DeepXplain: XAI-Guided Autonomous Defense Against Multi-Stage APT Campaigns
This work addresses the need for trustworthy autonomous defense in cybersecurity, though it builds incrementally on prior models like DeepStage.
The paper tackles the problem of opaque decisions in deep reinforcement learning for autonomous cyber defense against multi-stage APT campaigns by introducing DeepXplain, an explainable DRL framework that integrates explanation signals into policy optimization, resulting in improvements such as stage-weighted F1-score from 0.887 to 0.915 and success rate from 84.7% to 89.6%.
Advanced Persistent Threats (APTs) are stealthy, multi-stage attacks that require adaptive and timely defense. While deep reinforcement learning (DRL) enables autonomous cyber defense, its decisions are often opaque and difficult to trust in operational environments. This paper presents DeepXplain, an explainable DRL framework for stage-aware APT defense. Building on our prior DeepStage model, DeepXplain integrates provenance-based graph learning, temporal stage estimation, and a unified XAI pipeline that provides structural, temporal, and policy-level explanations. Unlike post-hoc methods, explanation signals are incorporated directly into policy optimization through evidence alignment and confidence-aware reward shaping. To the best of our knowledge, DeepXplain is the first framework to integrate explanation signals into reinforcement learning for APT defense. Experiments in a realistic enterprise testbed show improvements in stage-weighted F1-score (0.887 to 0.915) and success rate (84.7% to 89.6%), along with higher explanation confidence (0.86), improved fidelity (0.79), and more compact explanations (0.31). These results demonstrate enhanced effectiveness and trustworthiness of autonomous cyber defense.