
Online and offline classification of traces of event logs on the basis of security risks

Published in: Journal of Intelligent Information Systems

Abstract

The problem of classifying business log traces is addressed in the context of security risk analysis. We consider the challenging setting where the actions performed in a process instance are described in the log as executions of low-level operations (such as “Pose a query over a DB” or “Upload a file into an ftp server”), while analysts and business users describe and understand the process steps as instances of high-level activities (such as “Update the customer’s personal data” or “Share a project draft with the coworkers”). Given this, we aim at classifying each trace as the result of a process execution within which a security breach has occurred or not, by taking into account some (possibly incomplete) knowledge of the process structures and of the patterns representing insecure behaviors. What makes the problem challenging is that, when no workflow regulating the process executions is defined, this knowledge is typically owned by experts who reason in terms of process activities, so it is encoded by behavioral rules at the higher abstraction level. Classifying therefore requires the traces to be interpreted and brought to this higher abstraction level, and often this cannot be done deterministically, since the mapping between operations and activities is many-to-many. In our framework, the operation/activity mapping is encoded probabilistically, and the behavioral rules are expressed in terms of precedence/causality constraints over the activities, grouped into mandatory, highly recommended, and recommended requirements. The classification task is addressed both when process executions are ongoing and when they have terminated (i.e. in the online and offline scenarios, respectively), and its core is a Monte Carlo generation that produces a sample of interpretations whose conformance to the security breach models is used to estimate the security risks.
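As an added illustration (not code from the paper), the following Python sketch shows the shape of the approach the abstract describes: a many-to-many operation/activity mapping sampled by Monte Carlo, process knowledge as precedence constraints at three requirement levels, and the breach risk estimated as the share of plausible interpretations matching an insecure pattern, with an Agresti-Coull interval (the binomial interval the paper cites). The operation names, activity names, probabilities, rules, and per-level penalty weights are all constructed assumptions.

```python
import math
import random
# Constructed example data (not from the paper): many-to-many mapping P(activity | operation).
OP_TO_ACT = {
    "query_db": {"UpdateCustomerData": 0.7, "ReadCustomerData": 0.3},
    "upload_ftp": {"ShareDraft": 0.6, "PublishCustomerData": 0.4},
    "send_mail": {"ShareDraft": 0.5, "NotifyCustomer": 0.5},
}
# Precedence constraints (a, b): every b must be preceded by some a, grouped into the paper's
# three requirement levels; the per-level penalty weights are an assumption, not the paper's.
PROCESS_RULES = {"must": [("UpdateCustomerData", "NotifyCustomer")],
                 "should": [("ReadCustomerData", "ShareDraft")], "may": []}
LEVEL_WEIGHT = {"must": 0.0, "should": 0.5, "may": 0.8}
BREACH_PATTERN = ["UpdateCustomerData", "PublishCustomerData"]  # insecure behaviour as an ordered pattern

def violates(acts, a, b):  # True if some b occurs with no earlier a
    seen_a = False
    for x in acts:
        seen_a = seen_a or x == a
        if x == b and not seen_a:
            return True
    return False

def is_subsequence(pattern, acts):
    it = iter(acts)
    return all(any(x == p for x in it) for p in pattern)

def sample_interpretation(trace, rng):  # one random high-level reading of the trace
    return [rng.choices(list(OP_TO_ACT[op]), weights=list(OP_TO_ACT[op].values()))[0]
            for op in trace]

def plausibility(acts):  # product of level weights over violated rules; 0 if a must-rule fails
    return math.prod(LEVEL_WEIGHT[lvl] for lvl, rules in PROCESS_RULES.items()
                     for a, b in rules if violates(acts, a, b))

def estimate_risk(trace, n_samples=2000, seed=0, z=1.96):
    """Monte Carlo estimate of P(breach | trace) with an Agresti-Coull confidence interval."""
    rng = random.Random(seed)
    total = hits = 0.0
    for _ in range(n_samples):
        acts = sample_interpretation(trace, rng)
        w = plausibility(acts)
        total += w
        hits += w * is_subsequence(BREACH_PATTERN, acts)
    if total == 0:
        return None  # every sampled interpretation broke a mandatory rule
    n_t = total + z * z
    p_t = (hits + z * z / 2) / n_t
    half = z * math.sqrt(p_t * (1 - p_t) / n_t)
    return hits / total, max(0.0, p_t - half), min(1.0, p_t + half)
```

For the trace `["query_db", "upload_ftp"]` the exact weighted breach probability under these assumptions is 0.28 / 0.79 ≈ 0.35, which the sampled estimate approaches as `n_samples` grows.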



Notes

  1. The logs of unstructured work environments may, indeed, gather traces generated by different business processes, or by different variants of a single, typically rather general and flexible, business process.

  2. Clearly, these composition rules tend to produce more liberal (i.e., less precise/irredundant) specifications of behavior than traditional workflow-modeling languages. The choice of using these rules to describe the business processes reflects the fact that, in our setting, only partial knowledge is assumed to be available on the actual behavior of these processes: each process model is just meant here to represent the behavioral properties that are known to be satisfied, with some degree of confidence, by the instances of the process.

  3. The specification of composition rules for a business process can also leverage available background knowledge, e.g., in the form of documents describing the AS-IS or TO-BE behavior of the process, general guidelines, and industry-specific reference models.

  4. The choice of three levels is inspired by the common way of assigning importance to the requirements in specifications, where the three levels must, should, and may are usually used.

  5. In the actual implementation of the algorithm, the descriptors in S.I S are selected in line 2 based on the length of their associated interpretations, preferring longer interpretations to shorter ones (which would actually require a higher number of steps than the former to be randomly generated, in order to obtain a valid interpretation for the entire trace Φ): the longer the interpretation, the sooner the respective descriptor is chosen.

  6. Notice that in the second part of the algorithm (lines 29 to 49), the function is always called with both ignoreH and ignoreR set to false, and init = 1 (no interpretation steps have been checked in the past).

  7. For example, in the case of project-oriented “engineering” processes performed with Document/Product Management systems (like the typical Software Configuration Management tools used in software projects), the only kind of log data available for these processes is the sequence of modifications (e.g., creation, commit, elimination) made to a project’s documents/artifacts (Rubin et al. 2007b), with no clear mapping between each of these elementary actions and well-established process activities. Similar considerations hold for the logs of database-centric applications (such as, e.g., those stored by most ERP tools) that constitute the backbone of many real business processes (De Murillas et al. 2016).

References

  • Accorsi, R., & Stocker, T. (2012). On the exploitation of process mining for security audits: the conformance checking case. In Proceedings of ACM SAC, (pp. 1709–1716). ACM.

  • Accorsi, R., Stocker, T., & Müller, G. (2013). On the exploitation of process mining for security audits: the process discovery case. In Proceedings of ACM SAC, (pp. 1462–1468). ACM.

  • Agresti, A., & Coull, B.A. (1998). Approximate is better than “exact” for interval estimation of binomial proportions. The American Statistician, 52(2), 119–126.

  • Alur, R., & Henzinger, T.A. (1990). Real-time logics: complexity and expressiveness. In 5th IEEE symposium on logic in computer science (LICS) (pp. 390–401).

  • Appice, A., & Malerba, D. (2015). A co-training strategy for multiple view clustering in process mining. IEEE Transactions on Services Computing, PP(99).

  • Baier, T., Mendling, J., & Weske, M. (2014a). Bridging abstraction layers in process mining. Information Systems, 46, 123–139.

  • Baier, T., Rogge-Solti, A., Weske, M., & Mendling, J. (2014b). Matching of events and activities - an approach based on constraint satisfaction. In The practice of enterprise modeling, lecture notes in business information processing, (Vol. 197, pp. 58–72).

  • Basin, D., Harvan, M., Klaedtke, F., & Zălinescu, E. (2011). Monpoly: monitoring usage-control policies. In International conference on runtime verification, (pp. 360–364).

  • Bose, R., & van der Aalst, W.M. (2013). Discovering signature patterns from event logs. In Symposium on computational intelligence and data mining (CIDM), (pp. 111–118).

  • Clarke, E.M., Grumberg, O., & Peled, D. (1999). Model checking. MIT Press.

  • Cybenko, G., & Berk, V.H. (2007). Process query systems. IEEE Computer, 40(1), 62–70.

  • Di Ciccio, C., & Mecella, M. (2013). Mining artful processes from knowledge workers’ emails. IEEE Internet Computing, 17(5), 10–20.

  • Diamantini, C., Genga, L., & Potena, D. (2016). Behavioral process mining for unstructured processes. Journal of Intelligent Information Systems, 1–28.

  • De Gramatica, M., Labunets, K., Massacci, F., Paci, F., & Tedeschi, A. (2015). The role of catalogues of threats and security controls in security risk assessment: an empirical study with atm professionals. In Proceedings of the 21st international working conference on requirements engineering: foundation for software quality (REFSQ ’15), (pp. 98–114).

  • De Murillas, E.G.L., Reijers, H.A., & Van der Aalst, W.M. (2016). Connecting databases with process mining: a meta model and toolset. In International workshop on business process modeling, development and support (pp. 231–249).

  • Fazzinga, B., Flesca, S., Furfaro, F., Masciari, E., & Pontieri, L. (2015). A probabilistic unified framework for event abstraction and process detection from log data. In On the move to meaningful internet systems: OTM 2015 conferences - confederated international conferences: CoopIS, ODBASE, and C&TC 2015, Rhodes, Greece, October 26-30, 2015, Proceedings, (pp. 320–328).

  • Fazzinga, B., Flesca, S., Furfaro, F., & Pontieri, L. (2016). Classifying traces of event logs on the basis of security risks. In New frontiers in mining complex patterns: 4th intl workshop, NFMCP 2015, Held in conjunction with ECML-PKDD 2015, Porto, Portugal, September 7, 2015, revised selected papers (pp. 108–124), Springer International Publishing.

  • Ferilli, S., & Esposito, F. (2013). A logic framework for incremental learning of process models. Fundamenta Informaticae, 128(4), 413–443.

  • Folino, F., Guarascio, M., & Pontieri, L. (2014). Mining predictive process models out of low-level multidimensional logs. In International conference on advanced information systems engineering, (pp. 533–547).

  • Greco, G., Guzzo, A., Lupia, F., & Pontieri, L. (2015). Process discovery under precedence constraints. ACM Transactions on Knowledge Discovery from Data, 9(4), 32:1–32:39.

  • Jans, M., van der Werf, J.M.E.M., Lybaert, N., & Vanhoof, K. (2011). A business process mining application for internal transaction fraud mitigation. Expert Systems with Applications, 38(10).

  • Knuplesch, D., Reichert, M., Ly, L.T., Kumar, A., & Rinderle-Ma, S. (2013). Visual modeling of business process compliance rules with the support of multiple perspectives. In International conference on conceptual modeling, (pp. 106–120).

  • Lippmann, R.P., & Ingols, K.W. (2005). An annotated review of past papers on attack graphs. Technical report, DTIC Document.

  • Ly, L.T., Maggi, F.M., Montali, M., Rinderle-Ma, S., & van der Aalst, W.M. (2015). Compliance monitoring in business processes: functionalities, application, and tool-support. Information Systems, 54, 209–234.

  • Ly, L.T., Rinderle-Ma, S., Knuplesch, D., & Dadam, P. (2011). Monitoring business process compliance using compliance rule graphs. In OTM confederated international conferences on the move to meaningful internet systems, (pp. 82–99).

  • Montali, M., Chesani, F., Mello, P., & Maggi, F.M. (2013). Towards data-aware constraints in Declare. In Proceedings of the 28th annual ACM symposium on applied computing, (pp. 1391–1396).

  • Montali, M., Maggi, F.M., Chesani, F., Mello, P., & van der Aalst, W.M. (2013). Monitoring business constraints with the event calculus. ACM Transactions on Intelligent Systems and Technology (TIST), 5(1), 17.

  • Namiri, K., & Stojanovic, N. (2007). Pattern-based design and validation of business process compliance. In OTM confederated international conference, (pp. 59–76).

  • Rozinat, A., & van der Aalst, W.M. (2008). Conformance checking of processes based on monitoring real behavior. Information Systems, 33(1), 64–95.

  • Rubin, V., Günther, C. W., Van Der Aalst, W.M., Kindler, E., Van Dongen, B.F., & Schäfer, W. (2007). Process mining framework for software processes. In International conference on software process, (pp. 169–181).

  • Sauer, T., Minor, M., & Bergmann, R. (2011). Inverse workflows for supporting agile business process management. In Wissensmanagement, (pp. 204–213).

  • Sindre, G. (2007). Mal-activity diagrams for capturing attacks on business processes. In International working conference on requirements engineering: foundation for software quality, pp. 355–366.

  • Suriadi, S., Weiß, B., Winkelmann, A., Ter Hofstede, A.H., Adams, M., Conforti, R., Fidge, C., La Rosa, M., Ouyang, C., Rosemann, M., et al. (2014). Current research in risk-aware business process management: overview, comparison, and gap analysis. CAIS, 34(1), 933–984.

  • Turetken, O., Elgammal, A., van den Heuvel, W.J., & Papazoglou, M.P. (2012). Capturing compliance requirements: a pattern-based approach. IEEE Software, 29(3), 28–36.

  • Van der Aalst, W. (2016). Process mining: data science in action. Springer.

  • Van der Aalst, W., Weijters, T., & Maruster, L. (2004). Workflow mining: discovering process models from event logs. IEEE TKDE, 16(9), 1128–1142.

  • Van der Aalst, W.M., De Beer, H., & Van Dongen, B.F. (2005). Process mining and verification of properties: an approach based on temporal logic. Springer.

  • Van der Aalst, W.M.P. (2011). Process mining: discovery, conformance and enhancement of business processes. Springer Publishing Company, Incorporated.

  • Van der Aalst, W.M.P., Pesic, M., & Schonenberg, H. (2009). Declarative workflows: balancing between flexibility and support. Computer Science - R&D, 23(2), 99–113.

  • Weidlich, M., Ziekow, H., Mendling, J., Günther, O., Weske, M., & Desai, N. (2011). Event-based monitoring of process execution violations. In International conference on business process management, (pp. 182–198). Springer.

  • Werner-Stark, G., & Dulai, T. (2012). Agent-based analysis and detection of functional faults of vehicle industry processes: a process mining approach. In Agent and multi-agent systems. Technologies and applications, (Vol. 7327, pp. 424–433). Springer Berlin Heidelberg.

  • Westergaard, M., & Maggi, F.M. (2012). Looking into the future. In OTM confederated international conference, (pp. 250–267).

Author information

Corresponding author

Correspondence to Filippo Furfaro.

Additional information

A preliminary version of this paper appeared in Fazzinga et al. (2016).

Cite this article

Fazzinga, B., Flesca, S., Furfaro, F. et al. Online and offline classification of traces of event logs on the basis of security risks. J Intell Inf Syst 50, 195–230 (2018). https://doi.org/10.1007/s10844-017-0450-y
