Chinese Journal of Computers   Full Text
  Title: ProSPer: A Proactive Event Monitor for General Purposes
  Authors: LIU Jia-Hong, WU Quan-Yuan
  Address: Institute of Network Technology & Information Security, School of Computer, National University of Defense Technology, Changsha 410073
  Year: 2009
  Issue: No.4 (773-783)
  Abstract & Background
Abstract Large-scale network security monitoring demands dynamic, continuous evaluation of the security situation and proactive protection against approaching network risks. The authors model security monitors as continuous Event Monitor Systems: multiple events are correlated through complex temporal relationships and attribute-level logical relationships into semantically richer, more abstract complex events in the security domain. Much work has gone into designing complex event detection models, but these models lack the proactive capability to monitor events. Based on the assumption that temporal relationships do not improve the predictive ability of an event monitor, the authors design a proactive event monitor system, ProSPer, for application domains such as situation evaluation for network security, and present a fast top-k based algorithm to detect complex events. Current event detection techniques require a full read of the relevant records, whereas the new method needs only a partial read; this is what makes the proactive capability desirable.
Keywords network security; event monitor; event stream processing; complex event; proactive capability
Background Events play an important role in many computer systems, and network security events are an obstacle to the development of the Internet. As organizations tie system security monitoring ever more closely to real-time processes, the research and industrial communities increasingly focus on the connection between Event Stream Processing (ESP) and proactive network monitoring. The high arrival rate of events and the vast number of registered complex event queries make memory consumption and incremental query evaluation critical, which demands a dedicated ESP framework that detects security events proactively, with low latency and high scalability. Much work has gone into designing complex event detection models, but they lack the proactive capability to monitor events.
Inspired by web information retrieval, and by the recent research conclusion that the order of primitive events adds no prediction power to detection algorithms, the authors present a proactive ESP monitor, ProSPer (Proactive Stream Processor). Complex event detection is performed on the events that arrive within a time window. By incorporating the statistical probability of events, every primitive event instance in the stream can change the probability that a complex event is occurring now or will occur shortly. Because of the high volume of events in the stream and of event expressions registered against it, the authors consider only the most probably occurring events, ranked by an indicator of uncertainty: the top-k monotone aggregation function they design. Current event detection techniques require a full read of the relevant records, whereas this method needs only a partial read, which is what makes the proactive capability desirable. Because the event instances in the time window serve as the terms with which complex events are queried, top-k detection for ESP is multi-dimensional. The authors address this by building inverted index lists in the database and accessing them on demand during detection. To minimize the cost of sorted and random accesses in top-k detection and improve processing efficiency, they re-use the smaller time window of detection. Performance is justified by experimental results.
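The partial-read top-k detection described above, as an added illustration that is not the authors' code: a Fagin-style threshold algorithm ranks complex event expressions against the primitive events observed in a time window, doing sorted access down each relevant inverted index list and random access to fill in a candidate's remaining weights, and stops as soon as the k-th best exact score is at least the bound on any unseen candidate. The inverted index, the window contents and the aggregation function (a sum of window probability times index weight, which is monotone) are assumptions made for this example; the paper does not state ProSPer's actual index layout or aggregation function. A full-scan baseline is included so that the number of index entries read can be compared.

```python
"""Threshold-algorithm top-k detection of complex events over inverted index
lists.  Added example; index layout, weights, window and the sum aggregation
are assumptions for illustration, not ProSPer's own design."""
from typing import Dict, List, Tuple

# Constructed inverted index (made up for this example): primitive event type ->
# complex events whose expression contains it, each with a contribution weight,
# sorted by weight descending so that sorted access is meaningful.
INDEX: Dict[str, List[Tuple[str, float]]] = {
    "portscan": [("recon_then_exploit", 0.9), ("worm_propagation", 0.7),
                 ("noisy_scan", 0.3), ("misconfigured_scanner", 0.2),
                 ("benign_inventory", 0.1)],
    "failed_login": [("brute_force", 0.95), ("recon_then_exploit", 0.6),
                     ("insider_misuse", 0.4), ("password_expiry", 0.2),
                     ("typo_storm", 0.1)],
    "privilege_escalation": [("insider_misuse", 0.9), ("recon_then_exploit", 0.8),
                             ("admin_maintenance", 0.3), ("sudo_misconfig", 0.2)],
    "outbound_c2": [("beaconing_malware", 0.9), ("worm_propagation", 0.85),
                    ("recon_then_exploit", 0.6)],
}

# Constructed time window: primitive event types seen in the window with the
# probability the sensor attached to them.  Arrival order is deliberately
# ignored, following the assumption that order adds no predictive power.
WINDOW: Dict[str, float] = {"portscan": 1.0, "failed_login": 0.8,
                            "privilege_escalation": 0.6}


def _ranked(scores: Dict[str, float]) -> List[Tuple[str, float]]:
    # Deterministic order: highest score first, name breaks ties.
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def topk_threshold(index, window, k):
    """Return (top_k, sorted_accesses, random_accesses).

    score(c) = sum_t p_t * w(c, t) over window terms t.  Because score is
    monotone in every w(c, t), the sum of the last weights seen by sorted
    access bounds the score of every candidate not yet seen."""
    terms = [t for t in window if t in index]
    lookup = {(c, t): w for t, lst in index.items() for c, w in lst}
    pos = {t: 0 for t in terms}            # sorted-access cursor per list
    scores: Dict[str, float] = {}
    sorted_accesses = random_accesses = 0
    while True:
        progressed = False
        for t in terms:                    # one round-robin sorted access
            lst = index[t]
            if pos[t] >= len(lst):
                continue                   # this list is exhausted
            c, w = lst[pos[t]]
            pos[t] += 1
            sorted_accesses += 1
            progressed = True
            if c in scores:
                continue                   # exact score already known
            total = window[t] * w
            for u in terms:                # random access on the other lists
                if u == t:
                    continue
                random_accesses += 1
                total += window[u] * lookup.get((c, u), 0.0)
            scores[c] = total
        if not progressed:
            break                          # every list fully read
        # Bound for unseen candidates: last weight seen on each non-exhausted
        # list; an exhausted list contributes 0 to anything still unseen.
        threshold = sum(window[t] * index[t][pos[t] - 1][1]
                        for t in terms if pos[t] < len(index[t]))
        ranked = _ranked(scores)
        if len(ranked) >= k and ranked[k - 1][1] >= threshold:
            break                          # nothing unseen can enter the top-k
    return _ranked(scores)[:k], sorted_accesses, random_accesses


def topk_full_scan(index, window, k):
    """Baseline: read every entry of every relevant list, then sort.
    Returns (top_k, entries_read)."""
    scores: Dict[str, float] = {}
    reads = 0
    for t, p in window.items():
        for c, w in index.get(t, []):
            reads += 1
            scores[c] = scores.get(c, 0.0) + p * w
    return _ranked(scores)[:k], reads


if __name__ == "__main__":
    top, s, r = topk_threshold(INDEX, WINDOW, 2)
    full, reads = topk_full_scan(INDEX, WINDOW, 2)
    print("threshold:", top, "sorted accesses", s, "random accesses", r)
    print("full scan: ", full, "entries read", reads)
```

With the constructed data the threshold algorithm stops after three rounds, having read 9 of the 14 index entries relevant to the window, and returns the same top-2 as the full scan, which reads all 14; the saving grows with the length of the low-weight tails of the lists, which is where most registered expressions sit in practice.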
The method focuses on efficient event detection; for further performance improvement, the authors would need to improve the in-memory data structures and the detection algorithm itself. To detect complex events with more predictive power and effectiveness, more factors would have to enter the top-k detection, such as the probability effects caused by the order of primitive events.
The authors gratefully acknowledge financial support from Project 863 under grant Nos. 2006AA01Z451 and 2007AA01Z474, and from the Ministry & Commission-Level Research Foundation of China under grant No. [2006]634.