SPICES: 'Scalable processing and mining of complex events for security-analytics'.
The overall goal of SPICES is to design an open reusable platform specifically targeted towards security process monitoring, based on the notion of complex event processing (CEP). Within SOFT we envision (1) the design of a reactive CEP security language (2) The design of a change language which identifies new threats and attacks while the system is running; and (3) the implementation of a multi-pattern optimizer on top of a scalable (i.e. multicore), distributed (i.e. cloud) execution platform to manage the processing of a vast amount of events.
SPICES aims to do research that will result in a next-generation CEP framework that addresses: 1 Offline, automatic mining of CEP patterns from historical data (such as log files or event logs generated by IoT devices, operating systems and application servers). This allows a security expert to populate a monitoring system with meaningful descriptions that are based on actually occurring events. To deal with new attack patterns and to keep the patterns up to date with newly occurring events, this offline method will be used as a stepping stone towards an online method for maintaining the relevance of the mined patterns. A central point of focus will be the design and implementation of a dynamically reconfigurable CEP framework. CEP patterns will be learnt both online and offline and will be dynamically adaptable via meta-level programming techniques. 2 High-throughput processing of expressive event patterns on commodity hardware. This feature will be ob- tained by (a) fully exploiting the parallel processing capabilities of contemporary and commodity multi-core hardware and (b) designing novel, scalable expressive pattern processing and optimisation algorithms atop big data sets that perpetually change. A central point of focus will be the optimal execution of the online “continuous” queries that correspond to the to CEP patterns. Perpetual optimal (re)scheduling of query plans will be driven by multicore workload information as well as the aforementioned dynamic adaptation of CEP patterns.