Method for Detecting Anomalous States of a Control Object in Information Systems Based on the Analysis of Temporal Data and Knowledge

The problem of finding the anomalous states of the control object in the management information system under conditions of uncertainty caused by the incompleteness of knowledge about this object is considered. The method of classifying the current state of the control object in real time, allowing to identify the current anomalous state. The method uses temporal data and knowledge. Data is represented by sequences of events with timestamps. Knowledge is represented as weighted temporal rules and constraints. The method includes the following key phases: the formation of sequences of logical facts; selection of temporal rules and constraints; classification based on a comparison of rules and constraints. Logical facts are represented as predicates on event attributes and reflect the state of the control object. Logical rules define valid sequences of logical facts. Performing a classification by successive comparisons of constraints and weights of the rules makes it possible to more effectively identify the anomalous state since the comparison of the constraints reduces the subset of facts comparing to the current state. The method creates conditions for improving management efficiency in the context of incomplete information on the state of a complex object by using logical inference in knowledge bases for anomalous states of such control objects

Querying Streaming System Monitoring Data for Enterprise System Anomaly Detection

The need for countering Advanced Persistent Threat (APT) attacks has led to the solutions that ubiquitously monitor system activities in each enterprise host, and perform timely abnormal system behavior detection over the stream of monitoring data. However, existing stream-based solutions lack explicit language constructs for expressing anomaly models that capture abnormal system behaviors, thus facing challenges in incorporating expert knowledge to perform timely anomaly detection over the large-scale monitoring data. To address these limitations, we build SAQL, a novel stream-based query system that takes as input, a real-time event feed aggregated from multiple hosts in an enterprise, and provides an anomaly query engine that queries the event feed to identify abnormal behaviors based on the specified anomaly models. SAQL provides a domain-specific query language, Stream-based Anomaly Query Language (SAQL), that uniquely integrates critical primitives for expressing major types of anomaly models. In the demo, we aim to show the complete usage scenario of SAQL by (1) performing an APT attack in a controlled environment, and (2) using SAQL to detect the abnormal behaviors in real time by querying the collected stream of system monitoring data that contains the attack traces. The audience will have the option to interact with the system and detect the attack footprints in real time via issuing queries and checking the query results through a command-line UI.Comment: Accepted paper at ICDE 2020 demonstrations track. arXiv admin note: text overlap with arXiv:1806.0933