Case Study and Performance Evaluation

We deployed the SAQL system in an enterprise environment of 100 hosts, which together generate around 2500 system events per second. We evaluate the system in the following two respects:

    • We performed a series of realistic attacks in the deployed environment. Specifically, our attacks include (1) an APT attack that penetrates the enterprise network and steals user information, (2) a SQL injection attack against a common web server configuration, (3) a Bash Shellshock command-injection attack on an Apache server, and (4) a representative set of suspicious behaviors constructed from security experts' knowledge. In total, we constructed 17 SAQL queries to detect these attacks, and measured a variety of runtime metrics (throughput, detection latency, CPU and memory usage).

    • We evaluated the system's performance in handling multiple concurrent queries. Specifically, we constructed 64 micro-benchmark queries and monitored system resource usage during their execution.
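To make the shape of such a stateful detection query and its runtime metrics concrete, the following is an added Python example, not SAQL code and not one of the paper's 17 queries. It models the Shellshock scenario above as a stream rule: a bash process whose parent is httpd that, within an assumed 30-second window, reads /etc/passwd or opens a network connection. The flat event schema (timestamp, host, pid, ppid, exe, operation, object), the rule itself and all sample events are constructed for illustration; detection latency and throughput are measured with wall-clock timers in the same spirit as the metrics listed above.

```python
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed system events in a flat (timestamp, host, pid, ppid, exe, op, object)
# schema. These are made up for the example, not traces from the paper's deployment.
Event = Tuple[float, str, int, int, str, str, str]
SAMPLE_EVENTS: List[Event] = [
    (1.000, "host-01", 2001, 1, "httpd", "start", "httpd"),
    (1.010, "host-01", 2001, 1, "httpd", "read", "/var/www/html/index.html"),
    # Shellshock-style: httpd spawns a shell through the CGI environment
    (1.020, "host-01", 2050, 2001, "bash", "start", "bash"),
    (1.025, "host-01", 2050, 2001, "bash", "read", "/etc/passwd"),
    (1.030, "host-01", 2050, 2001, "bash", "connect", "198.51.100.7:4444"),
    # Benign: an interactive shell under sshd reads /etc/passwd
    (2.000, "host-02", 3001, 1, "sshd", "start", "sshd"),
    (2.010, "host-02", 3040, 3001, "bash", "start", "bash"),
    (2.020, "host-02", 3040, 3001, "bash", "read", "/etc/passwd"),
    # httpd-spawned shell that only connects after the window has expired
    (5.000, "host-03", 4001, 1, "httpd", "start", "httpd"),
    (5.010, "host-03", 4050, 4001, "bash", "start", "bash"),
    (40.00, "host-03", 4050, 4001, "bash", "connect", "203.0.113.9:80"),
]


@dataclass
class Alert:
    host: str
    pid: int
    trigger_ts: float
    reason: str


class ShellshockQuery:
    """Stateful stream rule (an assumption for illustration, not a paper query):
    a bash process whose parent exe is httpd that, within `window` seconds of
    starting, reads /etc/passwd or opens a network connection."""

    def __init__(self, window: float = 30.0) -> None:
        self.window = window
        self.exe_of: Dict[Tuple[str, int], str] = {}      # (host, pid) -> exe
        self.suspect: Dict[Tuple[str, int], float] = {}   # (host, pid) -> spawn ts

    def process(self, ev: Event) -> Optional[Alert]:
        ts, host, pid, ppid, exe, op, obj = ev
        key = (host, pid)
        if op == "start":
            self.exe_of[key] = exe
            if exe == "bash" and self.exe_of.get((host, ppid)) == "httpd":
                self.suspect[key] = ts
            return None
        spawned = self.suspect.get(key)
        if spawned is None:
            return None
        if ts - spawned > self.window:
            del self.suspect[key]   # window expired: evict to bound state size
            return None
        if op == "connect" or (op == "read" and obj == "/etc/passwd"):
            del self.suspect[key]   # alert once per suspicious shell
            return Alert(host, pid, ts, f"{op} {obj}")
        return None


def run_query(events: List[Event], window: float = 30.0):
    """Replay events through the query; return alerts and runtime metrics."""
    query = ShellshockQuery(window)
    alerts: List[Alert] = []
    latencies: List[float] = []
    t0 = time.perf_counter()
    for ev in events:
        arrived = time.perf_counter()
        alert = query.process(ev)
        if alert is not None:
            alerts.append(alert)
            # detection latency: wall-clock time from event arrival to alert
            latencies.append(time.perf_counter() - arrived)
    elapsed = time.perf_counter() - t0
    metrics = {
        "events": len(events),
        "throughput_eps": len(events) / elapsed if elapsed > 0 else float("inf"),
        "max_detection_latency_s": max(latencies, default=0.0),
        "live_state_entries": len(query.suspect),
    }
    return alerts, metrics


if __name__ == "__main__":
    found, stats = run_query(SAMPLE_EVENTS)
    for a in found:
        print(f"ALERT {a.host} pid={a.pid} at t={a.trigger_ts}: {a.reason}")
    print(stats)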