SAQL Language Design

The SAQL language conceptualizes low-level system execution as a series of high-level events (<subject, operation, object> tuples) that are interrelated by attribute and temporal relationships. This event model serves as a unified backbone for expressing rules over system behaviors. Furthermore, SAQL provides novel constructs for stateful computation over sliding windows, which greatly enrich the language's expressiveness and facilitate the specification of advanced anomalies. Specifically, SAQL supports the specification of four types of anomaly models: rule-based models, time-series models, invariant-based models, and outlier-based models.
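
The event-tuple and stateful sliding-window ideas described above can be illustrated with a short Python sketch of a time-series style model. This is an added example: it is not SAQL syntax and not code from the SAQL project. The field names, window sizes, threshold factor and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque, namedtuple

# One system event: <subject, operation, object> plus attributes (hypothetical field names).
Event = namedtuple("Event", "ts subject operation object amount")

def window_states(events, length, step, operation):
    """Yield (window_start, {subject: total amount}) for each sliding window."""
    matching = sorted((e for e in events if e.operation == operation), key=lambda e: e.ts)
    if not matching:
        return
    start, last = matching[0].ts, matching[-1].ts
    while start <= last:
        state = defaultdict(int)
        for e in matching:
            if start <= e.ts < start + length:
                state[e.subject] += e.amount
        yield start, dict(state)
        start += step

def detect_spikes(events, length=60, step=30, history=3, factor=3.0, operation="write"):
    """Alert when a subject's window total exceeds factor x the mean of its last `history` windows."""
    past = defaultdict(lambda: deque(maxlen=history))  # per-subject state kept across windows
    alerts = []
    for start, state in window_states(events, length, step, operation):
        for subject, total in state.items():
            prev = past[subject]
            if len(prev) == history and total > factor * sum(prev) / history:
                alerts.append((start, subject, total))
            prev.append(total)
    return alerts

def sample_events():
    """Constructed sample data: two steady writers, then one large write burst."""
    evts = [Event(t, "sqlservr.exe", "write", "10.0.0.5:443", 1000) for t in range(0, 180, 10)]
    evts += [Event(t, "chrome.exe", "write", "10.0.0.7:443", 2000) for t in range(5, 180, 20)]
    evts.append(Event(180, "sqlservr.exe", "write", "10.0.0.9:8080", 50000))
    evts.append(Event(185, "sqlservr.exe", "read", "/data/db.mdf", 900000))  # filtered out
    return evts

if __name__ == "__main__":
    for alert in detect_spikes(sample_events()):
        print(alert)
```

Because the windows overlap, the burst falls into two consecutive windows, but only the first raises an alert: once the burst enters the subject's history, it raises the moving-average baseline for the next window.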