Complex Event Processing

From Wikipedia, the free encyclopedia

Complex event processing (CEP) consists in processing many events happening across all the layers of an organization, identifying the most meaningful events within the event cloud, analyzing their impact, and taking subsequent action in real time.

[edit]Conceptual description

Among thousands of incoming events, a monitoring system may for instance receive the following three from the same source: church bells ringing, the appearance of a man in a tuxedo with a woman in a flowing white gown, and rice flying through the air. Acomplex event is what this monitoring system may infer from these events: that a wedding is happening. CEP is a technique that helps discover complex events by analyzing and correlating other events:^[1] the bells, the man and woman in wedding attire and the rice flying through the air.

CEP relies on a number of techniques,^[2] including event pattern detection, event abstraction, event hierarchies, relationships between events (e.g., causality, membership, timing), and event-driven processes.

Commercial applications of CEP include algorithmic stock trading, credit card fraud detection, business activity monitoring, and security monitoring.^[3]

[edit]Related concepts

CEP is primarily used in Business Process Management (BPM) and related fields.

In Network Management, Systems Management, Application Management and Service Management, people usually refer instead to Event Correlation. As CEP engines, event correlation engines (event correlators) analyze a mass of events, pinpoint the most significant ones, and trigger actions. However, most of them do not produce new inferred events. Instead, they relate high-level events with low-level events.^[4]

In Artificial Intelligence, inferred information is typically produced by inference engines, e.g. rule-based reasoning engines. However, new information is usually not produced in the form of complex (i.e., inferred) events.

[edit]Example

A more systemic example of CEP involves a car, some sensors and various events and reactions. Imagine that a car has several sensors—one that measures tire pressure, one that measures speed, and one that detects if someone sits on a seat or leaves a seat.

In the first situation, the car is moving and the pressure of one of the tires moves from 45 psi to 41 psi over 15 minutes. As the pressure in the tire is reducing, a series of events containing the tire pressure is generated. In addition, a series of events containing the speed of the car is generated. The car's Event Processor may detect a situation whereby a loss of tire pressure over a relatively long period of time results in the creation of the "lossOfTirePressure" event. This new event may trigger a reaction process to note the pressure loss into the car's maintenance log, and alert the driver via the car's portal that the tire pressure has reduced.

In the second situation, the car is moving and the pressure of one of the tires drops from 45 psi to 20 psi in 5 seconds. A different situation is detected—perhaps because the loss of pressure occurred over a shorter period of time, or perhaps because the difference in values between each event were larger than a predefined limit. The different situation results in a new event "blowOutTire" being generated. This new event triggers a different reaction process to immediately alert the driver and to initiate onboard computer routines to assist the driver in bringing the car to a stop without losing control through skidding.

In addition, events that represent detected situations can also be combined with other events in order to detect more complex situations. For example, in the final situation the car was moving normally but suffers a blown tire which results in the car leaving the road and striking a tree and the driver is thrown from the car. A series of different situations are rapidly detected. The combination of "blowOutTire", "zeroSpeed" and "driverLeftSeat" within a very short space of time results in a new situation being detected: "occupantThrownAccident". Even though there is no direct measurement that can determine conclusively that the driver was thrown, or that there was an accident, the combination of events allows the situation to be detected and a new event to be created to signify the detected situation. This is the essence of a complex (or composite) event. It is complex because one cannot directly detect the situation; one has to infer or deduce that the situation has occurred from a combination of other events.

[edit]Types

Most CEP solutions and concepts can be classified into two main categories:

1. Computation oriented CEP
2. Detection oriented CEP

A computation oriented CEP solution is focused on executing on-line algorithms as a response to event data entering the system. A simple example is to continuously calculate an average based in data on the inbound events.

Detection oriented CEP is focused on detecting combinations of events called events patterns or situations. A simple example of detecting a situation is to look for a specific sequence of events.

[edit]Integrating CEP with BPM

Of course, rarely does the application of a new technology exist in isolation. A natural fit for CEP has been with BPM. BPM very much focuses on end-to-end business processes, in order to continuously optimize and align for its operational environment.

However, the optimization of a business does not rely solely upon its individual, end-to-end processes. Seemingly disparate processes can affect each other significantly. Consider this scenario: In the aerospace industry, it is good practice to monitor breakdowns of vehicles to look for trends (determine potential weaknesses in manufacturing processes, material etc). Another separate process monitors current operational vehicles life cycle and when appropriate decommissions at the end of their useful lives. Now one use for CEP is to link these separate processes, so that in the case of when the initial process (breakdown monitoring) discovers a malfunction based on metal fatigue (a significant event) an action can be created to exploit the second process (life cycle) to issue a recall on vehicles using the same batch of metal discovered as faulty in the initial process.

The integration of CEP and BPM must exist at two levels, both at the business awareness level (users must understand the potential holistic benefits of their individual processes) and also at the technological level (there needs to be a method by which CEP can interact with BPM implementation).

[edit]Academic research

• Aurora (Brandeis University, Brown University and MIT)
• Borealis (Brandeis University, Brown University and MIT)
• Cayuga (Cornell University)
• ETALIS (Forschungszentrum Informatik Karlsruhe and Stony Brook University)
• Global Sensor Networks (EPFL)
• NiagaraST (Portland State University)
• PIPES (University of Marburg)
• SASE (UC Berkeley/UMass Amherst)
• STREAM (Stanford University)
• Telegraph (UC Berkeley)
• epZilla (University of Moratuwa)
• ACAIA.org Acoustic Event Detection (AED) (Acoustic Computing for AI/AmI Applications)

[edit]See also

• Event correlation
• Event-driven architecture (EDA) is a software architecture pattern promoting the production, detection, consumption of, and reaction to events.
• Event Processing Technical Society (EPTS) is an event processing community of interest
• Event stream processing (ESP) is a related technology that focuses on processing streams of related data.
• Real-time computing CEP systems are typically real-time systems
• Real time enterprise
• Operational intelligence Both CEP and ESP are technologies that underpin operational intelligence.
• Pattern matching
• Rulecore
• WebSphere Business Events