Logic-Driven Cybersecurity: A Novel Framework for System Log Anomaly Detection using Answer Set Programming
Fang Li, Fei Zuo, Gopal Gupta
TL;DR
This paper tackles anomaly detection in system logs under evolving cyber threats by proposing an ASP-based framework that encodes security policies as logical predicates, so that every alert comes with the rule that fired. It demonstrates the approach on a real-world Linux log dataset, defining multiple anomaly patterns (e.g., brute-force login attempts, privilege escalation, frequent network connections from a single IP) and converting log lines into ASP facts over which the rules are evaluated. The results show that a single ASP run can identify diverse anomalies with transparent, rule-based explanations, highlighting the method's potential for computer forensics and adaptive cyber intelligence. The work also discusses limitations (dataset size, timing resolution, rule specificity) and outlines future directions, including hybridizing with machine learning and real-time processing to improve practicality.
Abstract
This study explores the application of Answer Set Programming (ASP) for detecting anomalies in system logs, addressing the challenges posed by evolving cyber threats. We propose a novel framework that leverages ASP's declarative nature and logical reasoning capabilities to encode complex security rules as logical predicates. Our ASP-based system was applied to a real-world Linux system log dataset, demonstrating its effectiveness in identifying various anomalies such as potential brute-force attacks, privilege escalations, frequent network connections from specific IPs, and various system-level issues. Key findings highlight ASP's strengths in handling structured log data, rule flexibility, and event correlation. The approach shows promise in providing explainable alerts from real-world data. This research contributes to computer forensics by demonstrating a logic-based paradigm for log analysis on a practical dataset, opening avenues for more nuanced and adaptive cyber intelligence systems.
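The pipeline the abstract describes has two halves: log lines are converted into ground ASP facts, and security rules written as predicates are evaluated over those facts in one solver run. The following is an added example, not code from the paper or its authors: it parses a handful of constructed auth.log and UFW kernel lines (not the paper's dataset) into facts such as `login_fail(T, User, Ip)`, appends rules for the three anomaly classes the abstract names, and, when the `clingo` Python package is installed, grounds and solves the program and returns the derived alert atoms. The predicate names, the thresholds (5 failures in 60 seconds, 3 connections), the assumed log year and the specific rule shapes are all assumptions made for illustration; the paper's own rules are not reproduced here.

```python
"""Constructed example: syslog lines -> ASP facts -> clingo anomaly rules."""
import re
from datetime import datetime, timezone

LOG_YEAR = 2024  # assumption: classic syslog timestamps carry no year

# Constructed sample lines (not from the paper's dataset). One IP fails five
# times, then logs in as root and reads /etc/shadow via sudo; alice logs in
# cleanly and runs a routine sudo; a third IP probes three ports.
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51201 ssh2
Mar 10 12:00:04 host sshd[1202]: Failed password for root from 203.0.113.7 port 51202 ssh2
Mar 10 12:00:07 host sshd[1203]: Failed password for root from 203.0.113.7 port 51203 ssh2
Mar 10 12:00:11 host sshd[1204]: Failed password for root from 203.0.113.7 port 51204 ssh2
Mar 10 12:00:15 host sshd[1205]: Failed password for root from 203.0.113.7 port 51205 ssh2
Mar 10 12:00:19 host sshd[1206]: Accepted password for root from 203.0.113.7 port 51206 ssh2
Mar 10 12:00:25 host sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar 10 12:05:30 host sshd[1301]: Accepted publickey for alice from 192.0.2.44 port 40001 ssh2
Mar 10 12:06:00 host sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar 10 12:10:00 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP SPT=44321 DPT=22
Mar 10 12:10:01 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP SPT=44322 DPT=23
Mar 10 12:10:02 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP SPT=44323 DPT=3389
"""

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (.*)$")
# (predicate, pattern over the message body); first match wins.
PATTERNS = [
    ("login_fail", re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")),
    ("login_ok",   re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")),
    ("sudo",       re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.+)$")),
    ("conn",       re.compile(r"\[UFW \w+\].*SRC=(\S+).*DPT=(\d+)")),
]

def asp_str(s):
    """Quote a value as an ASP string constant (IPs and paths are not valid bare atoms)."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def to_epoch(stamp):
    """Syslog 'Mon DD HH:MM:SS' -> integer UTC epoch seconds so rules can do arithmetic on time."""
    dt = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())

def to_facts(log_text):
    """Translate each recognised log line into one ground fact; unrecognised lines are skipped."""
    facts = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        t, body = to_epoch(m.group(1)), m.group(2)
        for pred, rx in PATTERNS:
            hit = rx.search(body)
            if hit:
                args = [str(t)] + [asp_str(a) for a in hit.groups()]
                facts.append(f"{pred}({','.join(args)}).")
                break
    return facts

# Rules are assumptions for illustration, not the paper's encoding.
RULES = r"""
#const fail_threshold = 5.   % failures from one IP ...
#const window = 60.          % ... within this many seconds
#const conn_threshold = 3.   % connection events from one IP

% Brute force: a failure at T0 followed by >= fail_threshold failures from Ip in [T0, T0+window].
brute_force(Ip, T0) :- login_fail(T0, _, Ip),
    #count{ T, U : login_fail(T, U, Ip), T >= T0, T <= T0 + window } >= fail_threshold.

% Privilege escalation: a sudo command by a user whose successful login from Ip came after a failed one.
priv_escalation(User, Ip, T) :- login_fail(Tf, User, Ip), login_ok(Tl, User, Ip), Tl > Tf,
    sudo(T, User, _), T > Tl.

% Frequent connections: an Ip with at least conn_threshold distinct connection events.
frequent_conn(Ip, N) :- conn(_, Ip, _), N = #count{ T, P : conn(T, Ip, P) }, N >= conn_threshold.

#show brute_force/2.
#show priv_escalation/3.
#show frequent_conn/2.
"""

def build_program(facts):
    """Facts plus rules form one program; a single solve evaluates every rule at once."""
    return "\n".join(facts) + "\n" + RULES

def solve(program):
    """Ground and solve with the clingo API if installed; returns sorted shown atoms, or None if clingo is absent."""
    try:
        import clingo
    except ImportError:
        return None
    ctl = clingo.Control(["0"])  # enumerate all answer sets; this stratified program has exactly one
    ctl.add("base", [], program)
    ctl.ground([("base", [])])
    found = []
    ctl.solve(on_model=lambda m: found.extend(str(s) for s in m.symbols(shown=True)))
    return sorted(found)

if __name__ == "__main__":
    facts = to_facts(SAMPLE_LOG)
    print("\n".join(facts))
    alerts = solve(build_program(facts))
    print(alerts if alerts is not None else "clingo not installed: pipe the program into `clingo -` instead")
```

Each derived atom is its own explanation: `brute_force("203.0.113.7",T0)` names the IP and the window start, and the rule that produced it is the policy text itself. Alice's clean login followed by sudo derives nothing, because `priv_escalation` requires a prior failed login from the same IP and user, which is the kind of correlation across event types the abstract refers to. Note that the one-minute window is anchored at each failure, so a slow attacker spreading attempts over hours is deliberately outside this rule and would need a wider window or a different predicate.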
