39 seconds. That is the interval between two consecutive cyber attacks as of 2023, meaning that by the time you have finished reading this abstract, one or two additional cyber attacks will have occurred somewhere in the world. In this context of sharply increased frequency of cyber threats, Security Operations Centers (SOCs) and Computer Emergency Response Teams (CERTs) can be overwhelmed. In order to relieve cybersecurity teams in their investigative effort and help them focus on higher-value tasks, machine learning approaches and methods have started to emerge. This paper introduces a novel method, IsoEx, for detecting anomalous and potentially problematic command lines during the investigation of contaminated devices. IsoEx is built around a set of features that leverages the log structure of the command line, as well as its parent/child relationship, to achieve greater accuracy than traditional methods. To detect anomalies, IsoEx resorts to an unsupervised anomaly detection technique that is both highly sensitive and lightweight. A key contribution of the paper is its emphasis on interpretability, achieved through the features themselves and through the application of eXplainable Artificial Intelligence (XAI) techniques and visualizations. This is critical to ensure the adoption of the method by SOC and CERT teams, as the paper argues that the current literature on machine learning for log investigation has not adequately addressed the issue of explainability. This method was proven efficient in a real-life environment, as it was built to support a company's SOC and CERT.