2nd/10_Wiki/Topics/Architecture/Complex Event Processing (CEP).md
Antigravity Agent f8b21af4be Wiki cleanup: error-doc removal, dedup merge, link normalization
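10_Wiki/Topics large-scale cleanup:
- Removed 227 error-capture/incomplete stub documents
- Merged 43 cross-folder duplicate clusters (63 files → redirect)
- Link name normalization: broken links fixed, redirects linked directly, concepts mapped, ~2,400 items
- Created 6 new category MOCs
- Removed 10,058 unresolved related-keyword links from Graph sections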

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 23:52:15 +09:00


---
id: wiki-2026-0508-complex-event-processing-cep
title: Complex Event Processing (CEP)
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [CEP, Event Stream Processing, 복합 이벤트 처리]
duplicate_of: none
source_trust_level: A
confidence_score: 0.88
verification_status: applied
tags: [cep, streaming, event-driven, flink, esper]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: java
  framework: flink
---
# Complex Event Processing (CEP)
## In one line
> **"Stream of simple events → meaningful complex pattern"**. A paradigm defined by David Luckham (Stanford, 2002). As of 2026, Apache Flink CEP, Kafka Streams, and Esper/NEsper are the main implementations; it is the backbone of fraud detection, IoT anomaly detection, and algorithmic trading.
## Core
### Concepts
- **Event**: a timestamped fact (transaction, sensor reading, click).
- **Pattern**: a temporal/causal relationship between events (A followed by B within 5s).
- **Window**: a sliding/tumbling/session time frame.
- **Aggregation**: count, sum, avg over a window.
- **Correlation**: a join across multiple streams (e.g., trades + market data).
### Pattern operators
- **Sequence**: A → B → C (in order).
- **Conjunction**: A AND B (any order, in window).
- **Negation**: A NOT followed by B.
- **Iteration**: A repeated N times.
- **Within**: temporal constraint.
### Applications
1. Fraud detection — card swipes in different countries within 1h.
2. IoT — sensor reading exceeds threshold for 3 consecutive readings.
3. Trading — bid/ask spread anomaly detection.
4. Network security — port scan pattern (many SYN, few ACK).
5. SLA monitoring — 5xx error rate spike correlated with deploy event.
## 💻 Patterns
### Flink CEP — 3 failed login pattern
```java
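// Three consecutive failed logins by the same user within 5 minutes.
Pattern<LoginEvent, ?> failedLogins = Pattern
    .<LoginEvent>begin("first")
    // where() takes an IterativeCondition, so the lambda is wrapped with SimpleCondition.of
    .where(SimpleCondition.of(e -> !e.success))
    .next("second").where(SimpleCondition.of(e -> !e.success))   // next() = strict contiguity
    .next("third").where(SimpleCondition.of(e -> !e.success))
    .within(Time.minutes(5));
// Key by user so the pattern is matched per account, not across users.
CEP.pattern(loginStream.keyBy(e -> e.userId), failedLogins)
    .select(match -> new Alert(match.get("first").get(0).userId))
    .addSink(alertSink);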
```
### Esper EPL — fraud detection
```sql
-- swipe in different countries within 1 hour
SELECT a.cardId, a.country, b.country
FROM pattern [
    every a=Swipe -> b=Swipe(cardId=a.cardId, country!=a.country)
    where timer:within(1 hour)
];
```
### Kafka Streams — sliding window aggregation
```java
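KStream<String, Click> clicks = builder.stream("clicks");
clicks.groupByKey()
    .windowedBy(SlidingWindows.ofTimeDifferenceWithNoGrace(Duration.ofMinutes(5)))
    .count()
    .filter((k, count) -> count > 1000)   // keys with more than 1000 clicks in a 5-minute window
    .toStream()                           // key is Windowed<String>, value is Long
    .to("anomalies");                     // needs matching serdes (configured defaults or Produced.with)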
```
### Flink — session window
```java
stream.keyBy(e -> e.userId)
    .window(EventTimeSessionWindows.withGap(Time.minutes(30)))
    .aggregate(new SessionStats())
    .addSink(...);
```
### Pattern with negation (NO heartbeat in 30s)
```java
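// Matches when no further heartbeat follows "start" within 30 seconds.
Pattern<HeartbeatEvent, ?> missedHeartbeat = Pattern.<HeartbeatEvent>begin("start")
    .notFollowedBy("missing")
    .where(SimpleCondition.of(e -> true))   // any following heartbeat counts
    .within(Time.seconds(30));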
```
### Modern: Materialize / RisingWave (SQL-native streaming)
```sql
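-- NOW() as a temporal filter is RisingWave syntax; Materialize expresses temporal filters with mz_now().
CREATE MATERIALIZED VIEW fraud_alerts AS
SELECT user_id, COUNT(*) AS failed_count
FROM logins
WHERE success = false
  AND ts > NOW() - INTERVAL '5 minutes'
GROUP BY user_id
HAVING COUNT(*) >= 3;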
```
## Decision criteria
| Situation | Approach |
|---|---|
| Java/JVM, complex patterns | Flink CEP |
| Kafka-centric, simple aggregation | Kafka Streams |
| SQL-first, low ops | Materialize / RisingWave |
| In-process, low-volume | Esper |
| Cloud-native, serverless | AWS Kinesis Data Analytics |
**Default**: Flink CEP for complex patterns, Materialize for SQL-native streaming.
## 🔗 Graph
- Parent: [[Event-Driven Architecture]] · [[Stream-Processing-Architectures|Stream Processing]]
- Variants: [[Event Sourcing]] · [[CQRS]]
- Adjacent: [[Apache Flink]]
## 🤖 LLM usage
**When**: translating natural-language pattern definitions into EPL/Flink, alert explanation.
**When not**: micro-second latency hot path (LLM is too slow).
## ❌ Anti-patterns
- **Unbounded state**: group-by without a window → memory blowup.
- **Wall-clock instead of event-time**: out-of-order events produce wrong results.
- **Pattern explosion**: NFA state count grows exponentially when the pattern is too complex.
- **No watermark**: late events are silently lost.
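
Added example (not from the original note and not Flink code): a plain-Python version of the 3-failed-login pattern from the Flink CEP section, evaluated first in arrival order and then in event-time order, to show the wall-clock and no-watermark anti-patterns on a detection rule. The 60 s lateness bound, the function names and the sample events are assumptions constructed for illustration.

```python
import heapq
from collections import defaultdict, deque

WINDOW_S = 5 * 60       # mirrors .within(Time.minutes(5)) in the Flink pattern
MAX_LATENESS_S = 60     # assumed out-of-orderness bound (not from the page)

# Constructed sample, in arrival order: (event_time_s, user, success)
ARRIVALS = [
    (0, "alice", False),
    (100, "alice", False),
    (250, "alice", True),    # delivered before the failure stamped t=200
    (200, "alice", False),   # 50 s out of order, within MAX_LATENESS_S
    (400, "bob", False),
    (10, "bob", False),      # 390 s behind: already past the watermark
]

def event_time_order(arrivals, max_lateness=MAX_LATENESS_S):
    """Reorder by event time behind a bounded-out-of-orderness watermark.
    Returns (ordered, late); late events are reported, not silently dropped."""
    heap, ordered, late = [], [], []
    watermark = float("-inf")
    for ev in arrivals:
        if ev[0] < watermark:
            late.append(ev)
            continue
        heapq.heappush(heap, ev)
        watermark = max(watermark, ev[0] - max_lateness)
        while heap and heap[0][0] <= watermark:
            ordered.append(heapq.heappop(heap))
    ordered.extend(sorted(heap))   # end of stream: flush what is still buffered
    return ordered, late

def failed_login_alerts(events, n=3, window=WINDOW_S):
    """n contiguous failures per user within `window`; a success resets the run
    (the strict contiguity that next() expresses on a stream keyed by user)."""
    runs = defaultdict(lambda: deque(maxlen=n))
    alerts = []
    for ts, user, success in events:
        if success:
            runs[user].clear()
            continue
        run = runs[user]
        run.append(ts)
        if len(run) == n and run[-1] - run[0] <= window:
            alerts.append((user, run[0], run[-1]))
    return alerts

if __name__ == "__main__":
    ordered, late = event_time_order(ARRIVALS)
    print("arrival order:", failed_login_alerts(ARRIVALS))
    print("event time   :", failed_login_alerts(ordered))
    print("late events  :", late)
```

In arrival order the early-delivered success resets alice's run and the rule stays silent; in event-time order the three failures at t=0, 100 and 200 match, and bob's late event is surfaced for separate handling.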
## 🧪 Verification / Duplicates
- Verified (Luckham 2002 *Power of Events*, Apache Flink CEP docs 2026).
- Trust level A.
## 🕓 Changelog
| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — full content with Flink CEP, Esper, Materialize |