CEP: Event-Decision Architecture for PredictiveBusiness™
Centre for Strategic Infocomm Technologies (CSIT), Singapore, July 26, 2006
Tim Bass, CISSP, Principal Global Architect, Director, TIBCO Software Inc.
Our Agenda
- Introduction
- Event-Decision Architecture
  - High Level Overview of Decision Making and BusinessEvents™
  - Event-Decision Reference Architecture
- CEP Scenarios, Use Cases and Application
- Open Discussion
Introduction
- Event-Decision Processing is Computationally Intensive
- CEP requires a Number of Technologies:
  - Distributed Computing, Publish/Subscribe and SOA
  - Hierarchical, Cooperative Inference Processing
  - High Speed, Real Time Processing with State Management
  - Event-Decision Architecture for Complex Situations and Events
- There is no single “CEP Solution” or “CEP Product”
- CEP needs a Common Vocabulary and Functional Architecture based on Mature, Industry-Standard Inference Models
- TIBCO is Solving CEP Scenarios for Our Customers Today
A Vocabulary of Confusion (Work in Progress)
Overlapping terms in current use: Resource Management, Data Fusion, Sensor Fusion, Information Fusion, Tracking, Data Mining, Correlation, Planning, Complex Event Processing, Processing Management, Sensor Management, Control, Estimation, Event Stream Processing
Adapted from: Steinberg, A., & Bowman, C., Handbook of Multisensor Data Fusion, CRC Press, 2001
PredictiveBusiness™
Example PredictiveBusiness™ Scenarios
- Finance
  - Program (Opportunistic) Trading and Execution
  - Risk Management
  - Pricing and Consumer Relationship Management
  - Fraud and Intrusion Detection
- Business Process Management
  - Process Monitoring
  - Exception Management and Outage Prediction
  - Scheduling
- Sensor Networks
  - Reliability of Complex, Distributed Systems
  - RFID Applications
  - Manufacturing Floor – “Sense and Respond”
  - Power Grid Monitoring
  - Military
PredictiveBusiness™ & Complex Event Processing (CEP)
More CEP Scenarios:
- Stock Trading: automatic identification of buy/sell opportunities.
- Compliance Checks: Sarbanes-Oxley detection.
- Fraud Detection: odd credit card purchases performed within a period.
- CRM: alert if three orders from the same platinum customer were rejected.
- Insurance Underwriting: identification of risk.
"Events in several forms, from simple events to complex events, will become very widely used in business applications during 2004 through 2008" --- Gartner, July 2003
[Figure: a CEP Situation Manager fed by Event Streams and Historical Data, producing Real-time Detection and Prediction. Graphic sources: TIBCO Software Inc & IBM]
Our Agenda
- Introduction
- Event-Decision Architecture
  - High Level Overview of Decision Making and BusinessEvents™
  - Event-Decision Reference Architecture
- CEP Scenarios, Use Cases and Application
- Open Discussion
Overview of IT and Decision Making
What is a High Level View of How Businesses Make Decisions?
[Figure: styles of decision making and the inputs each draws on]
- Knowledge-Driven: Facts, Rules, Procedures
- Data-Driven: Historical Data / Historical Events, Real-Time Data / Real-Time Events
- Model-Driven: Statistical, Financial, Optimization, Simulation
- Document-Driven: Unstructured Docs
- Communications-Driven: Distributed Computing, Publish-Subscribe, Collaboration
TIBCO BusinessEvents™ Solutions Overview
BusinessEvents™ Solutions Space:
- Data: Events & Databases, Real-Time & Historical Data
- Models: Statistical, Financial, Optimization
- Comms: Pub/Sub Messaging, Queues, Topics, UIs
- Knowledge: Facts & Rules
A Business Optimization Perspective
What Classes of Rule-Based Problems Do Businesses Need to Solve?
Rule-Based Pattern Recognition, Anomaly Detection, Track and Trace, Monitoring (BAM), Dynamic Resource Allocation, Adaptive Resource Allocation, Constraint Satisfaction (CSP), Dynamic CSP, Adaptive Marketing, Dynamic CRM, Fault Management, Impact Assessment, Detection, Prediction, Scheduling, Fraud Detection, Intrusion Detection, Fault Detection, Rule-Based Access Control, Exception Management, Compliance, Work Flow, Risk Management, Fault Analysis
Solving a Broad Class of Complex Problems
Event-Decision Hierarchy
Adapted from: Waltz, E. & Llinas, J., Multisensor Data Fusion, 1990
Level of inference, from LOW to HIGH:
- Data/Event Cloud: raw sensor data (passive and active)
- Existence of Possible Event of Interest: use of distributed sensors for estimations
- Location, Times and Rates of Events of Interest; Identify Events; Relationship of Events: causal analysis, Bayesian belief networks, NNs, correlation, state estimation, classification
- Situational Assessment: contextual and causal analysis
- Impact Assessment: analysis of situation & plans
Event-Decision High Level Architecture
[Figure: an EVENT CLOUD (distributed data set) surrounded by many cooperating knowledge sources (KS), in the style of a blackboard system]
Adapted from: Engelmore, R. S., Morgan, A. J., & Nii, H. P., Blackboard Systems, 1988, and Luckham, D., The Power of Events, 2002
HLA – Knowledge Sources (KS)
- Sensors: systems that provide data and events to the inference models and humans
- Actuators: systems that take action based on inference models and human interactions
- Knowledge Processors: systems that take in data and events, process the data and events, and output refined, correlated, or inferred data or events
Event-Decision Reference Architecture
Adapted from JDL: Steinberg, A., & Bowman, C., Handbook of Multisensor Data Fusion, CRC Press, 2001
[Figure: EVENT SOURCES (external, distributed, local) feed EVENT PRE-PROCESSING; inside COMPLEX EVENT PROCESSING (CEP) sit LEVEL ONE EVENT REFINEMENT, LEVEL TWO SITUATION REFINEMENT, LEVEL THREE IMPACT ASSESSMENT, LEVEL FOUR PROCESS REFINEMENT and the USER INTERFACE; all levels share DB MANAGEMENT holding historical data, profiles & patterns, event services, event profiles, databases and other data]
Structured Processing for Event-Decision
Multi-level inference in a distributed event-decision architecture (level of inference rises from low to high):
- Level 0 – Event Preprocessing: cleansing of the event stream to produce semantically understandable data
- Level 1 – Event Refinement: identify events and make initial decisions based on association and correlation
- Level 2 – Situation Refinement: identify situations based on sets of complex events, state estimation, etc.
- Level 3 – Impact Assessment: impact/threat assessment, i.e. assess intent on the basis of situation development, recognition and prediction
- Level 4 – Process Refinement: decide on control feedback, for example resource allocation, sensor and state management, parametric and algorithm adjustment
- Level 5 – User Interface: human visualization, interaction and situation management
CEP Level 0 – Event Preprocessing
Cleanse/Refine/Normalize Data for Upstream Processing; Calibrate the Raw Event Cloud
- Web Server Farm Event Stream Example
  - Group HTTP requests and responses
  - Reduce and extract the required data from each transaction
  - Format into an event for upstream processing
- Intelligent Agent Fraud Detection Event Stream Example
  - Receive the event stream from a purpose-built FD application
  - Reduce and extract the required events from the event stream
  - Format for upstream processing
- Reduces system load by preprocessing events
- Enables upstream levels to concentrate on the most relevant events
- Focuses on objects/events
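The web-server-farm case above, worked through as an added example (Python, not code from the slides or from TIBCO BusinessEvents). It assumes an Apache combined-format log line with a trailing server-name field, an assumed set of "interesting" transaction paths, and a constructed handful of log lines; timestamps from the different servers are normalized to UTC so that events from the farm line up for the next level.

```python
"""Level 0 event preprocessing over a web server farm log stream.

Added example, not code from the slides or from TIBCO. The log layout (Apache
combined format plus a trailing server-name field), the field names and the
set of transactions worth forwarding are assumptions for illustration.
"""
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# Constructed sample: three servers in one farm, one source IP retrying /login,
# one static-content request, and one line that does not parse at all.
RAW_LOG_LINES = [
    '203.0.113.7 - - [26/Jul/2006:09:15:01 +0800] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0" web01',
    '203.0.113.7 - - [26/Jul/2006:09:15:04 +0800] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0" web02',
    '198.51.100.23 - - [26/Jul/2006:09:15:05 +0800] "GET /images/logo.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0" web01',
    '203.0.113.7 - - [26/Jul/2006:09:15:09 +0800] "POST /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0" web03',
    '203.0.113.7 - - [26/Jul/2006:09:15:20 +0800] "POST /account/profile HTTP/1.1" 200 640 "-" "Mozilla/5.0" web03',
    'garbage line that does not parse',
]

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)" (?P<server>\S+)$'
)

# Transactions the upstream levels care about (assumed). Static content is
# dropped here, so the Level 1 engine never has to look at it.
INTERESTING_PATHS = {"/login", "/account/profile", "/transfer"}


@dataclass(frozen=True)
class WebEvent:
    ts: str         # ISO-8601 in UTC, so differently configured servers line up
    src_ip: str
    server: str
    method: str
    path: str
    status: int
    outcome: str    # "success" | "auth_failure" | "client_error" | "server_error"


def classify_status(status: int) -> str:
    """Collapse the HTTP status into the outcome classes upstream rules key on."""
    if status in (401, 403):
        return "auth_failure"
    if 200 <= status < 400:
        return "success"
    if 400 <= status < 500:
        return "client_error"
    return "server_error"


def parse_line(line: str) -> Optional[WebEvent]:
    """Parse one raw line. None means: unparseable, or not worth forwarding."""
    m = LOG_RE.match(line)
    if not m or m["path"] not in INTERESTING_PATHS:
        return None
    local = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    utc = local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    status = int(m["status"])
    return WebEvent(utc, m["ip"], m["server"], m["method"], m["path"], status, classify_status(status))


def preprocess(lines: Iterable[str]) -> List[dict]:
    """Level 0: cleanse, reduce and normalize; emit plain dicts for the next level."""
    return [asdict(ev) for ev in map(parse_line, lines) if ev is not None]


if __name__ == "__main__":
    for event in preprocess(RAW_LOG_LINES):
        print(event)
```

Of the six constructed lines, four reach the next level: the static image request and the unparseable line are dropped at Level 0, and the three servers' local timestamps are expressed in one clock before any correlation is attempted.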
CEP Level 1 – Event Refinement
Problem: Which Events in the Event Stream Are “Interesting”?
Event Refinement Example (Association & Classification):
- Hypothesis Generation (HG): process incoming events, data and reports
  - Hypothesis: this group of events may represent fraud
  - Output: fraud detection scorecard or matrix
- Hypothesis Evaluation (HE): evaluate the scorecard/matrix for likelihood comparison
  - Rank evaluation: these events have a higher likelihood of fraud
  - Output: fills the scorecard/matrix with relative likelihood estimates
- Hypothesis Selection (HS): evaluate the scorecard/matrix for best fit against known “badges of fraud”
  - Evaluation: provide an estimate (name) of the fraudulent activity
  - Output: assignment of the fraudulent-activity estimate to the event
CEP Level 2 – Situation Refinement
What is the Context of the Identified Events? Focuses on relationships and states among events.
- Situation Refinement
  - Event-event relationship networks
  - Temporal and state relationships
  - Geographic or topological proximity
  - Environmental context. Example: a brand currently being used by a phishing site on the Internet increases the probability of fraud and identity theft
- Event / activity correlation – relational networks
- Pattern, profile and signature recognition processing
Question: Do “Complex Events” == “Situations”?
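The Level 1 HG/HE/HS steps and the Level 2 environmental-context point are shown together in this added example (Python; not logic from the slides or from TIBCO BusinessEvents). The event fields, the indicator weights, the three "badges of fraud", the context multiplier and the selection threshold are all assumptions for illustration, and the event group is constructed.

```python
"""Level 1 hypothesis generation / evaluation / selection over one account's
events, with a Level 2 environmental-context multiplier applied to the scores.

Added example, not logic from the slides or from TIBCO BusinessEvents. The
event fields, indicator weights, badge definitions, context multiplier and
selection threshold are all assumptions for illustration.
"""
from typing import Dict, List, Optional, Set

# Constructed Level 0 output for one account: two failed logins, then success
# from the same unfamiliar IP, a contact-detail change and a transfer.
EVENTS = [
    {"type": "login", "outcome": "auth_failure", "src_ip": "203.0.113.7", "geo": "RU"},
    {"type": "login", "outcome": "auth_failure", "src_ip": "203.0.113.7", "geo": "RU"},
    {"type": "login", "outcome": "success",      "src_ip": "203.0.113.7", "geo": "RU"},
    {"type": "profile_change", "field": "email", "src_ip": "203.0.113.7", "geo": "RU"},
    {"type": "transfer", "amount": 4900, "dest": "new_payee", "src_ip": "203.0.113.7", "geo": "RU"},
]
PROFILE = {"home_geo": "SG", "usual_ips": {"198.51.100.23"}}   # reference DB entry (constructed)

# "Badges of fraud": each named hypothesis and the indicators that support it.
BADGES: Dict[str, Set[str]] = {
    "account_takeover": {"failed_then_success", "new_geo", "new_ip", "contact_change", "transfer_new_payee"},
    "credential_stuffing": {"failed_then_success", "new_ip", "many_failures"},
    "mule_cashout": {"transfer_new_payee", "large_transfer"},
}
WEIGHTS = {"failed_then_success": 2.0, "new_geo": 1.5, "new_ip": 1.0, "contact_change": 2.0,
           "transfer_new_payee": 2.0, "large_transfer": 1.0, "many_failures": 1.5}


def generate(events: List[dict], profile: dict) -> Set[str]:
    """Hypothesis generation: reduce the event group to named indicators."""
    found = set()
    outcomes = [e["outcome"] for e in events if e["type"] == "login"]
    if "auth_failure" in outcomes and outcomes[-1] == "success":
        found.add("failed_then_success")
    if outcomes.count("auth_failure") >= 5:
        found.add("many_failures")
    if any(e["geo"] != profile["home_geo"] for e in events):
        found.add("new_geo")
    if any(e["src_ip"] not in profile["usual_ips"] for e in events):
        found.add("new_ip")
    if any(e["type"] == "profile_change" and e["field"] in ("email", "phone") for e in events):
        found.add("contact_change")
    for e in events:
        if e["type"] == "transfer":
            if e["dest"] == "new_payee":
                found.add("transfer_new_payee")
            if e["amount"] >= 3000:
                found.add("large_transfer")
    return found


def evaluate(found: Set[str], context: Dict[str, float]) -> Dict[str, float]:
    """Hypothesis evaluation: fill the scorecard with relative likelihoods.

    Each badge scores the weight of its matched indicators over the weight of
    all indicators it lists; `context` carries Level 2 multipliers (e.g. an
    active phishing campaign against the brand raising the takeover prior).
    """
    raw = {}
    for badge, needed in BADGES.items():
        fit = sum(WEIGHTS[i] for i in found & needed) / sum(WEIGHTS[i] for i in needed)
        raw[badge] = fit * context.get(badge, 1.0)
    total = sum(raw.values()) or 1.0
    return {badge: round(score / total, 3) for badge, score in raw.items()}


def select(card: Dict[str, float], threshold: float = 0.4) -> str:
    """Hypothesis selection: name the best-fitting badge, or no_fraud."""
    badge, likelihood = max(card.items(), key=lambda kv: kv[1])
    return badge if likelihood >= threshold else "no_fraud"


def classify(events: List[dict], profile: dict, context: Optional[Dict[str, float]] = None) -> dict:
    found = generate(events, profile)
    card = evaluate(found, context or {})
    return {"indicators": sorted(found), "scorecard": card, "estimate": select(card)}


if __name__ == "__main__":
    print(classify(EVENTS, PROFILE))                                     # no environmental context
    print(classify(EVENTS, PROFILE, context={"account_takeover": 1.5}))  # brand under phishing
```

With the constructed events, the indicators fit account_takeover and mule_cashout equally well, so without context the normalized likelihood is split three ways and no hypothesis clears the assumed 0.4 threshold. Feeding in the Level 2 fact that the brand is under an active phishing campaign (multiplier 1.5 on account_takeover) is what lets the selection step name the activity; that is the slide's point about environmental context changing the estimate.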
CEP Level 3 – Impact Assessment
- Predict the intention of the subject (fraudster example)
  - Make changes to account identity information?
  - Transfer funds out of the account?
  - Test for access and return at a later time?
- Estimate the capabilities of the fraudster
  - Organized gang or individual fraudster?
  - Expert or novice?
- Estimate potential losses if successful
- Identify other threat opportunities
CEP Level 4 – Process Refinement
- Evaluate process performance and effectiveness
  - Exception detection, response efficiency and mitigation
  - Knowledge development
- Identify changes to system parameters
  - Adjust event stream processing variables
  - Fine tune filters, algorithms and correlators
- Determine if other source-specific resources are required
  - Recommend allocation and direction of resources
CEP – Database Management Examples
- Reference Database: user profiles; activity and event signatures and profiles; environmental profiles
- Inference Database: subject identification; situation and threat assessment; knowledge mining
- Referential Mapping Database examples: mapping between IP address and domain; mapping of known anonymous proxies
CEP Level 5 – User Interface / Interaction
- Operational visualization at all “levels”
  - Dynamic graphical representations of situations
  - Supports the decision-making process of analytics personnel
- Process and resource control
  - Supports resource allocation and process refinement
- Display control & personalization
  - Different operator views based on job function and situation
TIBCO’s Event-Decision Reference Architecture
Flexible SOA and Event-Driven Architecture
Our Agenda
- Introduction
- Event-Decision Architecture
  - High Level Overview of Decision Making and BusinessEvents™
  - Event-Decision Reference Architecture
- CEP Scenarios, Use Cases and Application
- Open Discussion
Event Processing Application Scenarios
Examples of Detection-Prediction Scenarios We Solve for Customers

| Application Scenario               | Industry                  | Status (2Q06) |
|------------------------------------|---------------------------|---------------|
| Fraud Detection                    | Financial Services        | POC           |
| Intrusion Detection                | Financial Services        | Pre-Sales     |
| Supply Chain Monitoring            | Business Hub (B2B)        | Production    |
| Supply Chain Monitoring            | Manufacturing             | Planning/POC  |
| Anti Money Laundering              | Government                | Pre-Sales     |
| Power Grid Monitoring              | Energy                    | Pre-Sales     |
| Track & Trace                      | Transportation            | Production    |
| Service Monitoring                 | Telecommunications        | Production    |
| Track & Trace                      | Supply Chain - Logistics  | Pre-Sales     |
| Network & Applications Management  | Telecommunications        | Pre-Sales     |
Identity Theft Detection / Phishing Example
Fraud Detection Scenario. Source: Bass, T., TIBCO Software Inc., January 2006
[Figure: event types (Proxy Alert, Account Lockout, Profile Mismatch, Brand Phishing Alert, Security Alert, Customer Known Fraud IP, Login Success), drawing on a Proxy Alert Service and Brand Misuse / Phishing Alert feeds, are correlated into an Identity Theft situation]
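The identity theft scenario above, together with the database management slide's referential-mapping and reference databases, as an added example (Python; not the rule set from the slides or from TIBCO BusinessEvents). The derived alerts come from constructed lookups (a known-anonymous-proxy range list, a known fraud IP set, customer profiles) and a constructed "brands under phishing" context; the rule that joins them per account inside a 10-minute window is an assumption, as is the event stream. "Security Alert" from the diagram is recorded as evidence but not required by the assumed rule.

```python
"""Identity theft / phishing correlation: alerts derived from reference and
referential-mapping databases, then joined per account inside a time window.

Added example, not the rule set from the slides or from TIBCO BusinessEvents.
The combining rule, the window, the proxy/fraud-IP lists and the event stream
are constructed assumptions for illustration.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Referential mapping DB: known anonymous proxy ranges (constructed, RFC 5737 space).
KNOWN_ANON_PROXIES = [ipaddress.ip_network(n) for n in ("203.0.113.0/25", "198.51.100.64/26")]
# Reference DBs: known fraud IPs and customer profiles (constructed).
KNOWN_FRAUD_IPS = {"192.0.2.99"}
CUSTOMER_PROFILES = {
    "acct-1001": {"home_geo": "SG", "device": "dev-A"},
    "acct-2002": {"home_geo": "SG", "device": "dev-B"},
}
# Level 2 environmental context: brands with a live phishing campaign (constructed).
ACTIVE_BRAND_PHISHING = {"ExampleBank"}

WINDOW_SECONDS = 600


def derive_alerts(ev: dict) -> List[str]:
    """Map one raw login-related event onto the scenario's alert types."""
    alerts = []
    ip = ipaddress.ip_address(ev["src_ip"])
    if any(ip in net for net in KNOWN_ANON_PROXIES):
        alerts.append("Proxy Alert")
    if ev["src_ip"] in KNOWN_FRAUD_IPS:
        alerts.append("Customer Known Fraud IP")
    profile = CUSTOMER_PROFILES.get(ev["account"], {})
    if ev.get("geo") != profile.get("home_geo") or ev.get("device") != profile.get("device"):
        alerts.append("Profile Mismatch")
    if ev["type"] == "lockout":
        alerts.append("Account Lockout")
    if ev["type"] == "security_alert":
        alerts.append("Security Alert")
    if ev["type"] == "login" and ev.get("outcome") == "success":
        alerts.append("Login Success")
    if ev.get("brand") in ACTIVE_BRAND_PHISHING:
        alerts.append("Brand Phishing Alert")
    return alerts


class IdentityTheftCorrelator:
    """Per-account sliding window; emits an Identity Theft situation when the
    assumed rule holds: a suspicious origin (proxy or known fraud IP) AND an
    identity signal (profile mismatch or lockout) AND a successful login, all
    while the brand is under phishing, within WINDOW_SECONDS."""

    def __init__(self, window: int = WINDOW_SECONDS):
        self.window = window
        self.history: Dict[str, List[Tuple[int, str]]] = defaultdict(list)

    def feed(self, ev: dict) -> Optional[dict]:
        account, now = ev["account"], ev["ts"]
        hist = self.history[account]
        hist.extend((now, a) for a in derive_alerts(ev))
        hist[:] = [(t, a) for t, a in hist if now - t <= self.window]   # expire old evidence
        seen = {a for _, a in hist}
        origin = seen & {"Proxy Alert", "Customer Known Fraud IP"}
        identity = seen & {"Profile Mismatch", "Account Lockout"}
        if origin and identity and {"Login Success", "Brand Phishing Alert"} <= seen:
            hist.clear()   # consume the evidence so one incident fires once
            return {"situation": "Identity Theft", "account": account, "ts": now, "evidence": sorted(seen)}
        return None


# Constructed stream (ts in seconds). acct-1001 is attacked from a known proxy
# with an unfamiliar device and geo; acct-2002 is the benign control.
STREAM = [
    {"ts": 0,   "account": "acct-1001", "type": "login", "outcome": "auth_failure",
     "src_ip": "203.0.113.10", "geo": "NL", "device": "dev-X", "brand": "ExampleBank"},
    {"ts": 30,  "account": "acct-2002", "type": "login", "outcome": "success",
     "src_ip": "198.51.100.5", "geo": "SG", "device": "dev-B", "brand": "ExampleBank"},
    {"ts": 60,  "account": "acct-1001", "type": "lockout",
     "src_ip": "203.0.113.10", "geo": "NL", "device": "dev-X", "brand": "ExampleBank"},
    {"ts": 400, "account": "acct-1001", "type": "login", "outcome": "success",
     "src_ip": "203.0.113.10", "geo": "NL", "device": "dev-X", "brand": "ExampleBank"},
]


def run(stream: List[dict]) -> List[dict]:
    corr = IdentityTheftCorrelator()
    return [s for s in (corr.feed(ev) for ev in stream) if s is not None]


if __name__ == "__main__":
    for situation in run(STREAM):
        print(situation)
```

The benign control account also logs in while the brand is under phishing, but it produces no origin or identity alert, so the rule stays quiet; the attacked account fires exactly once, at the successful login, with the full set of supporting alerts attached as evidence for the Level 3 impact assessment and the operator view.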
Customer Case Study: Fusion-Based IDS
High Level Event-Driven Architecture (EDA) – Early Phase
[Figure: a SENSOR NETWORK of NIDS, IDS, HIDS, log files and SQL databases, each adapted into JMS via TIBCO BusinessWorks (BW) or the Active Database adapter (ADB), publishes onto JAVA MESSAGING SERVICE (JMS) DISTRIBUTED QUEUES (TIBCO EMS); a RULES NETWORK of several HIGH PERFORMANCE RULES-ENGINES (TIBCO BE) consumes them. TIBCO products are highlighted on the messaging network.]
Overview of Mizuho Securities Solutions Architecture
- Fusion of IDS information across the customer’s enterprise, including:
  - Log files
  - Existing customer IDS devices (host and network based)
  - Network traffic monitors (as required)
  - Host statistics (as required)
- Secure, standards-based Java Message Service (JMS) for messaging:
  - Events parsed into JMS properties (extended headers)
  - SSL transport for JMS messages
- TIBCO technology for next-generation detection, prediction, rule-based intrusion response, and adaptive control
  - TIBCO BusinessWorks™ as required, to transform, map or cleanse data
  - TIBCO BusinessEvents™ for rule-based IDS analytics
  - TIBCO Active Database Adapter as required
Potential Extensions to Solutions Architecture
- Extension of IDS to rules-based access control
  - Integration of IDS with access control
  - TIBCO BusinessEvents™ for rule-based access control
- Extension of IDS and access control to incident response
  - Event-triggered work flow
  - TIBCO iProcess™ BPM for incident response
  - TIBCO iProcess™ BPM security entitlement work flow
- Extensions for other risk and compliance requirements
  - Basel II, SOX, and J-SOX, for example
  - Other possibilities to be discussed later
- Extensions for IT management requirements
  - Monitoring and fault management, service management, ITIL
Event-Decision Processing Characteristics
Adapted (this and the next slide) from: Steinberg, A., & Bowman, C., Handbook of Multisensor Data Fusion, CRC Press, 2001

| JDL Model Level            | Activity             | Entity Estimate                | Estimation Process | Association Process |
|----------------------------|----------------------|--------------------------------|--------------------|---------------------|
| (L0) Event Preprocessing   | Sensor Processing    | Sensor Output                  | Detection          | Assignment          |
| (L1) Event Refinement      | Event Processing     | Individual Event               | Attribution        | Assignment          |
| (L2) Situation Refinement  | Situation Assessment | Aggregation (situation)        | Relational         | Aggregation         |
| (L3) Impact Assessment     | Impact Assessment    | Effect (situation, given plan) | Plan Interaction   | Aggregation         |
| (L4) Process Refinement    | Decision Making      | (Action)                       | (Control)          | Planning            |
Comparison of Event-Decision Models

| Activity             | Intelligence Cycle | Boyd Loop | Waterfall Model                         | Sense & Respond | JDL Model Level            |
|----------------------|--------------------|-----------|-----------------------------------------|-----------------|----------------------------|
| Sensor Acquisition   | Collect            | Observe   | Sensing                                 | Sense           | ---                        |
| Sensor Processing    | Collate            | Orient    | Sensor Processing                       | Detect          | (L0) Event Preprocessing   |
| Event Processing     | Collate            | Orient    | Pattern Processing / Feature Extraction | Detect          | (L1) Event Refinement      |
| Situation Assessment | Evaluate           | Orient    | Situation Assessment                    | Analyze         | (L2) Situation Refinement  |
| Impact Assessment    | Evaluate           | Orient    | ---                                     | Analyze         | (L3) Impact Assessment     |
| Decision Making      | Disseminate        | Decide    | Decision Making                         | Decide          | (L4) Process Refinement    |
| Decision Execution   | Disseminate        | Act       |                                         | Respond         | (L5) Visualization         |
Enterprise Scenario
The Full Range of Business Integration Products and Services
[Figure: enterprise integration landscape with EVENTS flowing in and out]
Key Takeaways
- Event-Decision Processing is Computationally Intensive
- CEP requires a Number of Technologies:
  - Distributed Computing, Publish/Subscribe and SOA
  - Hierarchical, Cooperative Inference Processing
  - High Speed, Real Time Processing with State Management
  - Event-Decision Architecture for Complex Situations and Events
- There is no single “CEP Solution” or “CEP Product”
- CEP needs a Common Vocabulary and Functional Architecture based on Mature, Industry-Standard Inference Models
- TIBCO is Solving CEP Scenarios for Our Customers Today
Thank You!
Tim Bass, CISSP, Principal Global Architect, [email_address]
Complex Event Processing at TIBCO
Example Publications, Webinars and Tools
