
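@comment{
  Online-first article: volume, issue and pages are not yet assigned by the
  publisher, so those fields are omitted rather than left empty (empty fields
  trigger BibTeX/Biber warnings and render as blanks). Year is taken from the
  DOI prefix (cmc.2026.*); fill in volume/number/pages once the issue is out.
}
@article{cmc.2026.081752,
  author        = {Hu, Hangyu and Zhang, Liangrui and Huang, Xiaowei and Yao, Xingmiao and Qu, Youyang and Wu, Xia and Hu, Guangmin},
  title         = {Logic-Aware Security Playbook Generation for {SOAR} Using Adversarial Representation Learning},
  journal       = {Computers, Materials \& Continua},
  year          = {2026},
  issn          = {1546-2226},
  doi           = {10.32604/cmc.2026.081752},
  url           = {http://www.techscience.com/cmc/online/detail/27195},
  note          = {Online first; volume, issue and pages pending},
  abstract      = {With the evolution of information technology toward more advanced intelligence and automation, Security Orchestration, Automation, and Response (SOAR) has become a critical foundation for security incident handling, owing to its intelligent orchestration capabilities. Security playbooks, as the core mechanism for automated response in SOAR, require well-designed workflows and precise action matching to ensure efficient and accurate alert handling. However, with the rising sophistication of attacks and the expanding scale of security alerts, traditional expert-driven playbook recommendation approaches often degrade in recommendation quality or completely fail when existing playbook repositories cannot adequately cover unknown or novel alert scenarios. Generative Adversarial Network (GAN) offers a promising solution by capturing feature associations from existing playbooks and autonomously generating validated new playbooks tailored to previously unseen alert characteristics. Motivated by this, we propose a logic-aware, two-stage GAN-based playbook generation method in this paper. In the first stage, alert features are projected into a modeled playbook feature space to perform preliminary similarity matching. In the second stage, a hybrid strategy combining similarity-based recommendation and GAN-driven generation is used to produce and refine playbooks while preserving logical workflow integrity. Experimental results demonstrate that the proposed approach not only delivers high-precision playbook recommendations for known alert scenarios but also efficiently generates reliable playbooks for unseen alerts, achieving an average alert handling success rate of 86.55\%, and thereby fulfilling response requirements in previously uncovered scenarios.},
  annote        = {Reviewer note: the abstract reports an 86.55\% alert-handling success rate for GAN-generated playbooks on unseen alerts, but does not state how a generated playbook is validated before its response actions are executed, nor whether the training playbook repository is assumed trustworthy (a poisoned or attacker-influenced repository would shape what the generator emits). Confirm both points in the paper before citing the figure as an operational result; a human-approval or sandbox gate in front of generated playbooks is the practical mitigation to look for.},
  internal-note = {year inferred from DOI prefix cmc.2026 -- confirm when the issue is assigned; author list converted from comma-separated to BibTeX "and" form; placeholder pages = {{pages}} removed; literal % in abstract escaped as \% so it does not start a LaTeX comment when the field is typeset},
}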



