Real-time Intrusion Detection in Network Traffic Using Adaptive and Auto-scaling Stream Processor

Gobinath Loganathan∗, Jagath Samarabandu†, and Xianbin Wang‡
Department of Electrical and Computer Engineering, The University of Western Ontario, London, Ontario, N6A 5B9, Canada
∗[email protected], †[email protected], ‡[email protected]

Abstract—Advanced intrusion detection systems are beginning to utilize the power and flexibility offered by Complex Event Processing (CEP) engines. Adapting to new attacks and optimizing CEP rules are two challenges in this domain. Optimizing CEP rules requires a complete framework which can be ported to stream processors, because a CEP rule cannot run without a stream processor. External dependencies of stream processors make a CEP rule a black box which is hard to optimize. In this paper, we present a novel adaptive and functionally auto-scaling stream processor, “Wisdom”, with a built-in hybrid optimizer developed using Particle Swarm Optimization and Bisection algorithms to optimize CEP rule parameters. We show that an adaptive “Wisdom” rule tuned by the proposed optimization algorithm is able to detect selected attacks in the CICIDS 2017 dataset with an average precision of 99.98% and an average recall of 93.42% while processing over 2.5 million events per second. The proposed distributed, functionally auto-scaling deployment mode consumes significantly fewer system resources than the monolithic deployment of CEP rules.

I. INTRODUCTION

Complex Event Processing (CEP) is a reactive programming paradigm used to respond to real-time events based on predefined rules. Stream processors provide the necessary infrastructure to develop and deploy CEP rules for a wide range of applications, including intrusion detection [1], healthcare [2], fleet management [3], and power grids [4]. In all these domains, constructing a CEP rule often requires a domain expert who knows how to mine complex events out of a stream of raw events. Some recent studies have proposed automatic CEP rule generation using unsupervised machine learning algorithms to replace domain experts with machines [5]–[8]. Machine learning algorithms require a lot of preprocessed data and training time. Moreover, the proposed solutions are based on frequent patterns, which are not useful in anomaly detection scenarios like intrusion detection. Instead, the traditional way of defining CEP rules based on human cognition, with the support of domain-specific facts, is easier than mining rules from training data. Even though humans are experts in logical reasoning, we are poor at handling numbers. For example, it is easy for a domain expert to say that “a CEP rule to detect an FTP brute force attack must look for a lot of failed login attempts within a short period of time”, but he/she requires manual inspection of training data to quantify the number of failed attempts and the shortest time interval to consider. Analyzing training data to find those

threshold values is a tedious and time-consuming task for humans. In a volatile domain like intrusion detection, such threshold values are subject to change frequently. Therefore, an optimization algorithm that finds optimal threshold values for a CEP rule can relieve domain experts from spending time analyzing training data. Furthermore, such an algorithm can be used at runtime to continuously optimize CEP rules according to the dynamics of the environment. Optimizing CEP rules using available optimization algorithms requires dynamic stream processors (stream processors which allow runtime query modification) to try different threshold values without restarting the stream processor. Even though Esper and Apache Flink support CEP variables, they do not provide a built-in mechanism to optimize queries defined using variables [9], [10]. Abadi et al. proposed the first fully dynamic stream processor, “Borealis”, years ago [11]. However, none of the existing commercial stream processors offer dynamic operators comparable to “Borealis” [9]–[12]. These stream processors focus on performance optimization and scalability rather than on query optimization. Even though stream processors can distribute and scale operators, not all stateful operators are horizontally scalable [13]. Especially when it comes to dynamic CEP operators, it is hard to track and atomically update them in a horizontally scaled environment. Another dynamic complex event processor, iCEP, does not reach the throughput benchmark set by commercial stream processors [6]. We believe these limitations are keeping commercial stream processors away from dynamic and adaptive CEP. In this paper, we propose a new stream processor, “Wisdom”, developed with the following features: (1) dynamic without compromising performance, (2) adaptive using Particle Swarm Optimization and Bisection algorithms, (3) distributed and functionally auto-scaling as an alternative to horizontal scaling.
We use the term “functionally auto-scaling” to mean the ability of the “Wisdom” stream processor to start new rules to add more features or to stop unwanted rules to reduce resource consumption. We tested our stream processor using three CEP rules defined by domain experts and optimized by “Wisdom” using packets that arrived within a 10-minute interval to detect an FTP brute force attack, an HTTP Slow Header Denial of Service (DoS) attack, and a Port Scan probe. “Wisdom” was able to detect the selected attacks with an average precision

of 99.98% and an average recall of 93.42%, which is better than the maximum precision of 80% and maximum recall of 90% obtained by Turchin et al. after training their adaptive CEP rule using the entire dataset. “Wisdom” is able to process 2.5 million events per second in a single-thread environment, which is significantly better than the throughput of iCEP and comparable with commercial stream processors. We also show that the proposed functionally auto-scaling deployment consumes fewer system resources compared to traditional monolithic deployment without compromising accuracy.

II. BACKGROUND

A. Dynamic Complex Event Processor

In a dynamically changing environment, static CEP rules become obsolete very soon. Redeploying new rules for every change in the environment reduces the uptime of the system. Moreover, dynamicity is one of the primary requirements for adaptive complex event processing, so that the system can automatically adjust the flow of events without redeploying the rule. The Borealis stream processing engine developed by Abadi et al. supports dynamic query modification and performance optimization at runtime using separate control flows [11]. A similar approach is used by Bhargavi et al. in their dynamic complex event processor to deploy CEP rules without restarting the stream processor [14].

B. Complex Event Processing Rule Mining

Mousheimish et al. proposed automatic predictive CEP rule mining from classified multivariate time series data [5]. The learning algorithm first searches for subsequences across a time series input. The length of possible subsequences is limited by user-defined lower and upper bounds. A CEP rule is built using the subsequence with the highest accuracy after removing redundant parts from the sequence. However, this approach is limited by user-defined sequence lengths and a limited set of CEP rule templates, which are not guaranteed to fit all use cases. Margara et al.
developed iCEP, which can generate expressive CEP rules using time window, selector, logical operator, pattern, and aggregator [6]. iCEP learns interesting events and the time frame, followed by aggregators and filters, and finally parameters and sequences, in an independent three-phase pipeline. In this approach, errors made in an early stage of the pipeline can propagate and affect the following learners. For example, if the time window learner fails to capture all necessary events, the sequence learner cannot learn a meaningful sequence at the end of the pipeline. The isolated learning phases of iCEP fail to address the correlation between CEP operators. Therefore, the rule generated by iCEP may not perform well in a highly correlated domain. CEP rule mining based on similarity matching was proposed by Lee et al. [7]. In this work, the authors cluster event sequences, extract a complex event based on similarity across sequences from the same cluster, and finally generate a complex event pattern using a Markov Transition model. Their clustering algorithm calculates the distance between two sequences based on

the cosine similarity between individual events. The attribute used to calculate cosine similarity is determined by domain experts. Mehdiyev et al. used the Elitist Pareto-based Multi-Objective Evolutionary Algorithm to select event attributes and the Fuzzy Unordered Rule Induction Algorithm to classify events [8]. In this research, the authors compared their algorithm with other classification algorithms. However, they did not propose how to convert the output of their algorithm to a CEP rule, and admit that generating CEP rules using their classifier will be a difficult challenge to address. All of the above CEP rule mining methodologies were developed with the intention of replacing domain experts with machines [5]–[8]. However, they rely on false assumptions, such as raw events not being complex, a TimeWindow being enough to collect events in all scenarios, or a single CEP rule template being able to represent all complex events. These assumptions oversimplify the problem and do not capture real-world requirements. Furthermore, these solutions mainly focus on generating rules for commonly occurring patterns. In anomaly-driven domains like intrusion detection, such patterns represent legitimate traffic, in which we are not interested. Hence, rules developed for frequent patterns may not work well for detecting anomalous traffic.

C. Parameter Tuning

Turchin et al. defined CEP rules based on the probability score of selected attributes and tuned threshold values using a Discrete Kalman Filter based on expert feedback and event history [15]. The concept of tuning rule parameters and the application of adaptive rules to detect attacks in the DARPA 1999 dataset are close to our research. Therefore, we have chosen this research as a benchmark to compare the results we obtain. However, their contribution to CEP rule optimization may not be widely applicable because their rules neither use any CEP operators nor follow CEP semantics.
Instead, they calculate an anomalous probability score of request length, response length, possible “SYN” error, and hostname for each packet. A packet is classified either as an anomaly or not by comparing the total score of these four attributes with two threshold values. Therefore, this rule does not address any of the problems we raised in Section III-A3. Bayesian Optimization is widely used by researchers for hyperparameter optimization and black-box optimization [16]. In this method, an unknown objective function is mapped into a prior belief and sequentially refined by a Bayesian posterior update [16]. Snoek et al. used Bayesian Optimization to tune machine learning hyperparameters [17]. It is also used by Pooyan et al. to optimize the performance of the Apache Storm stream processor [18]. Among the population-based optimization algorithms, Genetic Algorithm (GA) and Particle Swarm Optimization (PSO) are widely used for hyperparameter tuning [19], [20]. GA and PSO optimized a selected set of problems with equal accuracy in a test conducted by Hassan et al. [21]. Though GA has been successfully applied to optimization problems, it is inefficient for applications with highly correlated parameters [20]. In

TABLE I
PERFORMANCE COMPARISON OF “WISDOM” WITH COMMERCIAL STREAM PROCESSORS USING A FILTER QUERY IN A SINGLE THREAD ENVIRONMENT

Stream Processor   Throughput             Latency
Apache Flink       6,711,544 events/sec   100 nanoseconds
WSO2 Siddhi        3,811,876 events/sec   216 nanoseconds
Wisdom             2,543,299 events/sec   332 nanoseconds
Esper              2,247,807 events/sec   334 nanoseconds

addition, GA is much more complex to implement than PSO. Therefore, we have chosen Bayesian Optimization and PSO for our experiment. Hosseini et al. used the PSO algorithm to optimize the Multiple Criteria Linear Programming (MCLP) algorithm used to detect DoS attacks in the KDD CUP 1999 dataset [22]. Even though the use case (intrusion detection) and the optimization algorithm are the same as in our research, the actual contribution of Hosseini et al. is optimizing MCLP, in which the problem is already in an optimizable format with variables. We are focusing on optimizing CEP rules, which are black-box functions and require additional steps to convert them into optimizable problems. Furthermore, Hosseini et al. used MCLP for anomaly-based detection in the KDD CUP 1999 dataset and we use CEP for signature-based detection in the CICIDS 2017 [23] dataset. Therefore, we compare our final results with Turchin et al. because both of us are solving the CEP rule optimization problem.

III. METHODOLOGY

A. Wisdom Architecture

We developed an adaptive and functionally auto-scaling stream processor, “Wisdom”, with the following goals: (1) dynamic without compromising performance, (2) functionally auto-scaling, and (3) optimizable CEP rules.

1) Dynamicity and Performance: In our early attempts, we tried to modify existing open source stream processors, Apache Flink [10] and WSO2 Siddhi [12], to make them dynamic. The underlying static data structures used to represent events in these stream processors are designed for high throughput and low latency and did not allow us to implement dynamic operators. The authors of the iCEP dynamic complex event processor claim that their complex event processor can analyze “thousands of events in a few minutes” [6]. Our underlying architecture, which uses the Observer and Mediator design patterns [24] to implement variables and dynamic CEP operators, yields performance comparable to commercial stream processors, as given in Table I, and significantly better performance than iCEP.
2) Functionally Auto-scaling: In intrusion detection systems, some attack detectors may need more resources than others. For example, a DoS attack detector may need more system resources than an SQL attack detector due to the large amount of traffic involved in a DoS attack. Distributing and scaling a stream processor at the operator level can cause coordination problems in CEP operators, depending on the

Fig. 1. Made-up profit function representing a CEP rule optimization problem to test Bayesian Optimization and Particle Swarm Optimization

order of events. Therefore, we have designed “Wisdom” using a microservice architecture [25] to deploy each CEP rule as a microservice with the required memory and CPU allocation. Each “Wisdom” instance can be controlled via exposed RESTful [26] admin service endpoints. We have also developed a service named “Wisdom Manager” to start, stop and control “Wisdom” instances automatically. Using the @app annotation, “Wisdom Manager” can be informed to start a query only if specific streams receive events in the system. Though “Wisdom” can be used as a Java library, for functional auto-scaling we recommend distributed deployment of “Wisdom” instances with Apache Kafka [27] for intermediate communication.

3) Optimizable CEP Rule: Threshold values in a CEP rule can be an integer, a real number or a constant. Considering all possible constants as a list of candidates, they can be mapped into integer values. These numbers may or may not have lower and upper bounds. For example, the minimum number of packets threshold in Figure 3 has a lower bound of 0 because it is a count, but it has no upper bound. However, these parameters are correlated with each other in such a way that they cannot take all possible values in the space. According to these facts, a CEP rule optimization problem can be defined as

$$\max / \min \; f(x_1, x_2, x_3, \ldots, x_n) \quad \text{s.t.} \quad AX \le B, \; x \in \mathbb{R}$$

where A is a rational matrix and B is a rational vector. A CEP rule is a discontinuous function which takes streams of events as input and optionally generates complex events as output. Therefore, it is hard to fit a CEP rule itself into an optimization problem. Instead, f is a continuous profit or loss function defined using the output of a CEP rule in such a way that optimizing f will optimize the CEP rule. This way, optimizing a CEP rule can be defined as a Mixed Integer Linear Programming (MILP) problem if f is linear or a Mixed Integer Non-Linear Programming (MINLP) problem if f is non-linear. Both MILP and MINLP are NP-hard problems, so finding a solution in polynomial time is not always feasible [28], [29]. The profit or loss function f is a black box of correlated variables because its output depends on the underlying CEP

TABLE II
COMPARISON OF BAYESIAN AND PARTICLE SWARM OPTIMIZATION ALGORITHMS USING THE PROFIT FUNCTION SHOWN IN FIGURE 1

Algorithm        Initial points/Swarm size   Maximum iterations   Avg. execution time (seconds)   Avg. optimal points (x, y)   Avg. Profit
Bayesian         100                         10                   255.788                         8.742, 409.921               0
Particle Swarm   100                         10                   0.029                           20.681, 199.919              0.998

Fig. 2. Hybrid CEP rule optimization algorithm using Particle Swarm Optimization and Bisection algorithms

Fig. 3. Optimizable Wisdom query to detect FTP brute force attack

def stream PacketStream;
def stream FTPBruteForceAttackStream;

@config(trainable=true, minimum=100, maximum=60000, step=-1)
def variable time_threshold = time.sec(1);

@config(trainable=true, minimum=3, maximum=1000, step=1)
def variable count_threshold = 50;

from PacketStream
filter 'FTP[Control]' == protocol and '530 Login incorrect' in data
partition by destIp
window.externalTimeBatch('timestamp', $time_threshold)
aggregate count() as no_of_packets
filter no_of_packets >= $count_threshold
select srcIp, destIp, no_of_packets, timestamp
insert into FTPBruteForceAttackStream;

rule. We developed a simple profit function, shown in Figure 1, to simulate the behavior of an imaginary CEP rule which generates output only if its threshold values are close to 20 and 200, and optimized the function using Bayesian Optimization and PSO algorithms. As shown in Table II, PSO outperforms Bayesian Optimization in both performance and accuracy. PSO starts with random initial points and quickly converges to the optimum point once a particle finds an improvement in profit. Though the Bayesian optimizer had some initial points close to the optimum point, it was distracted by the plateau where profit is 0 and spent more time on building the prior model. From this test, we conclude that PSO is better than Bayesian Optimization for CEP parameter tuning. PSO can find an optimum or a result close to an optimum. However, an actual CEP rule may have more than one optimum point adjacent to each other. For example, the above imaginary CEP rule may produce the same output for threshold values between 20−25 and 200−250. Depending on the requirement, we may be interested in either the upper bound or the lower bound. For example, we prefer to have a minimum time threshold and a maximum count threshold for the CEP rule given in Figure 3 to reduce latency and false positives. Therefore, we implemented a hybrid optimization algorithm using PSO and Bisection algorithms, as shown in Figure 2. PSO is used to find optimal values, and the Bisection algorithm is used to push them towards the desired boundaries. If the step size of the Bisection algorithm becomes smaller than the user-defined step value, the user-defined step value is used by the algorithm to avoid slow convergence. Though some CEP parameters do not have a minimum or a maximum bound, our optimization algorithm requires a domain expert to limit the range in order to find a solution in polynomial time. The minimum value, maximum value,

Algorithm of Fig. 2:
Input: function, constraints, steps
Output: optimal_values
1: optimal_values, loss ← PSO(function, constraints)
2: for all val ∈ optimal_values do
3:   val ← Bisection(function, val, constraints[val], step[val])
4: end for
5: return optimal_values

Fig. 4. Wisdom Optimizer architecture in which the Input Feeder and Loss Function must be defined by the user
[Diagram blocks: Input Feeder → Input → Wisdom Application → Output → Loss Function → Total Loss → Optimization Algorithm → Parameters (back to the Wisdom Application).]

and step size can be tailored into a Wisdom query using the @config(trainable=true, ...) annotation, as shown in Figure 3. To cope with integer values, we round the real numbers generated by the optimization algorithm to integers before assigning them to a CEP rule. Figure 4 depicts the architecture of the “Wisdom Optimizer”. In this architecture, the “Input Feeder” and “Loss Function” must be defined by domain experts depending on the domain requirements. The “Wisdom Application” is the runtime environment compiled from a “Wisdom” query, and the “Optimization Algorithm” is the implementation of the algorithm given in Figure 2 with additional features to coordinate with “Wisdom” applications.

B. Evaluation

We conducted two tests: (1) to compare the accuracy of the proposed optimization approach with the results obtained by Turchin et al. [15] and (2) to demonstrate the advantage of a functionally auto-scaling stream processor in a resource-limited environment.

1) Test 1: We developed three “Wisdom” rules¹ to detect the HTTP Slow Header DoS attack, the FTP brute force attack and Port scanning. All three rules have two optimizable variables: the time threshold and the count threshold. We also developed a loss function, given in Figure 5, to calculate loss based on the number of true positive packets detected by the stream processor. The developed “Wisdom” rules were optimized using packets that arrived within a random 10-minute interval from the CICIDS 2017 dataset. The optimized rules were then used to detect attacks in the original packet capture files.

¹ The “Wisdom” stream processor and queries used in Test 1 and Test 2 are available at https://slgobinath.github.io/wisdom
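The hybrid algorithm of Figure 2, written out as an added Python example (this is not Wisdom's own code). The profit function is a constructed stand-in for the one in Figure 1, with a plateau of profit 1 for thresholds in 20–25 and 200–250 that decays to the 0 plateau around it; PSO maximizes it (equivalently, minimizes a loss), and Bisection then pushes each threshold toward the bound selected by the sign of its step, as the @config step values of Figure 3 request (-1 for the time threshold, +1 for the count threshold). The PSO constants and the finishing walk on the step grid are assumptions.

```python
"""Hybrid PSO + Bisection tuner after Figure 2 (added example, not Wisdom's code)."""
import math
import random


def profit(time_threshold, count_threshold):
    """Constructed stand-in for the Figure 1 profit function: an imaginary CEP
    rule that produces output only when time_threshold is in [20, 25] and
    count_threshold in [200, 250]. Profit is 1 on that plateau, decays smoothly
    around it, and is clipped to the 0 plateau far away (the region that
    distracted Bayesian Optimization in the paper's test)."""
    d_t = max(20 - time_threshold, time_threshold - 25, 0)
    d_c = max(200 - count_threshold, count_threshold - 250, 0)
    value = math.exp(-(d_t ** 2 / 200.0 + d_c ** 2 / 20000.0))
    return value if value >= 0.01 else 0.0


def pso(function, constraints, swarm_size=50, iterations=150, seed=7):
    """Plain PSO maximizing `function` inside the box `constraints`
    (a list of (minimum, maximum) pairs, one per CEP rule parameter)."""
    rng = random.Random(seed)
    dim = len(constraints)
    pos = [[rng.uniform(lo, hi) for lo, hi in constraints] for _ in range(swarm_size)]
    vel = [[0.0] * dim for _ in range(swarm_size)]
    pbest = [p[:] for p in pos]
    pbest_val = [function(*p) for p in pos]
    best_i = max(range(swarm_size), key=pbest_val.__getitem__)
    gbest, gbest_val = pbest[best_i][:], pbest_val[best_i]
    w, c1, c2 = 0.7, 1.5, 1.5          # inertia, cognitive and social weights (assumed)
    for _ in range(iterations):
        for i in range(swarm_size):
            for d, (lo, hi) in enumerate(constraints):
                r1, r2 = rng.random(), rng.random()
                vel[i][d] = (w * vel[i][d] + c1 * r1 * (pbest[i][d] - pos[i][d])
                             + c2 * r2 * (gbest[d] - pos[i][d]))
                pos[i][d] = min(max(pos[i][d] + vel[i][d], lo), hi)   # stay inside the bounds
            val = function(*pos[i])
            if val > pbest_val[i]:
                pbest[i], pbest_val[i] = pos[i][:], val
                if val > gbest_val:
                    gbest, gbest_val = pos[i][:], val
    return gbest, gbest_val


def bisection(function, values, index, constraint, step, best_val, tol=1e-9):
    """Push values[index] toward its minimum (step < 0) or maximum (step > 0)
    bound as far as the profit stays within `tol` of `best_val`."""
    lo, hi = constraint
    bound = lo if step < 0 else hi

    def ok(x):
        trial = values[:]
        trial[index] = x
        return function(*trial) >= best_val - tol

    good, bad = values[index], bound    # good keeps the optimum, bad does not
    if ok(bad):
        return bad
    while abs(bad - good) > abs(step):  # bisect until the interval is one step wide
        mid = (good + bad) / 2.0
        if ok(mid):
            good = mid
        else:
            bad = mid
    # Below the user-defined step size, move on the step grid instead of bisecting further.
    cand = round(good / abs(step)) * abs(step)
    if not ok(cand):
        cand -= step
    while lo <= cand + step <= hi and ok(cand + step):
        cand += step
    return cand


def hybrid_optimize(function, constraints, steps):
    """Figure 2: PSO finds optimal values, then Bisection pushes each value toward
    the bound chosen by the sign of its step; results are rounded to integers."""
    values, best = pso(function, constraints)
    for i in range(len(values)):
        values[i] = bisection(function, values, i, constraints[i], steps[i], best)
    return [int(round(v)) for v in values], best


if __name__ == "__main__":
    # Figure 3 preferences: minimum time threshold (step -1), maximum count threshold (step +1)
    print(hybrid_optimize(profit, [(0, 100), (0, 1000)], [-1, 1]))
```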

TABLE III
AVERAGE PRECISION, RECALL AND TRAINING TIME OF WISDOM QUERIES IN TEST 1

CEP Rule          Precision   Recall   Training Time
FTP brute force   100%        99.61%   47 sec
Slow Header DoS   100%        96.85%   54 sec
Port scan         99.95%      83.80%   46 sec

Fig. 5. Loss function used to tune Wisdom queries in Test 1

Input: output_events, exp_src_ip
Output: loss
Initialize:
1: loss ← 1,000,000
2: for all event ∈ output_events do
3:   if attacker_ip ≠ event['src_ip'] then
4:     loss += event['no_of_packets'] * 10
5:   else
6:     loss -= event['no_of_packets'] * 10
7:   end if
8: end for
9: return loss

Fig. 7. Memory consumption of “Wisdom” instances in (a) manual deployment and (b) functionally auto-scaling deployment
[Plots: Memory (MB) against Time (Seconds), 0–2000 s, for the FTP Brute Force, Port Scan, HTTP Slow Header and Packet Filter instances; (a) spans 300–500 MB, (b) spans 0–500 MB.]

Fig. 6. Functionally auto-scaling deployment of “Wisdom” queries
[Diagram: a simulated stream of packets enters through Apache Kafka into the Filter Query, whose output streams PossibleBruteForceStream, PossiblePortScanStream and PossibleDosStream feed the FTP Brute-force Detector, Port Scan Detector and HTTP Slow Header Detector; “Wisdom Manager” watches the throughput of those streams and starts/stops the “Wisdom” instances through system calls.]
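The rule of Figure 3 and the loss function of Figure 5 run over a constructed packet sample, as an added Python example (not Wisdom's code). It assumes externalTimeBatch semantics in which a batch starts at the timestamp of its first event and closes when an event arrives time_threshold or more later (the last batch is flushed at end of input), that the selected srcIp is that of the last event in the batch, and that the loss function's expected source IP is the attacker's address; the addresses and timestamps are constructed.

```python
"""Figure 3 FTP brute force rule and Figure 5 loss function (added example, not Wisdom's code)."""
from collections import defaultdict


def ftp_brute_force_rule(packets, time_threshold_ms, count_threshold):
    """Mirror of the Figure 3 query: keep FTP control packets carrying
    '530 Login incorrect', partition by destIp, batch each partition by an
    external-time window driven by the packet timestamps (assumed semantics:
    a batch starts at its first packet and closes when a packet arrives
    time_threshold_ms or more later), count packets per batch and emit a
    complex event when the count reaches count_threshold."""
    candidates = [p for p in packets
                  if p["protocol"] == "FTP[Control]" and "530 Login incorrect" in p["data"]]
    partitions = defaultdict(list)
    for p in candidates:
        partitions[p["destIp"]].append(p)
    output = []
    for dest_ip, pkts in partitions.items():
        pkts.sort(key=lambda p: p["timestamp"])
        batch_start, batch = pkts[0]["timestamp"], []
        for p in pkts + [None]:            # None flushes the final batch
            if p is None or p["timestamp"] - batch_start >= time_threshold_ms:
                if batch and len(batch) >= count_threshold:
                    output.append({"srcIp": batch[-1]["srcIp"],   # assumed: last event's srcIp
                                   "destIp": dest_ip,
                                   "no_of_packets": len(batch),
                                   "timestamp": batch[-1]["timestamp"]})
                if p is None:
                    break
                batch_start, batch = p["timestamp"], []
            batch.append(p)
    return output


def loss_function(output_events, attacker_ip):
    """Figure 5: start from 1,000,000, add 10 per reported packet whose source
    is not the attacker (false positive) and subtract 10 per reported packet
    from the attacker (true positive). Lower is better."""
    loss = 1_000_000
    for event in output_events:
        if event["srcIp"] != attacker_ip:
            loss += event["no_of_packets"] * 10
        else:
            loss -= event["no_of_packets"] * 10
    return loss


ATTACKER_IP = "10.0.0.9"   # constructed sample value


def constructed_packets():
    """Constructed sample (timestamps in ms): the attacker fails 7 logins within
    3 s, a legitimate user fails 3 logins spread over 9 s, plus two packets the
    rule must ignore (a successful login and an HTTP packet)."""
    def pkt(ts, src, dst="192.168.1.10", protocol="FTP[Control]", data="530 Login incorrect"):
        return {"timestamp": ts, "srcIp": src, "destIp": dst, "protocol": protocol, "data": data}
    packets = [pkt(ts, ATTACKER_IP) for ts in range(1000, 4001, 500)]
    packets += [pkt(ts, "10.0.0.3") for ts in (20000, 25000, 29000)]
    packets.append(pkt(4500, ATTACKER_IP, data="230 Login successful"))
    packets.append(pkt(4600, "10.0.0.3", protocol="HTTP", data="GET / HTTP/1.1"))
    return packets


def evaluate(time_threshold_ms, count_threshold):
    """Run the rule with one pair of thresholds and score it; this is the step
    the Wisdom Optimizer repeats for every parameter set it tries."""
    events = ftp_brute_force_rule(constructed_packets(), time_threshold_ms, count_threshold)
    return events, loss_function(events, ATTACKER_IP)


if __name__ == "__main__":
    # A 10 s window with count 5 isolates the attacker; count 3 also flags the
    # legitimate user (higher loss); a 2 s window misses the attack entirely.
    for thresholds in ((10000, 5), (10000, 3), (2000, 5)):
        events, loss = evaluate(*thresholds)
        print(thresholds, loss, [(e["srcIp"], e["no_of_packets"]) for e in events])
```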

2) Test 2: Test 2 was designed to show the effectiveness of a functionally auto-scaling stream processor in intrusion detection. Deploying all three rules developed in Test 1 requires three “Wisdom” instances to run all the time. Instead, we developed a filter query to filter incoming packets which can be part of an HTTP Slow Header DoS attack, an FTP brute force attack or Port scanning. The rest of the attack-specific CEP operations were defined in separate rules¹ and deployed as standalone “Wisdom” applications (see Figure 6). In this setup, all these queries were deployed as separate processes without any memory limitation on the same machine to reduce complexity. However, they can be deployed across multiple servers in a production environment. If there is a possibility of any of these attacks, “FilterQuery” sends the packet to the relevant output stream. “Wisdom Manager” monitors those output streams and starts the relevant rules if an event is inserted into those streams. If there is no input for an attack detector for a long time, “Wisdom Manager” stops the attack detector. To simulate real-time behavior, we read pcap files containing, in order: no attack, an FTP brute force attack, an HTTP Slow Header attack, and a Port Scan. To the best of our knowledge, none of the existing stream processors support functionally auto-scaling deployment. Therefore, the memory consumption of the functionally auto-scaling deployment was compared with a manual deployment where all three “Wisdom” instances were deployed without enabling the functionally auto-scaling feature.

IV. RESULTS

All three rules were optimized within a minute using the proposed optimization algorithm. The time taken to optimize a CEP rule is largely determined by the amount of training data. As given in Table III, adaptive CEP rules optimized

by the proposed optimization algorithm are able to detect the selected attacks with a minimum precision of 99.95% and a maximum precision of 100%. The minimum recall was 83.80%, and the maximum recall was 99.85%. We have observed that precision depends highly on how well the query is defined by the domain expert. Recall depends on the thresholds found by the optimization algorithm, which in turn depends on the quality of the training data. Manual inspection of the training data that led to the 83.80% recall revealed that the random 10-minute interval we chose contains a small number of port scanning packets. Turchin et al. obtained a maximum precision of 80% and a maximum recall of 90% with their probability-based CEP rule optimized using a Kalman Filter after training the system using the complete dataset [15]. Based on these results, we conclude that our optimization algorithm and proposed methodology outperform the probability-based CEP rule tuned by a Kalman Filter. In the Test 2 manual deployment, the overall memory consumption of all “Wisdom” instances was between 450 and 500 megabytes (MB) from beginning to end (see Figure 7a). In the functionally auto-scaling deployment, “Wisdom Manager” started the Port scanning detector from the beginning, as depicted in Figure 7b, because there were packets matching the Port scanning filter even in legitimate traffic. The FTP brute force detector and the HTTP Slow Header detector were started only after the simulation of those attacks. The FTP brute force detector was stopped after the attack, but the HTTP Slow Header detector was stopped and started a few times due to some matching packets throughout the remaining time. However, those packets were not reported by the DoS detector as attacks. The functionally auto-scaling deployment missed 0.04% of packets in the FTP brute force attack and 0.01% of packets in the HTTP Slow Header attack. No packets were missed in the Port scan probe. The distributed deployment can be a reason for this event loss.
However, in the real world, it is not required to detect all packets which are part of an attack. Instead, an

IDS should be able to detect an attack as early as possible and prevent further requests from the suspected attacker. Therefore, the tradeoff of packet loss for resource utilization is negligible in a resource-limited environment.

V. CONCLUSION

In this research, we have developed an adaptive and functionally auto-scaling stream processor which can optimize its queries for accuracy, start new rules to add more features, or stop unwanted rules to reduce resource consumption. We have shown that PSO is better than Bayesian Optimization for CEP rule optimization using a simulated loss function. The high precision and recall obtained in our tests indicate that domain experts are better than machines at mining CEP rules. However, the proposed optimization algorithm improves the accuracy of CEP rules defined by domain experts by tuning their parameters. We have also shown that the proposed functionally auto-scaling deployment mode consumes fewer resources than monolithic deployment. As future work, we plan to test the proposed stream processor in detecting complex attacks like Advanced Persistent Threat (APT) using a honeynet.

ACKNOWLEDGMENT

We gratefully acknowledge financial support from Western Engineering, and National Science and Engineering Research Council, Canada in conducting this research.

REFERENCES

[1] M. Ficco and L. Romano, “A generic intrusion detection and diagnoser system based on complex event processing,” in 2011 First International Conference on Data Compression, Communications and Processing, June 2011, pp. 275–284.
[2] M. Blount, M. R. Ebling, J. M. Eklund, A. G. James, C. McGregor, N. Percival, K. Smith, and D. Sow, “Real-time analysis for intensive care: Development and deployment of the Artemis analytic system,” IEEE Engineering in Medicine and Biology Magazine, vol. 29, no. 2, pp. 110–118, March 2010.
[3] S. Nielsen, C. Chambers, and J. Farr, “Fleet management systems and methods for complex event processing of vehicle-related information via local and remote complex event processing engines,” Jun. 25, 2013, US Patent 8,473,148.
[4] J. Hazra, K. Das, D. P. Seetharam, and A. Singhee, “Stream computing based synchrophasor application for power grids,” in Proceedings of the First International Workshop on High Performance Computing, Networking and Analytics for the Power Grid, ser. HiPCNA-PG ’11. New York, NY, USA: ACM, 2011, pp. 43–50.
[5] R. Mousheimish, Y. Taher, and K. Zeitouni, “Automatic learning of predictive CEP rules: Bridging the gap between data mining and complex event processing,” in Proceedings of the 11th ACM International Conference on Distributed and Event-based Systems, ser. DEBS ’17. New York, NY, USA: ACM, 2017, pp. 158–169.
[6] A. Margara, G. Cugola, and G. Tamburrelli, “Learning from the past: Automated rule generation for complex event processing,” in Proceedings of the 8th ACM International Conference on Distributed Event-Based Systems, ser. DEBS ’14. New York, NY, USA: ACM, 2014, pp. 47–58.
[7] O.-J. Lee and J. E. Jung, “Sequence clustering-based automated rule generation for adaptive complex event processing,” Future Generation Computer Systems, vol. 66, pp. 100–109, 2017.
[8] N. Mehdiyev, J. Krumeich, D. Werth, and P. Loos, “Determination of event patterns for complex event processing using fuzzy unordered rule induction algorithm with multi-objective evolutionary feature subset selection,” in 2016 49th Hawaii International Conference on System Sciences (HICSS), Jan 2016, pp. 1719–1728.
[9] EsperTech Inc, “Esper - EsperTech,” Apr 2018. [Online]. Available: http://www.espertech.com/esper/
[10] The Apache Software Foundation, “Apache Flink: Scalable stream and batch data processing,” Apr 2018. [Online]. Available: https://flink.apache.org/
[11] D. J. Abadi, Y. Ahmad, M. Balazinska, M. Cherniack, J.-H. Hwang, W. Lindner, A. S. Maskey, E. Rasin, E. Ryvkina, N. Tatbul, Y. Xing, and S. Zdonik, “The design of the Borealis stream processing engine,” in CIDR, 2015, pp. 277–289.
[12] S. Suhothayan, K. Gajasinghe, I. Loku Narangoda, S. Chaturanga, S. Perera, and V. Nanayakkara, “Siddhi: A second look at complex event processing architectures,” in Proceedings of the 2011 ACM Workshop on Gateway Computing Environments, ser. GCE ’11. New York, NY, USA: ACM, 2011, pp. 43–50.
[13] S. Jayasekara, S. Kannangara, T. Dahanayakage, I. Ranawaka, S. Perera, and V. Nanayakkara, “Wihidum: Distributed complex event processing,” Journal of Parallel and Distributed Computing, vol. 79-80, pp. 42–51, 2015, Special Issue on Scalable Systems for Big Data Management and Analytics.
[14] R. Bhargavi, R. Pathak, and V. Vaidehi, “Dynamic complex event processing - adaptive rule engine,” in 2013 International Conference on Recent Trends in Information Technology (ICRTIT), July 2013, pp. 189–194.
[15] Y. Turchin, A. Gal, and S. Wasserkrug, “Tuning complex event processing rules using the prediction-correction paradigm,” in Proceedings of the Third ACM International Conference on Distributed Event-Based Systems, ser. DEBS ’09. New York, NY, USA: ACM, 2009, pp. 10:1–10:12.
[16] B. Shahriari, K. Swersky, Z. Wang, R. P. Adams, and N. de Freitas, “Taking the human out of the loop: A review of Bayesian optimization,” Proceedings of the IEEE, vol. 104, no. 1, pp. 148–175, Jan 2016.
[17] J. Snoek, H. Larochelle, and R. P. Adams, “Practical Bayesian optimization of machine learning algorithms,” in Proceedings of the 25th International Conference on Neural Information Processing Systems - Volume 2, ser. NIPS’12. USA: Curran Associates Inc., 2012, pp. 2951–2959.
[18] P. Jamshidi and G. Casale, “An uncertainty-aware approach to optimal configuration of stream processing systems,” CoRR, vol. abs/1606.06543, 2016.
[19] F. H. F. Leung, H. K. Lam, S. H. Ling, and P. K. S. Tam, “Tuning of the structure and parameters of a neural network using an improved genetic algorithm,” IEEE Transactions on Neural Networks, vol. 14, no. 1, pp. 79–88, Jan 2003.
[20] Z.-L. Gaing, “A particle swarm optimization approach for optimum design of PID controller in AVR system,” IEEE Transactions on Energy Conversion, vol. 19, no. 2, pp. 384–391, June 2004.
[21] R. Hassan, B. Cohanim, O. De Weck, and G. Venter, “A comparison of particle swarm optimization and the genetic algorithm,” in 46th AIAA/ASME/ASCE/AHS/ASC Structures, Structural Dynamics and Materials Conference, 2005, p. 1897.
[22] S. M. Hosseini Bamakan, B. Amiri, M. Mirzabagheri, and Y. Shi, “A new intrusion detection approach using PSO based multiple criteria linear programming,” Procedia Computer Science, vol. 55, pp. 231–237, 2015, 3rd International Conference on Information Technology and Quantitative Management, ITQM 2015.
[23] I. Sharafaldin, A. Habibi Lashkari, and A. Ghorbani, “Toward generating a new intrusion detection dataset and intrusion traffic characterization,” 01 2018, pp. 108–116.
[24] E. Gamma, R. Helm, R. Johnson, and J. Vlissides, “Design patterns: Abstraction and reuse of object-oriented design,” in Software Pioneers: Contributions to Software Engineering, O. M. Nierstrasz, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1993, pp. 406–431.
[25] I. Nadareishvili, R. Mitra, M. McLarty, and M. Amundsen, Microservice Architecture: Aligning Principles, Practices, and Culture. O’Reilly Media, Inc., 2016.
[26] L. Richardson and S. Ruby, RESTful Web Services. O’Reilly Media, Inc., 2008.
[27] The Apache Software Foundation, “Apache Kafka,” Apr 2018. [Online]. Available: https://kafka.apache.org/
[28] P. Bonami, M. Kilinç, and J. Linderoth, “Algorithms and software for convex mixed integer nonlinear programs,” in Mixed Integer Nonlinear Programming, J. Lee and S. Leyffer, Eds. New York, NY: Springer New York, 2012, pp. 1–39.
[29] R. Hemmecke, M. Köppe, J. Lee, and R. Weismantel, Nonlinear Integer Programming, 2010.
