Advances, Systems and Applications
Table 9 Summary of existing works on integrating CEP with ML/DL
Paper | Year | Threat type | Applied for | Methodology | Techniques used |
|---|---|---|---|---|---|
[109] Margara et al. | 2014 | None | Bus traffic monitoring scenario | iCEP framework is proposed to learn hidden causality between the received events and situations to recognise from historical traces, and use them to automatically create CEP rules. | Ad-hoc learning algorithm |
[111] Mehdiyev et al. | 2015 | None | Daily routine movement activities dataset | ML techniques are used to replace the manual identification of rule patterns. | Rule-based data mining methods: One-R, PIPPER, PART, Ridor and DTNB. |
[118] Mousheimish et al. | 2017 | None | Wafer, ECG and Robots datasets | Data mining based method is proposed to learn predictive CEP rules automatically from multivariate time series. | Data mining method: Shapelets algorithm |
[122] Lee et al. | 2017 | None | Stock trade system (NASDAQ) | SCARG framework is proposed to automatically create rules. Complex sequence events are collected and then clustered. Each cluster is graphically modelled by probabilistic model. | KNN Markov model |
[123] Roldan et al. | 2020 | Cyber | UDP, TCP and Xmas post scans, and DoS attack | MEdit4CEP model-driven approach is used to establish data connection between IoT network and both the CEP engine and ML techniques | Linear regression, and support vector regression (SVR) |
[110] Simsek et al. | 2021 | None | Air pollution dataset | ARECEP framework is proposed to extract CEP rules from unlabelled IoT data. (1) DL algorithms are used to label theses data as normal or anomalous. (2) The anomalous data are transformed into rules by using rule-based mining approaches. | Rule-based methods: DT, PART, ONE-R, JRIP, RIDOR, NNge or FURIA. ML/DL methods: autoencoder, CNN, RNN, LSTM, CNN-LSTM or GRU |
[125] Xi et al. | 2021 | Physical | Terrorist activities in urban environment | Counter-terrorism early warning system was designed by combining CEP with ML to provide timely response and awareness of potential threats. | Intelligence perception (smart sensors), intelligence identification (features) and intelligence inference (CEP+ML). |
[126] Roldán et al. | 2021 | Cyber | Subscription fuzzing, disconnection wave, TCP syn scan, UDP scan, Xmas scan and Telnet connection | Framework is proposed to integrate CEP with ML, where ML is used to enable automatic generation of CEP patterns from categorized or uncategorised data for classifying attacks or detecting anomalies. Dataset extracted from network using MQTT. | PCA is used for dimensionality reduction. Threshold value is generated based on standard deviations, mean and variance explained of the components, then Siddhi CEP engine is used to generate patterns. |