/faculteit technologie management
Process Mining and Security: Detecting Anomalous Process Executions and Checking Process Conformance
Wil van der Aalst, Ana Karla A. de Medeiros
Eindhoven University of Technology, Department of Information and Technology, [email protected]
Motivation
– Delta analysis (Are we doing what was specified?)
– Performance analysis (How can we improve?)
Motivation
How can we benefit from process mining to verify security issues in computer systems?
– Detect anomalous process execution
– Check process conformance
Process Mining – Process log
case 1 : task A
case 2 : task A
case 3 : task A
case 3 : task B
case 1 : task B
case 1 : task C
case 2 : task C
case 4 : task A
case 2 : task B
case 2 : task D
case 5 : task E
case 4 : task C
case 1 : task D
case 3 : task C
case 3 : task D
case 4 : task B
case 5 : task F
case 4 : task D
• Minimal information in noise-free log: case id’s and task id’s
• Additional information: event type, time, resources, and data
• In this log there are three possible sequences: ABCD, ACBD, EF
Process Mining – Ordering Relations >, →, ||, #
• Direct succession: x>y iff for some case x is directly followed by y.
• Causality: x→y iff x>y and not y>x.
• Parallel: x||y iff x>y and y>x.
• Unrelated: x#y iff not x>y and not y>x.
Log: case 1 : task A, case 2 : task A, case 3 : task A, case 3 : task B, case 1 : task B, case 1 : task C, case 2 : task C, case 4 : task A, case 2 : task B, ......
Sequences: ABCD, ACBD, EF
Direct succession: A>B, A>C, B>C, B>D, C>B, C>D, E>F
Causality: A→B, A→C, B→D, C→D, E→F
Parallel: B||C, C||B
Process Mining – α-algorithm
Let W be a workflow log over T. α(W) is defined as follows.
1. $T_W = \{ t \in T \mid \exists_{\sigma \in W}\ t \in \sigma \}$,
2. $T_I = \{ t \in T \mid \exists_{\sigma \in W}\ t = first(\sigma) \}$,
3. $T_O = \{ t \in T \mid \exists_{\sigma \in W}\ t = last(\sigma) \}$,
4. $X_W = \{ (A,B) \mid A \subseteq T_W \wedge B \subseteq T_W \wedge \forall_{a \in A} \forall_{b \in B}\ a \rightarrow_W b \wedge \forall_{a_1,a_2 \in A}\ a_1 \#_W a_2 \wedge \forall_{b_1,b_2 \in B}\ b_1 \#_W b_2 \}$,
5. $Y_W = \{ (A,B) \in X_W \mid \forall_{(A',B') \in X_W}\ A \subseteq A' \wedge B \subseteq B' \Rightarrow (A,B) = (A',B') \}$,
6. $P_W = \{ p_{(A,B)} \mid (A,B) \in Y_W \} \cup \{ i_W, o_W \}$,
7. $F_W = \{ (a, p_{(A,B)}) \mid (A,B) \in Y_W \wedge a \in A \} \cup \{ (p_{(A,B)}, b) \mid (A,B) \in Y_W \wedge b \in B \} \cup \{ (i_W, t) \mid t \in T_I \} \cup \{ (t, o_W) \mid t \in T_O \}$, and
8. $\alpha(W) = (P_W, T_W, F_W)$.
Process Mining – α-algorithm
[Figure: Petri net mined from the log, with transitions A, B, C, D, E, F]
Sequences: ABCD, ACBD, EF
Causality: A→B, A→C, B→D, C→D, E→F
Parallel: B||C, C||B
Process Mining – α-algorithm
• If the log is complete with respect to the relation >, it can be used to mine an SWF-net without short loops
• Structured Workflow Nets (SWF-nets) have no implicit places and the following two constructs cannot be used:
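The ordering relations and the α-algorithm from the preceding slides, worked on the five-case log of the deck. This is an added example, not code from the slides or from the ProM tools; the log is a constructed copy of the one on the slides, and the place names are this example's own.

```python
from itertools import chain, combinations

# Constructed copy of the five-case log from the slides: case id -> task sequence.
LOG = {1: "ABCD", 2: "ACBD", 3: "ABCD", 4: "ACBD", 5: "EF"}

def ordering_relations(log):
    """Derive the four ordering relations of the slides: > (direct succession),
    -> (causality), || (parallel) and # (unrelated), each as a set of (x, y) pairs."""
    succ = {(t[i], t[i + 1]) for t in log.values() for i in range(len(t) - 1)}
    tasks = set(chain.from_iterable(log.values()))
    causal = {(x, y) for (x, y) in succ if (y, x) not in succ}
    parallel = {(x, y) for (x, y) in succ if (y, x) in succ}
    unrelated = {(x, y) for x in tasks for y in tasks
                 if (x, y) not in succ and (y, x) not in succ}
    return tasks, succ, causal, parallel, unrelated

def alpha(log):
    """Steps 1-8 of the alpha-algorithm; returns the Petri net (places, transitions, arcs).
    Places are "i", "o" and ("p", A, B) tuples with A, B frozensets of tasks."""
    tasks, succ, causal, parallel, unrelated = ordering_relations(log)
    t_in = {t[0] for t in log.values()}          # step 2: first tasks
    t_out = {t[-1] for t in log.values()}        # step 3: last tasks
    def subsets(s):
        return chain.from_iterable(combinations(s, k) for k in range(1, len(s) + 1))
    # Step 4: X_W = pairs (A, B) with every a->b causal and A, B each internally unrelated.
    x_w = set()
    for a in subsets(sorted(tasks)):
        if not all((p, q) in unrelated for p in a for q in a):
            continue
        for b in subsets(sorted(tasks)):
            if (all((p, q) in unrelated for p in b for q in b)
                    and all((p, q) in causal for p in a for q in b)):
                x_w.add((frozenset(a), frozenset(b)))
    # Step 5: Y_W keeps only the maximal pairs of X_W.
    y_w = {(a, b) for (a, b) in x_w
           if not any((a2, b2) != (a, b) and a <= a2 and b <= b2 for (a2, b2) in x_w)}
    # Steps 6-7: one place per maximal pair plus source i and sink o, and the arcs.
    places = {("p", a, b) for (a, b) in y_w} | {"i", "o"}
    flow = {(t, ("p", a, b)) for (a, b) in y_w for t in a}
    flow |= {(("p", a, b), t) for (a, b) in y_w for t in b}
    flow |= {("i", t) for t in t_in} | {(t, "o") for t in t_out}
    return places, tasks, flow          # step 8: alpha(W) = (P_W, T_W, F_W)
```

On this log the result is the AND-split/AND-join net of the slides: A feeds B and C in parallel, both join at D, and E→F runs as a separate path from i to o.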
Detecting Anomalous Process Executions
• Use the α-algorithm to discover the acceptable behavior
  – Log traces = audit trails
  – Cases = session ids
  – Complete log only has acceptable audit trails
• Verify the conformance of new audit trails by playing the “token game”
Detecting Anomalous Process Executions
Enter, Select Product, Add to Basket, Cancel Order
Detecting Anomalous Process Executions
Enter, Select Product, Add to Basket, Proceed to Checkout, Fill in Delivery Info, Fill in Payment Info, Process Order, Finish Checkout
Checking Process Conformance
• Verify if a pattern holds
Provide Password → Process Order
So…
Provide Password > Process Order and
NOT Process Order > Provide Password
Checking Process Conformance
Provide Password → Process Order
(!) The token game can be used to verify whether the pattern holds for every audit trail
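The token game from the anomaly-detection slides and the pattern test from the conformance slides, as an added example that is not part of the deck. The Petri net below is a constructed hand-written copy of the net the α-algorithm mines from the slides' A-F log (place names are this example's own), and the web-shop audit trails are constructed sample input.

```python
# Constructed Petri net for the slides' A-F example, i.e. the net the alpha-algorithm
# mines from the log ABCD / ACBD / EF: (places, transitions, arcs).
NET = (
    {"i", "pAB", "pAC", "pBD", "pCD", "pEF", "o"},
    {"A", "B", "C", "D", "E", "F"},
    {("i", "A"), ("A", "pAB"), ("A", "pAC"), ("pAB", "B"), ("pAC", "C"),
     ("B", "pBD"), ("C", "pCD"), ("pBD", "D"), ("pCD", "D"), ("D", "o"),
     ("i", "E"), ("E", "pEF"), ("pEF", "F"), ("F", "o")},
)

def replay(net, trace):
    """Token game: put one token in i, fire the audit trail task by task, and report
    (fits, reason). A trail fits only if every task is enabled when fired and the run
    ends with the single token in o; anything else is an anomalous execution."""
    places, tasks, flow = net
    marking = {p: 0 for p in places}
    marking["i"] = 1
    for step, t in enumerate(trace):
        if t not in tasks:
            return False, f"step {step}: unknown task {t!r}"
        inputs = [src for (src, dst) in flow if dst == t]
        if any(marking[p] == 0 for p in inputs):
            return False, f"step {step}: task {t!r} not enabled"
        for p in inputs:                       # consume one token per input place
            marking[p] -= 1
        for (src, dst) in flow:                # produce one token per output place
            if src == t:
                marking[dst] += 1
    if marking["o"] != 1 or sum(marking.values()) != 1:
        left = sorted(p for p in places if marking[p] and p != "o")
        return False, f"trail ends early, tokens left in {left}"
    return True, "fits"

# Constructed web-shop audit trails for the pattern check on the slides.
TRAILS = [
    ["Enter", "Select Product", "Provide Password", "Process Order"],
    ["Enter", "Select Product", "Add to Basket", "Cancel Order"],
]

def pattern_holds(trails, x, y):
    """The slides' test for the pattern x -> y: x > y occurs in some trail and y > x
    never occurs, where > is direct succession within a trail."""
    succ = {(t[i], t[i + 1]) for t in trails for i in range(len(t) - 1)}
    return (x, y) in succ and (y, x) not in succ
```

A trail such as ABD (D fired before C has run) or ABC (left unfinished) is reported with the step and the reason, which is what an operator needs when the session log deviates from the mined model.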
Conclusion
– Process mining can be used to
  • Detect anomalous behavior
  • Check process conformance
– Tools are available at our website www.processmining.org
Future Work
– Apply process mining to audit trails from a real-life case