Skip to main content
SpringerLink
Log in
Book cover

OTM Confederated International Conferences "On the Move to Meaningful Internet Systems"

OTM 2018: On the Move to Meaningful Internet Systems. OTM 2018 Conferences pp 173–190Cite as

Combining Model- and Example-Driven Classification to Detect Security Breaches in Activity-Unaware Logs

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 11230))

Abstract

Current approaches to the security-oriented classification of process log traces can be split into two categories: (i) example-driven methods, that induce a classifier from annotated example traces; (ii) model-driven methods, based on checking the conformance of each test trace to security-breach models defined by experts. These categories are orthogonal and use separate information sources (i.e. annotated traces and a-priori breach models). However, as these sources often coexist in real applications, both kinds of methods could be exploited synergistically. Unfortunately, when the log traces consist of (low-level) events with no reference to the activities of the breach models, combining (i) and (ii) is not straightforward. In this setting, to complement the partial views of insecure process-execution patterns that an example-driven and a model-driven methods capture separately, we devise an abstract classification framework where the predictions provided by these methods separately are combined, according to a meta-classification scheme, into an overall one that benefits from all the background information available. The reasonability of this solution is backed by experiments performed on a case study, showing that the accuracy of the example-driven (resp., model-driven) classifier decreases appreciably when the given example data (resp., breach models) do not describe exhaustively insecure process behaviors.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    Superscripts E and M stand for event and model. The reason for using the superscript E for the data-driven classifier is that it performs the classification by looking at the low-level events reported in the traces.

References

  1. van der Aalst, W.M.P., Pesic, M., Schonenberg, H.: Declarative workflows: balancing between flexibility and support. Comput. Sci. - R&D 23(2), 99–113 (2009)

    Google Scholar 

  2. van der Aa, H., Leopold, H., Reijers, H.A.: Checking process compliance on the basis of uncertain event-to-activity mappings. In: Dubois, E., Pohl, K. (eds.) CAiSE 2017. LNCS, vol. 10253, pp. 79–93. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59536-8_6

    Chapter  Google Scholar 

  3. Accorsi, R., Stocker, T.: On the exploitation of process mining for security audits: the conformance checking case. In: ACM SAC 2012, pp. 1709–1716 (2012)

    Google Scholar 

  4. Baier, T., Mendling, J., Weske, M.: Bridging abstraction layers in process mining. Inf. Syst. 46, 123–139 (2014)

    Article  Google Scholar 

  5. Bennett, P.N., Dumais, S.T., Horvitz, E.: Probabilistic combination of text classifiers using reliability indicators: models and results. In: ACM SIGIR 2002, pp. 207–214 (2002)

    Google Scholar 

  6. Bose, R., van der Aalst, W.: Discovering signature patterns from event logs. In: CIDM 2013, pp. 111–118 (2013)

    Google Scholar 

  7. Jagadeesh Chandra Bose, R.P., van der Aalst, W.M.P.: Abstractions in process mining: a taxonomy of patterns. In: Dayal, U., Eder, J., Koehler, J., Reijers, H.A. (eds.) BPM 2009. LNCS, vol. 5701, pp. 159–175. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03848-8_12

    Chapter  Google Scholar 

  8. Cuzzocrea, A., et al.: A robust and versatile multi-view learning framework for the detection of deviant business process instances. Int. J. Coop. Inf. Syst. 25(04), 1–56 (2016)

    Article  Google Scholar 

  9. Cuzzocrea, A., Folino, F., Guarascio, M., Pontieri, L.: A multi-view multi-dimensional ensemble learning approach to mining business process deviances. In: 2016 International Joint Conference on Neural Networks (IJCNN), pp. 3809–3816. IEEE (2016)

    Google Scholar 

  10. Fazzinga, B.: Online and offline classification of traces of event logs on the basis of security risks. J. Intell. Inf. Syst. 50(1), 195–230 (2018)

    Article  Google Scholar 

  11. Fazzinga, B., Flesca, S., Furfaro, F., Pontieri, L.: Classifying traces of event logs on the basis of security risks. In: Ceci, M., Loglisci, C., Manco, G., Masciari, E., Ras, Z.W. (eds.) NFMCP 2015. LNCS (LNAI), vol. 9607, pp. 108–124. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39315-5_8

    Chapter  Google Scholar 

  12. Kubat, M., Holte, R., Matwin, S.: Learning when negative examples abound. In: van Someren, M., Widmer, G. (eds.) ECML 1997. LNCS, vol. 1224, pp. 146–153. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-62858-4_79

    Chapter  Google Scholar 

  13. Leontjeva, A., Conforti, R., Di Francescomarino, C., Dumas, M., Maggi, F.M.: Complex symbolic sequence encodings for predictive monitoring of business processes. In: Motahari-Nezhad, H.R., Recker, J., Weidlich, M. (eds.) BPM 2015. LNCS, vol. 9253, pp. 297–313. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-23063-4_21

    Chapter  Google Scholar 

  14. Lo, D., Cheng, H., Han, J., Khoo, S.C., Sun, C.: Classification of software behaviors for failure detection: a discriminative pattern mining approach. In: Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. pp. 557–566. ACM (2009)

    Google Scholar 

  15. Nguyen, H., Dumas, M., La Rosa, M., Maggi, F.M., Suriadi, S.: Mining business process deviance: a quest for accuracy. In: Meersman, R., et al. (eds.) OTM 2014. LNCS, vol. 8841, pp. 436–445. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45563-0_25

    Chapter  Google Scholar 

  16. Sauer, T., Minor, M., Bergmann, R.: Inverse workflows for supporting agile business process management. In: Wissensmanagement, pp. 204–213 (2011)

    Google Scholar 

  17. Witten, I.H., et al.: Data Mining: Practical Machine Learning Tools and Techniques. Morgan Kaufmann, Burlington (2016)

    MATH  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. ICAR-CNR, Rende, Italy

    Bettina Fazzinga, Francesco Folino & Luigi Pontieri

  2. DIMES, University of Calabria, Rende, Italy

    Filippo Furfaro

Authors
  1. Bettina Fazzinga
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Francesco Folino
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Filippo Furfaro
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Luigi Pontieri
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Luigi Pontieri .

Editor information

Editors and Affiliations

  1. CNRS, University of Lorraine, Vandoeuvre-les-Nancy, France

    Hervé Panetto

  2. Trinity College Dublin, Dublin, Ireland

    Christophe Debruyne

  3. Luxembourg Institute of Science and Technology, Esch-sur-Alzette, Luxembourg

    Henderik A. Proper

  4. Università degli Studi di Milano, Crema, Italy

    Claudio Agostino Ardagna

  5. SINTEF and University of Oslo, Oslo, Norway

    Dumitru Roman

  6. TU Graz, Graz, Austria

    Robert Meersman

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Fazzinga, B., Folino, F., Furfaro, F., Pontieri, L. (2018). Combining Model- and Example-Driven Classification to Detect Security Breaches in Activity-Unaware Logs. In: Panetto, H., Debruyne, C., Proper, H., Ardagna, C., Roman, D., Meersman, R. (eds) On the Move to Meaningful Internet Systems. OTM 2018 Conferences. OTM 2018. Lecture Notes in Computer Science(), vol 11230. Springer, Cham. https://doi.org/10.1007/978-3-030-02671-4_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-02671-4_10

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-02670-7

  • Online ISBN: 978-3-030-02671-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation