Bibliographic data
Main author: Gurbanaliyev I.
Format: Digital resource
Language:
Published: Zenodo 2026
Subjects:
Online access: https://doi.org/10.5281/zenodo.18655669
Table of contents:
  • Security Information and Event Management (SIEM) pipelines excel at collecting and correlating telemetry, yet incident outcomes often remain hard to interpret operationally: analysts can see what happened, but not clearly what would need to be different for the incident to be prevented, downgraded, or resolved faster. This paper proposes a log-driven counterfactual explanation approach tailored to cyber incidents detected in SIEM environments. We define counterfactuals as minimally invasive, operationally feasible changes to log-evidenced conditions (e.g., identity posture, authentication controls, network segmentation, endpoint hardening, alert routing) that would plausibly alter the incident outcome produced by a detection/correlation model.

    Building on established counterfactual explanation principles (actionability, proximity, and diversity), we adapt them to the constraints of security logs: temporal ordering, entity relationships (user-host-resource), and policy immutables. We present an end-to-end architecture for generating counterfactuals inside SIEM pipelines, including log normalization, incident graph construction, model-agnostic counterfactual search with security constraints, and human-readable “playbook-style” outputs. We also propose evaluation criteria for SOC usage (validity, feasibility, cost, stability, and analyst utility) and outline realistic scenarios such as credential compromise, lateral movement, and cloud misconfiguration. The approach aims to improve triage speed, support defensible post-incident learning, and enable “what-if” hardening decisions without exposing model internals.