SAQL: A Stream-based Query System for Real-Time Abnormal System Behavior Detection
Welcome to our project website! The SAQL system is a novel stream-based query system that takes as input a real-time event feed aggregated from multiple hosts in an enterprise and provides an anomaly query engine that facilitates the task of expressing anomalies based on expert knowledge. Our system provides a domain-specific query language, the Stream-based Anomaly Query Language, which empowers security analysts to express models for rule-based anomalies, time-series anomalies, invariant-based anomalies, and outlier-based anomalies. Our system optimizes the execution of concurrent queries by enabling the sharing of intermediate execution results among queries. Our evaluation against a variety of realistic attack scenarios in a real-world enterprise environment demonstrates SAQL's utility in practical settings (expressiveness, low latency, high throughput, and low memory footprint).
On this website, you will find:
The motivation of the SAQL system and design challenges
The SAQL system architecture
The SAQL language design
Case study and performance evaluation
Please check out our USENIX Security'18 paper for more details!