Comprehensive Evaluations

In addition to the case study, we further performed four major types of attack behaviors in our deployed environment and collected system monitoring data (738 GB):

  • Multi-step attack behaviors that involve multiple steps to penetrate an enterprise network, enumerate administrator credentials, and steal information (a1-a5)

  • Dependency tracking behaviors that track the origins of Chrome & Java update executables, and perform impact analysis of malicious scripts (d1-d3)

    • d1: causal dependency tracking of origin of Chrome update executable

    • d2: causal dependency tracking of origin of Java update executable

    • d3: impact analysis of a malicious script

  • Real-world malware behaviors from VirusSign (v1-v5)

    • v1: 7dd95111e9e100b6243ca96b9b322120.vir, Trojan.Sysbot

    • v2: 425327783e88bb6492753849bc43b7a0.vir, Trojan.Hooker

    • v3: ee111901739531d6963ab1ee3ecaf280.vir, Virus.Autorun

    • v4: 4e720458c357310da684018f4a254dd0.vir, Virus.Sysbot

    • v5: 7dd95111e9e100b6243ca96b9b322120.vir, Trojan.Hooker

  • Abnormal system behaviors in enterprise systems based on security experts' knowledge (s1-s6)

    • s1: command history probing

    • s2: processes other than Apache listening on port 80

    • s3: frequent network accesses

    • s4: processes erasing traces from system files

    • s5: network access spike

    • s6: abnormal file accesses

In total, we composed 19 AIQL queries. We evaluate (1) the conciseness improvements of AIQL queries over SQL, Neo4j Cypher, and Splunk queries, and (2) the scheduling improvements of the AIQL system over SQL query scheduling in PostgreSQL and Greenplum.
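To make concrete what two of the abnormal-behavior queries above (s2 and s5) look for, the following added example (not the paper's AIQL code) runs the equivalent checks in plain Python over constructed system-monitoring events; the record layout, process names and thresholds are assumptions.

```python
# Added example, not from the AIQL paper: reference checks for s2 (a process
# other than Apache listening on port 80) and s5 (a network access spike),
# evaluated over constructed monitoring records.
from collections import Counter

# Constructed records: (timestamp, pid, process name, event type, port or dest).
# Field names and values are assumptions, not the paper's data format.
EVENTS = [
    (100, 1001, "httpd",   "listen",  80),
    (101, 2002, "nc",      "listen",  80),          # should be flagged by s2
    (102, 3003, "python",  "listen",  8080),
    (110, 4004, "curl",    "connect", "10.0.0.5"),  # a single connection, no spike
] + [
    # one process opening ten connections within ten seconds
    (200 + i, 5005, "svchost", "connect", "203.0.113.9") for i in range(10)
]


def non_apache_listeners_on_80(events, apache_names=("httpd", "apache2")):
    """s2: (pid, name) of every listener on port 80 that is not an Apache process."""
    return sorted({(pid, name) for _, pid, name, ev, port in events
                   if ev == "listen" and port == 80 and name not in apache_names})


def network_access_spikes(events, window=10, threshold=5):
    """s5: (pid, window_start) pairs where one process made more than
    `threshold` connect events inside a `window`-second bucket."""
    counts = Counter()
    for ts, pid, _, ev, _ in events:
        if ev == "connect":
            counts[(pid, ts - ts % window)] += 1
    return sorted(key for key, n in counts.items() if n > threshold)


if __name__ == "__main__":
    print("s2 hits:", non_apache_listeners_on_80(EVENTS))   # [(2002, 'nc')]
    print("s5 hits:", network_access_spikes(EVENTS))         # [(5005, 200)]
```

The same logic, expressed in AIQL, SQL, Cypher or Splunk, is what the conciseness comparison in the evaluation measures.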