See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/326969312

Real-Time Intrusion Detection in Network Traffic Using Adaptive and Auto-

Scaling Stream Processor

Conference Paper · December 2018

DOI: 10.1109/GLOCOM.2018.8647489

CITATIONS READS
5 336

3 authors, including:

Gobinath Loganathan Xianbin Wang

The University of Western Ontario The University of Western Ontario
5 PUBLICATIONS   10 CITATIONS    451 PUBLICATIONS   7,197 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

DR-NET View project

A customizable Network Intrusion Detection dataset creating framework View project

All content following this page was uploaded by Gobinath Loganathan on 14 December 2018.

The user has requested enhancement of the downloaded file.

 Real-time Intrusion Detection in Network Traffic
Using Adaptive and Auto-scaling Stream Processor
Gobinath Loganathan∗ , Jagath Samarabandu† and Xianbin Wang‡
Department of Electrical and Computer Engineering
The University of Western Ontario
London, Ontario, N6A 5B9, Canada
∗ lgobinat@uwo.ca, † jagath@uwo.ca, ‡ xianbin.wang@uwo.ca
Abstract—Advanced intrusion detection systems are beginning
to utilize the power and flexibility offered by Complex Event Pro-
cessing (CEP) engines. Adapting to new attacks and optimizing
CEP rules are two challenges in this domain. Optimizing CEP
rules requires a complete framework which can be ported to
stream processors because a CEP rule cannot run without a
stream processor. External dependencies of stream processors
make CEP rule a black box which is hard to optimize. In
this paper, we present a novel adaptive and functionally auto-
scaling stream processor: “Wisdom” with a built-in hybrid
optimizer developed using Particle Swarm Optimization, and
Bisection algorithms to optimize CEP rule parameters. We
show that an adaptive “Wisdom” rule tuned by the proposed
optimization algorithm is able to detect selected attacks in
CICIDS 2017 dataset with an average precision of 99.98% and
an average recall of 93.42% while processing over 2.5 million
events per second. The proposed distributed functionally auto-
scaling deployment mode consumes significantly fewer system
resources than the monolithic deployment of CEP rules.
I. I NTRODUCTION
Complex Event Processing (CEP) is a reactive program-
ming paradigm used in responding to real-time events based
on predefined rules. Stream processors provide the neces-
sary infrastructure to develop and deploy CEP rules for a
wide range of applications including intrusion detection [1],
healthcare [2], fleet management [3], and power grid [4]. In
all these domains, constructing a CEP rule often requires
a domain expert who knows how to mine complex events
out of a stream of raw events. Some recent studies have
proposed automatic CEP rule generation using unsupervised
machine learning algorithms to replace domain experts by
machines [5]–[8]. Machine learning algorithms require a lot
of preprocessed data and training time. Moreover, the pro-
posed solutions are based on frequent patterns which are not
useful in anomaly detection scenarios like intrusion detection.
Instead, the traditional way of defining CEP rules based on
human cognition with the support of domain-specific facts
is easier than mining rules from training data. Even though
humans are experts in logical reasoning, we are poor in
handling numbers. For example, it is easy for a domain expert
to say that “a CEP rule to detect FTP brute force attack must
look for a lot of failed login attempts within a short period
of time”, but he/she requires manual inspection of training
data to quantify the number of failed attempts and the shortest
time interval to consider. Analyzing training data to find those
threshold values is a tedious and time-consuming task for
humans. In a volatile domain like intrusion detection, such
threshold values are subject to change frequently. Therefore,
an optimization algorithm to find optimal threshold values for
a CEP rule can relieve domain experts from spending time in
analyzing training data. Furthermore, such an algorithm can
be used in runtime to continuously optimize CEP rules based
on the dynamicity of the environment.
Optimizing CEP rules using available optimization algo-
rithms requires dynamic stream processors (stream processors
which allow runtime query modification) to try different
threshold values without restarting the stream processor. Even
though Esper and Apache Flink support CEP variables, they
do not provide a built-in mechanism to optimize queries de-
fined using variables [9], [10]. Abadi et al. proposed the first
fully dynamic stream processor: “Borealis” years ago [11].
However, none of the existing commercial stream processors
offer dynamic operators comparable to “Borealis” [9]–[12].
These stream processors focus on performance optimization
and scalability than query optimization. Even though stream
processors can distribute and scale operators, not all stateful
operators are horizontally scalable [13]. Especially when it
comes to dynamic CEP operators, it is hard to track and
atomically update them in a horizontally scaled environment.
Another dynamic complex event processor: iCEP does not
reach the throughput benchmark set by commercial stream
processors [6]. We believe these limitations are keeping com-
mercial stream processors away from dynamic and adaptive
CEP.
In this paper, we propose a new steam processor: “Wisdom”
developed with the following features: (1) dynamic without
compromising the performance, (2) adaptive using Particle
Swarm Optimization and Bisection algorithms, (3) distributed
and functionally auto-scaling as an alternative to horizontal
scaling. We use the term “functionally auto-scaling” to mean
the ability of “Wisdom” stream processor to start new rules
to add more features or to stop unwanted rules to reduce
resource consumption. We tested our stream processor using
three CEP rules defined by domain experts and optimized by
“Wisdom” using packets arrived within a 10 minutes interval
to detect FTP brute force attack, HTTP Slow Header Denial
of Service (DoS) attack, and Port Scan probe. “Wisdom” was
able to detect the selected attacks with an average precision
of 99.98% and an average recall of 93.42% which is better
than the maximum precision of 80% and maximum recall of
90% obtained by Turchin et al. after training their adaptive
CEP rule using the entire dataset. “Wisdom” is able to process
2.5 million events per second in a single thread environment
which is significantly better than the throughput of iCEP
and comparable with commercial stream processors. We also
show that the proposed functionally auto-scaling deployment
consumes fewer system resources compared to traditional
monolithic deployment without compromising the accuracy.
II. BACKGROUND
A. Dynamic Complex Event Processor
In a dynamically changing environment, static CEP rules
become obsolete very soon. Redeploying new rules for every
change in the environment reduces the uptime of the system.
Moreover, dynamicity is one of the primary requirements
for adaptive complex event processing so that system can
automatically adjust the flow of events without redeploy-
ing the rule. Borealis stream processing engine developed
by Abadi et al. supports dynamic query modification and
performance optimization at runtime using separate control
flows [11]. A similar approach is used by Bhargavi et al. in
their dynamic complex event processor to deploy CEP rules
without restarting the stream processor [14].
B. Complex Event Processing Rule Mining
Mousheimish et al. proposed automatic predictive CEP
rule mining from classified multivariate time series data [5].
The learning algorithm first searches for subsequences across
a time series input. The length of possible subsequences is
limited by user-defined lower and upper bounds. A CEP rule
is built using subsequence with the highest accuracy after
removing redundant parts from the sequence. However, this
approach is limited by user-defined sequence lengths and
limited CEP rule templates which are not guaranteed to fit
all use cases.
Margara et al. developed iCEP which can generate expres-
sive CEP rules using time window, selector, logical operator,
pattern, and aggregator [6]. iCEP learns interesting events
and time frame followed by aggregators and filters, and
finally parameters and sequences in an independent three-
phase pipeline. In this approach, errors made in an early stage
of the pipeline can propagate and affect the following learners.
For example, if time window learner fails to capture all
necessary events, sequence learner cannot learn a meaningful
sequence at the end of the pipeline. Isolated learning phases
of iCEP fail to address the correlation between CEP operators.
Therefore, the rule generated by iCEP may not perform well
in a highly correlated domain.
CEP rule mining based on similarity match was proposed
by Lee et al. [7]. In this work, authors cluster event sequences,
extract a complex event based on similarity across sequences
from the same cluster and finally generate a complex event
pattern using Markov Transition model. Their clustering algo-
rithm calculates the distance between two sequences based on
the cosine similarity between individual events. The attribute
to calculate cosine similarity is determined by domain experts.
Mehdiyev et al. used Elitist Pareto-based Multi-Objective
Evolutionary Algorithm to select event attributes and Fuzzy
Unordered Rule Induction Algorithm to classify events [8]. In
this research, the authors compared their algorithm with other
classification algorithms. However, they did not propose how
to convert the output of their algorithm to a CEP rule and
admit that generating CEP rules using their classifier will be
a difficult challenge to address.
All above CEP rule mining methodologies were developed
with an intention to replace domain experts with machines
[5]–[8]. However, they rely on false assumptions like raw
events not being complex, TimeWindow being enough to
collect events in all scenarios, or a single CEP rule template
being able to represent all complex events. These assumptions
oversimplify the problem and do not capture the real world
requirements. Furthermore, these solutions mainly focus on
generating rules for commonly occurring patterns. In anomaly
driven domains like intrusion detection, such patterns repre-
sent legitimate traffic on which we are not interested. Hence
rules developed for frequent patterns may not work well for
detecting anomalous traffic.
C. Parameter Tuning
Turchin et al. defined CEP rules based on probability
score of selected attributes and tuned threshold values using
Discrete Kalman Filter based on expert feedback and event
history [15]. The concept of tuning rule parameters and the
application of adaptive rules to detect attacks in DARPA
1999 dataset are close to our research. Therefore, we have
chosen this research as a benchmark to compare the results we
obtain. However, their contribution to CEP rule optimization
may not be widely applicable because their rules neither
use any CEP operators nor follow CEP semantics. Instead,
they calculate anomalous probability score of request length,
response length, possible “SYN” error, and hostname for each
packet. A packet is classified either as an anomaly or not by
comparing the total score of these four attributes with two
threshold values. Therefore, this rule does not address any
problems we raised in Section III-A3.
Bayesian Optimization is widely being used by researchers
for hyperparameter optimization and black-box optimization
[16]. In this method, an unknown objective function is
mapped into a prior belief and sequentially refined by a
Bayesian posterior update [16]. Snoek et al. used Bayesian
Optimization to tune machine learning hyperparameters [17].
It is also used by Pooyan et al. to optimize the performance of
Apache Storm stream processor [18]. Among the population-
based optimization algorithms, Genetic Algorithm (GA) and
Particle Swarm Optimization (PSO) are widely being used
for hyperparameter tuning [19], [20]. GA and PSO optimized
a selected set of problems with equal accuracy in a test
conducted by Hassan et al. [21]. Though GA has been
successfully applied for optimization problems, it is inefficient
for applications with highly correlated parameters [20]. In
 TABLE I
P ERFORMANCE COMPARISON OF “W ISDOM ” WITH COMMERCIAL
STREAM PROCESSORS USING A FILTER QUERY IN A SINGLE THREAD
ENVIRONMENT
Stream Processor Throughput Latency
Apache Flink 6,711,544 events/sec 100 nanoseconds
WSO2 Siddhi 3,811,876 events/sec 216 nanoseconds
Wisdom 2,543,299 events/sec 332 nanoseconds
Esper 2,247,807 events/sec 334 nanoseconds
addition, GA is much more complex to implement than
PSO. Therefore, we have chosen Bayesian Optimization and
PSO for our experiment. Hosseini et al. used PSO algorithm
to optimize Multiple Criteria Linear Programming (MCLP)
algorithm used to detect DoS attacks in KDD CUP 1999
dataset [22]. Even though the use case (intrusion detection)
and optimization algorithm are the same as our research, the
actual contribution of Hosseini et al. is optimizing MCLP in
which the problem is already in an optimizable format with
variables. We are focusing on optimizing CEP rules which are
black-box functions and require additional steps to convert
them into optimizable problems. Furthermore, Hosseini et
al. used MCLP for anomaly-based detection in KDD CUP
1999 dataset and we use CEP for signature-based detection
in CICIDS 2017 [23] dataset. Therefore, we compare our final
results with Turchin et al. because both of us are solving the
CEP rule optimization problem.
III. M ETHODOLOGY
A. Wisdom Architecture
We developed an adaptive and functionally auto-scaling
stream processor: “Wisdom” with the following goals (1)
dynamic without compromising performance, (2) functionally
auto-scaling, and (3) optimizable CEP rule.
1) Dynamicity and Performance: In our early attempts,
we tried to modify existing open source stream processors:
Apache Flink [10] and WSO2 Siddhi [12] to make them
dynamic. The underlying static data structure to represent
events in these stream processors are designed for high
throughput and low latency and did not allow us to imple-
ment dynamic operators. Authors of iCEP dynamic complex
event processor claim that their complex event processor
can analyze “thousands of events in a few minutes” [6].
Our underlying architecture using Observer design pattern
and Mediator design pattern [24] to implement variables
and dynamic CEP operators yields performance comparable
to commercial stream processors as given in Table I and
significantly better performance than iCEP.
2) Functionally Auto-scaling: In intrusion detection sys-
tems, some attack detectors may need more resources than
others. For example, a DoS attack detector may need more
system resources than an SQL attack detector due to the large
amount of traffic involved in a DoS attacks. Distributing and
scaling a stream processor at the operator level can cause
to coordination problems in CEP operators depending on the
0.8
0.6
0.4
0.2
0.0
300
80
100
Fig. 1. Made-up profit function representing a CEP rule optimization
problem to test Bayesian Optimization and Particle Swarm Optimization
order of events. Therefore, we have designed “Wisdom” using
microservice architecture [25] to deploy each CEP rule as a
microservice with required memory and CPU allocation. Each
“Wisdom” instance can be controlled via exposed RESTful
[26] admin service endpoints. We also have developed a
service named “Wisdom Manager” to start, stop and control
“Wisdom” instances automatically. Using the @app annota-
tion, “Wisdom Manager” can be informed to start a query
only if specific streams receive events in the system. Though
“Wisdom” can be used as a Java library, for functionally auto-
scaling, we recommend distributed deployment of “Wisdom”
instances with Apache Kafka [27] for intermediate commu-
nication.
3) Optimizable CEP Rule: Threshold values in a CEP rule
can be an integer, a real number or a constant. Considering
all possible constants as a list of candidates, they can be
mapped into integer values. These numbers may or may not
have lower and upper bounds. For example, the minimum
no of packets threshold in Figure 3 has a lower bound 0
because it is a count but not an upper bound. However, these
parameters are correlated with each other in such a way that
they cannot take all possible values in the space. According to
these facts, a CEP rule optimization problem can be defined
as
max/min f (x1 , x2 , x3 , ..., xn )
s.t AX ≤ B
xϵR
where A is a rational matrix and B is a rational vector.
A CEP rule is a discontinuous function which takes streams
of events as input and optionally generates complex events
as output. Therefore, it is hard to fit a CEP rule itself in
an optimization problem. Instead, f is a continuous profit or
loss function defined using the output of a CEP rule in such
a way that optimizing f will optimize the CEP rule. This
way, optimizing CEP rule can be defined as a Mixed Integer
Linear Programming (MILP) problem if f is linear or Mixed
Integer Non-Linear Programming (MINLP) problem if f is
non-linear. Both MILP and MINLP are NP-Hard problems so
finding a solution in polynomial time is not always feasible
[28], [29].
The profit or loss function f is a black box of correlated
variables because its output depends on the underlying CEP
 TABLE II
C OMPARISON OF BAYESIAN AND PARTICLE S WARM OPTIMIZATION
ALGORITHMS USING THE PROFIT FUNCTION SHOWN IN F IGURE 1
Bayesian Particle Swarm
Initial points/Swarm size 100 100
Maximum iterations 10 10
Avg. execution time (seconds) 255.788 0.029
Avg. optimal points (x, y) 8.742, 409.921 20.681, 199.919
Avg. Profit 0 0.998
Fig. 2. Hybrid CEP rule optimization algorithm using Particle Swarm
Optimization and Bisection algorithms
Input: f unction, constraints, steps
Output: optimal values
1: optimal values, loss ← P SO(f unction, constraints)
2: for all val ∈ optimal values do
3: val ← Bisection(f unction, val,
constraints[val], step[val])
4: end for
5: return optimal values
rule. We developed a simple profit function as shown in
Figure 1 to simulate the behavior of an imaginary CEP rule
which generates output only if its threshold values are closed
to 20 and 200, and optimized the function using Bayesian
Optimization and PSO algorithms. As shown in Table II, PSO
outperforms Bayesian Optimization in both performance and
accuracy. PSO starts with random initial points and quickly
converges to the optimum point once a particle finds an
improvement in profit. Though Bayesian optimizer had some
initial points closed to the optimum point, it was distracted by
the plateau where profit is 0 and spent more time on building
the prior model. From this test, we conclude that PSO is better
than Bayesian Optimization for CEP parameter tuning.
PSO can find an optimum or closed to an optimum
result. However, an actual CEP rule may have more than
one optimum points adjacent to each other. For example, the
above imaginary CEP rule may produce the same output for
threshold values in between 20−25 and 200−250. Depending
on the requirement we may be interested in either the upper
bound or the lower bound. For example, we prefer to have
minimum time threshold and maximum count threshold
for the CEP rule given in Figure 3 to reduce latency and false
positives. Therefore, we implemented a hybrid optimization
algorithm using PSO and Bisection algorithms as shown in
Figure 2. PSO is used to find optimal values, and Bisection
algorithm is used to push them towards desired boundaries.
If the step size of Bisection algorithm is smaller than the
user-defined step value, user-defined step value is used by
the algorithm to avoid slow convergence.
Though some CEP parameters do not have a minimum
or a maximum bound, our optimization algorithm requires
a domain expert to limit the range to find a solution in
polynomial time. The minimum value, maximum value,
Fig. 3. Optimizable Wisdom query to detect FTP brute force attack
def stream PacketStream;
def stream FTPBruteForceAttackStream;
@config(trainable=true, minimum=100, maximum=60000, step=-1)
def variable time_threshold = time.sec(1);
@config(trainable=true, minimum=3, maximum=1000, step=1)
def variable count_threshold = 50;
from PacketStream
filter ‘FTP[Control]’ == protocol and ‘530 Login incorrect’ in data
partition by destIp
window.externalTimeBatch(’timestamp’, $time_threshold)
aggregate count() as no_of_packets
filter no_of_packets >= $count_threshold
select srcIp, destIp, no_of_packets, timestamp
insert into FTPBruteForceAttackStream;
Input Feeder Input
Wisdom
Application
Loss Function Output
Total Loss
Parameters
Optimization Algorithm
Fig. 4. Wisdom Optimizer architecture in which the Input Feeder and Loss
Function must be defined by the user
and step size can be tailored into Wisdom query using
@conf ig(trainable = true, ...) annotation as shown in
Figure 3. To cope with integer values, we round the real
numbers generated by the optimization algorithm to integer
numbers before assigning them to a CEP rule. Figure 4 depicts
the architecture of “Wisdom Optimizer”. In this architec-
ture, “Input Feeder” and “Loss Function” must be defined
by domain experts depending on the domain requirements.
“Wisdom Application” is the runtime environment compiled
from a “Wisdom” query and the “Optimization Algorithm” is
the implementation of the algorithm given in Figure 2 with
additional features to coordinate with “Wisdom” applications.
B. Evaluation
We conducted two tests: (1) to compare the accuracy of
proposed optimization approach with the results obtained by
Turchin et al. [15] and (2) to demonstrate the advantage
of functionally auto-scaling stream processor in a resource-
limited environment.
1) Test 1: We developed three “Wisdom” rules1 to detect
HTTP Slow Header DoS attack, FTP brute force attack and
Port scanning. All three rules have two optimizable variables:
time threshold and count theshold. We also developed a
loss function as given in Figure 5 to calculate loss based
on the number of true positive packets detected by stream
processor. Developed “Wisdom” rules were optimized using
packets arrived within a random 10 minutes interval from
CICIDS 2017 dataset. The optimized rules were used to detect
attacks in original packet capture files.
1 The “Wisdom” stream processor and queries used in Test 1 and Test 2
are available at https://slgobinath.github.io/wisdom
 Fig. 5. Loss function used to tune Wisdom queries in Test 1 TABLE III
AVERAGE PRECISION , RECALL AND TRAINING TIME OF W ISDOM
Input: output events, exp src ip QUERIES IN T EST 1
Output: loss
Initialize: CEP Rule Precision Recall Training Time
1: loss ← 1, 000, 000 FTP brute force 100% 99.61% 47 sec
2: for all event ∈ output events do Slow Header DoS 100% 96.85% 54 sec
3: if attacker ip ̸= event[‘src ip′ ] then Port scan 99.95% 83.80% 46 sec
4: loss += event[‘no of packets′ ] ∗ 10
5: else
6: loss −= event[‘no of packets′ ] ∗ 10 500 500

400

7: end if 450

Memory (MB)

Memory (MB)
300

8: end for
400

200

9: return loss
350

100

300

0 500 1000 1500 2000 0 500 1000 1500 2000

Time (Seconds) Time (Seconds)

Wisdom Start/Stop FTP Brute-force Wisdom Instances HTTP Slow Header FTP Brute Force Port Scan Wisdom Instances HTTP Slow Header Packet Filter FTP Brute Force Port Scan
Manager Detector
Start/Stop Start/Stop

Streams Throughput
(a) (b)
Port Scan PossibleBruteForceStream HTTP Slow Header
Detector Detector Fig. 7. Memory consumption of “Wisdom” instances in (a) manual deploy-
PossiblePortScanStream
Filter Query
PossibleDosStream ment and (b) functionally auto-scaling deployment
Apache Kafka

Simulated Stream of Packets System Calls

by the proposed optimization algorithm are able to detect

Fig. 6. Functionally auto-scaling deployment of “Wisdom” queries
2) Test 2: Test 2 was developed to show the effectiveness
of functionally auto-scaling stream processor in intrusion
detection. Deploying all three rules developed in Test 1
requires three “Wisdom” instances to run all the time. Instead,
we developed a filter query to filter incoming packets which
can be part of HTTP Slow Header DoS attack, FTP brute
force attack or Port scanning. Rest of the attack specific
CEP operations were defined in separate rules1 and deployed
as standalone “Wisdom” applications (see Figure 6). In this
setup, all these queries were deployed as separate processes
without any memory limitation in the same machine to
reduce the complexity. However, they can be deployed across
multiple servers in a production environment. If there is a
possibility of any of these attacks, “FilterQuery” sends the
packet to the relevant output stream. “Wisdom Manager”
monitors those output streams and starts relevant rules if an
event is inserted into those streams. If there is no input for an
attack detector for a long time, “Wisdom Manager” will stop
the attack detector. To simulate real-time behavior, we read
pcap files having: no attack, FTP brute force attack, HTTP
Slow Header attack, and Port Scan in order. To the best of
our knowledge, none of the existing stream processors support
functionally auto-scaling deployment. Therefore, the memory
consumption of functionally auto-scaling deployment was
compared with manual deployment where all three “Wisdom”
instances were deployed without enabling the functionally
auto-scaling feature.
IV. R ESULTS
All three rules were optimized within a minute using the
proposed optimization algorithm. The time taken to optimize
a CEP rule is highly determined by the amount of training
data. As given in Table III, adaptive CEP rules optimized
selected attacks with a minimum precision of 99.95% and
a maximum precision of 100%. The minimum recall was
83.80%, and the maximum recall was 99.85%. We have
observed that the precision is highly depending on how well
the query is defined by the domain expert. Recall depends
on thresholds defined by the optimization algorithm which
in turns depends on the quality of training data. Manual
inspection of training data caused to 83.80% recall revealed
that the random 10 minutes interval we chose contains less
number of port scanning packets. Turchin et al. obtained
a maximum precision of 80% and a maximum recall of
90% with their probability-based CEP rule optimized using
Kalman Filter after training the system using the complete
dataset [15]. Based on these results, we conclude that our op-
timization algorithm and proposed methodology outperform
the probability-based CEP rule tuned by Kalman Filter.
In Test 2 manual deployment, the overall memory con-
sumption of all “Wisdom” instances was between 450 - 500
megabyte (MB) from the beginning to end (see Figure 7a).
In functionally auto-scaling deployment, “Wisdom Manager”
started Port scanning detector from the beginning as depicted
in Figure 7b because there were packets matching Port
scanning filter even in legitimate traffic. FTP brute force
detector and HTTP Slow Header were started only after the
simulation of those attacks. FTP brute force detector was
stopped after the attack, but HTTP Slow Header detector was
stopped and started a few times due to some matching packets
throughout the remaining time. However, those packets were
not reported by DoS detector as attacks.
Functionally auto-scaling deployment missed 0.04% pack-
ets in FTP brute force attack and 0.01% packets in HTTP
Slow Header attacks. No packets were missed in Port scan
probe. The distributed deployment can be a reason for this
event loss. However, in the real world, it is not required to
detect all packets which are part of an attack. Instead, an
IDS should be able to detect an attack as early as possible
and prevent further requests from the suspected attacker.
Therefore, the tradeoff of packet loss for resource utilization
is negligible in a resource-limited environment.
V. C ONCLUSION
In this research, we have developed an adaptive and
functionally auto-scaling steam processor which can optimize
its queries for accuracy, start new rules to add more features
or stop unwanted rules to reduce resource consumption. We
have shown that PSO is better than Bayesian Optimization
for CEP rule optimization using a simulated loss function.
The high precision and recall obtained in our test indicate that
domain experts are better than machines in mining CEP rules.
However, the proposed optimization algorithm improves the
accuracy of CEP rules defined by domain experts by tuning
parameters. We also have shown that the proposed function-
ally auto-scaling deployment mode consumes less resource
than monolithic deployment. As future work, we plan to test
the proposed stream processor in detecting complex attacks
like Advanced Persistent Threat (APT) using a honeynet.
ACKNOWLEDGMENT
We gratefully acknowledge financial support from Western
Engineering, and National Science and Engineering Research
Council, Canada in conducting this research.
R EFERENCES
[1] M. Ficco and L. Romano, “A generic intrusion detection and diagnoser
system based on complex event processing,” in 2011 First International
Conference on Data Compression, Communications and Processing,
June 2011, pp. 275–284.
[2] M. Blount, M. R. Ebling, J. M. Eklund, A. G. James, C. McGregor,
N. Percival, K. Smith, and D. Sow, “Real-time analysis for intensive
care: Development and deployment of the artemis analytic system,”
IEEE Engineering in Medicine and Biology Magazine, vol. 29, no. 2,
pp. 110–118, March 2010.
[3] S. Nielsen, C. Chambers, and J. Farr, “Fleet management systems and
methods for complex event processing of vehicle-related information
via local and remote complex event processing engines,” Jun. 25 2013,
uS Patent 8,473,148.
[4] J. Hazra, K. Das, D. P. Seetharam, and A. Singhee, “Stream computing
based synchrophasor application for power grids,” in Proceedings of
the First International Workshop on High Performance Computing,
Networking and Analytics for the Power Grid, ser. HiPCNA-PG ’11.
New York, NY, USA: ACM, 2011, pp. 43–50.
[5] R. Mousheimish, Y. Taher, and K. Zeitouni, “Automatic learning of
predictive cep rules: Bridging the gap between data mining and complex
event processing,” in Proceedings of the 11th ACM International
Conference on Distributed and Event-based Systems, ser. DEBS ’17.
New York, NY, USA: ACM, 2017, pp. 158–169.
[6] A. Margara, G. Cugola, and G. Tamburrelli, “Learning from the
past: Automated rule generation for complex event processing,” in
Proceedings of the 8th ACM International Conference on Distributed
Event-Based Systems, ser. DEBS ’14. New York, NY, USA: ACM,
2014, pp. 47–58.
[7] O.-J. Lee and J. E. Jung, “Sequence clustering-based automated rule
generation for adaptive complex event processing,” Future Generation
Computer Systems, vol. 66, pp. 100 – 109, 2017.
[8] N. Mehdiyev, J. Krumeich, D. Werth, and P. Loos, “Determination of
event patterns for complex event processing using fuzzy unordered rule
induction algorithm with multi-objective evolutionary feature subset
selection,” in 2016 49th Hawaii International Conference on System
Sciences (HICSS), Jan 2016, pp. 1719–1728.
[9] EsperTech Inc, “Esper - espertech,” apr 2018. [Online]. Available:
http://www.espertech.com/esper/
View publication stats
[10] The Apache Software Foundation, “Apache flink: Scalable stream
and batch data processing,” apr 2018. [Online]. Available: https:
//flink.apache.org/
[11] D. J. Abadi, Y. Ahmad, M. Balazinska, M. Cherniack, J. hyon Hwang,
W. Lindner, A. S. Maskey, E. Rasin, E. Ryvkina, N. Tatbul, Y. Xing,
and S. Zdonik, “The design of the borealis stream processing engine,”
in CIDR, 2015, pp. 277–289.
[12] S. Suhothayan, K. Gajasinghe, I. Loku Narangoda, S. Chaturanga,
S. Perera, and V. Nanayakkara, “Siddhi: A second look at complex
event processing architectures,” in Proceedings of the 2011 ACM
Workshop on Gateway Computing Environments, ser. GCE ’11. New
York, NY, USA: ACM, 2011, pp. 43–50.
[13] S. Jayasekara, S. Kannangara, T. Dahanayakage, I. Ranawaka, S. Per-
era, and V. Nanayakkara, “Wihidum: Distributed complex event pro-
cessing,” Journal of Parallel and Distributed Computing, vol. 79-80,
pp. 42 – 51, 2015, special Issue on Scalable Systems for Big Data
Management and Analytics.
[14] R. Bhargavi, R. Pathak, and V. Vaidehi, “Dynamic complex event
processing - adaptive rule engine,” in 2013 International Conference
on Recent Trends in Information Technology (ICRTIT), July 2013, pp.
189–194.
[15] Y. Turchin, A. Gal, and S. Wasserkrug, “Tuning complex event pro-
cessing rules using the prediction-correction paradigm,” in Proceedings
of the Third ACM International Conference on Distributed Event-Based
Systems, ser. DEBS ’09. New York, NY, USA: ACM, 2009, pp. 10:1–
10:12.
[16] B. Shahriari, K. Swersky, Z. Wang, R. P. Adams, and N. de Freitas,
“Taking the human out of the loop: A review of bayesian optimization,”
Proceedings of the IEEE, vol. 104, no. 1, pp. 148–175, Jan 2016.
[17] J. Snoek, H. Larochelle, and R. P. Adams, “Practical bayesian opti-
mization of machine learning algorithms,” in Proceedings of the 25th
International Conference on Neural Information Processing Systems
- Volume 2, ser. NIPS’12. USA: Curran Associates Inc., 2012, pp.
2951–2959.
[18] P. Jamshidi and G. Casale, “An uncertainty-aware approach to
optimal configuration of stream processing systems,” CoRR, vol.
abs/1606.06543, 2016.
[19] F. H. F. Leung, H. K. Lam, S. H. Ling, and P. K. S. Tam, “Tuning
of the structure and parameters of a neural network using an improved
genetic algorithm,” IEEE Transactions on Neural Networks, vol. 14,
no. 1, pp. 79–88, Jan 2003.
[20] Z.-L. Gaing, “A particle swarm optimization approach for optimum
design of pid controller in avr system,” IEEE Transactions on Energy
Conversion, vol. 19, no. 2, pp. 384–391, June 2004.
[21] R. Hassan, B. Cohanim, O. De Weck, and G. Venter, “A comparison
of particle swarm optimization and the genetic algorithm,” in 46th
AIAA/ASME/ASCE/AHS/ASC structures, structural dynamics and ma-
terials conference, 2005, p. 1897.
[22] S. M. Hosseini Bamakan, B. Amiri, M. Mirzabagheri, and Y. Shi,
“A new intrusion detection approach using pso based multiple criteria
linear programming,” Procedia Computer Science, vol. 55, pp. 231 –
237, 2015, 3rd International Conference on Information Technology
and Quantitative Management, ITQM 2015.
[23] I. Sharafaldin, A. Habibi Lashkari, and A. Ghorbani, “Toward gener-
ating a new intrusion detection dataset and intrusion traffic characteri-
zation,” 01 2018, pp. 108–116.
[24] E. Gamma, R. Helm, R. Johnson, and J. Vlissides, “Design patterns:
Abstraction and reuse of object-oriented design,” in Software Pioneers:
Contributions to Software Engineering, O. M. Nierstrasz, Ed. Berlin,
Heidelberg: Springer Berlin Heidelberg, 1993, pp. 406–431.
[25] I. Nadareishvili, R. Mitra, M. McLarty, and M. Amundsen, Mi-
croservice Architecture: Aligning Principles, Practices, and Culture.
O’Reilly Media, Inc., 2016.
[26] L. Richardson and S. Ruby, RESTful web services. ”O’Reilly Media,
Inc.”, 2008.
[27] The Apache Software Foundation, “Apache kafka,” apr 2018. [Online].
Available: https://kafka.apache.org/
[28] P. Bonami, M. Kilinç, and J. Linderoth, “Algorithms and software for
convex mixed integer nonlinear programs,” in Mixed Integer Nonlinear
Programming, J. Lee and S. Leyffer, Eds. New York, NY: Springer
New York, 2012, pp. 1–39.
[29] R. Hemmecke, M. Köppe, J. Lee, and R. Weismantel, Nonlinear integer
programming, 2010.