Process Mining and Security: Detecting Anomalous Process Executions and Checking Process Conformance (slide transcript)
Posted 21-Dec-2015
/faculteit technologie management
Process Mining and Security: Detecting Anomalous Process Executions and Checking Process Conformance
Wil van der Aalst
Ana Karla A. de Medeiros
Eindhoven University of Technology
Department of Information and Technology
Outline
• Motivation
• Process Mining: α-algorithm
• Detecting Anomalous Process Execution
• Checking Process Conformance
• Conclusion and Future work
Process Mining: Overview
1) basic performance metrics
2) process model (figure nodes: Start, Register order, Prepare shipment, Ship goods, (Re)send bill, Receive payment, Contact customer, Archive order, End)
3) organizational model
4) social network
5) performance characteristics (If … then …)
6) auditing/security
Motivation
– Workflow Mining (What is the process?)
– Delta analysis (Are we doing what was specified?)
– Performance analysis (How can we improve?)
Motivation
How can we benefit from process mining to verify security issues in computer systems?
– Detect anomalous process execution
– Check process conformance
Process Mining – Process log
case 1 : task A
case 2 : task A
case 3 : task A
case 3 : task B
case 1 : task B
case 1 : task C
case 2 : task C
case 4 : task A
case 2 : task B
case 2 : task D
case 5 : task E
case 4 : task C
case 1 : task D
case 3 : task C
case 3 : task D
case 4 : task B
case 5 : task F
case 4 : task D
• Minimal information in a noise-free log: case ids and task ids
• Additional information: event type, time, resources, and data
• In this log there are three possible sequences: ABCD, ACBD, EF
Process Mining – Ordering Relations >, →, ||, #
• Direct succession: x>y iff for some case x is directly followed by y.
• Causality: x→y iff x>y and not y>x.
• Parallel: x||y iff x>y and y>x.
• Unrelated: x#y iff not x>y and not y>x.
case 1 : task A, case 2 : task A, case 3 : task A, case 3 : task B, case 1 : task B, case 1 : task C, case 2 : task C, case 4 : task A, case 2 : task B, …
Sequences: ABCD, ACBD, EF
Direct succession: A>B, A>C, B>C, B>D, C>B, C>D, E>F
Causality: A→B, A→C, B→D, C→D, E→F
Parallel: B||C, C||B
Process Mining – α-algorithm
Let W be a workflow log over T. α(W) is defined as follows.
1. $T_W = \{ t \in T \mid \exists_{\sigma \in W}\; t \in \sigma \}$,
2. $T_I = \{ t \in T \mid \exists_{\sigma \in W}\; t = \mathit{first}(\sigma) \}$,
3. $T_O = \{ t \in T \mid \exists_{\sigma \in W}\; t = \mathit{last}(\sigma) \}$,
4. $X_W = \{ (A,B) \mid A \subseteq T_W \wedge B \subseteq T_W \wedge \forall_{a \in A} \forall_{b \in B}\; a \rightarrow_W b \wedge \forall_{a_1,a_2 \in A}\; a_1 \#_W a_2 \wedge \forall_{b_1,b_2 \in B}\; b_1 \#_W b_2 \}$,
5. $Y_W = \{ (A,B) \in X_W \mid \forall_{(A',B') \in X_W}\; A \subseteq A' \wedge B \subseteq B' \Rightarrow (A,B) = (A',B') \}$,
6. $P_W = \{ p_{(A,B)} \mid (A,B) \in Y_W \} \cup \{ i_W, o_W \}$,
7. $F_W = \{ (a, p_{(A,B)}) \mid (A,B) \in Y_W \wedge a \in A \} \cup \{ (p_{(A,B)}, b) \mid (A,B) \in Y_W \wedge b \in B \} \cup \{ (i_W, t) \mid t \in T_I \} \cup \{ (t, o_W) \mid t \in T_O \}$, and
8. $\alpha(W) = (P_W, T_W, F_W)$.
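The ordering relations of the previous slide and the eight steps above, carried out on the slide log {ABCD, ACBD, EF}. This is an added example written for this transcript, not code from the authors or from the ProM tools; the log is constructed from the traces shown, the place naming p(A,B) and the iW/oW labels are assumptions for readability, and the subset enumeration in step 4 is brute force, which is fine for six tasks but not for large logs.

```python
from itertools import combinations

# Constructed example log: the three traces shown on the slides, W = {ABCD, ACBD, EF}.
LOG = [
    ["A", "B", "C", "D"],
    ["A", "C", "B", "D"],
    ["E", "F"],
]


def ordering_relations(log):
    """Compute the four log-based ordering relations of the slides.

    Returns (tasks, succ, causal, parallel, unrelated); each relation is a set
    of (x, y) pairs meaning x>y, x->y, x||y and x#y respectively.
    """
    tasks = sorted({t for trace in log for t in trace})
    succ = {(x, y) for trace in log for x, y in zip(trace, trace[1:])}
    causal = {(x, y) for (x, y) in succ if (y, x) not in succ}
    parallel = {(x, y) for (x, y) in succ if (y, x) in succ}
    unrelated = {(x, y) for x in tasks for y in tasks
                 if (x, y) not in succ and (y, x) not in succ}
    return tasks, succ, causal, parallel, unrelated


def alpha(log):
    """Steps 1-8 of the alpha-algorithm; returns the mined Petri net.

    The net is a dict with 'places', 'transitions' and 'arcs'. Places derived
    from a pair (A, B) are named p(A,B); iW and oW are the source and sink.
    """
    tasks, succ, causal, parallel, unrelated = ordering_relations(log)
    t_w = set(tasks)                                   # step 1
    t_i = {trace[0] for trace in log}                  # step 2
    t_o = {trace[-1] for trace in log}                 # step 3

    # Candidate sets: non-empty subsets whose members are pairwise # (including a#a).
    indep = [frozenset(s)
             for k in range(1, len(tasks) + 1)
             for s in combinations(tasks, k)
             if all((a, b) in unrelated for a in s for b in s)]
    x_w = {(A, B) for A in indep for B in indep        # step 4
           if all((a, b) in causal for a in A for b in B)}
    y_w = {(A, B) for (A, B) in x_w                    # step 5: keep only maximal pairs
           if not any((A2, B2) != (A, B) and A <= A2 and B <= B2
                      for (A2, B2) in x_w)}

    def pname(A, B):
        return "p(%s,%s)" % ("".join(sorted(A)), "".join(sorted(B)))

    places = {pname(A, B) for (A, B) in y_w} | {"iW", "oW"}   # step 6
    arcs = set()                                                # step 7
    for (A, B) in y_w:
        arcs |= {(a, pname(A, B)) for a in A}
        arcs |= {(pname(A, B), b) for b in B}
    arcs |= {("iW", t) for t in t_i} | {(t, "oW") for t in t_o}
    return {"places": places, "transitions": t_w, "arcs": arcs}   # step 8


if __name__ == "__main__":
    net = alpha(LOG)
    for arc in sorted(net["arcs"]):
        print("%s -> %s" % arc)
```

For this log the result has seven places (iW, oW and one place per causal pair) and fourteen arcs, which is exactly the net drawn on the next slide: A splits into the parallel branch B||C, both branches join in D, and E→F forms the alternative path from iW to oW.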
Process Mining – α-algorithm (example)
[figure: Petri net mined from the log, with transitions A, B, C, D, E, F]
Sequences: ABCD, ACBD, EF
Causality: A→B, A→C, B→D, C→D, E→F
Parallel: B||C, C||B
Process Mining – α-algorithm
• If the log is complete with respect to relation >, it can be used to mine an SWF-net without short loops
• Structured Workflow Nets (SWF-nets) have no implicit places, and the following two constructs cannot be used:
Detecting Anomalous Process Executions
• Use the α-algorithm to discover the acceptable behavior
– Log traces = audit trails
– Cases = session ids
– Complete log only has acceptable audit trails
• Verify the conformance of new audit trails by playing the “token game”
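The token game from the second bullet, replayed over new audit trails. This is an added example for this transcript, not code from the slides or the ProM toolkit. The net is the one the α-algorithm yields for the slide log {ABCD, ACBD, EF}, hand-written here as a transition table; the place names and the six audit trails are constructed. A trail is accepted only if every task was enabled when it fired and the run ends with a single token in the sink, so skipped steps, repeated steps, unfinished sessions and tasks fired after completion are all reported.

```python
# Constructed input: the Petri net the alpha-algorithm mines from the slide log
# {ABCD, ACBD, EF}, as transition -> (input places, output places).
NET = {
    "A": (["iW"], ["p(A,B)", "p(A,C)"]),
    "B": (["p(A,B)"], ["p(B,D)"]),
    "C": (["p(A,C)"], ["p(C,D)"]),
    "D": (["p(B,D)", "p(C,D)"], ["oW"]),
    "E": (["iW"], ["p(E,F)"]),
    "F": (["p(E,F)"], ["oW"]),
}


def replay(net, trail, source="iW", sink="oW"):
    """Play the token game for one audit trail.

    Starts with one token in the source place, fires the trail's tasks in
    order, and accepts only if every task was enabled when it occurred and the
    run ends with exactly one token, in the sink place. Returns (fits, reason).
    """
    marking = {source: 1}
    for step, task in enumerate(trail):
        if task not in net:
            return False, "step %d: task %r is not in the model" % (step, task)
        inputs, outputs = net[task]
        missing = [p for p in inputs if marking.get(p, 0) == 0]
        if missing:
            return False, "step %d: %r not enabled, no token in %s" % (step, task, missing)
        for p in inputs:           # consume one token from every input place
            marking[p] -= 1
        for p in outputs:          # produce one token in every output place
            marking[p] = marking.get(p, 0) + 1
    leftover = sorted(p for p, n in marking.items() if n and p != sink)
    if marking.get(sink, 0) != 1 or leftover:
        return False, "trail ended early or left tokens in %s" % leftover
    return True, "fits the model"


def find_anomalies(net, trails):
    """Return (trail, reason) for every audit trail that does not fit the model."""
    return [(trail, reason) for trail in trails
            for fits, reason in [replay(net, trail)] if not fits]


# Constructed audit trails (one per session id).
TRAILS = [
    ["A", "B", "C", "D"],        # acceptable
    ["A", "C", "B", "D"],        # acceptable: B and C are parallel
    ["A", "B", "D"],             # C skipped, so D is not enabled
    ["A", "B", "C"],             # session never reached the end state
    ["E", "F", "B"],             # B fired after the case completed
    ["A", "B", "C", "D", "D"],   # D fired twice
]

if __name__ == "__main__":
    for trail, reason in find_anomalies(NET, TRAILS):
        print("".join(trail), "->", reason)
```

The end-state check matters in practice: a trail that stops after ABC is enabled at every step, so a replay that only checks firing would accept it, even though the session never completed.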
Detecting Anomalous Process Executions
Enter, Select Product, Add to Basket, Cancel Order
Detecting Anomalous Process Executions
Enter, Select Product, Add to Basket, Proceed to Checkout, Fill in Delivery Info, Fill in Payment Info, Process Order, Finish Checkout
Checking Process Conformance
• Verify if a pattern holds
Provide Password → Process Order
So…
Provide Password > Process Order and
NOT Process Order > Provide Password
Provide Password → Process Order
Checking Process Conformance
(!) Token game can be used to verify if the pattern holds for every audit trail
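The pattern check of the last two slides, as an added example that is not part of the original slides. The first function is the log-level test stated on the slide (Provide Password > Process Order and NOT Process Order > Provide Password). The second is my per-trail reading of "the pattern holds for every audit trail", using direct succession strictly: every Process Order must be immediately preceded by Provide Password, and Provide Password must never immediately follow Process Order. The web-shop trails are constructed from the task names on the slides.

```python
def direct_succession(trails):
    """The > relation of the slides: x>y iff x is directly followed by y in some trail."""
    return {(x, y) for trail in trails for x, y in zip(trail, trail[1:])}


def pattern_holds_in_log(trails, before, after):
    """Log-level check from the slide: before > after and NOT after > before."""
    succ = direct_succession(trails)
    return (before, after) in succ and (after, before) not in succ


def trails_violating(trails, before, after):
    """Per-trail check (assumed strict reading): every occurrence of `after`
    must be directly preceded by `before`, and `before` must never directly
    follow `after`. Returns (trail index, reason) for each violating trail."""
    violations = []
    for i, trail in enumerate(trails):
        for pos, task in enumerate(trail):
            if task == after and (pos == 0 or trail[pos - 1] != before):
                violations.append((i, "%r at step %d not preceded by %r" % (after, pos, before)))
                break
            if task == before and pos > 0 and trail[pos - 1] == after:
                violations.append((i, "%r follows %r at step %d" % (before, after, pos)))
                break
    return violations


# Constructed web-shop audit trails, one per session id.
TRAILS = [
    ["Enter", "Select Product", "Add to Basket", "Proceed to Checkout",
     "Provide Password", "Process Order", "Finish Checkout"],          # conforms
    ["Enter", "Select Product", "Add to Basket", "Cancel Order"],       # no order, conforms
    ["Enter", "Select Product", "Add to Basket", "Proceed to Checkout",
     "Process Order", "Finish Checkout"],                               # password never provided
    ["Enter", "Select Product", "Add to Basket", "Proceed to Checkout",
     "Process Order", "Provide Password", "Finish Checkout"],           # password after the order
]

if __name__ == "__main__":
    print("log-level pattern holds:",
          pattern_holds_in_log(TRAILS, "Provide Password", "Process Order"))
    for i, reason in trails_violating(TRAILS, "Provide Password", "Process Order"):
        print("session %d: %s" % (i, reason))
```

The two checks answer different questions: the log-level test only says whether the relation exists somewhere in the log (a single bad session flips it), while the per-trail test tells you which sessions broke the pattern, which is what an auditor actually needs to follow up on.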
Conclusion and Future Work
Conclusion
– Process mining can be used to
• Detect anomalous behavior
• Check process conformance
– Tools are available at our website www.processmining.org
Future Work
– Apply process mining to audit trails from real-life case studies