Application of the Complex Event Processing system for anomaly detection and network monitoring

Gerard Frankowski, Marcin Jerzak, Maciej Miłostan, Tomasz Nowak, Marek Pawłowski


Protection of infrastructures for e-science, including grid environments and NREN facilities, requires the use of novel techniques for anomaly detection and network monitoring. The aim is to raise situational awareness and provide early warning capabilities. The main operational problem that most network operators face is integrating and processing data from multiple sensors and systems placed at critical points of the infrastructure. From a scientific point of view, there is a need for the efficient analysis of large data volumes and automatic reasoning while minimizing detection errors. In this article, we describe two approaches to Complex Event Processing used for network monitoring and anomaly detection and introduce the ongoing SECOR project (Sensor Data Correlation Engine for Attack Detection and Support of Decision Process), supported by examples and test results. The aim is to develop methodology that allows for the construction of next-generation IDS systems with artificial intelligence, capable of performing signature-less intrusion detection.


network monitoring; intrusion detection; anomaly detection; complex event processing

Full Text:



Balis B., Kowalewski B., Bubak M.: Leveraging Complex Event Processing for Grid Monitoring. In: Parallel Processing and Applied Mathematics, R. Wyrzykowski, J. Dongarra, K. Karczewski, J. Wasniewski, eds, Lecture Notes in Computer Science, vol. 6068, pp. 224–233. Springer, Berlin-Heidelberg, 2010.

Balis B., Kowalewski B., Bubak M.: Real-time Grid monitoring based on complex event processing. Future Generation Computer Systems, vol. 27(8), pp. 1103–1112, 2011.

Bereziński P., Pawelec J., Małowidzki M., Piotrowski R.: Entropy-Based Internet Traffic Anomaly Detection: A Case Study. In: Proceedings of the Ninth International Conference on Dependability and Complex Systems DepCoS-RELCOMEX. June 30 – July 4, 2014, Brunów, Poland, Advances in Intelligent Systems and Computing, W. Zamojski, J. Mazurkiewicz, J. Sugier, T. Walkowiak, J. Kacprzyk, eds, vol. 286, pp. 47–58. Springer International Publishing, 2014.

Bilge L., Dumitras T.: Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World. Proceedings of the 2012 ACM conference on Computer and communications security, pp. 833–844, 2012.

EGEE – Enabling Grids for E-sciencE, 2010.

Frankowski G., Jerzak M.: Advanced Architecture of the Integrated IT Platform with High Security Level. In: Multimedia Communications, Services and Security, Communications in Computer and Information Science, A. Dziech, A. Czyżewski, eds, vol. 287, pp. 107–117. Springer, Berlin-Heidelberg, 2012.

GÉANT: the pan-European research and education network, 2014.

Holzschuher F., Peinl R.: Performance of Graph Query Languages: Comparison of Cypher, Gremlin and Native Access in Neo4J. In: Proceedings of the Joint EDBT/ICDT 2013 Workshops, EDBT’13, pp. 195–204. ACM, New York, NY, USA, 2013.

Jerzak M., Wojtysiak M.: Distributed Intrusion Detection Systems – MetalDS case study. Computational Methods in Science and Technology, Special Issue (1), pp. 135–145, 2010.

Kliarsky A., Atlasis A.A.: Responding to Zero Day Threats, 2011.

Li B., Springer J., Bebis G., Gunes M.H.: A survey of network flow applications. Journal of Network and Computer Applications, vol. 36(2), pp. 567–581, 2013.

Lodi G., Aniello L., Luna G.A.D., Baldoni R.: An event-based platform for collaborative threats detection and monitoring. Inf. Syst., vol. 39, pp. 175–195, 2014.

Neo4j: Neo4j – The World’s Leading Graph Database, 2012.

Security Experts Expect ‘Shellshock’ Software Bug in Bash to Be Significant, 2014.

PIONIER, 2014.

Polish Platform for Homeland Security, 2014.

Poznań Supercomputing and Networking Center, 2014.

Robinson I., Webber J., Eifrem E.: Graph Databases. O’Reilly Media, Inc., 2013.

Storm, Distributed and fault-tolerant realtime computation, 2014.

Symantec Corporation: Internet Security Threat Report 2014, 2014.

The Apache Software Foundation: mod log config: CustomLog Directive, 2014.

WSO2 Carbon System, 2005.

WSO2 Siddhi CEP engine, 2005.



  • There are currently no refbacks.