AIQL Language Design

To enable security analysts to perform effective attack investigations, AIQL provides a concise syntax that describes a behavior as a series of activities, where each activity is represented by an event pattern of the form {subject-operation-object}. To ease the task of specifying relationships among activities, AIQL provides syntax that directly supports the two major types of relationships: attribute relationships and temporal relationships. In addition, AIQL provides sliding time window constructs with common aggregation functions, together with access to history states, so that frequency-based queries can be used to find abnormal behaviors. To concisely express dependency tracking, AIQL provides a dependency query syntax that expresses a sequence of events with temporal dependencies in the form of an event path. Based on the AIQL grammar (Grammar 1), we leverage ANTLR 4 to implement the lexer and the parser.
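As an added illustration (not the paper's AIQL implementation, whose grammar is not reproduced here), the following Python sketches the semantics just described over a constructed set of audit events: a {subject-operation-object} pattern matcher, a dependency query that chains patterns through attribute and temporal relationships into an event path, and a sliding-window count for frequency-based queries. The event layout and the function names `match_pattern`, `dependency_path` and `window_counts` are assumptions made for this example.

```python
from collections import namedtuple
from itertools import product

# One audited system activity; the entity names and timestamps below are constructed.
Event = namedtuple("Event", "ts subject op obj")

EVENTS = [
    Event(1, "proc:curl", "write", "file:/tmp/x.sh"),
    Event(2, "proc:bash", "read", "file:/tmp/x.sh"),
    Event(3, "proc:bash", "connect", "ip:10.0.0.5"),
    Event(4, "proc:bash", "connect", "ip:10.0.0.5"),
    Event(5, "proc:bash", "connect", "ip:10.0.0.5"),
    Event(6, "proc:vim", "write", "file:/tmp/y.txt"),
]

def match_pattern(events, subject=None, op=None, obj=None):
    """Events matching a {subject-operation-object} pattern; None is a wildcard,
    and a subject/object prefix such as "file:" selects an entity type."""
    return [e for e in events
            if (subject is None or e.subject.startswith(subject))
            and (op is None or e.op == op)
            and (obj is None or e.obj.startswith(obj))]

def dependency_path(events, patterns, attr_links):
    """Dependency query: return event paths e1 -> e2 -> ... where each event
    matches its pattern, consecutive events are temporally ordered (strictly
    increasing ts), and each consecutive pair satisfies the attribute
    relationship attr_links[i](e_i, e_i+1), e.g. "same file" or "same process"."""
    candidates = [match_pattern(events, **p) for p in patterns]
    return [combo for combo in product(*candidates)
            if all(a.ts < b.ts and link(a, b)
                   for a, b, link in zip(combo, combo[1:], attr_links))]

def window_counts(events, pattern, window):
    """Frequency-based query: for each event matching `pattern`, count matching
    events inside the sliding window (ts - window, ts]; a high count flags a burst."""
    hits = match_pattern(events, **pattern)
    return {e.ts: sum(1 for h in hits if e.ts - window < h.ts <= e.ts)
            for e in hits}

if __name__ == "__main__":
    # Path: a process writes a file, another process reads it, then connects out.
    paths = dependency_path(
        EVENTS,
        [{"op": "write", "obj": "file:"}, {"op": "read", "obj": "file:"},
         {"op": "connect"}],
        [lambda a, b: a.obj == b.obj, lambda a, b: a.subject == b.subject])
    for p in paths:
        print(" -> ".join(f"{e.subject} {e.op} {e.obj}" for e in p))
    print(window_counts(EVENTS, {"op": "connect"}, window=3))
```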