
Advances, Systems and Applications

Table 7 Summary of existing works on using CEP for cyber security purposes

From: Complex event processing for physical and cyber security in datacentres - recent progress, challenges and recommendations

Paper | Year | Threat | Methodology | Pros (+) & Cons (−)

[88] Aniello et al. (2011)
Threat: Stealthy port scan
Methodology: An IDS architecture built on the Esper CEP engine is proposed, together with an algorithm that detects SYN port scans by checking host activity for malicious behaviour.
+ High detection and low false positive rates were achieved.
- Only one type of cyber attack was considered.

[89] Cheng et al. (2011)
Threat: Network service
Methodology: NEPnet, a monitoring system that processes events for anomaly detection, is proposed. NEPnet is built on CEP and supports a variety of event correlations by creating a tree-based monitoring net for anomaly detection.
+ NEPnet detects anomalies faster than the Esper CEP engine.
- Requires pre-defined rules.

[90] Gad et al. (2013)
Threat: DoS attack, SYN flooding
Methodology: CEP (Esper) is used for network analysis and surveillance to filter out undesired information and infer high-level information.
+ Meaningful high-level data can be deduced effectively in network analysis and surveillance by means of CEP.
- No analysis of intrusion detection accuracy.

[56] Jun et al. (2014)
Threat: LAND attack
Methodology: An IDS is integrated with CEP (Esper) to react quickly to hacking attacks and malicious activities in IoT network environments.
+ Works smoothly in real time and performs well in detecting abnormalities.
- No analysis of intrusion detection accuracy.

[91] Jayan et al. (2014)
Threat: DoS attack, buffer overflow
Methodology: A method for pre-processing large input volumes for a CEP engine is described. The method extracts only the data relevant to the CEP engine (Esper).
+ CEP rules are built from a risk taxonomy to find the attack patterns.
- The rules can become very long.

[92] Mohan et al. (2015)
Threat: SYN flood, port scans, LAND, NTP flood, Back, Neptune, POD, Smurf and Teardrop attacks
Methodology: A hybrid IDS and CEP system that feeds the output of a host IDS and a network IDS into the CEP module. The host and network features are updated dynamically when a threshold is crossed. The KDD99 dataset is used to test the system.
+ The system is evaluated in terms of CPU and RAM usage and compared with other works in terms of detection rate.
- A sophisticated set of pre-defined rules is required.

[93] Vegh et al. (2016)
Threat: Private keys, authentication
Methodology: A system that provides hierarchical access to data via a digital signature algorithm is proposed. The system aims to detect and prevent attacks using WSO2 CEP.
+ The model uses digital signatures for access control.
- No performance evaluation of the proposed system is conducted.

[57] Cardoso et al. (2018)
Threat: UDP flood, SYN flood, ICMP flood and port scan attacks
Methodology: A DDoS detection system (CEPIDS) capable of identifying malicious traffic in real-time IoT environments using CEP rules is proposed and tested on a Raspberry Pi.
+ Tested on a Raspberry Pi 3; achieved good accuracy in detecting attacks and CPU and RAM usage suitable for IoT, compared with the Bro and Snort IDSs.
- Higher packet loss rate than Snort IDS, but lower than Bro IDS.

[94] Devi et al. (2021)
Threat: TCP SYN-ACK, TCP SYN flood, LAND, ICMP flood and UDP flood attacks
Methodology: A cloud-based DDoS detection and defence system built on CEP is proposed to handle traffic from various attack sources and correlate event patterns with real-time traffic in order to protect the cloud from DDoS attacks.
+ The system achieved high detection accuracy, and the defence component drops traffic from attacking IPs as the remediation action to protect the cloud from DDoS attacks.
- Detection is limited to known attack patterns only.

[55] Lima et al. (2022)
Threat: SYN flood attack (TCP) and denial of service attack
Methodology: An intrusion detection and prevention system (IDPS) based on CEP (Esper), called Beholder, is proposed for IoT applications that use the MQTT and CoAP protocols. The work uses CEP to process messages exchanged between IoT devices in order to identify patterns that could be used in a cyber attack.
+ The performance of the system is compared with Snort IDS.
- Only a few attacks are considered, and new CEP rules are needed to detect other types of attacks in MQTT and CoAP applications.
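Several rows above share the same detection shape: a stateless filter (the LAND check, where source and destination address and port coincide) and windowed correlation over a packet event stream (SYN port scan counted per source and destination over a sliding window, SYN flood counted per destination). The following Python is an added example written for this summary to make that shape concrete; it is not code from any of the cited papers, and it does not use Esper or WSO2 CEP, which would express the same rules as EPL statements over time windows. The packet events, window lengths and thresholds are constructed for illustration and are assumptions, not values taken from the table.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class PacketEvent:
    """One TCP packet as a CEP input event (constructed for this example)."""
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


def is_pure_syn(e):
    """Filter rule: connection attempts only (SYN set, ACK clear)."""
    return "S" in e.flags and "A" not in e.flags


def detect(events, scan_window=2.0, scan_ports=5, flood_window=1.0, flood_syns=50):
    """Run three CEP-style rules over a time-ordered event stream.

    LAND      : stateless; src == dst and sport == dport on a SYN.
    PORT_SCAN : one (src, dst) pair sends SYNs to >= scan_ports distinct
                destination ports within scan_window seconds.
    SYN_FLOOD : one dst receives >= flood_syns SYNs within flood_window seconds.
    Each stateful rule fires once per key (first crossing of the threshold).
    Thresholds and windows are assumed values for the example.
    """
    events = sorted(events, key=lambda e: e.ts)
    scan_hist = defaultdict(deque)    # (src, dst) -> deque of (ts, dport)
    flood_hist = defaultdict(deque)   # dst -> deque of ts
    fired_scan, fired_flood = set(), set()
    alerts = []

    for e in events:
        if not is_pure_syn(e):
            continue

        # Stateless rule: LAND packet.
        if e.src == e.dst and e.sport == e.dport:
            alerts.append(("LAND", e.src, e.dst, 1, e.ts))

        # Sliding window per (src, dst): distinct destination ports.
        key = (e.src, e.dst)
        q = scan_hist[key]
        q.append((e.ts, e.dport))
        while q and e.ts - q[0][0] > scan_window:
            q.popleft()                       # expire events outside the window
        distinct = {p for _, p in q}
        if len(distinct) >= scan_ports and key not in fired_scan:
            fired_scan.add(key)
            alerts.append(("PORT_SCAN", e.src, e.dst, len(distinct), e.ts))

        # Sliding window per dst: SYN arrival count.
        fq = flood_hist[e.dst]
        fq.append(e.ts)
        while fq and e.ts - fq[0] > flood_window:
            fq.popleft()
        if len(fq) >= flood_syns and e.dst not in fired_flood:
            fired_flood.add(e.dst)
            alerts.append(("SYN_FLOOD", None, e.dst, len(fq), e.ts))

    return alerts


def build_sample_events():
    """Constructed traffic: one benign handshake, a port scan, a SYN flood, a LAND packet."""
    ev = [
        PacketEvent(5.00, "10.0.0.7", 51000, "10.0.0.10", 443, "S"),
        PacketEvent(5.01, "10.0.0.10", 443, "10.0.0.7", 51000, "SA"),
        PacketEvent(5.02, "10.0.0.7", 51000, "10.0.0.10", 443, "A"),
    ]
    # Scanner probes six ports on one host over 1 s (5th distinct port at ts 10.8).
    for i, port in enumerate([21, 22, 23, 25, 80, 443]):
        ev.append(PacketEvent(10.0 + 0.2 * i, "10.0.0.5", 40000 + i, "10.0.0.10", port, "S"))
    # Sixty spoofed sources send SYNs to one web server within ~0.3 s.
    for i in range(60):
        ev.append(PacketEvent(20.0 + 0.005 * i, f"198.51.100.{i}", 40000 + i, "10.0.0.20", 80, "S"))
    # LAND packet: source and destination address/port identical.
    ev.append(PacketEvent(30.0, "10.0.0.10", 80, "10.0.0.10", 80, "S"))
    return ev


if __name__ == "__main__":
    for a in detect(build_sample_events()):
        print(a)
```

The `fired_*` sets play the role a CEP engine's output-rate limiting or "first" pattern would play in Esper: without them, every further SYN after the threshold would re-emit the same alert. The benign handshake never fires because the SYN-ACK and ACK are dropped by the filter rule, and the flood sources each touch only one port, so the scan rule stays quiet for them.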