NEPnet: A scalable monitoring system for anomaly detection of network service

Anomaly detection is very important for modern network service. Yet it is still a big challenge to conduct effective anomaly detection due to the high rate of service data and the complex correlations among them. Owing to the powerful query language and performance potential, complex event processing (CEP) is very suitable for this situation. In this paper, we present NEPnet, a high-performance and scalable monitoring system, which can process events for anomaly detection of network service in real time. NEPnet is based on CEP and provides a SQL-like language supporting various event correlations. On accepting pre-defined queries as input, NEPnet builds a tree-based monitoring net for detailed anomaly detection. Considering the anomaly features of network service, the monitoring net utilizes limit trigger, predicate index and route table for different types of processing nodes in it. Our preliminary experiment results show that NEPnet can effectively detect anomaly of network service, with a high-speed of 100,000 events per second and 3~6 times faster than Esper, a general CEP engine.