Multi Instance Anomaly Detection in Business Process Executions

  • Kristof BöhmerEmail author
  • Stefanie Rinderle-Ma
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10445)


Processes control critical IT systems and business cases in dynamic environments. Hence, ensuring secure model executions is crucial to prevent misuse and attacks. In general, anomaly detection approaches can be employed to tackle this challenge. Existing ones analyze each process instance individually. Doing so does not consider attacks that combine multiple instances, e.g., by splitting fraudulent fund transactions into multiple instances with smaller “unsuspicious” amounts. The proposed approach aims at detecting such attacks. For this, anomalies between the temporal behavior of a set of historic instances (ex post) and the temporal behavior of running instances are identified. Here, temporal behavior refers to the temporal order between the instances and their events. The proposed approach is implemented and evaluated based on real life process logs from different domains and artificial anomalies.


Runtime anomaly detection Secure business processes Multiple instances Temporal anomalies 


  1. 1.
    Allen, J.F.: Maintaining knowledge about temporal intervals. ACM 26(11), 832–843 (1983)CrossRefGoogle Scholar
  2. 2.
    Atallah, M., Szpankowski, W., Gwadera, R.: Detection of significant sets of episodes in event sequences. In: Data Mining, pp. 3–10. IEEE (2004)Google Scholar
  3. 3.
    Bezerra, F., Wainer, J., Aalst, W.M.P.: Anomaly detection using process mining. In: Halpin, T., Krogstie, J., Nurcan, S., Proper, E., Schmidt, R., Soffer, P., Ukor, R. (eds.) BPMDS/EMMSAD -2009. LNBIP, vol. 29, pp. 149–161. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-01862-6_13CrossRefGoogle Scholar
  4. 4.
    Böhmer, K., Rinderle-Ma, S.: Automatic signature generation for anomaly detection in business process instance data. In: Schmidt, R., Guédria, W., Bider, I., Guerreiro, S. (eds.) BPMDS/EMMSAD -2016. LNBIP, vol. 248, pp. 196–211. Springer, Cham (2016). doi: 10.1007/978-3-319-39429-9_13CrossRefGoogle Scholar
  5. 5.
    Böhmer, K., Rinderle-Ma, S.: Multi-perspective anomaly detection in business process execution events. In: Debruyne, C., et al. (eds.) OTM 2016. LNCS, vol. 10033, pp. 80–98. Springer, Cham (2016). doi: 10.1007/978-3-319-48472-3_5CrossRefGoogle Scholar
  6. 6.
    Böhmer, K., Rinderle-Ma, S.: Anomaly detection in business process runtime behavior - challenges and limitations. arXiv (2017)Google Scholar
  7. 7.
    Chaoji, V., Rastogi, R., Roy, G.: Machine learning in the real world. VLDB Endowment 9(13), 1597–1600 (2016)CrossRefGoogle Scholar
  8. 8.
    Chinchor, N., Sundheim, B.: Muc-5 evaluation metrics. In: Message Understanding, pp. 69–78. Computational Linguistics (1993)Google Scholar
  9. 9.
    Fdhila, W., Rinderle-Ma, S., Knuplesch, D., Reichert, M.: Change and compliance in collaborative processes. In: Services Computing, pp. 162–169. IEEE (2015)Google Scholar
  10. 10.
    Gupta, M., Gao, J., Aggarwal, C.C., Han, J.: Outlier detection for temporal data: a survey. Knowl. Data Eng. 26(9), 2250–2267 (2014)CrossRefGoogle Scholar
  11. 11.
    de Leoni, M., van der Aalst, W.M., Dees, M.: A general process mining framework for correlating, predicting and clustering dynamic behavior based on event logs. Inf. Syst. 56, 235–257 (2016)CrossRefGoogle Scholar
  12. 12.
    Rogge-Solti, A., Kasneci, G.: Temporal anomaly detection in business processes. In: Sadiq, S., Soffer, P., Völzer, H. (eds.) BPM 2014. LNCS, vol. 8659, pp. 234–249. Springer, Cham (2014). doi: 10.1007/978-3-319-10172-9_15CrossRefGoogle Scholar
  13. 13.
    Vogelgesang, T., et al.: Multidimensional process mining: questions, requirements, and limitations. In: España, S., Ivanović, M., Savić, M. (eds.) CAISE Forum, pp. 169–176. Springer, New York (2016)Google Scholar
  14. 14.
    Wieringa, R.J.: Design Science Methodology for Information Systems and Software Engineering. Springer, Heidelberg (2014)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Faculty of Computer ScienceUniversity of ViennaViennaAustria

Personalised recommendations