{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,23]],"date-time":"2026-03-23T13:09:08Z","timestamp":1774271348715,"version":"3.50.1"},"reference-count":55,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2026,3,23]],"date-time":"2026-03-23T00:00:00Z","timestamp":1774224000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Computers"],"abstract":"<jats:p>The proliferation of Internet of Things (IoT) devices has intensified the need for efficient real-time anomaly and intrusion detection, making the selection of an appropriate Complex Event Processing (CEP) engine a critical architectural decision for security-aware data pipelines. Python-based CEP frameworks offer compelling advantages through the seamless integration with data science and machine learning ecosystems; however, rigorous comparative evaluations of such frameworks under realistic IoT security workloads remain absent from the literature. This study presents the first systematic comparative evaluation of Faust and Streamz\u2014two Python-native CEP engines representing fundamentally different architectural philosophies\u2014specifically in the context of IoT network intrusion detection. Faust was selected for its actor-based stateful processing model with native Kafka integration and distributed table support, while Streamz was selected for its reactive, lightweight pipeline design targeting high-throughput stateless processing, making them representative of the two dominant paradigms in Python stream processing. Although both engines target different application niches, their performance characteristics under realistic CEP workloads have never been rigorously compared, leaving practitioners without empirical guidance. The primary evaluation employs an IoT network intrusion dataset comprising 583,485 events from 83 heterogeneous devices. To assess whether the observed performance characteristics are specific to this single dataset or generalize across different workload profiles, a secondary IoT-adjacent benchmark is included: the PaySim financial transaction dataset (6.4 million records), selected because its event schema, fraud-pattern temporal structure, and volume differ substantially from the intrusion dataset, providing a stress test for cross-workload robustness rather than a claim of domain equivalence. We acknowledge the reviewer\u2019s valid point that a second IoT-specific intrusion dataset (such as TON_IoT or Bot-IoT) would constitute a more directly comparable validation; this is identified as a priority for future work. The load levels used in scalability experiments (up to 5000 events per second) intentionally exceed the dataset\u2019s natural rate to stress-test each engine\u2019s architectural ceiling and identify saturation thresholds relevant to large-scale or multi-sensor IoT deployments. We conducted controlled experiments with comprehensive statistical analysis. Our results demonstrate that Streamz achieves superior throughput at 4450 events per second with 89% efficiency and minimal resource consumption (40 MB memory, 12 ms median latency), while Faust provides robust intrusion pattern detection with 93\u201398% accuracy and stable, predictable resource utilization (1.4% CPU standard deviation). A multi-framework comparison including Apache Kafka Streams and offline scikit-learn baselines confirms that Faust achieves detection quality competitive with JVM-based alternatives (Faust: 96.2%; Kafka Streams: 96.8%; absolute difference of 0.6 percentage points, not statistically significant at p=0.318) while retaining the Python ecosystem advantages. Statistical analysis confirms significant performance differences across all metrics (p&lt;0.001, Cohen\u2019s d&gt;0.8). Critical scalability thresholds are identified: Streamz maintains efficiency above 95% up to 3500 events per second, while Faust degrades beyond 2500 events per second. These findings provide IoT security engineers and system architects with actionable, empirically grounded guidance for CEP engine selection, establish reproducible benchmarking methodology applicable to future Python-based stream processing evaluations, and advance theoretical understanding of the accuracy\u2013throughput trade-off in stateful versus stateless Python CEP architectures.<\/jats:p>","DOI":"10.3390\/computers15030200","type":"journal-article","created":{"date-parts":[[2026,3,23]],"date-time":"2026-03-23T11:59:36Z","timestamp":1774267176000},"page":"200","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Performance Comparison of Python-Based Complex Event Processing Engines for IoT Intrusion Detection: Faust Versus Streamz"],"prefix":"10.3390","volume":"15","author":[{"given":"Maryam","family":"Abbasi","sequence":"first","affiliation":[{"name":"School of Technology and Management, Polytechnic Institute of Santar\u00e9m, 2001-904 Santar\u00e9m, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3916-5182","authenticated-orcid":false,"given":"Filipe","family":"Cardoso","sequence":"additional","affiliation":[{"name":"School of Technology and Management, Polytechnic Institute of Santar\u00e9m, 2001-904 Santar\u00e9m, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1745-8937","authenticated-orcid":false,"given":"Paulo","family":"V\u00e1z","sequence":"additional","affiliation":[{"name":"Research Center in Digital Services, Polytechnic Institute of Viseu, 3504-510 Viseu, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7285-8282","authenticated-orcid":false,"given":"Jos\u00e9","family":"Silva","sequence":"additional","affiliation":[{"name":"Research Center in Digital Services, Polytechnic Institute of Viseu, 3504-510 Viseu, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7846-8397","authenticated-orcid":false,"given":"Filipe","family":"S\u00e1","sequence":"additional","affiliation":[{"name":"ISEC\u2014Coimbra Institute of Engineering, Polytechnic University of Coimbra, 3030-199 Coimbra, Portugal"}]},{"given":"Pedro","family":"Martins","sequence":"additional","affiliation":[{"name":"Research Center in Digital Services, Polytechnic Institute of Viseu, 3504-510 Viseu, Portugal"}]}],"member":"1968","published-online":{"date-parts":[[2026,3,23]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"80","DOI":"10.1109\/MC.2017.201","article-title":"DDoS in the IoT: Mirai and Other Botnets","volume":"50","author":"Kolias","year":"2017","journal-title":"Computer"},{"key":"ref_2","first-page":"3496","article-title":"A Critical Review of Practices and Challenges in Intrusion Detection Systems for IoT: Toward Universal and Resilient Systems","volume":"20","author":"Benkhelifa","year":"2018","journal-title":"IEEE Trans. Ind. Inform."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/2187671.2187677","article-title":"Processing flows of information: From data stream to complex event processing","volume":"44","author":"Cugola","year":"2012","journal-title":"ACM Comput. Surv."},{"key":"ref_4","unstructured":"Etzion, O., and Niblett, P. (2010). Event Processing in Action, Manning Publications."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3170432","article-title":"Recent advancements in event processing","volume":"51","author":"Dayarathna","year":"2018","journal-title":"ACM Comput. Surv."},{"key":"ref_6","first-page":"28","article-title":"Apache Flink: Stream and Batch Processing in a Single Engine","volume":"38","author":"Carbone","year":"2015","journal-title":"Bull. IEEE Comput. Soc. Tech. Comm. Data Eng."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"56","DOI":"10.1145\/2934664","article-title":"Apache Spark: A Unified Engine for Big Data Processing","volume":"59","author":"Zaharia","year":"2016","journal-title":"Commun. ACM"},{"key":"ref_8","first-page":"1","article-title":"River: Machine Learning for Streaming Data in Python","volume":"22","author":"Montiel","year":"2021","journal-title":"J. Mach. Learn. Res."},{"key":"ref_9","unstructured":"McKinney, W. (July, January 28). Data Structures for Statistical Computing in Python. Proceedings of the 9th Python in Science Conference (SciPy), Austin, TX, USA."},{"key":"ref_10","first-page":"2825","article-title":"Scikit-learn: Machine Learning in Python","volume":"12","author":"Pedregosa","year":"2011","journal-title":"J. Mach. Learn. Res."},{"key":"ref_11","unstructured":"Krispin, R. (2026, January 01). Faust: A Python Stream Processing Library. Available online: https:\/\/faust.readthedocs.io."},{"key":"ref_12","unstructured":"Rocklin, M. (2026, January 01). Streamz: Build Pipelines to Manage Continuous Streams of Data. Available online: https:\/\/streamz.readthedocs.io."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Chintapalli, S., Dagit, D., Evans, B., Farivar, R., Graves, T., Holderbaugh, M., Liu, Z., Nusbaum, K., Patil, K., and Peng, B.J. (2016). Benchmarking Streaming Computation Engines: Storm, Flink and Spark Streaming. Proceedings of the 2016 IEEE International Parallel and Distributed Processing Symposium Workshops (IPDPSW), IEEE.","DOI":"10.1109\/IPDPSW.2016.138"},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"313","DOI":"10.1007\/s00778-019-00557-w","article-title":"Complex event recognition in the Big Data era: A survey","volume":"29","author":"Giatrakos","year":"2020","journal-title":"VLDB J."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Karimov, J., Rabl, T., Katsifodimos, A., Samarev, R., Heiskanen, H., and Markl, V. (2018). Benchmarking Distributed Stream Data Processing Systems. Proceedings of the 2018 IEEE 34th International Conference on Data Engineering (ICDE), IEEE.","DOI":"10.1109\/ICDE.2018.00169"},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"619","DOI":"10.1016\/j.future.2020.10.007","article-title":"A Survey on Security and Privacy of Federated Learning","volume":"115","author":"Mothukuri","year":"2021","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_17","first-page":"193","article-title":"Scalable and Flexible Stream Processing for Fog Computing: Bridging Gaps with the Cloud and the Edge","volume":"115","author":"Bellavista","year":"2021","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_18","first-page":"102419","article-title":"Deep Learning for Cyber Security Intrusion Detection: Approaches, Datasets, and Comparative Study","volume":"50","author":"Ferrag","year":"2020","journal-title":"J. Inf. Secur. Appl."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"779","DOI":"10.1016\/j.future.2019.05.041","article-title":"Towards the Development of Realistic Botnet Dataset in the Internet of Things for Network Forensic Analytics: Bot-IoT Dataset","volume":"100","author":"Koroniotis","year":"2019","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"895","DOI":"10.1109\/TKDE.2014.2356476","article-title":"An Event Calculus for Event Recognition","volume":"27","author":"Artikis","year":"2015","journal-title":"IEEE Trans. Knowl. Data Eng."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Doshi, R., Apthorpe, N., and Feamster, N. (2018). Machine Learning DDoS Detection for Consumer IoT Devices. Proceedings of the 2018 IEEE Security and Privacy Workshops (SPW), IEEE.","DOI":"10.1109\/SPW.2018.00013"},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"165130","DOI":"10.1109\/ACCESS.2020.3022862","article-title":"TON_IoT Telemetry Dataset: A New Generation Dataset of IoT and IIoT for Data-Driven Intrusion Detection Systems","volume":"8","author":"Alsaedi","year":"2020","journal-title":"IEEE Access"},{"key":"ref_23","first-page":"113131","article-title":"Anomaly Detection in IoT Networks Using Machine Learning","volume":"145","author":"Qureshi","year":"2020","journal-title":"Expert Syst. Appl."},{"key":"ref_24","first-page":"117","article-title":"NetFlow Datasets for Machine Learning-Based Network Intrusion Detection Systems","volume":"392","author":"Sarhan","year":"2021","journal-title":"Big Data Technol. Appl."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Thamilarasu, G., and Chawla, S. (2019). Towards Deep-Learning-Driven Intrusion Detection for the Internet of Things. Sensors, 19.","DOI":"10.3390\/s19091977"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"6822","DOI":"10.1109\/JIOT.2019.2912022","article-title":"Machine Learning-Based Network Vulnerability Analysis of Industrial Internet of Things","volume":"6","author":"Zolanvari","year":"2019","journal-title":"IEEE Internet Things J."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Nguyen, T.D., Marchal, S., Miettinen, M., Fereidooni, H., Asokan, N., and Sadeghi, A.R. (2019). D\u00cfoT: A Federated Self-Learning Anomaly Detection System for IoT. Proceedings of the 2019 IEEE 39th International Conference on Distributed Computing Systems (ICDCS), IEEE.","DOI":"10.1109\/ICDCS.2019.00080"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Roopak, M., Tian, G.Y., and Chambers, J. (2019). Deep Learning Models for Cyber Security in IoT Networks. Proceedings of the 2019 IEEE 9th Annual Computing and Communication Workshop and Conference (CCWC), Las Vegas, NV, USA, 7\u20139 January 2019, IEEE.","DOI":"10.1109\/CCWC.2019.8666588"},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Abdelmoumin, G., Whitaker, J., Rawat, D.B., and Rahman, A. (2022). Performance Analysis of Machine Learning Classifiers for Intrusion Detection in IoT Networks. Electronics, 11.","DOI":"10.3390\/electronics11020213"},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"177","DOI":"10.1016\/j.icte.2021.04.012","article-title":"Feature Selection for Intrusion Detection System in Internet of Things (IoT)","volume":"7","author":"Nimbalkar","year":"2021","journal-title":"ICT Express"},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"955","DOI":"10.1007\/s11219-022-09587-0","article-title":"Transferability of Machine Learning Models Learned from Public Intrusion Detection Datasets: The CICIDS17 Case Study","volume":"30","author":"Catillo","year":"2022","journal-title":"Softw. Qual. J."},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"1346","DOI":"10.14778\/3236187.3236190","article-title":"Efficient adaptive detection of complex event patterns","volume":"11","author":"Kolchinsky","year":"2018","journal-title":"Proc. VLDB Endow."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Anicic, D., Fodor, P., Rudolph, S., and Stojanovic, N. (2011). EP-SPARQL: A Unified Language for Event Processing and Stream Reasoning. Proceedings of the 20th International Conference on World Wide Web (WWW), ACM.","DOI":"10.1145\/1963405.1963495"},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/2528412","article-title":"A Catalog of Stream Processing Optimizations","volume":"46","author":"Hirzel","year":"2014","journal-title":"ACM Comput. Surv."},{"key":"ref_35","first-page":"91","article-title":"Complex Event Processing for Cybersecurity: A Comprehensive Review","volume":"185","author":"Jain","year":"2022","journal-title":"Comput. Commun."},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"3469","DOI":"10.1109\/TII.2020.3022432","article-title":"Variational LSTM Enhanced Anomaly Detection for Industrial Big Data","volume":"17","author":"Zhou","year":"2021","journal-title":"IEEE Trans. Ind. Inform."},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Rocklin, M. (2015, January 6\u201312). Dask: Parallel Computation with Blocked Algorithms and Task Scheduling. Proceedings of the 14th Python in Science Conference (SciPy), Austin, TX, USA.","DOI":"10.25080\/Majora-7b98e3ed-013"},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Gomes, H.M., Read, J., and Bifet, A. (2019). Streaming Random Patches for Evolving Data Stream Classification. Proceedings of the 2019 IEEE International Conference on Data Mining (ICDM), IEEE.","DOI":"10.1109\/ICDM.2019.00034"},{"key":"ref_39","unstructured":"Beazley, D. Understanding the Python GIL. Presented at PyCon 2010, Atlanta, GA, 2010. Available online: https:\/\/www.dabeaz.com\/python\/UnderstandingGIL.pdf."},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Henning, S., and Hasselbring, W. (2021). Theodolite: Scalability Benchmarking of Distributed Stream Processing Engines in Microservice Architectures. Proceedings of the 2021 IEEE International Conference on Big Data (Big Data), IEEE.","DOI":"10.1016\/j.bdr.2021.100209"},{"key":"ref_41","unstructured":"Fabian, B., Ermakova, T., and Kelkel, S. (2023). Performance Analysis of Apache Kafka for IoT Data Streams. Future Internet, 15."},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3433675","article-title":"Scotty: Efficient Window Aggregation for Out-of-Order Stream Processing","volume":"46","author":"Traub","year":"2021","journal-title":"ACM Trans. Database Syst."},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Lopez, M.A., Lobato, A.G.P., and Duarte, O.C.M.B. (2016). A Performance Comparison of Open-Source Stream Processing Platforms. Proceedings of the 2016 IEEE Global Communications Conference (GLOBECOM), IEEE.","DOI":"10.1109\/GLOCOM.2016.7841533"},{"key":"ref_44","doi-asserted-by":"crossref","unstructured":"Hesse, G., and Lorenz, M. (2015). Conceptual Survey on Data Stream Processing Systems. Proceedings of the 2015 IEEE 21st Pacific Rim International Symposium on Dependable Computing (PRDC), IEEE.","DOI":"10.1109\/ICPADS.2015.106"},{"key":"ref_45","doi-asserted-by":"crossref","first-page":"1792","DOI":"10.14778\/2824032.2824076","article-title":"The Dataflow Model: A Practical Approach to Balancing Correctness, Latency, and Cost in Massive-Scale, Unbounded, Out-of-Order Data Processing","volume":"8","author":"Akidau","year":"2015","journal-title":"Proc. VLDB Endow."},{"key":"ref_46","doi-asserted-by":"crossref","first-page":"1845","DOI":"10.1109\/TPDS.2020.2978480","article-title":"Evaluation of Stream Processing Frameworks","volume":"31","year":"2020","journal-title":"IEEE Trans. Parallel Distrib. Syst."},{"key":"ref_47","unstructured":"Bordin, M.V., Cugola, G., Margara, A., and Morzenti, A. (2020). Distributed and Parallel Complex Event Processing. Proceedings of the 14th ACM International Conference on Distributed and Event-Based Systems (DEBS), ACM."},{"key":"ref_48","doi-asserted-by":"crossref","first-page":"1718","DOI":"10.14778\/3137765.3137777","article-title":"State Management in Apache Flink: Consistent Stateful Distributed Stream Processing","volume":"10","author":"Carbone","year":"2017","journal-title":"Proc. VLDB Endow."},{"key":"ref_49","unstructured":"Kleppmann, M. (2017). Designing Data-Intensive Applications: The Big Ideas Behind Reliable, Scalable, and Maintainable Systems, O\u2019Reilly Media."},{"key":"ref_50","unstructured":"Demers, A., Gehrke, J., Panda, B., Riedewald, M., Sharma, V., and White, W. (2007, January 7\u201310). Cayuga: A General Purpose Event Monitoring System. Proceedings of the 3rd Biennial Conference on Innovative Data Systems Research (CIDR), Asilomar, CA, USA."},{"key":"ref_51","first-page":"1557","article-title":"Integrating Complex Event Processing and Machine Learning: An Intelligent Architecture for Situational Awareness Systems","volume":"40","author":"Bawakid","year":"2013","journal-title":"Expert Syst. Appl."},{"key":"ref_52","unstructured":"Hochreiner, C., Voj\u010di\u0107, M., and Schulte, S. (2016). Elastic Stream Processing with Latency Guarantees. Proceedings of the 2015 IEEE 35th International Conference on Distributed Computing Systems, IEEE."},{"key":"ref_53","unstructured":"Ullah, I., and Mahmoud, Q.H. (2026, January 01). IoT Network Intrusion Dataset. Version 1.0. IEEE Dataport. Available online: https:\/\/doi.org\/10.21227\/q70p-q449."},{"key":"ref_54","unstructured":"Lopez-Rojas, E.A., Elmir, A., and Axelsson, S. (2016). PaySim: A Financial Mobile Money Simulator for Fraud Detection. Proceedings of the 28th European Modeling and Simulation Symposium (EMSS), DIME University of Genoa."},{"key":"ref_55","doi-asserted-by":"crossref","unstructured":"Liu, F.T., Ting, K.M., and Zhou, Z.H. (2008). Isolation Forest. Proceedings of the 2008 Eighth IEEE International Conference on Data Mining (ICDM), IEEE.","DOI":"10.1109\/ICDM.2008.17"}],"container-title":["Computers"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-431X\/15\/3\/200\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,23]],"date-time":"2026-03-23T12:16:49Z","timestamp":1774268209000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-431X\/15\/3\/200"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,3,23]]},"references-count":55,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2026,3]]}},"alternative-id":["computers15030200"],"URL":"https:\/\/doi.org\/10.3390\/computers15030200","relation":{},"ISSN":["2073-431X"],"issn-type":[{"value":"2073-431X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,3,23]]}}}