Logic-Driven Cybersecurity: A Novel Framework for System Log Anomaly Detection using Answer Set Programming
Fang Li, Fei Zuo, Gopal Gupta

TL;DR
This paper introduces a logic-based framework using Answer Set Programming for detecting anomalies in system logs, enhancing cybersecurity by enabling flexible, explainable, and effective identification of various cyber threats.
Contribution
The paper presents a novel ASP-based framework for log anomaly detection, leveraging logical reasoning to improve flexibility and explainability over traditional methods.
Findings
Effective detection of cyber anomalies like brute-force attacks and privilege escalations
ASP's ability to handle structured log data and complex security rules
Potential for explainable and adaptive cyber threat alerts
Abstract
This study explores the application of Answer Set Programming (ASP) for detecting anomalies in system logs, addressing the challenges posed by evolving cyber threats. We propose a novel framework that leverages ASP's declarative nature and logical reasoning capabilities to encode complex security rules as logical predicates. Our ASP-based system was applied to a real-world Linux system log dataset, demonstrating its effectiveness in identifying various anomalies such as potential brute-force attacks, privilege escalations, frequent network connections from specific IPs, and various system-level issues. Key findings highlight ASP's strengths in handling structured log data, rule flexibility, and event correlation. The approach shows promise in providing explainable alerts from real-world data. This research contributes to computer forensics by demonstrating a logic-based paradigm for log…
Taxonomy
Topics: Logic, Reasoning, and Knowledge · Multi-Agent Systems and Negotiation · AI-based Problem Solving and Planning
