2nd/10_Wiki/Topics/Architecture/Complex Event Processing (CEP).md
Antigravity Agent f8b21af4be Wiki cleanup: error-doc removal, dedup merge, link normalization
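10_Wiki/Topics large-scale cleanup:
- Removed 227 error-capture/incomplete stub documents
- Merged 43 cross-folder duplicate clusters (63 files → redirect)
- Link name normalization: broken-link fixes, direct redirect linking, concept mapping, ~2,400 items
- Created 6 new category MOCs
- Removed 10,058 unresolved related-keyword links from Graph sections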

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 23:52:15 +09:00

4.6 KiB

id: wiki-2026-0508-complex-event-processing-cep
title: Complex Event Processing (CEP)
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: CEP, Event Stream Processing, 복합 이벤트 처리
duplicate_of: none
source_trust_level: A
confidence_score: 0.88
verification_status: applied
tags: cep, streaming, event-driven, flink, esper
raw_sources:
last_reinforced: 2026-05-10
github_commit: pending
tech_stack: language java, framework flink

Complex Event Processing (CEP)

One-line summary

"Stream of simple events → meaningful complex pattern." A paradigm defined by David Luckham (Stanford, 2002). As of 2026, the main implementations are Apache Flink CEP, Kafka Streams, and Esper/NEsper; CEP is the backbone of fraud detection, IoT anomaly detection, and algorithmic trading.

Core

Concepts

  • Event: a timestamped fact (transaction, sensor reading, click).
  • Pattern: a temporal/causal relationship between events (A followed by B within 5s).
  • Window: a sliding/tumbling/session time frame.
  • Aggregation: count, sum, avg over a window.
  • Correlation: a join across multiple streams (e.g., trades + market data).

Pattern operators

  • Sequence: A → B → C (in order).
  • Conjunction: A AND B (any order, in window).
  • Negation: A NOT followed by B.
  • Iteration: A repeated N times.
  • Within: temporal constraint.

Applications

  1. Fraud detection — card swipes in different countries within 1h.
  2. IoT — sensor reading exceeds threshold for 3 consecutive readings.
  3. Trading — bid/ask spread anomaly detection.
  4. Network security — port scan pattern (many SYN, few ACK).
  5. SLA monitoring — 5xx error rate spike correlated with deploy event.

💻 Patterns

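import org.apache.flink.cep.CEP;
import org.apache.flink.cep.pattern.Pattern;
import org.apache.flink.cep.pattern.conditions.SimpleCondition;
import org.apache.flink.streaming.api.windowing.time.Time;

// Three consecutive failed logins (strict contiguity via next) within 5 minutes.
// SimpleCondition is an abstract class, so a lambda is wrapped with SimpleCondition.of.
Pattern<LoginEvent, ?> failedLogins = Pattern
    .<LoginEvent>begin("first")
    .where(SimpleCondition.of(e -> !e.success))
    .next("second").where(SimpleCondition.of(e -> !e.success))
    .next("third").where(SimpleCondition.of(e -> !e.success))
    .within(Time.minutes(5));

// Key by user so the pattern is evaluated per account, not across the whole stream.
CEP.pattern(loginStream.keyBy(e -> e.userId), failedLogins)
   .select(match -> new Alert(match.get("first").get(0).userId))
   .addSink(alertSink);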

Esper EPL — fraud detection

// swipe in different countries within 1 hour (EPL comments use // or /* */)
SELECT a.cardId, a.country, b.country
FROM pattern [
    every a=Swipe -> b=Swipe(cardId=a.cardId, country!=a.country)
        where timer:within(1 hour)
];

Kafka Streams — sliding window aggregation

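KStream<String, Click> clicks = builder.stream("clicks");

// Count clicks per key over a 5-minute sliding window and emit keys above 1000.
clicks.groupByKey()
      .windowedBy(SlidingWindows.ofTimeDifferenceWithNoGrace(Duration.ofMinutes(5)))
      .count()
      .filter((windowedKey, count) -> count > 1000)
      // Unwrap the Windowed<String> key so a plain String serde can write it.
      .toStream((windowedKey, count) -> windowedKey.key())
      .to("anomalies", Produced.with(Serdes.String(), Serdes.Long()));

// Flink DataStream: per-user session window that closes after a 30-minute gap.
stream.keyBy(e -> e.userId)
      .window(EventTimeSessionWindows.withGap(Time.minutes(30)))
      .aggregate(new SessionStats())
      .addSink(...);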

Pattern with negation (NO heartbeat in 30s)

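// A pattern may end with notFollowedBy only when a time bound is set with within().
Pattern.<HeartbeatEvent>begin("start")
    .notFollowedBy("missing")
    .where(SimpleCondition.of(e -> true))
    .within(Time.seconds(30));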

Modern: Materialize / RisingWave (SQL-native streaming)

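-- Runs as written on RisingWave (NOW() temporal filter).
-- Materialize expresses temporal filters with mz_now() instead of NOW().
CREATE MATERIALIZED VIEW fraud_alerts AS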
SELECT user_id, COUNT(*) as failed_count
FROM logins
WHERE success = false
  AND ts > NOW() - INTERVAL '5 minutes'
GROUP BY user_id
HAVING COUNT(*) >= 3;

Decision criteria

| Situation | Approach |
|---|---|
| Java/JVM, complex patterns | Flink CEP |
| Kafka-centric, simple aggregation | Kafka Streams |
| SQL-first, low ops | Materialize / RisingWave |
| In-process, low-volume | Esper |
| Cloud-native, serverless | AWS Kinesis Data Analytics |

Default: Flink CEP for complex patterns, Materialize for SQL-native streaming.

🔗 Graph

🤖 LLM use

When to use: translating natural-language pattern definitions into EPL/Flink, alert explanation. When not to use: microsecond-latency hot paths (an LLM is too slow).

Anti-patterns

  • Unbounded state: group-by without a window → memory blowup.
  • Wall-clock instead of event-time: out-of-order events produce wrong results.
  • Pattern explosion: NFA state count grows exponentially when the pattern is too complex.
  • No watermark: late events are silently lost.
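Added example (not part of the original page or of any project's code): a small Python model of the failed-login pattern above, three consecutive failures per user within 5 minutes, that contrasts event-time processing behind a watermark with the arrival-order anti-pattern. `detect`, `MAX_LATENESS_S` and the sample events are assumptions constructed for illustration.

```python
import heapq
from collections import defaultdict, deque

WINDOW_S = 300       # "within 5 minutes" from the failed-login pattern
MAX_LATENESS_S = 10  # assumed out-of-orderness bound; sets the watermark lag

def detect(arrivals, event_time=True):
    """arrivals: (ts, user, success) in arrival order. Returns (alerts, late)."""
    runs = defaultdict(lambda: deque(maxlen=3))  # bounded: <= 3 timestamps per user
    alerts, late, buf = [], 0, []
    watermark = float("-inf")

    def apply(ts, user, success):
        run = runs[user]
        if success:
            run.clear()               # strict contiguity: a success breaks the run
            return
        run.append(ts)
        if len(run) == 3 and ts - run[0] <= WINDOW_S:
            alerts.append((user, run[0], ts))

    def drain(up_to):
        # Release buffered events in timestamp order once the watermark passes them.
        while buf and buf[0][0] <= up_to:
            ts, _, user, success = heapq.heappop(buf)
            apply(ts, user, success)

    for seq, (ts, user, success) in enumerate(arrivals):
        if not event_time:
            apply(ts, user, success)  # anti-pattern: trusts arrival order
            continue
        if ts <= watermark:
            late += 1                 # count late events instead of losing them silently
            continue
        heapq.heappush(buf, (ts, seq, user, success))
        watermark = max(watermark, ts - MAX_LATENESS_S)
        drain(watermark)
    drain(float("inf"))               # end of input: flush what is still buffered
    return alerts, late

# Constructed sample: alice's success@102 arrives after her failure@108.
SAMPLE = [
    (100, "alice", False), (104, "alice", False), (108, "alice", False),
    (102, "alice", True),
    (200, "bob", False), (206, "bob", False), (203, "bob", False),
    (50, "bob", False),               # far behind the watermark: counted as late
]

if __name__ == "__main__":
    print("event time   :", detect(SAMPLE))
    print("arrival order:", detect(SAMPLE, event_time=False))
```

In event time only bob's run alerts and the stale event is reported as late; in arrival order alice's interleaved success is seen too late and a false alert fires.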

🧪 Verification / duplicates

  • Verified (Luckham 2002 Power of Events, Apache Flink CEP docs 2026).
  • Trust level A.

🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — full content with Flink CEP, Esper, Materialize |