Wednesday, May 20, 2015

A Comparative Study of Correlation Engines for Security Event Management

This paper just came up on my Google Alerts; you can download the full text from ResearchGate.
"A Comparative Study of Correlation Engines for Security Event Management"

It's an academic paper, published in the peer-reviewed proceedings of the
"10th International Conference on Cyber Warfare and Security (ICCWS-2015)"

The paper evaluates correlation performance for large rule sets and large data sets across several open source engines. I was very pleased to see how well Drools scaled at the top end. I'll quote this from the conclusion and copy the results charts.
"As for the comparison study, it must be said that if the sole criteria was raw performance Drools would be considered the best correlation engine, for several reasons: its consistent behaviour and superior performance in the most demanding test cases."

In Table 2 (first image) we scale from 200 rules to 500 rules against 1 million events with almost no speed loss: 67s vs 70s.

In Table 1 (second image) our throughput increases as the event sets become much larger.

I suspect the reason why our performance is less for the lower rule and event set numbers is due to the engine initialisation time for all the functionality we provide and for all the indexing we do. As the matching time becomes large enough, due to larger rule and data sets, this startup time becomes much less significant on the overall figure.
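The way to check that hypothesis is to time the two phases separately rather than reporting one wall-clock number. The harness below is an added example written for this post, not the paper's benchmark code and not part of Drools itself. It assumes Drools 6.x (org.kie:kie-api and org.drools:drools-compiler on the classpath) and uses a constructed Event fact and generated rules; the rule shape, the 50 event types, the fixed random seed and the rule/event grid are all assumptions chosen for illustration.

```java
package bench;

import java.util.Random;
import java.util.concurrent.atomic.AtomicLong;

import org.kie.api.KieServices;
import org.kie.api.builder.KieBuilder;
import org.kie.api.builder.KieFileSystem;
import org.kie.api.builder.Message;
import org.kie.api.runtime.KieContainer;
import org.kie.api.runtime.KieSession;

/** Added example: separates engine build/initialisation time from matching time. */
public class CorrelationBench {

    /** Minimal security event fact, constructed for this example. */
    public static class Event {
        private final String eventType;
        private final String source;
        private final int severity;

        public Event(String eventType, String source, int severity) {
            this.eventType = eventType;
            this.source = source;
            this.severity = severity;
        }
        public String getEventType() { return eventType; }
        public String getSource() { return source; }
        public int getSeverity() { return severity; }
    }

    /** Generate numRules DRL rules, each matching one slice of the event space (assumed rule shape). */
    static String generateDrl(int numRules) {
        StringBuilder sb = new StringBuilder();
        sb.append("package bench;\n")
          .append("import ").append(Event.class.getCanonicalName()).append(";\n")
          .append("global java.util.concurrent.atomic.AtomicLong matches;\n\n");
        for (int i = 0; i < numRules; i++) {
            sb.append("rule \"r").append(i).append("\"\n")
              .append("when\n")
              .append("    $e : Event( eventType == \"t").append(i % 50)
              .append("\", severity >= ").append(i % 10).append(" )\n")
              .append("then\n")
              .append("    matches.incrementAndGet();\n")
              .append("end\n\n");
        }
        return sb.toString();
    }

    /** Compile the rule set into a KieContainer; this is the fixed startup cost being measured. */
    static KieContainer buildContainer(String drl) {
        KieServices ks = KieServices.Factory.get();
        KieFileSystem kfs = ks.newKieFileSystem();
        kfs.write("src/main/resources/bench/rules.drl", drl);
        KieBuilder kb = ks.newKieBuilder(kfs).buildAll();
        if (kb.getResults().hasMessages(Message.Level.ERROR)) {
            throw new IllegalStateException(kb.getResults().toString());
        }
        return ks.newKieContainer(ks.getRepository().getDefaultReleaseId());
    }

    /** Run one rules/events configuration and report init and match time separately. */
    static void run(int numRules, int numEvents) {
        long t0 = System.nanoTime();
        KieContainer kc = buildContainer(generateDrl(numRules));
        KieSession session = kc.newKieSession();
        AtomicLong matches = new AtomicLong();
        session.setGlobal("matches", matches);
        long initNs = System.nanoTime() - t0;

        Random rnd = new Random(42); // fixed seed: constructed, repeatable input
        long t1 = System.nanoTime();
        for (int i = 0; i < numEvents; i++) {
            session.insert(new Event("t" + rnd.nextInt(50), "host" + rnd.nextInt(1000), rnd.nextInt(10)));
        }
        int fired = session.fireAllRules();
        long matchNs = System.nanoTime() - t1;
        session.dispose();

        System.out.printf("rules=%d events=%d init=%.2fs match=%.2fs fired=%d init=%.1f%% of total%n",
            numRules, numEvents, initNs / 1e9, matchNs / 1e9, fired,
            100.0 * initNs / (initNs + matchNs));
    }

    public static void main(String[] args) {
        int[] ruleCounts = {50, 200, 500};
        int[] eventCounts = {10_000, 100_000, 1_000_000};
        for (int r : ruleCounts) {
            for (int e : eventCounts) {
                run(r, e);
            }
        }
    }
}
```

If the startup explanation holds, the printed init share should fall towards zero as the event count grows while the match time grows roughly linearly with events and only slowly with rules. Run each configuration more than once, since the first build also pays JVM class-loading and JIT warm-up that a single-shot benchmark would otherwise attribute to the engine.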