---
id: wiki-2026-0508-complex-event-processing-cep
title: Complex Event Processing (CEP)
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [CEP, Event Stream Processing, 복합 이벤트 처리]
duplicate_of: none
source_trust_level: A
confidence_score: 0.88
verification_status: applied
tags: [cep, streaming, event-driven, flink, esper]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: java
  framework: flink
---

# Complex Event Processing (CEP)

## In One Line

> **"Stream of simple events → meaningful complex pattern."** A paradigm defined by David Luckham (Stanford, 2002). As of 2026, Apache Flink CEP, Kafka Streams, and Esper/NEsper are the main implementations; CEP is the backbone of fraud detection, IoT anomaly detection, and algorithmic trading.

## Core Ideas

### Concepts

- **Event**: a timestamped fact (transaction, sensor reading, click).
- **Pattern**: a temporal/causal relationship between events (A followed by B within 5s).
- **Window**: a sliding/tumbling/session time frame.
- **Aggregation**: count, sum, avg over a window.
- **Correlation**: a join across multiple streams (e.g., trades + market data).

### Pattern operators

- **Sequence**: A → B → C (in order).
- **Conjunction**: A AND B (any order, in window).
- **Negation**: A NOT followed by B.
- **Iteration**: A repeated N times.
- **Within**: temporal constraint.

### Applications

1. Fraud detection — card swipes in different countries within 1h.
2. IoT — sensor reading exceeds threshold for 3 consecutive readings.
3. Trading — bid/ask spread anomaly detection.
4. Network security — port scan pattern (many SYN, few ACK).
5. SLA monitoring — 5xx error rate spike correlated with deploy event.

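## 💻 Patterns

### Flink CEP — 3 failed login pattern

```java
import org.apache.flink.cep.CEP;
import org.apache.flink.cep.pattern.Pattern;
import org.apache.flink.cep.pattern.conditions.SimpleCondition;
import org.apache.flink.streaming.api.windowing.time.Time;

// LoginEvent and Alert are assumed POJO names; the page does not show the event types.
Pattern<LoginEvent, ?> failedLogins = Pattern
    .<LoginEvent>begin("first").where(SimpleCondition.of(e -> !e.success))
    .next("second").where(SimpleCondition.of(e -> !e.success))
    .next("third").where(SimpleCondition.of(e -> !e.success))
    .within(Time.minutes(5));

// Key by user so the three failures must belong to the same account.
CEP.pattern(loginStream.keyBy(e -> e.userId), failedLogins)
    .select(match -> new Alert(match.get("first").get(0).userId))
    .addSink(alertSink);
```

### Esper EPL — fraud detection

```sql
-- swipes of the same card in different countries within 1 hour
SELECT a.cardId, a.country, b.country
FROM pattern [
  every a=Swipe -> b=Swipe(cardId=a.cardId, country!=a.country)
  where timer:within(1 hour)
];
```

### Kafka Streams — sliding window aggregation

```java
// Key/value types are assumed (String key, String payload); the page does not state them.
KStream<String, String> clicks = builder.stream("clicks");
clicks.groupByKey()
    .windowedBy(SlidingWindows.ofTimeDifferenceWithNoGrace(Duration.ofMinutes(5)))
    .count()
    .filter((k, count) -> count > 1000)      // more than 1000 events per key in a 5-minute window
    .toStream((windowedKey, count) -> windowedKey.key())   // drop the window from the key before writing
    .to("anomalies", Produced.with(Serdes.String(), Serdes.Long()));
```

### Flink — session window

```java
// A session closes after 30 minutes without events for that user.
stream.keyBy(e -> e.userId)
    .window(EventTimeSessionWindows.withGap(Time.minutes(30)))
    .aggregate(new SessionStats())
    .addSink(...);
```

### Pattern with negation (NO heartbeat in 30s)

```java
// Event is an assumed type name. Flink accepts a pattern that ends in
// notFollowedBy() only when within() defines the time interval.
Pattern.<Event>begin("start")
    .notFollowedBy("missing").where(SimpleCondition.of(e -> true))
    .within(Time.seconds(30));
```

### Modern: Materialize / RisingWave (SQL-native streaming)

```sql
-- NOW() in the filter is the RisingWave temporal-filter form; Materialize uses mz_now() instead.
CREATE MATERIALIZED VIEW fraud_alerts AS
SELECT user_id, COUNT(*) AS failed_count
FROM logins
WHERE success = false
  AND ts > NOW() - INTERVAL '5 minutes'
GROUP BY user_id
HAVING COUNT(*) >= 3;
```

## Decision Criteria

| Situation | Approach |
|---|---|
| Java/JVM, complex patterns | Flink CEP |
| Kafka-centric, simple aggregation | Kafka Streams |
| SQL-first, low ops | Materialize / RisingWave |
| In-process, low-volume | Esper |
| Cloud-native, serverless | AWS Kinesis Data Analytics |

**Default**: Flink CEP for complex patterns, Materialize for SQL-native streaming.
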
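The three-failed-logins pattern above only fires if events are evaluated in event-time order. The following added example (not from the original page or from Flink; a framework-independent Python simulation with constructed sample events and hypothetical function names) runs that pattern over an out-of-order stream in arrival order, then behind a bounded-lateness watermark of 0 s and 180 s.

```python
import heapq
from collections import defaultdict, deque

WINDOW = 300  # seconds; mirrors within(Time.minutes(5))

# Constructed sample: (user, event_time_seconds, success), listed in ARRIVAL order.
SAMPLE = [
    ("alice", 0, False),
    ("bob", 10, False),
    ("alice", 200, True),    # arrives ahead of two older failures
    ("alice", 60, False),
    ("alice", 120, False),
    ("bob", 230, True),
]

def reorder_by_watermark(events, max_lateness):
    """Return (events in event-time order, late events that were dropped)."""
    heap, ordered, late, max_ts = [], [], [], float("-inf")
    for seq, ev in enumerate(events):            # seq breaks timestamp ties
        ts = ev[1]
        if ts < max_ts - max_lateness:           # already behind the watermark
            late.append(ev)                      # surfaced instead of silently lost
            continue
        heapq.heappush(heap, (ts, seq, ev))
        max_ts = max(max_ts, ts)
        while heap and heap[0][0] <= max_ts - max_lateness:
            ordered.append(heapq.heappop(heap)[2])
    while heap:                                  # end of stream: flush the buffer
        ordered.append(heapq.heappop(heap)[2])
    return ordered, late

def match_failed_logins(events, window=WINDOW):
    """Alert on three consecutive failures per user, first to third within window."""
    runs, alerts = defaultdict(lambda: deque(maxlen=3)), []
    for user, ts, ok in events:
        run = runs[user]
        if ok:
            run.clear()                          # strict contiguity, like next()
            continue
        run.append(ts)
        if len(run) == 3 and run[-1] - run[0] <= window:
            alerts.append((user, run[0], run[-1]))
            run.clear()                          # simplification: no overlapping matches
    return alerts

if __name__ == "__main__":
    print("arrival order:", match_failed_logins(SAMPLE))
    for lateness in (0, 180):
        ordered, late = reorder_by_watermark(SAMPLE, lateness)
        print(f"lateness={lateness}s:", match_failed_logins(ordered), "late:", late)
```

Only the 180 s watermark produces the alert for `alice`; arrival-order evaluation misses it, and a 0 s allowance drops the two delayed failures as late, which is why the late-event count is worth exporting as a metric.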
## 🔗 Graph

- Parent: [[Event-Driven Architecture]] · [[Stream-Processing-Architectures|Stream Processing]]
- Variants: [[Event Sourcing]] · [[CQRS]]
- Adjacent: [[Apache Flink]]

## 🤖 LLM Usage

**When**: translating natural-language pattern definitions into EPL/Flink, alert explanation.

**When not**: microsecond-latency hot paths (LLMs are too slow).

## ❌ Anti-patterns

- **Unbounded state**: group-by without a window → memory blowup.
- **Wall-clock instead of event-time**: out-of-order events produce wrong results.
- **Pattern explosion**: NFA state count grows exponentially when the pattern is too complex.
- **No watermark**: late events are silently lost.

## 🧪 Verification / Duplicates

- Verified (Luckham 2002 *Power of Events*, Apache Flink CEP docs 2026).
- Trust level: A.

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — full content with Flink CEP, Esper, Materialize |