SAQL: A Stream-based Query System for Real-Time Abnormal System Behavior Detection

Welcome to our project website! The SAQL system is a novel stream-based query system that takes as input a real-time event feed aggregated from multiple hosts in an enterprise, and provides an anomaly query engine that makes it easy to express anomalies based on expert knowledge. Our system provides a domain-specific query language, Stream-based Anomaly Query Language, which empowers security analysts to express models for rule-based anomalies, time-series anomalies, invariant-based anomalies, and outlier-based anomalies. Our system optimizes the execution of concurrent queries by sharing intermediate execution results among them. Our evaluation against a variety of realistic attack scenarios in a real-world enterprise environment demonstrates SAQL's utility in practical settings (expressiveness, low latency, high throughput, and low memory footprint).

On this website, you will find:

    • The motivation of the SAQL system and design challenges

    • The SAQL system architecture

    • The SAQL language design

    • Case study and performance evaluation

Please check out our USENIX Security'18 paper for more details!