Process Mining and Security: Detecting Anomalous Process Executions and Checking Process Conformance

Wil van der Aalst, Ana Karla A. de Medeiros

Eindhoven University of Technology, Faculty of Technology Management (faculteit technologie management), Department of Information and Technology

[email protected]

Slide transcript (17 slides), posted 21-Dec-2015


Outline

• Motivation

• Process Mining: α-algorithm

• Detecting Anomalous Process Executions

• Checking Process Conformance

• Conclusion and Future Work

Process Mining: Overview

(figure: an example order-handling process model with the tasks Start, Register order, Prepare shipment, Ship goods, (Re)send bill, Receive payment, Contact customer, Archive order and End; the six perspectives below are drawn around it)

1) basic performance metrics

2) process model

3) organizational model

4) social network

5) performance characteristics (rules of the form "If … then …")

6) auditing/security

Motivation

– Workflow Mining (What is the process?)

– Delta analysis (Are we doing what was specified?)

– Performance analysis (How can we improve?)

Motivation

How can we benefit from process mining to verify security issues in computer systems?

– Detect anomalous process executions

– Check process conformance

Process Mining – Process log

case 1 : task A
case 2 : task A
case 3 : task A
case 3 : task B
case 1 : task B
case 1 : task C
case 2 : task C
case 4 : task A
case 2 : task B
case 2 : task D
case 5 : task E
case 4 : task C
case 1 : task D
case 3 : task C
case 3 : task D
case 4 : task B
case 5 : task F
case 4 : task D

• Minimal information in a noise-free log: case id's and task id's

• Additional information: event type, time, resources, and data

• In this log there are three possible sequences: ABCD (cases 1 and 3), ACBD (cases 2 and 4) and EF (case 5)

Process Mining – Ordering Relations >, →, ||, #

• Direct succession: x > y iff for some case x is directly followed by y.

• Causality: x → y iff x > y and not y > x.

• Parallel: x || y iff x > y and y > x.

• Unrelated: x # y iff not x > y and not y > x.

For the log above (sequences ABCD, ACBD, EF):

Direct succession: A > B, A > C, B > C, B > D, C > B, C > D, E > F

Causality: A → B, A → C, B → D, C → D, E → F

Parallel: B || C, C || B

Process Mining – α-algorithm

Let $W$ be a workflow log over $T$. $\alpha(W)$ is defined as follows.

1. $T_W = \{ t \in T \mid \exists_{\sigma \in W}\ t \in \sigma \}$,

2. $T_I = \{ t \in T \mid \exists_{\sigma \in W}\ t = \mathit{first}(\sigma) \}$,

3. $T_O = \{ t \in T \mid \exists_{\sigma \in W}\ t = \mathit{last}(\sigma) \}$,

4. $X_W = \{ (A,B) \mid A \subseteq T_W \wedge B \subseteq T_W \wedge \forall_{a \in A} \forall_{b \in B}\ a \rightarrow_W b \wedge \forall_{a_1,a_2 \in A}\ a_1 \#_W a_2 \wedge \forall_{b_1,b_2 \in B}\ b_1 \#_W b_2 \}$,

5. $Y_W = \{ (A,B) \in X_W \mid \forall_{(A',B') \in X_W}\ (A \subseteq A' \wedge B \subseteq B') \Rightarrow (A,B) = (A',B') \}$,

6. $P_W = \{ p_{(A,B)} \mid (A,B) \in Y_W \} \cup \{ i_W, o_W \}$,

7. $F_W = \{ (a, p_{(A,B)}) \mid (A,B) \in Y_W \wedge a \in A \} \cup \{ (p_{(A,B)}, b) \mid (A,B) \in Y_W \wedge b \in B \} \cup \{ (i_W, t) \mid t \in T_I \} \cup \{ (t, o_W) \mid t \in T_O \}$, and

8. $\alpha(W) = (P_W, T_W, F_W)$.
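The definition above carried out in code, as an added example that is not the authors' ProM implementation: the event log is the one from the slides, entered by hand, and the function names traces, sequences, relations, alpha and place_names are this example's own. Step 4 is run over non-empty subsets only; that is an assumption (the definition as written also admits the empty set, which would only produce places without arcs).

```python
from itertools import combinations

# Constructed event log, the same one the slides use: (case id, task id) in the
# order the events were recorded. Only case ids and task ids are needed.
LOG = [(1, "A"), (2, "A"), (3, "A"), (3, "B"), (1, "B"), (1, "C"), (2, "C"),
       (4, "A"), (2, "B"), (2, "D"), (5, "E"), (4, "C"), (1, "D"), (3, "C"),
       (3, "D"), (4, "B"), (5, "F"), (4, "D")]


def traces(log):
    """Group events per case, keeping their log order: one trace per case."""
    cases = {}
    for case, task in log:
        cases.setdefault(case, []).append(task)
    return list(cases.values())


def sequences(trs):
    """Distinct task sequences in the log (the slides' ABCD, ACBD, EF)."""
    return sorted({"".join(tr) for tr in trs})


def relations(trs):
    """The ordering relations >, ->, ||, # over the tasks T_W of the log."""
    tasks = {t for tr in trs for t in tr}
    succ = {(tr[i], tr[i + 1]) for tr in trs for i in range(len(tr) - 1)}  # x > y
    causal = {(x, y) for (x, y) in succ if (y, x) not in succ}             # x -> y
    parallel = {(x, y) for (x, y) in succ if (y, x) in succ}               # x || y
    unrelated = {(x, y) for x in tasks for y in tasks
                 if (x, y) not in succ and (y, x) not in succ}             # x # y
    return tasks, succ, causal, parallel, unrelated


def alpha(trs):
    """Steps 1-8 of the alpha-algorithm. Returns (places, transitions, flow).

    Places are 'i', 'o' or ('p', A, B) with A and B frozensets of tasks.
    """
    tasks, succ, causal, parallel, unrelated = relations(trs)   # step 1: T_W
    t_i = {tr[0] for tr in trs}                                  # step 2: T_I
    t_o = {tr[-1] for tr in trs}                                 # step 3: T_O

    def pairwise_unrelated(s):
        # a1 # a2 for all a1, a2 in s, including a1 == a2 (no self loops)
        return all((a, b) in unrelated for a in s for b in s)

    # step 4: candidate pairs X_W over non-empty subsets (assumption, see lead-in)
    subsets = [frozenset(c) for r in range(1, len(tasks) + 1)
               for c in combinations(sorted(tasks), r)]
    x_w = {(A, B) for A in subsets if pairwise_unrelated(A)
           for B in subsets if pairwise_unrelated(B)
           and all((a, b) in causal for a in A for b in B)}
    # step 5: Y_W keeps only the maximal pairs
    y_w = {(A, B) for (A, B) in x_w
           if not any(A <= A2 and B <= B2 and (A, B) != (A2, B2)
                      for (A2, B2) in x_w)}
    # steps 6 and 7: places P_W and flow relation F_W
    places = {("p", A, B) for (A, B) in y_w} | {"i", "o"}
    flow = ({(a, ("p", A, B)) for (A, B) in y_w for a in A}
            | {(("p", A, B), b) for (A, B) in y_w for b in B}
            | {("i", t) for t in t_i} | {(t, "o") for t in t_o})
    return places, tasks, flow          # step 8: alpha(W) = (P_W, T_W, F_W)


def place_names(places):
    """Readable names such as p({A},{B}) for printing."""
    out = []
    for p in places:
        if isinstance(p, tuple):
            out.append("p({%s},{%s})" % (",".join(sorted(p[1])), ",".join(sorted(p[2]))))
        else:
            out.append(p)
    return sorted(out)


if __name__ == "__main__":
    trs = traces(LOG)
    print("sequences:", sequences(trs))
    tasks, succ, causal, parallel, unrelated = relations(trs)
    print("causality:", sorted(causal), "parallel:", sorted(parallel))
    places, transitions, flow = alpha(trs)
    print("places:", place_names(places))
    print("flow arcs:", len(flow))
```

For the slides' log this yields the five places p({A},{B}), p({A},{C}), p({B},{D}), p({C},{D}) and p({E},{F}) plus i and o, with 14 arcs: A splits into the parallel B and C, which synchronise at D, and E is followed by F. Note that B||C rules out a single place p({A},{B,C}) because B and C are not unrelated, which is exactly what turns the split into an AND-split rather than an XOR-split.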

Process Mining – α-algorithm

(figure: the Petri net α(W) mined from the log, with transitions A, B, C, D, E, F: A is followed by B and C in parallel, both of which are followed by D; E is followed by F)

Sequences: ABCD, ACBD, EF

Causality: A → B, A → C, B → D, C → D, E → F

Parallel: B || C, C || B

Process Mining – α-algorithm

• If the log is complete with respect to the relation >, the α-algorithm can mine any SWF-net without short loops

• Structured Workflow Nets (SWF-nets) have no implicit places, and the following two constructs cannot be used:

(figure: the two excluded constructs)

Detecting Anomalous Process Executions

• Use the α-algorithm to discover the acceptable behavior

– Log traces = audit trails

– Cases = session ids

– The complete log contains only acceptable audit trails

• Verify the conformance of new audit trails by playing the "token game"

Detecting Anomalous Process Executions

(figure: two example audit trails replayed on the discovered model)

Enter, Select Product, Add to Basket, Cancel Order

Enter, Select Product, Add to Basket, Proceed to Checkout, Fill in Delivery Info, Fill in Payment Info, Process Order, Finish Checkout

Checking Process Conformance

• Verify if a pattern holds

Pattern: Provide Password → Process Order

So:

Provide Password > Process Order and

NOT Process Order > Provide Password

(!) The token game can be used to verify whether the pattern holds for every audit trail
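Both checks of the two preceding sections, the token game for detecting anomalous audit trails and the Provide Password → Process Order pattern, as one added example that is not the authors' tool. The net SHOP_NET is the one the α-algorithm gives for the ABCD/ACBD/EF log, written out by hand with place names chosen for this example; the audit trails are constructed, and the functions replay, anomalies and pattern_holds are this example's names.

```python
from collections import Counter

# The net the alpha-algorithm gives for the slides' log (A, then B and C in
# parallel, then D; E then F), written out by hand for this example.
# Places are strings; "flow" lists the (input, output) arcs.
SHOP_NET = {
    "transitions": {"A", "B", "C", "D", "E", "F"},
    "start": "i",
    "end": "o",
    "flow": {("i", "A"), ("A", "p_AB"), ("A", "p_AC"), ("p_AB", "B"),
             ("p_AC", "C"), ("B", "p_BD"), ("C", "p_CD"), ("p_BD", "D"),
             ("p_CD", "D"), ("D", "o"),
             ("i", "E"), ("E", "p_EF"), ("p_EF", "F"), ("F", "o")},
}


def replay(net, trail):
    """Token game: fire the trail's events one by one on the net.

    Returns (ok, reason). A trail conforms only if every event is enabled when
    it occurs and exactly one token is left, in the end place, afterwards.
    """
    flow, transitions = net["flow"], net["transitions"]
    marking = Counter({net["start"]: 1})
    for step, t in enumerate(trail):
        if t not in transitions:
            return False, "step %d: unknown task %r" % (step, t)
        pre = [p for (p, x) in flow if x == t]
        missing = [p for p in pre if marking[p] < 1]
        if missing:
            return False, "step %d: %r not enabled, no token in %s" % (step, t, sorted(missing))
        for p in pre:                      # consume one token per input place
            marking[p] -= 1
        for (x, p) in flow:                # produce one token per output place
            if x == t:
                marking[p] += 1
    marking = +marking                     # drop places that reached zero
    if marking != Counter({net["end"]: 1}):
        return False, "end: tokens left in %s" % dict(marking)
    return True, "conforming"


def anomalies(net, trails):
    """The audit trails that cannot be replayed, with the step where they break."""
    return [(trail, reason) for trail in trails
            for ok, reason in [replay(net, trail)] if not ok]


def pattern_holds(trail, x, y):
    """Check the causal pattern x -> y on one audit trail, in the slides' terms:
    x > y must hold and y > x must not, on the trail projected onto {x, y}.
    Trails that never perform y are out of scope and count as conforming."""
    if y not in trail:
        return True
    proj = [e for e in trail if e in (x, y)]
    succ = set(zip(proj, proj[1:]))
    return (x, y) in succ and (y, x) not in succ


# Constructed audit trails (one per session id): the first three are
# acceptable, the rest are anomalous in different ways.
TRAILS = [
    ["A", "B", "C", "D"],
    ["A", "C", "B", "D"],
    ["E", "F"],
    ["A", "B", "D"],              # D fired before C: synchronisation skipped
    ["A", "C", "B", "D", "D"],    # D repeated
    ["A", "B", "C"],              # session never finished
    ["F", "E"],                   # F before E
    ["A", "B", "C", "D", "Z"],    # task not in the model
]

# Constructed trails for the password-before-order pattern.
PATTERN_TRAILS = [
    ["Enter", "Provide Password", "Select Product", "Process Order"],
    ["Enter", "Select Product", "Process Order"],            # no password at all
    ["Enter", "Process Order", "Provide Password"],          # password after the order
    ["Enter", "Select Product", "Cancel Order"],             # order never processed
]

if __name__ == "__main__":
    for trail, reason in anomalies(SHOP_NET, TRAILS):
        print("anomalous", trail, "->", reason)
    for trail in PATTERN_TRAILS:
        print(pattern_holds(trail, "Provide Password", "Process Order"), trail)
```

Replay reports where a trail breaks, not only that it does: a missing token names the place that was still empty, so an analyst sees which synchronisation or ordering the session skipped. The pattern check is kept per trail on purpose; evaluating x > y over the whole log would let one honest session mask another that processed an order without a password.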

Conclusion and Future Work

Conclusion

– Process mining can be used to

• Detect anomalous behavior

• Check process conformance

– Tools are available at our website www.processmining.org

Future Work

– Apply process mining to audit trails from real-life case studies

Questions?

www.processmining.org