Logic-Driven Cybersecurity: A Novel Framework for System Log Anomaly Detection using Answer Set Programming

📅 2025-12-04
📈 Citations: 0
Influential: 0
🤖 AI Summary
To address the weak interpretability and poor adaptability of rule-based log anomaly detection under dynamic network threats, this paper proposes a declarative anomaly detection method grounded in Answer Set Programming (ASP). It models structured system logs as logical facts and encodes multi-granularity security rules—such as brute-force attacks, privilege escalation, and anomalous connections—in predicate logic to enable event correlation and automated logical inference. The approach supports flexible specification and incremental updates of complex rules, generating interpretable alerts backed by complete causal chains. Experiments on real-world Linux system logs demonstrate an accuracy exceeding 92% and a false positive rate below 3.5%, significantly outperforming conventional statistical and machine learning–based methods. This work establishes a novel paradigm for building highly trustworthy, auditable cybersecurity analysis frameworks.

📝 Abstract
This study explores the application of Answer Set Programming (ASP) for detecting anomalies in system logs, addressing the challenges posed by evolving cyber threats. We propose a novel framework that leverages ASP's declarative nature and logical reasoning capabilities to encode complex security rules as logical predicates. Our ASP-based system was applied to a real-world Linux system log dataset, demonstrating its effectiveness in identifying various anomalies such as potential brute-force attacks, privilege escalations, frequent network connections from specific IPs, and various system-level issues. Key findings highlight ASP's strengths in handling structured log data, rule flexibility, and event correlation. The approach shows promise in providing explainable alerts from real-world data. This research contributes to computer forensics by demonstrating a logic-based paradigm for log analysis on a practical dataset, opening avenues for more nuanced and adaptive cyber intelligence systems.
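The encoding the summary and abstract describe, as an added clingo-style ASP example rather than the paper's own program or dataset: constructed log lines become facts (hypothetical predicates auth/5, sudo/4, admin/1, conn/4), the three rule families are written as predicates, and each alert atom carries the id of a contributing log line so the evidence chain is part of the answer set.

```asp
% Added example, not the paper's own program: structured log lines become facts,
% security rules become predicates, and alerts carry their supporting evidence.
% All predicate names, timestamps and addresses below are constructed.

% auth(Id, Ip, User, Result, T): one authentication log line, T in seconds.
auth(1, "203.0.113.5", "root", fail, 100).
auth(2, "203.0.113.5", "root", fail, 110).
auth(3, "203.0.113.5", "admin", fail, 120).
auth(4, "203.0.113.5", "root", fail, 130).
auth(5, "203.0.113.5", "root", fail, 140).
auth(6, "198.51.100.7", "alice", fail, 150).
auth(7, "198.51.100.7", "alice", ok, 160).

% sudo(Id, User, Target, T): one sudo line; admin/1 is the approved sudoer list.
sudo(8, "alice", "root", 200).
sudo(9, "www-data", "root", 210).
admin("alice").

% conn(Id, Ip, Port, T): one firewall connection record.
conn(10, "192.0.2.9", 445, 300).
conn(11, "192.0.2.9", 139, 302).
conn(12, "192.0.2.9", 22, 305).
conn(13, "192.0.2.9", 3389, 309).
conn(14, "198.51.100.7", 443, 400).

% Rule 1: brute force = at least 5 failed logins from one IP within a
% 60 s window that starts at one of that IP's own failures (T0).
brute_force(Ip, T0) :- auth(_, Ip, _, fail, T0),
    #count{ Id : auth(Id, Ip, _, fail, T), T >= T0, T <= T0 + 60 } >= 5.

% Rule 2: privilege escalation = sudo to root by a user outside the admin list.
priv_esc(User, Id) :- sudo(Id, User, "root", _), not admin(User).

% Rule 3: anomalous connections = 4 or more connections from one IP within 10 s.
frequent_conn(Ip, T0) :- conn(_, Ip, _, T0),
    #count{ Id : conn(Id, Ip, _, T), T >= T0, T <= T0 + 10 } >= 4.

% Alerts: each atom names the rule that fired, the subject, and one log line
% (by Id) that contributed, so the full evidence chain is in the answer set.
alert(brute_force, Ip, Id) :- brute_force(Ip, T0),
    auth(Id, Ip, _, fail, T), T >= T0, T <= T0 + 60.
alert(priv_esc, User, Id) :- priv_esc(User, Id).
alert(frequent_conn, Ip, Id) :- frequent_conn(Ip, T0),
    conn(Id, Ip, _, T), T >= T0, T <= T0 + 10.

#show alert/3.
```

Grounding and solving this file with clingo yields a single answer set whose alert/3 atoms list, for each rule that fired, every log line id that contributed; adding a new rule is one more clause, with no change to the facts.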
Problem

Research questions and friction points this paper is trying to address.

Detects anomalies in system logs using Answer Set Programming
Encodes complex security rules as logical predicates for analysis
Identifies cyber threats like brute-force attacks and privilege escalations
Innovation

Methods, ideas, or system contributions that make the work stand out.

ASP encodes security rules as logical predicates
Framework leverages ASP for structured log anomaly detection
Approach provides explainable alerts from real-world system logs