Saved in:
Bibliographic Details
Main Author: Gurbanaliyev I.
Format: Digital resource
Language:
Published: Zenodo 2026
Subjects:
Online Access: https://doi.org/10.5281/zenodo.18655669
author Gurbanaliyev I.
contents Security Information and Event Management (SIEM) pipelines excel at collecting and correlating telemetry, yet incident outcomes often remain hard to interpret operationally: analysts can see what happened, but not clearly what would need to be different for the incident to be prevented, downgraded, or resolved faster. This paper proposes a log-driven counterfactual explanation approach tailored to cyber incidents detected in SIEM environments. We define counterfactuals as minimally invasive, operationally feasible changes to log-evidenced conditions (e.g., identity posture, authentication controls, network segmentation, endpoint hardening, alert routing) that would plausibly alter the incident outcome produced by a detection/correlation model.
Building on established counterfactual explanation principles (actionability, proximity, and diversity), we adapt them to the constraints of security logs: temporal ordering, entity relationships (user-host-resource), and policy immutables. We present an end-to-end architecture for generating counterfactuals inside SIEM pipelines, including log normalization, incident graph construction, model-agnostic counterfactual search with security constraints, and human-readable "playbook-style" outputs. We also propose evaluation criteria for SOC usage (validity, feasibility, cost, stability, and analyst utility) and outline realistic scenarios such as credential compromise, lateral movement, and cloud misconfiguration. The approach aims to improve triage speed, support defensible post-incident learning, and enable "what-if" hardening decisions without exposing model internals.
format Digital resource
institution Zenodo
language
publishDate 2026
publisher Zenodo
title LOG-DRIVEN COUNTERFACTUAL EXPLANATIONS FOR CYBER INCIDENTS IN SIEM PIPELINES
topic SIEM, cybersecurity, incident response, explainable AI, counterfactual explanations, log analytics, SOC operations, causal reasoning, security graphs
url https://doi.org/10.5281/zenodo.18655669