the threshold, as shown in Fig. 2.

Table 4 Inclusion–exclusion criteria used for article screening and relevance scoring.
Table 5 Likert scale scoring rubric for article relevance assessment.
Fig. 2 Distribution of composite relevance scores for selected articles.

Systematic synthesis

Systematic thematic synthesis was performed, integrating qualitative content analysis with quantitative trend mapping [13]. Study attributes, including modeling methodologies, behavioral dimensions, validation methodologies, and limitations, were refined [14]. Studies addressing similar aspects were grouped to enable replicable synthesis and to identify research hotspots and unexplored topics within the realm of adaptive security modeling [15]. Co-occurrence analyses examined relationships between behavioral complexity and adaptive processing [16,17,18].

Current literature has shown that composite models are superior at capturing realistic interactions between attackers and defenders, and improve the effectiveness of adaptive defense strategies [19,20]. The majority of models focus on individual behavior dimensions, failing to account for the multidimensional dynamics of real cyber incidents [21]. Most experimental validations rely on either minimal or simulated data that have little to no generalizability to real-world testing [22]. These conclusions have shaped the research objectives for developing mathematically rigorous adaptive security frameworks driven by composite behavioral representations. The synthesis overview is summarized in Table 6 and Fig. 3.

Table 6 Categorization of synthesized studies from systematic literature review.
Fig. 3 Thematic cluster map of adaptive security models.

Hypothesis testing on research questions

Two hypotheses were developed to test the findings of the synthesis, regarding existing adaptive security frameworks:

  • H1: Current models largely ignore the interdependent behaviors of attackers and defenders required to produce realistic adversarial modeling.

  • H2: Current models inadequately represent the dynamic real-time adaptation required to produce effective cybersecurity defense [19].

Data were extracted from the 75 selected papers for the two binary variables of composite behavior modeling and real-time dynamic adaptation. Cross-tabulations and contingency analyses are presented in Tables 7 and 8.

Only 29.3% of models include composite behavior, whereas 70.7% exclude integrated attacker-defender dynamics. Furthermore, only 24.0% of the models incorporate real-time dynamic adaptation, whereas 76.0% do not.

Chi-square tests showed large deviations from the expected uniform distribution (p < 0.001), thereby rejecting the null hypothesis of independence. The large effect sizes of Cramér’s V (0.58 and 0.65), as shown in Table 9, demonstrate strong associations between model types and these capabilities. These results support H1 and H2 and highlight major weaknesses in current frameworks.

Therefore, there is a pressing need to develop new models capable of representing complex, adaptive attacker-defender behaviors, which our framework will seek to address in the next section.

Table 7 Contingency table for composite behavior modeling vs. model count.
Table 8 Contingency table for real-time dynamic adaptation vs. model count.
Table 9 Chi-square test results.

Problem formulation and research objectives

The literature was evaluated to identify gaps that limit the application and efficiency of adaptive Information Security Models. The gaps include:

  • Inadequate representation of attacker and defender behavior in adaptive models: Most adaptive models do not provide a complete representation of attacker and defender behaviors, resulting in a limited ability to predict threats.

  • Limited mathematical rigor in adaptive models: In many cases, adaptive models rely more on heuristics than on defined rules for when and how adaptive actions will be taken.

  • Insufficient analysis of scalability: A number of studies have been published on the development of adaptive models for cybersecurity, but few have examined their scalability. Many researchers have noted that developing adaptive models for large-scale systems remains one of the biggest hurdles in cybersecurity today [20].

To validate the identified gaps and to ensure the quality of the data collected during the initial evaluation, an inter-rater agreement study was conducted. Three domain experts reviewed a randomly selected subset of 20 papers from the corpus on adaptive information security models. Each expert reviewed the papers using a pre-defined checklist that provided criteria to assess whether each paper addressed the identified gap. The experts assessed each paper as either “yes” or “no” to indicate whether the gap was addressed. Table 10 reports the proportion of papers assigned to each expert and the inter-rater agreement for each pair of experts.

Table 10 Expert evaluation summary of identified research gaps.
Table 11 Pairwise Cohen’s Kappa for expert agreement.

Cohen’s kappa statistic (κ) was used to calculate the level of agreement beyond chance for each pair of experts [6,9]. Table 11 reports the κ values for each pair of experts. Figure 4 displays the inter-rater agreement with bar charts and confidence intervals for each pair of experts. As reported in Table 11, all κ values exceeded 0.80, indicating almost perfect agreement [22]. The agreement among the three experts was ‘almost perfect’, providing strong evidence of the validity and reliability of the identified gaps. This supports the conclusion that the identified gaps represent major limitations in the area of adaptive information security models. It justifies the development of new models incorporating advanced composite behavior modeling techniques, rigorous mathematical frameworks for adapting to changing contexts, and scalable architectures for securing large-scale systems. The systematic validation of the identified gaps provides a strong evidence-based foundation to support the focused research objectives of this study.

Fig. 4 Inter-rater agreement visualization.

Based upon the critical research gaps identified, we defined the following four primary research objectives to advance our understanding of adaptive information security and develop the architecture:

O1: Develop a mathematically robust model of the dynamic behavior of attackers and defenders in an adaptive security environment.

O2: Define and propose adaptive mechanisms to enable effective defenses in response to real-time changes in the adaptive security environment by combining game theoretic concepts with system dynamics theory.

O3: Implement and simulate the proposed adaptive model and mechanisms to verify its effectiveness.

O4: Compare the performance of the proposed adaptive model to existing state-of-the-art adaptive security models to measure improvements in detection accuracy, adaptability, and resource usage [23].

To assess the clarity, relevance, and feasibility of the proposed objectives, a Delphi study was conducted with five experts in cybersecurity and mathematical modeling. Using a five-point Likert scale, experts rated each objective for clarity, relevance, and feasibility. Feedback rounds were iteratively conducted to achieve consensus and reduce the influence of personal biases [24].

The average rating was 4.2, indicating that the objectives were clearly articulated, relevant, and well-defined. A Cronbach’s alpha value of 0.88 further confirmed the high internal consistency and reliability of expert judgments [16,17]. Figure 5 illustrates strong agreement among experts on the objectives and their relevance to current and emerging challenges in adaptive cybersecurity.

The results of the Delphi study, provided in Table 12, form a strong foundation for the methodological and experimental approach and assure that the research is scientific, feasible, and has the potential for positive impact.

Table 12 Delphi expert ratings (mean scores ± Std. Dev.) on research objectives.
Fig. 5 Delphi consensus and reliability.

Methods and materials

Development of the composite behavior-based adaptive security model

The literature review identified two significant gaps in the current research: a lack of models that simulate integrated composite behavior and a lack of models for real-time adaptation. This drove the development of the proposed framework. These findings influenced the decision to model the attacker’s and defender’s behavior as dynamically coupled sub-models. Synthesis of review research motivated the use of adaptive control and game-theoretic reasoning to capture the real-time dynamics of an interaction and prompt updates to defend against an attack. This approach laid the foundation for developing an integrated model that captures the dynamic and composite nature of attacker-defender interactions.

A new model for adaptive security has been developed. The model is based on the concept of composite behavior and is developed as an integrated model of attackers and defenders in a dynamic environment. This will provide a realistic representation of the complexities of interaction among adversaries and defenders. The model incorporates parties’ behaviors over time and links them to capture the dynamic nature of the cyber threat and defenders’ adaptive responses. The model provides a comprehensive view of the strategic and tactical aspects of cybersecurity and will enable more accurate predictive capabilities and prompt, responsive actions against cyberattacks. The model will be scalable and flexible, enabling its use across many areas of cybersecurity.

Formal mathematical definition of model components

The composite behavior model comprises mathematically rigorous sub-models that represent diverse attacker behavior patterns and defender adaptation strategies in the cybersecurity landscape [25]. The set of attacker behavior sub-models is written as \(A = \{A_1, A_2, \dots, A_m\}\), where \(A_i\) denotes an attacker strategy, such as reconnaissance, intrusion, privilege escalation, lateral movement, or persistence. The set of defender adaptation mechanisms is modeled as \(D = \{D_1, D_2, \dots, D_n\}\), with adaptive defense controls such as reactive anomaly detection, dynamic firewall configuration, resource reallocation, or predictive threat mitigation. Each attacker sub-model \(A_i\) is formalized as a stepwise stochastic process (Markov or semi-Markov) whose state transitions are modeled probabilistically. This enables the identification of the complex, stochastic sequences of behavior that are characteristic of cyber-attack patterns, as well as the ambiguity and temporal dependencies of adversaries [26,27]. Transition matrices describe the probability of moving from one attack stage to another, whereas reward functions indicate the incentive for an attacker to exploit system component failures or evade detection. The defender sub-model \(D_j\) corresponds to the adaptive policy of each defender, based on control-theoretic or game-theoretic principles. Reactive strategies are feedback systems based on control laws that respond to observed signals by tuning defense parameters. Proactive strategies are based on best responses in game theory and on learning algorithms that predict the adversary’s strategies [28]. This dual method allows the defender in the model to adjust its tactics dynamically, thereby increasing security while maintaining a balance in how constraints are applied to operations.

The model consists of multiple, varied sub-models integrated into a high-dimensional composite system state vector:

$$x(t) = \left[ x_1^{(A)}(t),\ x_2^{(A)}(t),\ x_3^{(A)}(t),\ \dots,\ x_m^{(A)}(t),\ x_1^{(D)}(t),\ x_2^{(D)}(t),\ x_3^{(D)}(t),\ \dots,\ x_n^{(D)}(t) \right]^{T}$$

Here, \(x_i^{(A)}(t) \in S^{(A_i)}\) is the internal state variable corresponding to the attacker sub-model \(A_i\) at time \(t\), and \(x_j^{(D)}(t) \in S^{(D_j)}\) is the internal state of the defender sub-model \(D_j\). State variables can specify quantifiable indicators, such as attack intensity or progress, vulnerability, the system’s security posture, the distribution of defense resources, and the learning processes for adaptation.

The composite state vector x(t) has been designed to evolve over time but is dynamically coupled, accounting for interactions between the attacker and defender sub-models. These features can provide a more holistic view of the cyber-physical security environment and help cybersecurity teams identify and counter emerging cyber threats efficiently. This provides the flexibility and stability to model cybersecurity interactions. It supports modular application of new attacker tactics or defense policies, scalability across large systems, and integration with adaptation and learning algorithms.

However, the composite integration is more than a simple aggregation: the evolution of these states is dynamically coupled through the system dynamics function \(f\), which encodes the dependencies between sub-models. This function models how the current state of each sub-model influences and is influenced by the states of others, enabling hierarchical, feedback, and lateral coupling effects beyond mere concatenation.

Integration framework

The integration framework presents the composite behavior-based adaptive security model as an evolving, complex, interdependent set of sub-models. This reflects the ongoing, bidirectional relationship between the attacker’s tactics and the defender’s adaptive responses. This framework is required to simulate the active cybersecurity behavior that can occur when an attacker employs multi-stage, low-observable, and evolving strategies. The defender’s adaptation in detection, mitigation, and resource allocation policies varies as a function of observed system behavior and inferred attacker intent.

Conceptual architecture

Integration-based approaches see the composite model as a closed-loop dynamical system in which the different attacker and defender sub-models persist in a shared environment characterized by the system state \(x(t)\). This state includes observables, such as system logs and traffic, as well as hidden variables and external factors. Attacker sub-models exhibit stochastic action sequences, defined as transitions between internal states such as scan, exploit, evade, or escalate privilege. These acts influence the environment and the state of the system probabilistically, producing attack signatures and feedback signals within the system. Defender sub-models observe system outputs (also called features, which are mostly noisy and partially observable) and use this information to continuously update adaptive policies. The adaptation includes detection, decision-making, and learning strategies designed to determine the best defense given current threats.

Dynamic interactions

The proposed integration structure enables two-way, continuous interaction between the attacker and defender sub-models. This is important for simulating the complex, evolving dynamics of real cyber engagements. The interactive process described may be realistically modeled and analyzed with a variety of tools, including game theory and feedback control systems, to provide a basis for developing effective strategies for adaptive security.

Closed-Loop Feedback Control: Defender adaptation policies \(u(t)\) depend on real-time observations of the system state \(y(t)\), which is itself influenced by the attacker’s stochastic actions \(a(t)\). As such, there exists a closed-loop feedback relationship between the two:

$$u(t) = g\left(y(t)\right), \qquad y(t) = h\left(x(t), a(t)\right)$$

where \(h\) denotes the observation function mapping the true system state and the attacker’s input to the measured defender signal. In many cases, the output of \(h\) will be contaminated with some form of random or measurement error due to a lack of complete observability. If anomalous network traffic or an unexpected deviation from expected behavior is detected in sensor data, the defender can dynamically adjust filtering parameters, enable additional defensive mechanisms, or redistribute computing resources [29,30].

Strategic Anticipation and Adversarial Adaptation: Because the adversary adapts in response to the defender’s strategy, it exploits weaknesses both in the defender’s configuration and in the defender’s adaptation logic. This relationship is modeled as a dynamic update of the attacker’s policy in a repeated or stochastic game. There exists a dynamic attacker-defender equilibrium in which the defender uses machine learning to infer emerging adversarial tactics and adapt in real time under uncertainty [31,32].

Sequential multi-stage interactions

The framework models the attacker’s campaign as a Markovian progression through attack phases, each characterized by a unique system state and observability. The defender develops stage-specific adaptation mechanisms that alter detection thresholds, using decoy systems or segmenting the network based on inferred transitions between attack phases. Temporal multi-scale modeling captures dynamic dependencies among past system states, adaptation actions, and future interaction trajectories, enabling the development of defense policies that are specific and context-sensitive [33,34].

As depicted in Fig. 6, the integration framework incorporates Attack Generation, State Evolution, Defender Adaptation, and Feedback as continuous cycles with four primary components. This framework has a modular design and is extensible, allowing additional attacker behaviors and defense strategies to be integrated into the system.

Generate attacker behavior: The attacker sub-models vary by category and generate stochastic, evolving attack strategies based on the system state.

Evolve the system state: The system documents the attacker’s behavior and the defender’s responses, thereby contributing to the system’s dynamic evolution.

Defender adaptation: The defender sub-model continuously monitors the system state and the attacker to acquire knowledge and update its policy based on the provided feedback.

Feedback loop: Defender adaptation shapes attacker actions and system conditions at later time steps. The framework represents the primary components as nodes with attributes and the pathways of information and control as directed edges. Due to its modular design, additional side modules can be added later.

Fig. 6 Integration framework of composite behavior-based adaptive security model.

Mathematical formulation of interactions

The conceptual integration framework shown in Fig. 6 will serve as the basis for developing a stochastic process to describe the interaction dynamics between the attacker and defender sub-models. This new behavior-based adaptive security model can be described as a time-varying nonlinear system, either continuous or discrete, that models the co-evolution of the attacker strategy and the defender adaptation within an uncertain stochastic environment.

Composite System State Dynamics: Rather than simply combining multiple modules in an additive way, we integrate the attacker and defender sub-models within the composite system using a dynamically coupled, nonlinear state-evolution function \(f\). This dynamic coupling enables the composite system to capture interdependencies beyond isolated behavioral modules, providing richer expressiveness and realistic adversarial dynamics.

Let \(x(t) \in R^{N}\) denote the combined state of the composite system at time \(t\). It includes all latent and observable states for both the attacker and the defender [35].

\(x(t)\) evolves in time according to the nonlinear stochastic differential equation:

$$\dot{x}(t) = f\left(x(t),\ u(t),\ w(t)\right)$$

The integration operator is represented by the nonlinear vector function

$$f : R^{N} \times R^{M} \times R^{L} \to R^{N}$$

which governs the evolution of the composite system’s state \(x(t)\).

\(f : R^{N} \times R^{M} \times R^{L} \to R^{N}\) is the potentially nonlinear vector function that represents the overall behavior of both attackers and defenders with respect to each other’s actions and the effect of those behaviors [36,37].

$$(x,\ u,\ w) \in R^{N} \times R^{M} \times R^{L}$$

where:

  • \(x \in R^{N}\) is the state vector.

  • \(u \in R^{M}\) represents the adaptive control input vector produced by the defender sub-models, which includes the various actions taken by the defender, policy updates, and resource reallocation.

  • \(w \in R^{L}\) represents the effects of external disturbances, uncertainties, and any other unmodeled stochastic events, such as a zero-day exploit or variability in network traffic.

The function (f) encapsulates the interaction and coupling dynamics among attacker and defender sub-models by:

  • Modeling interdependencies where the state transition of one sub-model depends not only on its own previous state but also on the states of other sub-models,

  • Capturing feedback loops where defender adaptation affects attacker strategy evolution and vice versa,

  • Implementing dynamic cross-influences reflecting context-sensitive behavioral transitions.

The composite integration is realized as a coupled nonlinear dynamical system rather than a block-diagonal or switched system. This enables rich, dynamic synergy across sub-models and a realistic representation of strategic and tactical multi-agent interactions in cybersecurity. This model represents the continuously evolving attacker-defender ecosystem over time in a noisy, uncertain environment38,39.

Defender Adaptation Policies: The inputs to the defender’s adaptation (u(t)) are derived from the system’s observable outputs and inferred attributes of the current attack40. More formally stated, the defender has neither full nor direct knowledge of the entire system state vector at time t, (x(t)), but rather has access to some form of noisy, non-linear function of this state, which can be represented as follows:

$$y\left(t\right) = h\left(x\left(t\right)\right) + \nu\left(t\right)$$

where:

  • \(y(t) \in R^{P}\) is the observation vector available to the defender at time \(t\), representing measurable system features such as alerts, network telemetry, or behavioral anomaly indicators.

  • \(h: R^{N} \to R^{P}\) is a (potentially nonlinear) measurement or observation function that maps the true but unobservable system state \(x(t)\) to the space of defender-observable signals.

  • \(\nu(t) \in R^{P}\) denotes measurement noise, typically modeled as a zero-mean stochastic process (e.g., Gaussian noise) capturing sensor inaccuracies, missing or corrupted data, and other forms of uncertainty inherent in real-world monitoring systems.

This definition reflects the partial observability in cybersecurity, meaning defenders have incomplete or noisy information about the systems they are trying to defend, rather than complete and correct information40,41,42.

The defender has a mental model based on the defender’s observation (y(t)) of the current system state and the defender’s current belief about how the attackers behave at time (t), referred to as the defender’s belief state or feature-based estimate. The belief state is used by the defender to make adaptive decisions43.

The defender’s adaptive policies can be determined as:

$$u\left(t\right) = g\left(y\left(t\right), \theta\right)$$

where:

\(g(\cdot)\) denotes the aggregation of the adaptive rules, possibly using feedback control laws, reinforcement-learning updates, and game-theory-based response strategies. The parameter vector \(\theta\) is set during system operation to optimize both defense effectiveness and efficiency44,45.

\(u(t) \in R^{M}\) represents the defense control actions and policy parameters, such as tuning detection thresholds, reconfiguring firewalls, reallocating computational resources, or deploying countermeasures.

Because of this, defenders’ decision-making must take place while operating in an environment of uncertainty, with only limited knowledge of what is happening. Thus, the model supports robust inference and adaptation methods that handle noisy sensor readings and incomplete knowledge of the environment. Because it models many of the realities of cybersecurity operations, it provides a solid mathematical basis for developing real-time, adaptive security policies that account for poor-quality sensor readings.

Attacker Strategy Update Dynamics: At the same time, attackers adjust their methods according to a stochastic process that depends on previous actions, the defender’s observable behavior, and the state of the system:

$$a(t+1) \sim P\left(a(t), u(t), x(t)\right)$$

where:

\(a(t) \in A\) denotes the attacker’s strategy or action at time \(t\), which can include one or multiple vectors of tactics, techniques, and procedures.

\(P\) is a stochastic transition operator over the attacker’s strategy (e.g., a Markov decision process or a policy update function) that takes into account the attacker’s current strategy, the adaptive inputs from the defender \(u(t)\), and the current environmental conditions of the system \(x(t)\).

The probability distribution over the attacker’s next method describes the evolution of the attack in an adversarial environment, where the attacker learns to avoid defensive mechanisms and possibly adjusts its strategic intentions46,47.

Closed-Loop Feedback and Dynamic Equilibrium: With these equations, a closed-loop relationship is formed between the system and the attackers.

$$x\left(t\right) \xrightarrow{h} y\left(t\right) \xrightarrow{g} u\left(t\right) \xrightarrow{f} \dot{x}\left(t\right)$$

The attacker strategy updates are in turn fed back into the system through the system evolution:

$$a\left(t\right), u\left(t\right), x\left(t\right) \xrightarrow{P} a(t+1) \xrightarrow{f} x(t+1)$$

which finally sets up a dynamic game-theoretic balance in which the parties’ strategies adapt in real time, leading to a progressive cyber interaction. This provides a mathematical framework for investigating the overall stability of the system, the convergence of policies, and the system’s robustness to an adaptive adversary48.

Formal analytical proposition

Under the assumptions of bounded observation noise, Lipschitz continuity of the system dynamics function \(f\), and a suitable choice of adaptive learning rate, the defender’s adaptive policy \(u(t)\) asymptotically converges to a stable equilibrium of the composite system. The system remains stable under stochastic disturbances and partial observability, thereby enabling effective real-time adaptation49.

Proof sketch: We use classical Lyapunov function methods in conjunction with stochastic stability theory to demonstrate that the system trajectory remains bounded and that the trajectories converge under the assumptions.

Significance of the proposed solution

Our proposed integration framework represents a major step forward in the science of defense against sophisticated cyber threats by complex attackers. The proposed integration framework has a wide range of applications across multiple fields:

Modeling Complex Cyber-Physical Systems: Complex systems such as smart grids, industrial control systems (ICS), and the Internet of Things (IoT) comprise many layers and are highly adaptable. We model these types of systems using a hierarchical view of their behavior, including temporal dependencies among different levels of the system and the feedback loops between the attacker and defender. Our multidimensional view of system behavior enables the prediction of cascading failures and the development of secure, resilient, and distributed systems.

Enabling Realistic Simulations and Evaluations: The proposed integration framework enables the simulation of detection algorithms and the evaluation of adaptive controls and mitigation strategies prior to deployment in the field50. This enhances the predictive validity of cybersecurity assessments and enables continuous improvements in the effectiveness of defenses.

Informing Development of Robust Real-Time Detection and Mitigation Tools: As a closed-loop system that continuously observes and adapts to the current state, the proposed integration framework will enable the creation of tools that dynamically adjust detection thresholds, allocate resources, and defend against stealthy threats. The ability to simulate persistent low-and-slow attacks will improve detection accuracy and reduce dwell times51,52.

Providing Mathematical Support for the Formal Analysis of Adaptive Security Protocols: Using a strong mathematical foundation, the proposed integration framework will support the formal analysis of security protocols developed to ensure they converge, remain stable, and remain robust. These are all critical when the threat landscape changes frequently and when the system is subject to changing conditions. We demonstrate that defender adaptations can achieve effective equilibrium and maintain stability in the presence of random noise and limited observation. This provides a theoretical basis for designing efficient cybersecurity solutions53,54.

By linking system modeling, algorithmic design, and implementation, the proposed integration framework will provide a common framework for researchers and practitioners to develop the next generation of adaptive defenses to counter the increasing complexity of today’s cyber threats.

Experimental testing and analysis

This section includes the practical application of the composite behavior-based adaptive security model in well-designed simulated environments. The objective is to develop the theoretical framework and move toward an executable framework that can undergo rigorous testing in practice with real-world applications. To make this happen, we deployed publicly available cybersecurity data, as well as synthetic data, in a way that more closely resembles the behaviors and adversarial patterns characteristic of real cyber-physical systems. The major focus is the practical implementation of strong, adaptable simulation platforms for time-based scenarios that capture asynchronous interactions within attacker and defender sub-models, with stochastic behavior.

Partial observability and dynamics-based feedback loops, which are essential features of adaptive security programs, are emphasized here. We chose computational frameworks for improved transparency and reproducibility that provide a modular design for researchers and professionals who need dynamic and rapid customization of attack vectors, defense policies, and scenario parameters. For representation and fidelity, the implementation pipeline also uses a systematic parametric-tuning approach informed by empirical data. Simultaneously, it embeds learning and adaptation algorithms into defender models that dynamically update their strategies in real time, as attackers observe, not as cyber defenders observe.

This simulation architecture allows on-the-fly robustness tests, repeated assessment of newly emergent behaviors, and investigation of their sensitivity across repeated runs. We strongly believe this realization is a significant validation of the theoretical model’s ability to capture complex, layered attacker-defender interactions and to develop new-generation adaptive cybersecurity systems in practice. The algorithmic workflows presented in detail, illustrated with visuals and performance benchmark data, lay the groundwork for scaling the model to benchmarking and practical implementation in real-world use.

Platforms and environments for simulation and computation

The simulation architecture and the computing ecosystem form the basis for the design and validation of the composite behavior-based adaptive security model, which provides the necessary flexibility, efficiency, and extensibility for simulating multistage cyber-physical interactions.

The model experiments were executed in a Python environment (version 3.9), selected for its flexibility and the large number of open-source libraries available for scientific computing, which made it ideal for this study. We utilized key libraries to efficiently complete our computational tasks. These libraries included NumPy and SciPy for numerical calculations, solving differential equations, and other mathematical operations. SimPy is used to simulate the interactions between the attacker and the defender as a time-based discrete-event simulation. NetworkX is used to model network structures. Scikit-learn and TensorFlow are used for integrating adaptive learning algorithms into our model, such as classification and reinforcement-learning-based algorithms. Matplotlib and Seaborn are used for creating high-quality visualizations of the data we collected from our experiments.

We ran all of our experiments on a workstation with an Intel Core i7-10700K CPU (8 cores at a base clock speed of 3.8 GHz), 32 GB of DDR4 memory, and Ubuntu 20.04 LTS. This hardware executed multiple threads simultaneously during our Monte-Carlo simulations, allowing us to run thousands of time steps and hundreds of parallel simulations and to produce statistically significant evaluations within reasonable computational times.

The accessibility was optimized in this computational package, while the performance was optimized to simulate thousands of time steps and hundreds of parallel scenarios, yielding statistically significant results.

A simulated operating environment was designed to support the following features:

Modularity: The ability for each of the attacker’s sub-modules and the defender’s adaptation modules to be individually changed or removed without affecting the rest of the system’s capabilities. This is achieved through extensibility.

Event-Driven Execution: Events (such as a network scan by an attacker, an attempt to exploit vulnerabilities, or an attacker’s movement within the network) that occur at specified times cause the attacker to transition into new states and trigger the defender to respond with new states as well. These events are executed asynchronously using SimPy’s event-driven simulation engine.

Stochasticity/Noise Modeling: Simulation of random state transitions, injection of random noise into observations made by the defender, and use of probability-based adaptation mechanisms, all of which simulate the uncertainties that exist in attack strategy and sense-making capability of the defender.

Customization of Scenarios: Templates have been defined to enable the instantiation of a range of threat scenarios based on the attacker’s level of sophistication, the targets’ criticality, and the resources available to the defender.

The simulation framework and computing environment we acquired lay an appropriate foundation for building, training, and validating the composite adaptive security framework. Flexibility, computational power, and ease of integration also enable realistic, scalable simulations that are necessary for rapid adaptive cybersecurity research.

Parameter settings and data sources

The successful realization and validation of the composite behavior-based adaptive security model rely upon the correct selection of simulation parameters and data. This section presents the rationale for this parameter decision. It details the configurations chosen, the procedure used in the synthetic generation method, and their impacts on the resulting simulation.

Results from simulation runs were combined to reduce random variability when attacks are conducted against a defense system. The numerical stability for these simulations was achieved through:

  • Using double-precision floating-point arithmetic provided by the NumPy and SciPy libraries to ensure stable calculation of values.

  • Fine-tuning the learning rate parameters of adaptive learning in defenders to achieve a trade-off between how quickly an algorithm converges versus its overall stability.

  • Adding bounded Gaussian noise that represents a model for the uncertainty associated with sensors.

To address potential bias or unfairness in our experiments, we used public benchmark datasets (NSL-KDD and UNSW-NB15) as well as synthetic datasets created using empirically derived transition probabilities and stochastic timing to simulate realistic multi-phase attack sequences.

The parameters of each model were iteratively adjusted during pilot studies and validated against three public benchmark datasets. We analyzed the sensitivity of each model to learning rates, noise levels, and attack intensities to assess its ability to handle parameter changes.

Parameter Settings: The simulation was configured to provide an indication of diverse, realistic cyberattack and defense scenarios for the simulated system, informed by empirical research and available datasets. The configurations of a majority of the parameter settings used in the various experiments are included in Table 13.

Table 13 Simulation parameter settings.

Parameter rationale

Attacker sub-models: The attacker sub-models follow the common stages of a modern APT (reconnaissance, exploitation, lateral movement, and persistence), consistent with the Cyber Kill Chain paradigm28. Stage-transition probabilities are derived from frequency analyses of attack vectors in the NSL-KDD dataset and more recent cyber threat logs.

Defender policies: The three defender models comprise anomaly detection, configurable firewall rules, and dynamic resource allocation, which rebalances resources on the fly. Using multiple, parallel defenses as a matter of course is a pattern typically seen in enterprise cybersecurity frameworks and architectures.

Learning rates and noise: We adjusted the adaptation learning rate experimentally to balance adaptation speed against stability, since deployed defenses must both respond quickly and remain stable under real-world operational and deployment constraints. Observation noise accounts for the imperfections of the sensors and the monitoring system.

Data sources

Simulation realism is achieved by drawing on the datasets listed in Table 14.

Table 14 Relevant datasets ensuring simulation realism.

Statistical analysis of NSL-KDD connection records also facilitated the estimation of stage-transition probabilities between attacker sub-models: initial reconnaissance leads to exploitation with an average probability of ≈ 0.65. UNSW-NB15 data enabled the testing and tuning of anomaly detection models and the evaluation of false positives across various network scenarios. Feature scaling and clustering techniques were used to set the thresholds of the defender’s adaptive detection sub-model, achieving a target detection accuracy of 87%.

Synthetic APT scenario generation and parameterization

We developed synthetic APT scenarios to represent complex, multi-stage attacker behavior that is beyond the capabilities of static datasets. We developed these scenarios using the Cyber Kill Chain framework, which comprises four stages of an attack: reconnaissance, intrusion, lateral movement, and persistence.

  • Markov Chain Modeling of Attack Behavior: The probability of transitioning from one attack stage to another was determined statistically from frequency analyses of attack sequence patterns in NSL-KDD attack records and verified against temporal patterns in UNSW-NB15 attack records. The stage-to-stage transition probabilities ranged from 0.2 to 0.8.

  • Timing and Duration: The time required to complete each stage of an attack was modeled stochastically using exponential distributions, calibrated to the timing patterns found in data sets to simulate realistic low-and-slow stealth attack behaviors characteristic of APTs.

  • Noise and Variability: Realistic, simulated sensor imperfections and partial observability were introduced into the observational signals via additive Gaussian noise.

  • Tuning Parameters: The learning rates of the defender’s adaptive algorithms and the intensity levels of the attackers’ behaviors were tuned in pilot experiments to achieve a balance between simulation fidelity and computational tractability.

This approach to generating synthetic scenarios enabled us to conduct realistic, yet flexible, dynamic, asynchronous event-driven simulations of attacker-defender interactions. To provide a realistic cyber environment for the synthetic attacks and defenses, the scenarios were written using randomized initial states and event timing to remove any possible deterministic bias. By using an event-based simulator that enables asynchronous updates to the attacker and defender modules, a true model of the concurrent, unpredictable nature of real-world cyber behavior can be produced. To control for experimental biases, multiple simulations were run independently, and the results from each simulation were averaged. This process provides additional confidence in the generalizability of the findings.
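The synthetic scenario generator described above, as an added example that is not the paper’s code: a Markov chain over four kill-chain stages with exponential dwell times and Gaussian observation noise, plus the frequency-based estimate of stage-transition probabilities that the paper applies to benchmark records. All transition probabilities, dwell means and signal levels are constructed values, not those of Table 13.

```python
import random
from collections import Counter

# Kill-chain stages of the synthetic scenarios; "end" is an absorbing terminal state
# (attack abandoned or completed). All numbers below are constructed for illustration.
TRANSITIONS = {
    "reconnaissance":   {"intrusion": 0.65, "reconnaissance": 0.15, "end": 0.20},
    "intrusion":        {"lateral_movement": 0.55, "intrusion": 0.20, "end": 0.25},
    "lateral_movement": {"persistence": 0.60, "lateral_movement": 0.30, "end": 0.10},
    "persistence":      {"end": 1.0},
}
# Mean dwell time per stage (simulation time units); exponential dwell times give the
# heavy tails characteristic of low-and-slow behaviour.
MEAN_DWELL = {"reconnaissance": 40.0, "intrusion": 10.0,
              "lateral_movement": 25.0, "persistence": 60.0}
# True sensor signal level per stage, i.e. h(x) before measurement noise (constructed).
SIGNAL = {"reconnaissance": 0.2, "intrusion": 0.7, "lateral_movement": 0.5, "persistence": 0.3}


def next_stage(stage, rng):
    """Sample the successor stage from the Markov transition row of `stage`."""
    r, acc = rng.random(), 0.0
    for successor, p in TRANSITIONS[stage].items():
        acc += p
        if r < acc:
            return successor
    return successor  # guard against floating-point rounding of the row sum


def generate_scenario(rng, noise_sd=0.05, max_time=5000.0):
    """One synthetic APT run: a list of stage visits with start time, exponential dwell
    time, true signal and Gaussian-noised observation. The last entry is the terminal stage."""
    stage, t, visits = "reconnaissance", 0.0, []
    while stage != "end" and t < max_time:
        dwell = rng.expovariate(1.0 / MEAN_DWELL[stage])
        visits.append({"t": t, "stage": stage, "dwell": dwell,
                       "signal": SIGNAL[stage],
                       "observed": SIGNAL[stage] + rng.gauss(0.0, noise_sd)})
        t += dwell
        stage = next_stage(stage, rng)
    visits.append({"t": t, "stage": stage, "dwell": 0.0, "signal": None, "observed": None})
    return visits


def estimate_transitions(sequences):
    """Frequency-based estimate of P(next | current) from stage sequences: the kind of
    analysis the paper applies to NSL-KDD / UNSW-NB15 attack records."""
    counts = {}
    for seq in sequences:
        for cur, nxt in zip(seq, seq[1:]):
            counts.setdefault(cur, Counter())[nxt] += 1
    return {cur: {s: n / sum(c.values()) for s, n in c.items()} for cur, c in counts.items()}


def mean_dwell(scenarios, stage):
    """Average sampled dwell time in `stage` over a batch (terminal markers excluded)."""
    dwells = [v["dwell"] for sc in scenarios for v in sc
              if v["stage"] == stage and v["signal"] is not None]
    return sum(dwells) / len(dwells)


def run_batch(n=2000, seed=7):
    """Generate n independent scenarios and re-estimate the transition matrix from them,
    so the estimate can be compared against the generating probabilities."""
    rng = random.Random(seed)
    scenarios = [generate_scenario(rng) for _ in range(n)]
    sequences = [[v["stage"] for v in sc] for sc in scenarios]
    return scenarios, estimate_transitions(sequences)


if __name__ == "__main__":
    scenarios, est = run_batch()
    print("estimated P(recon -> intrusion) =", round(est["reconnaissance"]["intrusion"], 3))
    print("mean reconnaissance dwell =", round(mean_dwell(scenarios, "reconnaissance"), 1))
```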

Dataset preprocessing and train/test splits

Both of our benchmark data sets have been prepared to maintain a high-quality and consistent structure of the data, as well as to prepare it for effective modeling:

NSL-KDD: Duplicate records in this data set were deleted, and all categorical variables were encoded as numerical values via one-hot encoding. All variable values were also scaled to the range [0, 1] to account for differences in their scaling. As is common practice29, the dataset was divided into 70% for training and 30% for testing.

UNSW-NB15: This data set has been cleaned in a manner similar to the NSL-KDD data set, focusing on extracting flow-based variables most relevant to network intrusion detection. Approximately 35 of the most relevant variables were identified based on correlation analysis and knowledge of how attacks occur and what constitutes normal network traffic behavior. The same train/test ratios were used as in the original dataset to enable realistic evaluations55,56,57.

Feature sets utilized

Feature sets from the following categories were utilized in the simulation models of both data sets:

  • Connection metadata (i.e., connection duration, protocol type).

  • Statistical traffic characteristics (i.e., packet count, byte count).

  • Behavioral indicator (i.e., the number of failed login attempts, patterns of services accessed).

  • Temporal characteristics of network flows and sessions.

A subset of these carefully chosen feature sets was used as the basis for the anomaly-detection sub-models, and the observational input (y(t)) for the defender policy.

Results and analysis

In comprehensive simulation experiments, the composite behavior-based adaptive security model was evaluated for its effectiveness in real-world cyber defense scenarios. We assessed the model’s flexibility, detection quality, resource optimization, and safety under uncertainty in great detail, using real-world and synthetic datasets. Detection accuracy under increasing observation noise is depicted in Fig. 7, illustrating real-world imperfections in monitoring systems.

Fig. 7 Detection accuracy vs. noise level for different attack intensities.

Detection accuracy is above 90% in a low-noise setting (≤ 0.05 standard deviation), indicating the model’s ability to distinguish attack signatures from benign activity. With moderate noise (0.05–0.10), performance worsens but remains above 85%, so the adaptive detectors still perform reasonably well despite noisier inputs. Above 0.10, noise-related degradation becomes considerable, underscoring the importance of sensor quality and signal processing for operational performance. Detection performance also depends on the attacker’s intensity:

  • Low attacker intensity (0.3): Attack activity is limited and more distinguishable, so high detection rates are reached.

  • Moderate intensity (0.5): The model balances real-world false positives against real-world detection, in the range of ordinary operational challenges.

  • High intensity (0.7): Detection can fall slightly due to stealth and the number of attackers, but the adaptation mechanisms remain in place.

Resource utilization trade-offs and false positive rates

False positives (FP) produce redundant alerts and place a significant operational burden on defenders. Table 15 describes the impact of defender resource allocation on false-positive rates across repeated simulation runs. Increasing the allocated resources from 60% to 75% lowers the FP rate significantly (by 1.1 percentage points), indicating that detection reliability requires additional resources. Beyond 75%, diminishing returns are observed: FP continues to fall, but only slightly, while resource use keeps rising. This indicates an optimal performance-cost ratio for resource allocation. The trade-off is useful for orienting practical deployments toward adaptation strategies that reduce resource use without exceeding performance limits.

Adaptation speed and convergence

Defender adaptation speed evaluations focused on how quickly the defenses converged on the correct configuration after attacker strategies changed. The model adjusts within 500 time steps (~ 8.3% of a simulation run), indicating responsiveness that can be harnessed for real-time or near-real-time security operations. Convergence was evaluated from the decreasing magnitude of policy updates and the stability of detection metrics, which together indicate how quickly a defender learns attacker behavior over time and adjusts its defenses when required.

Counteract stealthy and multi-stage attacks

Simulated advanced persistent threat (APT) scenarios challenged the model with stealthy low-and-slow attack patterns. The composite approach, built on multi-sub-model integration, detected stealthy attack stages with over 70% success, compared to the baseline single-model approaches, which achieved a very low per-model detection average of 50%. The integrated adaptation mechanisms are well suited to timely, flexible resource allocation to suspicious hosts, allowing containment of attackers as they move between nodes and handling of persistent attackers over time.

Table 15 Defender resource utilization and false positive rate.

Statistical significance and robustness

Statistical tests were conducted for the composite model and a standard static detection model. Paired t-tests assessed the significance of the performance difference between the composite and traditional detection models, and ANOVA indicated a meaningful difference in the composite model’s performance at the 95% confidence level (p < 0.05).

Sensitivity analysis of the model parameters (learning rate, observation noise, and adversary intensity) indicates the model’s durability, as performance decrements under perturbation remain within tolerable limits (< 10%). The results confirm that the composite behavior-based adaptive security model can be expected to perform well under realistic uncertainty, limited sensor accuracy, and advanced stealth attacks. Because it offers high accuracy and saves resources by flexibly handling variations in dynamic behavior patterns, it is suitable for wide use in real-world cybersecurity setups.

Algorithmic workflow for real-world-inspired scenarios

This process, as shown in Fig. 8, is an iterative simulation of attacker-defender interactions that reproduces the continuous back-and-forth between evolving cyber threats and defense mechanisms. The components of the iterative algorithmic process are:

  1. Simulate attacker action: At each discrete simulation time step, the sub-models for attackers will take actions based upon their current state, past tactics, and their perception of the defenders’ recent behavior. These actions will include all attack phases, including reconnaissance, exploitation, and evasion. Stochastic elements will be used to model uncertainty and variability in attackers’ behavior, reflecting the unpredictable nature of real-world attackers.

  2. Update system state: Update the system state based on the actions taken by attackers and the defender’s current policies. The system state will comprise network conditions, host vulnerabilities, alert indicators, and performance metrics. The updating mechanism will capture both the direct effects of the attacks and the indirect, system-wide effects resulting from cascading events and defensive measures.

  3. Modeling defender observation: The defender components will have access to partially accurate and missing information about the system through logs, sensors, and threat intelligence feeds. This modeling effort will reflect the sensing limitations experienced in operational environments, e.g., false positives and detection delays.

  4. Adaptation of defender policies: Using the processed observations, the defender sub-models will adapt their strategies. The adaptations may include modifying the parameters for the anomaly detection algorithm, redistributing the security resources, and implementing countermeasures. The adaptations will use learning algorithms and control-theoretic feedback to improve the defender’s strategy in response to the evolving attacks.

  5. Continuous performance evaluation and learning: As part of the iterative algorithmic process, there will be continuous evaluations of the defenses’ effectiveness using metrics such as detection rates, false positive rates, resource usage, and attack mitigation success. The performance evaluations will provide the necessary input for online parameter adjustments and policy updates, enabling the system to continually improve.

Fig. 8 Algorithmic workflow for composite behavior-based adaptive security model simulation.

As can be seen in Fig. 9, the policy update magnitude decreases significantly in the first stage of the simulation, indicating rapid convergence of the defender’s adaptive mechanisms. Against dynamic and continually evolving cyber threats, the ability to reach a stable defense configuration within a manageable timeframe helps mitigate the risks of this type of attack. Figure 10 shows the detection accuracy the model achieves in the different APT phases (reconnaissance, exploitation, lateral movement, and persistence). The results shed light on the effectiveness of the various tactics: strong detection in the early stages of an attack and reduced detection in the later stages.

Fig. 9 Defender adaptation speed: policy convergence over time.

Fig. 10 Detection performance on synthetic APT scenario phases.

The simulation output establishes the performance of the composite behavior-based adaptive security model under realistic operational conditions. Using real data (NSL-KDD and UNSW-NB15) as well as synthetic data, the model’s detection accuracy exceeded 85% across different noise profiles and attacker intensities, as illustrated in Fig. 10.

Moderate to high observation noise enhances model robustness by helping it recognize complex multi-stage attacks. Table 15 demonstrates this through a simple analysis of resource use, which shows a decrease in false-positive rates through strategic defender adaptations that effectively balance the cost of computation. The quantitative conclusion is that the model can efficiently uncover adaptive threats while preserving operational effectiveness. To assess the adaptation rate of the proposed model, we examined Fig. 9 and observed quick convergence of the defender policies over the first 500 simulation steps. Such rapid adaptation is required of live cybersecurity software, given the constantly shifting threat environment and its associated vulnerabilities. In synthetic APT cases, the model showed high detection performance in the earlier stages and decreased performance in the later phases, as shown in Fig. 10, indicating a good stage-sensitive defensive response to APTs. Taken together, these results suggest that the composite model is scalable, reliable, and adaptive, and can effectively counter the instability, partial observability, and adversarial complexity of contemporary cyber threats.

Model validation and performance assessment

The evaluation of the adaptive behavior-based composite model’s performance is critical to demonstrate its feasibility and effectiveness. The purpose of this section is to outline the validation metrics resulting from the fundamental research goals. This section presents the experimental results and displays them with relevant visualizations. It provides a statement about the model’s performance across various configurations.

Validation metrics

Model validation is related to the primary research objectives. The metrics measured are:

  • Detection accuracy: The accuracy of detecting malicious activity by the model, which defines the extent to which the model can differentiate between attack patterns and normal operating system behavior.

  • Responsiveness to new and emerging threats: The speed at which the defense system recognizes and responds to unknown or varied attack tactics.

  • Resource use efficiency: The computational, memory, and operational overhead imposed by the defender’s adaptation policies, representing the balance between the security benefits gained and the costs to system, operational, and network performance.

  • False positive rate: The rate at which benign events are misclassified as threats has implications for operational overhead and network utility.

  • Robustness to observation noise and uncertainty: The reliability of detection and adaptation performance when sensors have varying amounts of noise, and the system is partially observable.

Experiments and case studies

Experiments and case studies were conducted to validate the model empirically:

  • Static and dynamic attack scenarios: 100 test scenarios consisting of fixed attacker behaviors and dynamic multi-stage APT sequences were tested.

  • Baseline comparison: The performance of this testing model was compared to traditional static detection models and reactive defense frameworks without adaptive policy learning.

  • Parameter variations: Sensitivity analysis was conducted on a large range of parameter variations, such as learning rates, sensor noise, and attacker sophistication, to evaluate the robustness of the models.

  • Realistic case study: A targeted cyber-physical attack on a simulated industrial control system was modeled. This provided a realistic means to assess how the model would perform against a real-world attack in an operational threat scenario.

Results and discussions

The overall results from this large-scale simulation are included in Table 16. These results provide an overview of how the composite behavioral model compares with the baseline non-adaptive framework across key performance metrics for simulated attacks of all kinds. Compared with the baseline non-adaptive framework, the composite behavioral model was more effective at detecting simulated attacks, producing a detection rate of over 87% during simulated multi-stage, dynamic, and complex attacks. Because the composite behavioral model reacts faster to simulated attacks than the static models, the defender responded more quickly. In terms of detection accuracy versus the level of sophistication of attackers, as shown in Fig. 11, the proposed model degrades gracefully (there is no sudden drop-off in detection accuracy) and maintains a detection accuracy greater than 85% even when the attacker is highly sophisticated, whereas the baseline models show a much steeper decline in performance. This demonstrates the extent to which the adaptive aspects of the proposed model enhance its robustness against sophisticated attackers.

Table 16 Summary of key metrics across scenarios.

The trade-off between resources utilized and the resulting false positive rate is presented in Fig. 12. Utilizing more resources leads to a corresponding reduction in the false positive rate. The figure also marks the optimal operating point identified by the model, where its security benefits are maximized without excessive computation. The speed with which the defender policy converges to a stable state, as indicated in Fig. 9, supports the model’s suitability for real-time applications. In terms of detecting advanced persistent threats using synthetic data, the model’s performance is depicted in Fig. 10 and demonstrates its capability to detect stealthy, multi-stage attacks effectively in their early stages.

Fig. 11 Detection accuracy vs. attack sophistication level.

The results are statistically significant (p < 0.05) based on the p-values from the paired t-tests comparing the proposed composite model to the static baselines. Sensitivity analyses performed to assess the model’s stability across a wide range of parameters indicate that it can adapt to a wide range of operational conditions. These results provide strong evidence supporting the model’s capability to meet the specific objectives of the current research and, to a high degree, to deliver a scalable and realistic adaptive cyber defense solution. Detailed per-scenario metrics and temporal evolution analyses would be beneficial for continuing to improve and implement the model in practice.

Fig. 12 Resource utilization vs. false positive rate tradeoff.

The dynamic evolution of the system states under attacker-defender interaction, together with the defender’s reaction over time, is plotted in Fig. 13. The behavior trajectories of the system state (blue, green, teal) represent the overall composite system moving from perturbed initial states toward a stable equilibrium. The characteristic oscillating decay of these trajectories is typical of realistic cyber-physical systems, where transient alterations may be due to offensive impulses or defensive responses, but overall system stability prevails. The defender adaptation curve (red dashed line) is relevant because it shows the defense mechanisms becoming more responsive with a smooth, dynamic response. Initially, the adaptation level is low. As the attacker’s behavior changes, the defender’s adaptation increases, indicating an increase in policy adaptation, resource allocation, or alert sensitivity. The subtle fluctuations on this curve correspond to an interaction in which the defender refines its tactical execution in response to its observations of the attacker. These curves point to two fundamental characteristics of the proposed composite model:

  1. Stability: Even when the attacks and defenses range from complex to nonlinear, the system’s states converge to an equilibrium, so the system can withstand persistent and evolving threats.

  2. Adaptability: The defender adaptively learns and escalates its response as attacker dynamics change, so that it can intervene before it is overwhelmed by the attack.

This conceptual framework reinforces the model’s relevance to cybersecurity practice, where the integrity of the system must be preserved while dynamically engaging with intelligent adversaries. It visually emphasizes the mathematical properties described in the model formulation, as well as the adaptation times empirically observed in the simulation results. This illustrates the sequential nature of cyber engagements and the need for adaptable protection if systems are to operate resiliently.

Fig. 13 Conceptual plot of stability and adaptability.

Statistical acceptance testing and hypothesis evaluation

To thoroughly assess whether the composite behavior-based adaptive security model is effective and offers an advantage over current models, a formal statistical acceptance testing approach was used for evaluation.

Research hypotheses

The hypotheses that guided our validation were as follows:

  • H1 (Effectiveness): Compared to traditional static or non-adaptive approaches, the composite behavior-based adaptive security model has significantly greater detection accuracy.

  • H2 (Adaptability): When compared to all other currently available frameworks, the composite behavior-based adaptive security model can adapt to changing attack strategies at a rate that is significantly faster.

  • H3 (Resource efficiency): Compared to all conventional defense models, the composite behavior-based adaptive security model provides a better trade-off between resource usage and false positives.

Methodology for statistical testing

To provide a strong basis for evaluating the effectiveness of our model, we have used both parametric and nonparametric statistical methods. As shown in Table 17, we performed a paired Student’s t-test to assess differences in average detection accuracy and time-to-adapt between the composite model and the baseline models. We used ANOVA to evaluate the impact of varying levels of attacker sophistication on the composite model’s detection performance. A Wilcoxon signed-rank test was also performed to evaluate differences in false-positive rates when data normality could not be assumed. We used an alpha (α) value of 0.05 (the default significance level) and 95% confidence intervals for all tests.

Table 17 Tests employed and assumptions made.

Statistical results summary

Table 18 presents comparative results for detection accuracy and adaptability speed as part of the baseline data comparison for the adaptive security system. The ANOVA results presented in Table 19 provide statistical proof of the claim that the sophisticated nature of an attacker affects the ability of the proposed model to identify the attack, therefore demonstrating its versatility to different types of threats. The proposed model required less computational power to function, as evidenced by the much lower number of false positives reported in Table 20. The results from these studies support the superior feasibility and practicality of the proposed methodology as compared to all existing defensive methods based upon statistical significance (p < 0.001) and confidence intervals.

Table 18 Paired t-test results for detection accuracy and adaptation speed.
Table 19 ANOVA analysis on detection accuracy by attack sophistication level.
Table 20 Wilcoxon signed-rank test for false positive rates.

All of the statistical tests outlined above were performed on simulated data from thirty different runs of the simulation, each run using a unique random seed for initialization to account for variability in the system due to randomness, in order to establish reliable conclusions.

The Shapiro-Wilk normality test was applied to the distribution of difference scores for each pair of observations to assess whether they were normally distributed before performing the paired Student’s t-test. Each dataset had p-values > 0.05 (0.12–0.45), so normality was not rejected and the difference scores for each pair of observations can be treated as normally distributed. This justifies the application of parametric methods.

We calculated the effect size using Cohen’s d. The effect sizes (d > 0.80) for the t-tests on detection accuracy and adaptation speed indicate a large practical difference in performance between the baseline systems and the composite behavior-based adaptive security model.

For the Wilcoxon Signed-Rank Test (false-positive rate), we provided the matched-pairs rank-biserial correlation as an additional measure of effect size for nonparametric analyses. This demonstrates that false positive rates decrease as resources allocated to the composite behavior-based adaptive security model increase relative to the baseline systems. The effect sizes, combined with the p-values and test statistics, provide a comprehensive assessment of the composite behavior-based adaptive security model’s enhanced performance over the baseline systems and the degree of the enhancement.

The Wilcoxon signed-rank test results clearly demonstrate that the model achieves significant reductions in false positives and is more resource-efficient than alternative defense architectures. These statistical analyses clearly support the enhanced and reliable nature of the composite model in adaptive cybersecurity environments, and can be interpreted as follows:

  • H1: The paired t-tests indicate with certainty that the composite model has better performance than baseline methods.

  • H2: The improved adaptability in the model’s ability to respond to new threats in a timely manner is an important indicator of the model’s overall ability to protect from new or changing threats.

  • H3: Results of the ANOVA show that while attacker sophistication may increase, the composite model performs with relative consistency, thus providing reliability of its defenses.

Statistical tests were conducted after examining the assumptions for each test. The Shapiro-Wilk test was used to assess the normality of differences among subjects, and the Levene test was used to determine whether the variances among subjects were homogeneous. Because of these assessments, a paired t-test was selected along with a non-parametric alternative (Wilcoxon). A Bonferroni correction was made to avoid Type I errors as a result of multiple comparisons.
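The acceptance-testing pipeline described in this section (paired t-test with Cohen’s d_z, Wilcoxon signed-rank test with a rank-biserial effect size, and a Bonferroni-corrected alpha shared across H1–H3 over thirty seeded runs), as an added example that is not the paper’s code. The per-seed metrics are constructed toy values, the Student’s t tail is obtained by numerical integration instead of scipy, and the Shapiro-Wilk, Levene and ANOVA steps are left out.

```python
"""Statistical acceptance test of the kind described above, as an added example that is
not the paper's code. Pure Python (no scipy); the per-seed metrics are constructed."""
import math

ALPHA = 0.05
N_HYPOTHESES = 3   # H1, H2, H3 evaluated at one Bonferroni-corrected level
N_SEEDS = 30       # one simulation run per random seed, as in the paper

# Constructed per-seed metrics (deterministic toy values, not measured results).
ACC_COMPOSITE = [0.87 + 0.010 * math.sin(i) for i in range(N_SEEDS)]
ACC_BASELINE = [0.78 + 0.015 * math.cos(1.7 * i) for i in range(N_SEEDS)]
STEPS_TO_ADAPT_COMPOSITE = [420 + 25 * math.sin(0.9 * i) for i in range(N_SEEDS)]
STEPS_TO_ADAPT_BASELINE = [900 + 60 * math.cos(1.3 * i) for i in range(N_SEEDS)]
FPR_COMPOSITE = [0.04 + 0.01 * math.sin(i) for i in range(N_SEEDS)]
FPR_BASELINE = [0.06 + 0.02 * math.cos(i) for i in range(N_SEEDS)]


def t_pvalue_two_sided(t, df, steps=20000):
    """Two-sided Student's t p-value by Simpson integration of the density (df >= 10)."""
    coef = math.exp(math.lgamma((df + 1) / 2) - math.lgamma(df / 2)) / math.sqrt(df * math.pi)
    pdf = lambda u: coef * (1 + u * u / df) ** (-(df + 1) / 2)
    lo, hi = abs(t), abs(t) + 60.0   # density beyond hi is negligible for df >= 10
    h = (hi - lo) / steps
    s = pdf(lo) + pdf(hi) + sum((4 if k % 2 else 2) * pdf(lo + k * h) for k in range(1, steps))
    return min(1.0, 2.0 * s * h / 3.0)


def paired_t_test(better, worse):
    """Paired Student's t-test on better - worse; returns (t, two-sided p, Cohen's d_z)."""
    diffs = [x - y for x, y in zip(better, worse)]
    n = len(diffs)
    mean = sum(diffs) / n
    sd = math.sqrt(sum((d - mean) ** 2 for d in diffs) / (n - 1))
    t = mean / (sd / math.sqrt(n))
    return t, t_pvalue_two_sided(t, n - 1), mean / sd


def _average_ranks(values):
    """1-based ranks, ties receiving their average rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j + 2) / 2.0
        i = j + 1
    return ranks


def wilcoxon_signed_rank(worse, better):
    """Wilcoxon signed-rank test on worse - better (zero differences dropped).
    Returns (W+, two-sided p via the normal approximation, rank-biserial r)."""
    diffs = [x - y for x, y in zip(worse, better) if x != y]
    n = len(diffs)
    ranks = _average_ranks([abs(d) for d in diffs])
    w_plus = sum(r for r, d in zip(ranks, diffs) if d > 0)
    w_minus = sum(r for r, d in zip(ranks, diffs) if d < 0)
    total = n * (n + 1) / 2.0
    z = (w_plus - total / 2.0) / math.sqrt(n * (n + 1) * (2 * n + 1) / 24.0)
    return w_plus, math.erfc(abs(z) / math.sqrt(2.0)), (w_plus - w_minus) / total


def acceptance_test():
    """Evaluate H1-H3 (higher accuracy, fewer steps to adapt, lower FPR) at alpha / 3."""
    alpha = ALPHA / N_HYPOTHESES
    t1, p1, d1 = paired_t_test(ACC_COMPOSITE, ACC_BASELINE)
    t2, p2, d2 = paired_t_test(STEPS_TO_ADAPT_BASELINE, STEPS_TO_ADAPT_COMPOSITE)
    _, p3, r3 = wilcoxon_signed_rank(FPR_BASELINE, FPR_COMPOSITE)
    return {
        "H1_detection_accuracy": {"t": t1, "p": p1, "cohen_d": d1, "accept": t1 > 0 and p1 < alpha},
        "H2_adaptation_speed": {"t": t2, "p": p2, "cohen_d": d2, "accept": t2 > 0 and p2 < alpha},
        "H3_false_positive_rate": {"p": p3, "rank_biserial": r3, "accept": r3 > 0 and p3 < alpha},
    }


if __name__ == "__main__":
    for name, result in acceptance_test().items():
        print(name, {k: round(v, 6) if isinstance(v, float) else v for k, v in result.items()})
```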

Comparison

The proposed composite behavior-based adaptive security model was compared with existing benchmarks and state-of-the-art models, all of which are recognized in the cybersecurity literature for their effectiveness in this space. The multi-stage attacker behaviors were based on the Cyber Kill Chain model, a widely used threat-modeling framework that outlines the typical phases of an attack and the common steps within each28. Datasets such as NSL-KDD and UNSW-NB15 have been the primary sources of real-world attack and network traffic data for training and testing IDSs.

Regarding simulation environments, more recent findings indicate that using a wide range of cybersecurity platforms can balance realism and flexibility in experimentation and testing31. We ensure that our simulated testing environment follows best practices by combining the generation of synthetic attacks with realistic data sources to create a variety of complex, multi-dimensional simulations needed to test (stress-test) adaptive defensive capabilities. We compare our models against the state-of-the-art in machine learning (ML), using ML-based classification techniques32, reinforcement learning (RL)-based defenses5, and game-theoretic-based adaptive approaches23. This demonstrates how we are implementing paradigms for dynamic and intelligent cyber defense.

The following are common benchmark models from the literature that are relevant to the topic, which were identified based on their relevance to the work:

  • Static machine learning classifier models: Random Forest and Support Vector Machines (SVM) are machine learning classification models that have seen extensive use for detecting intrusion32,33.

  • Bayesian network-based anomaly detectors: Bayesian network-based anomaly detection supports probabilistic decision making and can model uncertainty34.

  • Reinforcement Learning (RL) based Defense Models: Examples of reinforcement learning (RL)-based defense models exist in5,35, where RL adapts to learn the optimal defense strategy.

  • Game-theoretic cyber defense models: Examples of game-theoretic cyber-defense models can be found in23,36. These models can represent strategic interactions between attacker and defender.

  • Deep learning approaches: Autoencoders and Long Short-Term Memory (LSTM) networks, which extract and predict deep features respectively37,38.

Each model was evaluated against the core criteria as shown in Table 20:

Table 20 Comparison core criteria.

The average computation times listed in the table are the times to execute one update/adaptation cycle of the defender’s strategy in the simulation. This is the time the algorithm needs to process the observed data, update the defender’s internal policy parameters, and generate an adaptive action at each discrete simulation step. The timings were measured on a specific hardware configuration (Intel Core i7-10700K CPU, 8 cores @ 3.8 GHz, 32 GB RAM, Ubuntu 20.04 LTS, Python 3.9) using Python’s high-resolution timers, and averaged across multiple simulation executions (at least 30 repeated executions with different random seeds) to obtain a robust average insensitive to transient variations in the system under test. They measure the cost of a single update cycle rather than the cost of processing samples or batches in a single pass through the data. The simulation environment executes synchronous updates at regular intervals in simulated time to represent changes in the system state.

Table 21 shows that the adaptive model achieves both higher detection accuracy and faster adaptation than the benchmark models on both standard test data and synthetic APT scenarios. The proposed model is highly adaptable yet retains a reasonable computational footprint, enabling timely updates and operation in real time or near real time26,39. Deep learning techniques achieve very strong accuracy, but they have high computational requirements and can incur long latencies, which makes them difficult to deploy in resource-constrained environments40,41. Game-theoretic solutions are theoretically attractive, but their scalability to larger networks is generally limited by increasing complexity36,42. By using multiple sub-models to describe behavior and a stochastic adaptive process, the composite model is significantly more robust to diverse evasion tactics and noisy inputs than those based on a single method15,21,43,44. The modularity of this model allows new attack types to be added and changing threat landscapes to be defended against; this is an important advantage over less dynamic and/or narrower models.

Table 21 Model performance comparison.

Validity threats

Given our reliance on simulation-based experimentation, it is also necessary to acknowledge possible validity threats to our findings and the steps we have taken to reduce their influence.

Internal validity threats: We recognize that our study could be impacted by bias introduced during the generation of synthetic data and through our choice of parameter values for the synthetic scenarios. We attempted to limit the extent of this bias by using empirical data from established benchmark datasets to define the parameters for each synthetic scenario. We used pilot studies to determine optimal adaptation learning rates. Randomness generated during the simulation process can also introduce variability into our results. In an effort to ensure that our results were both consistent and robust, we ran the simulation multiple times with different random seed values and performed sensitivity analyses on the resulting outputs to confirm that our results were representative of trends throughout the entire dataset.

There is also the possibility of oversimplification in our model (for example, we modeled only a few attack types and/or only a few defender policies), which could prevent us from accurately modeling some of the complex behaviors observed in reality. The modularity of our model was designed to allow us to incrementally add levels of complexity as needed and to ultimately serve as the foundation for models that represent increasingly realistic interactions between attackers and defenders.

External validity threats: While our simulated environment represents common structural components and attack paradigms found in cyber-physical systems, real-world networks and attacker behavior are much more varied and are constantly changing. Therefore, we must proceed with caution when generalizing the results from our simulations to all operational contexts. We used established intrusion detection datasets to support the external validity of our results; they do not represent the full range of emerging threats or the diversity of system architectures found in real-world networks.

To help alleviate these concerns, future work will focus on deploying the model in live or testbed environments, collecting empirical feedback, and integrating real-time threat intelligence to enhance the model’s ability to represent real-world threats and applications.

Future direction

It has become possible to extend our composite behavior modeling paradigm into much more complex, multi-agent, and partially observable adversarial domains. There are many directions to pursue, including establishing conditions, providing quantitative bounds on robustness to observational noise, and describing the limits of adaptive defense under limited resources.

The other direction is to develop and extend this paradigm to fit distributed, incentive-driven systems, including blockchain networks. In these types of systems, multi-stage attack workflows align well with the various stages of adversarial behavior described above. Policies for defenders will involve adjusting protocol parameters, implementing sophisticated monitoring at the network and smart-contract layers, and automating responses.

Combining AI-enhanced blockchain security represents an exciting application domain. Here, composite behavior models can integrate multiple signal types into coherent, adaptive defense policies. This will enrich detection accuracy while balancing computational overhead and false-positive trade-offs, which parallels our analysis of the relationship between resource utilization and detection performance.

A recent and comprehensive review of advancements and opportunities in the growing space of AI/blockchain technologies provides a strong foundation for positioning future work in this emerging field45.

Conclusion

The proposed composite behavior-based adaptive security model demonstrates improved performance compared to previous adaptive cybersecurity models. This is due to its ability to provide a scalable and consistent composite of attacker and defender behavioral submodels. Experimental results have shown that the composite model has a higher attack-detection rate than the models tested in comparison. It adapts to emerging threats more quickly than previously developed models and uses resources more effectively. The results demonstrate that the composite model is capable of success in complex, uncertain, and realistic environments. This model illustrates a way to achieve durable, automated defensive capability through multi-dimensional interactions between attackers and defenders. The composite model also captures the dynamic and stochastic nature of cyber engagement, enabling real-time threat anticipation and mitigation. The modular nature of the model allows for the integration of new attack vectors and defense strategies as the environment continues to evolve. We encourage researchers and practitioners to build on this work to improve the explainability and computational efficiency of the model, thereby helping to develop and protect increasingly sophisticated cyber-physical systems through composite behavior modeling.