Around the same time that Professor Luckham and his team was working on CEP applications in network management and security management, I was leading efforts to build network and security management control centers for the United States Air Force.  In the beginning, dating back to 1994, my Internet-related work was for Air Combat Command (ACC), working out of ACC headquarters at Langley Air Force Base.

In 1997, I lead a technical team that developed countermeasures against an actual distributed Internet-based attack on the Langley AFB SMTP email infrastructure.  This attack was documented in a technical paper, E-Mail Bombs and Countermeasures: Cyber Attacks on Availability and Brand Integrity, IEEE Network Magazine, Vol. 12, No. 2, pp. 10-17, March/April 1998.  In addition, this attackand countermeasures I designed was featured in Popular Science Magazine in an 1998 article, War.Com and other news channels.  I also published a number of related papers on this topic.

Our team used a rule-based approach for countermeasures against massive email bombs attacks on the Langley Air Force Base email infrastructure.   We called this rule-based system, BombShelter. and it was written in PERL.  I developed both the original software architecture and the original working prototype for BombShelter (in two days) and then we turned the software over to our team who used the rule-based approach for daily attack countermeasures.

I watched for days, and then weeks, as my team designed rules, and the attackers wrote new attacks that circumvented the rules.  Some folks in the Pentagon used to say that I “lead the effort to fight the first war in cyberspace”.   It might have have been the first cyberwar, I am not sure, but it was certainly the first publicly documented cyberwar.  There is no doubt about this.

Without getting into all the historical footnotes and significance of this cyberwar that was fought with experts and rule-based systems, I would like to jump to an important conclusion.

Rule-based systems are useful, but have limited functionality and scaleability in most complex event processing applications.

Rule-based systems are human resource intensive because rule-based systems cannot learn and adapt on their own, humans learn and then write new rules.  This is how rule-based systems work.

This is the motivation behind why I spend a lot of time to search for new, more efficient and adaptive methods as alternatives to rule-based systems.   After extensive research, I published a series of papers on the future of intrusion detection in the Internet.  Intrusion Detection Systems & Multisensor Data Fusion - Creating Cyberspace Situational Awareness [1], helped lead an evolution in Internet security, particularly in the area of network-based intrusion detection systems (IDS).

In my published research work, motivated by limitations with rule-based approaches, I used the same mature functional model that is used to process missile attacks, control global air traffic, and other complex event processing applications in physical space; but I applied these concepts to cyberspace.

Around the same time, Professor Luckham and others were working on similar problems, all related to real-time detection and response to threats in cyberspace.  They were also funded by the US government.

Sidebar: Stream processing of transaction- based systems (databases), another area of interest, was focused on a totally different problem, which was the low latency processing of straight-thru processing in databased-oriented systems.   These stream processing systems were, and remain however,  rule-based systems.  The problems we were trying to solve in cyberspace, however, cannot be efficiently and pragmatically solved by rule-based systems alone.  Only relatively simple scenarios can be efficiently detected by rule-based stream processing systems.

The vast majority of complex event processing classes of problems require rules plus advanced algorithms that can learn and adapt in real-time.    I know this, not from reading papers or taking university classes on rule-bases systems, but from working on some very challenging operational problems in real-time.    This is why I remain interested in complex event processing and why I continue to elaborate on why rule-based systems have limitations.

Does Oracle run the world? I would have to say no but Raj (Larry Ellison is his idol) and the 40,000 Oracle customers that descended upon SF last week might beg to differ. What do James Carville and Mary Matalin have to do with enterprise software? Pretty much nothing, except for the fact that they delivered the opening keynote for Oracle OpenWorld. (And that’s the only and last politically-oriented thing you’ll hear from me as we run up to the election). For a surprisingly funny and extensive photo gallery of the eye-popping event, check out cdye1’s photostream on Flickr.

But UB40, Elvis Costello and Seal aside, Oracle OpenWorld did offer training, certifications, and always entertaining speeches by Ellison. Ben Worthen’s favorite – “Larry Ellison’s Brilliant Anti-Cloud Computing Rant” delivered to analysts on Thursday. From Ben’s slightly-edited excerpt:

“The interesting thing about cloud computing is that we’ve redefined cloud computing to include everything that we already do. I can’t think of anything that isn’t cloud computing with all of these announcements. The computer industry is the only industry that is more fashion-driven than women’s fashion. Maybe I’m an idiot, but I have no idea what anyone is talking about. What is it? It’s complete gibberish. It’s insane. When is this idiocy going to stop?

“We’ll make cloud computing announcements. I’m not going to fight this thing. But I don’t understand what we would do differently in the light of cloud computing other than change the wording of some of our ads. That’s my view.”

So did everyone catch that? Cloud computing is complete gibberish and idiocy, but apparently Oracle’s already been doing enough around it to advertise the fact. I will have my cake and eat it too!

We’ve been pumping out the posts from the shows we went to – let me tell you, live-blogging is hard when you’re trying to share apparently miniscule amounts of bandwidth with 14,000 other attendees – and we have even more to share as we step back, contemplate and describe how some of the announcements, info and especially roadmaps fit into our overall picture over here at ScienceLogic.

For example, we released the results of our annual industry IT survey last week. Twice a year – at FOSE (for Government IT) and at Interop NY (for enterprises) – we take advantage of the fact that we have a big beautiful booth at these shows and offer a fabulous ScienceLogic t-shirt in return for a couple of minutes time with attendees living the problems we try to solve. Instead of telling people what their problems and priorities are, we like to ask.
Interop NY Survey - Trends and Challenges
Detailed Reports on Trends and Comparison to Government IT

And I just had to share this one because it is so bizarre. Are VMware and Paul Maritz guilty of plagiarism? You have to check this out to get even part of the picture. Apparently this guy has posted his slides (we know they are from VMworld 2007 because it says so in the lower-right-hand corner…) which prove that the “virtual datacenter operating system” idea was his idea a year before it showed up on Maritz’s keynote this year. Hmmm. And then after posting all these slides and making all the connections between his presentation and Maritz’s, he says he’s just kidding about the plagiarism. Can anyone sort this out and let me know?

I’ll tell you who wasn’t kidding when I went by their booth at VMworld – a certain chargeback vendor and VMware “partner” who was quite shocked two months ago when they walked into a meeting with VMware about future roadmap. Apparently, the slides they saw (preview of VMware’s announcement re adding extended chargeback capability within vCenter management services) were mighty might similar to slides they had given in a presentation to VMware about their own roadmap. Coincidence? I’ll let you decide. And I’ll also say, their strategy to combat this – support for Hyper-V coming early in 2009.

ATC is an excellent working example of complex event processing.   Radar and GPS provide the basic sensory information to accurately track and trace the position of each aircraft in the area of responsibility (AOR) of a particular control tower/zone.     Naturally,  sensory information is preprocessed and formatted in such a way that the data can be processed upstream by multiple real-time applications.

Before we look at complex ATC scenarios, such as “potential collision” or “aircraft off approach vector” we must trace and trace individual objects, aircraft-objects, accurately with very high confidence.    In addition to tracking aircraft-objects, there is a database of information about the aircraft (ideally), such as make, model, age, range, passengers and other properties about the aircraft-object.      In addition, there is a state-model for each aircraft, for example the aircraft might be “on the ground”, “approaching the runway”, “cleared for takeoff”, “cruising altitude”, “approaching runway”, “final decent” etc.  

Tracking and tracing individual aircraft is what is generally referred to as “object refinement” in our CEP/EP reference architecture.   The reason we call this function “object refinement” is that system engineers are focused on optimizing the situational knowledge about individual objects.     Sometimes we refer to this function as “track and trace” because that is what we are doing to  each object in the model.  In Marc Adler’s recent shoplifting scenario, Marc was interested in tracking and tracing people in a store using imaging processing techniques to estimate their behavioral patterns.  In the same way, before we can process for scenarios such as “potential shoplifter” or “suspicious criminal gang activity” we must be able to accurately process (track and trace) individual object, such as people or merchandise.

Back to aircraft and ATC, the “complex event processing” begins when we are looking about object-object relationships, in this model, aircraft-to-aircraft, but this is an overly simplistic model, as we have not yet added (to our model) ground features (towers, buildings, power lines), weather (storm cells, wind) and other flying objects (known migratory bird paths, swarms of insects) to our simple model.  

Complex event processing occurs when we are processing multiple objects in our model looking for threats in real-time.     Practically speaking, all ATC applications are CEP applications.  This means that vendors and integrators who build ATC applications are also CEP vendors.   

Editorial Note: CEP/EP has been around for a long time and was not recently invented in the past decade as some “inventors” would like for us to believe. 

As you can imagine, there is considerable “complex event processing” that goes on “behind the scenes” to provide air traffic controllers and pilots situational knowledge into the “friendly skies”.   As you might further imagine, the situation is more complex when the skies are “not so friendly”, for example, in air combat situations.   

Processing myriad objects is not the end of the processing “chain”.  For example, decisions are being made constantly about potential damage, alternative airports, and more.    In our reference model, we refer to this, generally speaking, as “impact assessment” because we must take an estimated detected complex event, for example “aircraft collision,” and estimate potential damage based on numerous factors such as, the amount of jet fuel in the aircrafts and the location of the aircrafts (over a large city or rural area, near a hospital and emergency services).   Regardless of the scenario, an impact assessment is normally required before optimal decisions can be made.

This is true, by the way, for our shoplifting example (the impact is different if a piece of gum is stolen versus a $1,000,000 diamond necklace or weapons-grade nuclear material) and other scenarios and models.  Static data (information about objects) is required for accurate decision processing.  

Impact assessment is not the end of the “knowledge chain”.    Decisions are constantly being made that effect resources.  For example, suggestion an alternative route for an aircraft is a resource management decision.    Turning on and off radar or switching to alternative tracking devices is a resource management function.  In our CEP/EP reference model (based on the JDL data fusion model), we call this “resource management”.   This function includes contacting emergency services and directing them to a potential crash location or sending out a message to instruct all aircraft to stay off a certain radio frequency.  Resource management is critical.

Our simple ATC model today is by no means complete, it just scratches the surface.  In fact, I have a very close friend, Mark Secrist, who is a former Marine fighter pilot and currently a senior captain for American Airlines.   I have asked Mark to read this post and help me further refine this crude “laymans” ATC model (Thanks Mark!).

Some of the major obstacles we face with 802.1X center around creating a smooth end user experience.  We, as integrators, have the distinct ability to make ‘whatever’ work- we find a way. But, what I hear most from my customers is “it has to be easy for the end user.”  (Sometimes they go on a little further, but I’ll leave it at that.)

Why does it matter?

Wireless, wireless, wireless. Although wired 1X is popular with our customer-base, the world isn’t quite flocking to it yet. However, 802.1X is certainly the best way to increase security and ease management of wireless networks. It’s standard, it’s flexible, it’s widely-supported by devices and endpoints and it eliminates the need for pre-shared keys or secondary passwords. It’s what most enterprises, government and educational organizations are implementing now, so it’s important.

What are some of the problems?

The end user will have some adjustments to make, and network admins and support desks aren’t always thrilled with the propect of re-training users for these expectations.