DeepXplain: XAI-Guided Autonomous Defense Against Multi-Stage APT Campaigns

TL;DR

DeepXplain is an explainable deep reinforcement learning framework designed for multi-stage APT defense, integrating provenance-based graph learning and explanation signals directly into policy optimization to improve trustworthiness and effectiveness.

Contribution

It introduces the first framework to incorporate explanation signals into reinforcement learning specifically for APT cyber defense, enhancing transparency and performance.

Findings

Improved stage-weighted F1-score from 0.887 to 0.915

Increased success rate from 84.7% to 89.6%

Higher explanation confidence (0.86) and fidelity (0.79)

Abstract

Advanced Persistent Threats (APTs) are stealthy, multi-stage attacks that require adaptive and timely defense. While deep reinforcement learning (DRL) enables autonomous cyber defense, its decisions are often opaque and difficult to trust in operational environments. This paper presents DeepXplain, an explainable DRL framework for stage-aware APT defense. Building on our prior DeepStage model, DeepXplain integrates provenance-based graph learning, temporal stage estimation, and a unified XAI pipeline that provides structural, temporal, and policy-level explanations. Unlike post-hoc methods, explanation signals are incorporated directly into policy optimization through evidence alignment and confidence-aware reward shaping. To the best of our knowledge, DeepXplain is the first framework to integrate explanation signals into reinforcement learning for APT defense. Experiments in a realistic enterprise testbed show improvements in stage-weighted F1-score (0.887 to 0.915) and success rate (84.7% to 89.6%), along with higher explanation confidence (0.86), improved fidelity (0.79), and more compact explanations (0.31). These results demonstrate enhanced effectiveness and trustworthiness of autonomous cyber defense.