Multi Instance Anomaly Detection in Business Process Executions
Abstract
Processes control critical IT systems and business cases in dynamic environments. Hence, ensuring secure model executions is crucial to prevent misuse and attacks. In general, anomaly detection approaches can be employed to tackle this challenge. Existing approaches analyze each process instance individually and thus do not consider attacks that combine multiple instances, e.g., by splitting fraudulent fund transactions into multiple instances with smaller “unsuspicious” amounts. The proposed approach aims at detecting such attacks. To this end, anomalies between the temporal behavior of a set of historic instances (ex post) and the temporal behavior of running instances are identified. Here, temporal behavior refers to the temporal order between the instances and their events. The proposed approach is implemented and evaluated based on real-life process logs from different domains and artificial anomalies.
Keywords
Runtime anomaly detection, Secure business processes, Multiple instances, Temporal anomalies