A Query System for Efficiently Investigating Complex Attack Behaviors for Enterprise Security
Peng Gao, Xusheng Xiao, Zhichun Li, Kangkook Jee, Fengyuan Xu, Sanjeev R. Kulkarni, Prateek Mittal

TL;DR
AIQL is a specialized query system designed for efficient investigation of complex attack behaviors in enterprise security, featuring a domain-specific language, optimized execution, and deployment in real-world environments.
Contribution
The paper introduces AIQL, a novel domain-specific query system with optimized execution tailored for attack investigation in enterprise security environments.
Findings
Successfully deployed AIQL on 150 hosts in NEC Labs.
Demonstrated AIQL's effectiveness in investigating APT attacks.
Enabled interactive attack investigation through a web UI.
Abstract
The need for countering Advanced Persistent Threat (APT) attacks has led to solutions that ubiquitously monitor system activities in each enterprise host and perform timely attack investigation over the monitoring data to uncover the attack sequence. However, existing general-purpose query systems lack explicit language constructs for expressing key properties of major attack behaviors, and their semantics-agnostic design often produces inefficient execution plans for queries. To address these limitations, we build AIQL, a novel query system that is designed with novel types of domain-specific optimizations to enable efficient attack investigation. AIQL provides (1) a domain-specific data model and storage for storing the massive system monitoring data, (2) a domain-specific query language, Attack Investigation Query Language (AIQL), that integrates critical primitives for…
Taxonomy
Topics: Network Security and Intrusion Detection · Information and Cyber Security · Software System Performance and Reliability
