Elsevier

Computers & Security

Volume 73, March 2018, Pages 172-193

Linking data and process perspectives for conformance analysis

https://doi.org/10.1016/j.cose.2017.10.010

Abstract

The detection of data breaches has become a major challenge for most organizations. The problem lies in the fact that organizations often lack proper mechanisms to control and monitor users' activities and their data usage. Although several auditing approaches have been proposed to assess the compliance of actual executed behavior, existing approaches focus on either checking data accesses against security policies (data perspective) or checking user activities against the activities needed to conduct business processes (process perspective). Analyzing user behavior from these perspectives independently may not be sufficient to expose security incidents. In particular, security incidents may remain undetected or diagnosed incorrectly. This paper proposes a novel auditing approach that reconciles the data and process perspectives, thus enabling the identification of a large range of deviations. In particular, we analyze and classify deviations with respect to the intended purpose of data and the context in which data are used, and provide a novel algorithm to identify non-conforming user behavior. The approach has been implemented in the open source framework ProM and was evaluated through both controlled experiments and a case study using real-life event data. The results show that the approach is able to accurately identify deviations in both data usage and control-flow, while providing the purpose and context of the identified deviations.

Introduction

Large amounts of sensitive data (e.g., customer personal data, corporate secrets) are often collected and stored by organizations to carry out their businesses. Data are a valuable asset for organizations and, thus, need to be protected from unauthorized access and illegitimate usage. Organizations often use process models and security policies to describe the normative behavior of their IT systems and legitimate usages of data. However, in practice, organizations may allow users to deviate from the prescribed behavior in order to efficiently deal with unanticipated circumstances. For example, IT systems of hospitals often employ the “break-the-glass” functionality to deal with emergency situations. However, such a functionality can be abused, increasing the risks of harmful data breaches. Moreover, a user may exploit his/her credentials to access sensitive information for personal or financial gain.

Data breaches can have severe financial and legal consequences as well as decrease a company's competitive advantages over other companies. For instance, according to a study conducted by the Ponemon Institute in 350 companies in 2015, the average cost of data breaches is $3.79 million per incident (Ponemon Institute, 2015). Many legal regulations and best practices such as HIPAA in healthcare, Basel III in finance, and COBIT for IT governance have been proposed to mitigate the risks of security incidents. These regulations require organizations to implement internal controls and constantly monitor their business processes to detect security incidents and respond to them. Moreover, organizations need to learn from earlier incidents to improve security policies and prevent data breaches in the future.

The continuous monitoring of processes has enabled the collection of event data that show, for example, which activities users performed, when users accessed certain data and which operations they executed on the data. Alongside process monitoring, several auditing solutions have been proposed to assist organizations in the analysis of user behavior (recorded in event logs) with respect to security policies and regulations. These solutions assess compliance of user behavior either (i) with respect to the access and usage of sensitive data (data perspective) or (ii) with respect to the activities performed by users (process perspective). Auditing techniques that operate at the data level (Azkia et al, 2014, Cederquist et al, 2007, Dekker, Etalle, 2007, Rissanen et al, 2005) analyze whether a user had the right to perform certain operations on the data. However, data operations are typically verified individually. This does not allow for the verification of data protection policies, such as purpose control, that require analyzing the observed behavior as a whole (Petković et al., 2011). On the other hand, techniques that operate at the process level (Adriansyah et al, 2013a, Adriansyah et al, 2013b, Banescu et al, 2012, Petković et al, 2011, Rozinat, van der Aalst, 2008) usually analyze whether a user has performed the right activity as prescribed by the organization's processes. In particular, these techniques focus on the process control-flow and they do not analyze how data are used within the execution of the process.

Analyzing the observed behavior with respect to the data perspective or the process perspective alone has therefore two main drawbacks: (i) deviations can remain undetected and (ii) diagnostics may not provide an understanding of the deviations that occurred, thus making it difficult for a security analyst to take the measures necessary to respond to security infringements. These issues are even more critical when considering insider threats (i.e., security threats originating from within the organization being attacked or targeted). In fact, without knowing the context in which data are accessed and used, it is difficult, if not impossible, to discriminate between legitimate and illegitimate behaviors.

In this work, we propose an auditing approach that reconciles the data and process perspectives, thus enabling the identification of deviations that otherwise would remain undetected, and providing accurate diagnostics of those deviations. In particular, the usage of data is analyzed within both the context (defined with respect to the process control-flow) and the purpose (defined in terms of process activities) for which data were used. Fig. 1 shows an overview of our approach together with its inputs and outputs. As shown in the figure, for the analysis of the process perspective, we rely on the notion of control-flow alignments (❺) and, in particular, partially ordered alignments (Lu et al., 2014), which provide a robust way to pinpoint the causes of non-conformity between a process execution recorded in a process log (❷) and a process model (❶). The diagnostics provided by control-flow alignments show the validity of the context in which operations on data are executed. Moreover, by linking data operations, recorded in a system log (❹), to control-flow alignments (❺), we can check whether the purpose (i.e., the activity) of a data operation is valid according to the intended usage of data (modeled using a CRUD matrix (❸) (Brandon, 2002)).

By leveraging this reconciled view of the two perspectives, we introduce the notion of composite moves, representing pairwise matching between activities recorded in a log and activities in a process model along with the required operations on the data, and define a taxonomy of the different sorts of composite moves. This taxonomy provides the basis for an analysis of the causes of non-conformity. Moreover, we propose an algorithm to construct inter-level alignments, i.e., alignments consisting of composite moves, by linking the operations on data recorded in a system log to activities in the control-flow alignment. Such inter-level alignments enable the analysis of operations on the data with respect to the context in which those operations are executed. This way we can provide more accurate diagnostic information about non-conformity taking into account the purpose of data operations. To the best of our knowledge, this is the first work that proposes an auditing technique reconciling both the data and process perspectives.
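The linking described above, as an added and deliberately simplified Python example (not the paper's ProM plug-in or its algorithm): the control-flow alignment, CRUD matrix and system events are constructed inputs, each data operation is linked to the alignment move of its activity by activity name (the example assumes activities are unique within a trace), and the resulting composite move is labelled as conforming, a purpose deviation (operation not foreseen by the CRUD matrix for that activity) or a context deviation (operation issued within a move on log). CRUD entries of synchronous moves with no matching system event are reported as missing data operations.

```python
from collections import defaultdict

# Constructed control-flow alignment (not from the paper's datasets):
# (trace-event, run-event); None marks a move on log only or on model only.
ALIGNMENT = [
    ("register", "register"),
    ("examine", "examine"),
    ("prescribe", None),   # move on log: the model did not allow this activity here
    (None, "bill"),        # move on model: the log skipped this activity
    ("archive", "archive"),
]

# Constructed CRUD matrix: intended operations (purpose) per activity and data object.
CRUD = {
    "register": {"Patient": {"C"}},
    "examine": {"Patient": {"R"}, "Record": {"C", "U"}},
    "prescribe": {"Record": {"U"}},
    "bill": {"Invoice": {"C"}},
    "archive": {"Record": {"R"}},
}

# Constructed system log: (activity, data object, operation).
SYSTEM_EVENTS = [
    ("register", "Patient", "C"),
    ("examine", "Patient", "R"),
    ("examine", "Record", "C"),
    ("examine", "Invoice", "R"),   # not foreseen for 'examine' by the CRUD matrix
    ("prescribe", "Record", "U"),  # issued within a move on log
    ("archive", "Record", "R"),
]


def build_inter_level_alignment(alignment, crud, events):
    """Link each system event to its activity's alignment move and classify
    the composite move. Returns (composite_moves, missing_operations)."""
    moves = []
    observed = defaultdict(set)  # activity -> {(object, op)} seen in the system log
    trace_acts = {t: r for t, r in alignment if t is not None}
    for act, obj, op in events:
        observed[act].add((obj, op))
        if act not in trace_acts:
            kind = "unlinked data operation"   # no process activity recorded for it
        elif trace_acts[act] is None:
            kind = "context deviation"         # activity is a move on log
        elif op in crud.get(act, {}).get(obj, set()):
            kind = "conforming"
        else:
            kind = "purpose deviation"         # operation not in CRUD for this activity
        moves.append((act, obj, op, kind))
    missing = []  # CRUD entries of synchronous moves with no matching system event
    for t, r in alignment:
        if t is None or r is None:
            continue
        for obj, ops in crud.get(t, {}).items():
            missing += [(t, obj, op) for op in sorted(ops) if (obj, op) not in observed[t]]
    return moves, missing
```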

It is worth noting that in this work we assume that the observed behavior is recorded at both the data and process level. We argue that this assumption is realistic as demonstrated by BPM platforms like FLOWer (now called Lexmark Case Management) (van der Aalst et al., 2005) and Activiti (http://activiti.org/), which provide such functionality. Also in many other information systems both database updates and activity executions are recorded (see the change logs in ERP systems and the redo logs in database systems). Our technique has been implemented as a plug-in of the open source process-mining framework ProM and evaluated using both synthetic and real-life datasets.

The remainder of the paper is organized as follows. The next section presents the basic concepts used to represent the process and data perspectives and introduces background on alignments. Section 3 investigates data breaches and identifies types of insider threats relating to the data and process perspectives. Section 4 presents a taxonomy of composite moves and discusses how the identified threats can be captured in terms of composite moves. Section 5 formally defines inter-level alignments and presents our approach to construct such alignments. Experimental results are presented in Section 6. Finally, Section 7 discusses related work, and Section 8 concludes the paper and provides directions for future work.

Preliminaries

In this section, we introduce the main concepts and notation used to model the process and data perspectives of an IT system. An overview of these perspectives and their interconnections is shown in Fig. 1. Moreover, we introduce preliminaries on partially ordered alignments (Lu et al., 2014), which are the basis of the proposed approach.

Threat model

In the security research community and industry, there is consensus that a large percentage of data breaches that occur in organizations is caused by insider threats. An insider is typically defined as an individual who has some privileged access to an organization's IT system (Bishop, Gates, 2008, Kandias et al, 2010, Pfleeger, 2008). Accordingly, an insider can be a current employee or officer of the organization but can also be a discharged employee whose system credentials have not yet been

Taxonomy of composite moves

In order to detect deviations more accurately and provide contextual information for diagnosis, we relate the four basic elements discussed in Section 2, namely trace-events, run-events, system-events and CRUD-entries to each other. In particular, we introduce the notion of composite move, which connects these elements thus reconciling the process and data perspectives. A trace-event e and a run-event a constitute a control-flow alignment move (also called process move) that provides the context

Inter-level alignments

Composite moves reconcile the process and data perspectives, thus enabling the identification of deviations that otherwise would remain undetected, and providing accurate diagnostics of those deviations. As discussed in the previous section, the diagnostic information provided by composite moves gives analysts valuable support in the identification of several insider threats, such as the ones described in Section 3. However, determining which composite moves should be used to capture the actual

Evaluation

We implemented the approach illustrated in Fig. 1 as a plug-in named Inter-Level Replayer for the Security package within the ProM framework (http://www.promtools.org). The plug-in takes as input control-flow alignments, a system-event log and a CRUD matrix, and computes an inter-level alignment for each system-trace and its corresponding control-flow alignment. The output of the plug-in consists of the computed inter-level alignments and can be used by other plug-ins for visualization or

Related work

Existing auditing techniques can be classified in three categories based on the layer(s) in which they operate: data layer, process layer or both.

Data Layer. Several auditing approaches have been proposed to detect illegitimate data access and usage (see Reuben et al. (2016) for a survey). Agrawal et al. (2004) propose an auditing framework to verify whether a database system complies with privacy policies. Unlike our work, the focus of this framework is on minimizing the information

Conclusion

In recent years, many auditing techniques have been proposed to analyze the observed behavior recorded by information systems. These techniques typically focus on either the process or data perspective. Focusing on a single perspective, however, may not be sufficient to detect threats posed by insiders who have knowledge of the information system and security controls in place and can misuse their privileges and this knowledge for malicious purposes. In addition, diagnostics obtained using

Acknowledgments

This work has been funded by the NWO CyberSecurity programme under the PriCE project.

Mahdi Alizadeh received the bachelor's degree in computer engineering from Amirkabir University of Technology and the master's degree in information technology from Sharif University of Technology. He is currently working toward the PhD degree at Eindhoven University of Technology researching in the area of auditing for privacy and security compliance. His research interests include privacy, auditing, and process mining.

References (48)

  • M. Alizadeh. Healthcare treatment process.
  • M. Alizadeh et al. Risk-based analysis of business process executions.
  • M. Alizadeh et al. History-based construction of alignments for conformance checking: Formalization and implementation.
  • M. Alizadeh et al. Constructing probable explanations of nonconformity: A data-aware and history-based approach (2015).
  • A. Appari et al. Information security and privacy in healthcare: current state of research. Int J Internet Enterp Manage (2010).
  • H. Azkia et al. Deployment of a posteriori access control using IHE ATNA. Int J Inf Secur (2014).
  • S. Banescu et al. Measuring privacy compliance using fitness metrics.
  • A. Barth et al. Privacy and contextual integrity: framework and applications (2006).
  • M. Bishop et al. Defining the insider threat (2008).
  • M. Bishop et al. Case studies of an insider framework (2009).
  • Bloomberg Businessweek. Diagnosis: identity theft.
  • D. Brandon. CRUD matrices for detailed object oriented design. J Comput Sci Coll (2002).
  • J.G. Cederquist et al. Audit-based compliance control. Int J Inf Secur (2007).
  • M. de Leoni et al. Road traffic fine management process.

Cited by (52)

  • Physics-aware targeted attacks against maritime industrial control systems. Journal of Information Security and Applications, 2024.
  • Explainable conformance checking: Understanding patterns of anomalous behavior. Engineering Applications of Artificial Intelligence, 2023.

Xixi Lu received the bachelor's degree in computer science and the master of science degree in business information systems from the Eindhoven University of Technology. She is currently working toward the PhD degree at the Eindhoven University of Technology researching in the areas of architecture of business information systems and process mining. She also studied economics and management at Tsinghua University as an exchange student. Her research interests include business process management, conformance checking between process models and recorded logs, deviation detection and analysis, and process mining in general.

Dirk Fahland received the PhD degree in computer science from the Humboldt-Universität zu Berlin, Germany, and the Eindhoven University of Technology, the Netherlands, in 2010. He is an assistant professor at the Eindhoven University of Technology. His research interests include distributed processes and systems built from distributed components for which he investigates system modeling, analyzing systems for errors or misconformances (through verification or simulation), and process mining/specification mining techniques for discovering system models from event logs.

Nicola Zannone received his Ph.D. degree in computer science at the University of Trento, Italy, in 2007. He is an associate professor in the Security Group at the Eindhoven University of Technology, the Netherlands. His research interests include computer security, data protection, access control and formal methods.

Wil M. P. van der Aalst is a full professor of information systems at the Technische Universiteit Eindhoven (TU/e) where he is also the scientific director of the Data Science Center Eindhoven (DSC/e). His research interests include data science, process mining, Petri nets, business process management, process modeling, and process analysis. He is an elected member of the Royal Netherlands Academy of Arts and Sciences, the Royal Holland Society of Sciences and Humanities, and Academia Europaea.