AIQL - Enabling Efficient Attack Investigation from System Monitoring Data

Welcome to our project website! The AIQL system is a novel query system that collects system monitoring data as attack provenance and assists attack investigations by efficiently querying risky system behaviors from the data. Our system provides a domain-specific query language, the Attack Investigation Query Language, which empowers security analysts to write concise and expressive behavioral queries for investigating sophisticated attacks. Our system optimizes query execution based on domain data characteristics, allowing queries to be executed efficiently over massive system monitoring data (124x speed-up compared to the relational database system PostgreSQL, and 157x speed-up compared to the graph database system Neo4j).

On this website, you will find:

  • End-to-end efficiency improvements with an APT attack case study: we performed a case study of an APT attack on the deployed environment, and evaluated the efficiency improvements of the AIQL system over relational database system PostgreSQL and graph database system Neo4j.

  • Conciseness improvements: we evaluated the conciseness improvements of AIQL queries against SQL, Neo4j Cypher, and Splunk SPL queries on four major types of attack behaviors: (1) multi-step attack behaviors; (2) dependency tracking behaviors; (3) real-world malware behaviors; (4) abnormal system behaviors.

  • Scheduling improvements: we further evaluated the efficiency improvements offered by the AIQL query execution scheduling, and compared against SQL scheduling in PostgreSQL and Greenplum.

  • A system demo video

Please read our USENIX ATC'18 paper for more details!