Comprehensive Evaluations
In addition to the case study, we further performed four major types of attack behaviors in our deployed environment and collected system monitoring data (738 GB):
Multi-step attack behaviors that involve multiple steps to penetrate into an enterprise network, enumerate administrator credentials, and steal information (a1-a5)
Dependency tracking behaviors that track the origins of Chrome and Java update executables, and perform impact analysis of malicious scripts (d1-d3):
    d1: causal dependency tracking of the origin of a Chrome update executable
    d2: causal dependency tracking of the origin of a Java update executable
    d3: impact analysis of a malicious script
Real-world malware behaviors from VirusSign (v1-v5):
    v1: 7dd95111e9e100b6243ca96b9b322120.vir, Trojan.Sysbot
    v2: 425327783e88bb6492753849bc43b7a0.vir, Trojan.Hooker
    v3: ee111901739531d6963ab1ee3ecaf280.vir, Virus.Autorun
    v4: 4e720458c357310da684018f4a254dd0.vir, Virus.Sysbot
    v5: 7dd95111e9e100b6243ca96b9b322120.vir, Trojan.Hooker
Abnormal system behaviors in enterprise systems based on security experts' knowledge (s1-s6):
    s1: command history probing
    s2: processes other than Apache listening on port 80
    s3: frequent network accesses
    s4: processes erasing traces from system files
    s5: network access spike
    s6: abnormal file accesses
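To make the s-type behaviors concrete, here is an added example (not code from the AIQL paper or its system) that expresses three of them, s2, s4 and s5, as plain detection functions run over a constructed sample of system monitoring events. The event schema (timestamp, pid, executable path, event kind, target), the allow-lists of expected Apache and log-writer binaries, and the spike window and threshold are all assumptions chosen for illustration; AIQL expresses the same rules as queries over its own event model.

```python
"""Detection rules s2, s4 and s5 over constructed system-monitoring events.

Each event is a tuple (ts, pid, exe, kind, target), where kind is one of
'listen' (target = port), 'connect' (target = "ip:port"),
'file_write' / 'file_delete' (target = path). This schema is an assumption.
"""
from collections import defaultdict
from os.path import basename

# Constructed sample events (not real monitoring data): a legitimate Apache
# listener, an unknown binary in /tmp that also listens on 80, wipes logs and
# history, and then bursts outbound connections, plus benign background noise.
EVENTS = [
    (100, 1001, "/usr/sbin/apache2", "listen", 80),
    (101, 2002, "/tmp/.x/srv", "listen", 80),
    (102, 2002, "/tmp/.x/srv", "file_delete", "/var/log/auth.log"),
    (103, 2002, "/tmp/.x/srv", "file_write", "/root/.bash_history"),
    (104, 3003, "/usr/sbin/rsyslogd", "file_write", "/var/log/auth.log"),
] + [
    # 60 connects in 60 seconds from the suspicious process
    (110 + i, 2002, "/tmp/.x/srv", "connect", f"10.0.0.{i % 20}:443") for i in range(60)
] + [
    # 6 connects spread over a minute from curl: normal rate
    (110 + i * 10, 4004, "/usr/bin/curl", "connect", "93.184.216.34:443") for i in range(6)
]

# Assumed allow-lists; a real deployment would derive these from its baseline.
APACHE_EXES = {"apache2", "httpd"}
TRACE_FILES = ("/var/log/", "/root/.bash_history")
TRACE_WRITERS = {"rsyslogd", "syslog-ng", "systemd-journald", "logrotate"}


def s2_non_apache_port80(events):
    """s2: processes other than Apache listening on port 80."""
    return sorted({(pid, exe) for _, pid, exe, kind, tgt in events
                   if kind == "listen" and tgt == 80
                   and basename(exe) not in APACHE_EXES})


def s4_trace_erasure(events):
    """s4: writes or deletes to log/history files by processes that are not
    known log writers, i.e. candidate trace-erasure activity."""
    hits = []
    for ts, pid, exe, kind, tgt in events:
        if (kind in ("file_write", "file_delete")
                and str(tgt).startswith(TRACE_FILES)
                and basename(exe) not in TRACE_WRITERS):
            hits.append((ts, pid, exe, kind, tgt))
    return hits


def s5_network_spike(events, window=30, threshold=20):
    """s5: flag (pid, exe, window_start, count) where one process opens more
    than `threshold` outbound connections inside a `window`-second bucket."""
    buckets = defaultdict(int)
    for ts, pid, exe, kind, _ in events:
        if kind == "connect":
            buckets[(pid, exe, ts // window)] += 1
    return sorted((pid, exe, w * window, n)
                  for (pid, exe, w), n in buckets.items() if n > threshold)


if __name__ == "__main__":
    print("s2:", s2_non_apache_port80(EVENTS))
    print("s4:", s4_trace_erasure(EVENTS))
    print("s5:", s5_network_spike(EVENTS))
```

On this sample the unknown /tmp binary is the only hit for all three rules, while apache2, rsyslogd and the slow curl session are not flagged. The bucket-based spike rule is deliberately simple: it divides time into fixed windows, so a burst straddling a window boundary can be split in two and missed; a sliding window or a rate relative to the process's own baseline would be the next refinement.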
In total, we composed 19 AIQL queries. We evaluate (1) the conciseness improvements of AIQL queries over SQL, Neo4j Cypher, and Splunk queries; (2) the scheduling improvements of the AIQL system over the SQL scheduling in PostgreSQL and Greenplum.