Event-driven Principles and Complex Event Processing for Self-adaptive Network Analysis and Surveillance Systems

Abstract

Event-driven approaches and Complex Event Processing (CEP) have the potential to aid in tackling the complex requirements and challenges of monitoring contemporary computer networks. The applicability of such methods, however, depends on, e.g., architectural considerations, data processing performance, or usability. In this thesis, we study the applicability of event-driven principles and CEP for analyzing and surveying computer networks and present ways for improving the applicability of these paradigms. The main contributions that are presented and discussed in this thesis are: an analysis of important properties of network analysis and surveillance, the introduction of a corresponding Event-driven Architecture (EDA) for addressing these requirements, the empirical evaluation of the proposed EDA using a prototype implementation, the development of cooperative and self-adaptive methods for addressing performance and usability issues, and the development of techniques for improving the integration of components implemented in different languages in event-driven systems.

Assuring and maintaining the proper operation of computer networks is as crucial as assuring the proper operation of the Information Technology (IT) systems they connect. However, collecting and analyzing information about computer networks, which is required for assuring their proper operation, is increasingly challenging because of, e.g., the growing logical and spatial extent of computer networks, accelerated changes in computer network structures and network traffic, or near real-time requirements. Furthermore, a wide variety of methods for network analysis and surveillance exists and for acquiring comprehensive information at optimal resource requirements these various methods have to be combined with a converging approach.

Based on the results of an analysis of important properties and requirements for network analysis and surveillance, we propose an approach which leverages event-driven paradigms such as EDA and CEP for addressing the complex mix of requirements in this field and for enabling convergence of the various existing methods. We evaluate our proposed approach with a case study and performance benchmarks using a prototype. Our results show that our approach is a good fit for addressing the complex mix of requirements and that it is feasible from a performance perspective. In contrast to other related recent research, which is limited to specific use cases, we propose a generic and versatile event-driven approach for universal network analysis and surveillance.

Moreover, we present techniques for further improving network analysis and surveillance. While our general approach already constitutes an important improvement, we also propose and investigate further innovations. Based on the evaluation of our approach, we consider distributed operation, usability, performance in distributed deployments and of sensors, integration of data sources, and the interoperation of implementations in different programming languages in event-driven systems as most important aspects for further improvement.

For improving the operation, usability, and performance in distributed contexts, we develop an approach for cooperative and self-adaptive data acquisition using the example of packet capturing. In order to research ways for advancing the operation of sensors and integration of data sources, we use the example of packet capturing with the Java Virtual Machine (JVM), for which we develop and analyze various improvements at various abstraction levels such as data extraction via a Domain Specific Language (DSL) or self-adaptive adjustments based on performance constraints. Even though packet capturing with the JVM was already employed in other research, these studies only consider the overall systems such that neither the specific implications of JVM-based packet capturing nor methods for improving the performance in this scenario were discussed in detail yet. Furthermore, we analyze the impact of programming language barriers in event-driven systems and present a batch-based approach for increasing the data exchange throughput.

In conclusion, we improve the state-of-the-art of network analysis and surveillance. Our work aims on taking the next step towards holistic network analysis and surveillance by addressing distribution, convergence, usability, and performance aspects. We demonstrate the benefits and evaluate the applicability of event-driven data processing paradigms and show how self-adaptivity and cooperation can further improve the capabilities.