Abstract

Processing large amounts of data in real time to identify security issues poses several performance challenges, especially when hardware infrastructure is limited. Managed Security Service Providers (MSSP), mostly hosting their applications on the Cloud, receive events at a very high rate that varies from a few hundred to a couple of thousand events per second (EPS). It is critical to process this data efficiently, so that attacks can be identified quickly and the necessary response initiated. This paper evaluates the performance of a security framework, OSTROM, built on the Esper complex event processing (CEP) engine under a parallel and a non-parallel computational framework. We explain three architectures under which Esper can be used to process events. We investigated the effect on throughput, memory and CPU usage in each configuration setting. The results indicate that the performance of the engine is limited by the number of incoming events rather than by the queries being processed. The architecture in which 1/4th of the total events are submitted to each instance and all the queries are processed by all the units shows the best results in terms of throughput, memory and CPU usage.

Highlights

  • Over the last decade, with the increase in computer applications and services, the need for processing larger quantities of data has increased

  • This paper evaluates the performance of a security framework OSTROM built on the Esper complex event processing (CEP) engine under a parallel and non-parallel computational framework

  • In a cloud-based Managed Security Service Provider (MSSP), we have mainly looked at Security Information and Event Management (SIEM) as a Service deployed over the cloud

Summary

Introduction

With the increase in computer applications and services, the need for processing larger quantities of data has increased. Data is generated from various sources, including social networks and media, mobile devices, internet transactions, and networked devices and sensors. This enormous increase in the quantity of information to be processed introduces scalability challenges in large distributed systems. There is a need to offer innovative ways of data processing in a managed SIEM solution that can handle several thousand events per second without compromising real-time processing ability. It is important to make the best use of the computing resources to provide service as per the service level agreement (SLA) and to keep costs low. For the latter option, performance becomes an even bigger issue, as the events per second increase significantly with the addition of more clients. This paper evaluates the performance of a security framework, OSTROM, built on the Esper complex event processing (CEP) engine under a parallel and a non-parallel computational framework.

Related Work
Proposed System Architecture
Implementation and Evaluation
Architecture 1
Architecture 2
Architecture 3
Query Optimization
Findings
Conclusion