ANOMALY DETECTION ALGORITHMS IN BUSINESS PROCESS LOGS

Fábio Bezerra, Jacques Wainer

2008

Abstract

In some application domains, such as software development and health care processes, a normative business process system (e.g. a workflow management system) is not appropriate because participants need flexible support. On the other hand, while it is important to support flexibility of execution in these domains, security requirements cannot be met if these systems do not offer extra control, which characterizes a trade-off between flexibility and security in such domains. This work presents and assesses a set of anomaly detection algorithms for logs of Process Aware Systems (PAS). The detection of an anomalous instance is based on the “noise” that the instance makes in a process model discovered by a process mining algorithm. As a result, a trace that is an anomaly for a discovered model will require more structural changes for this model to fit it than a trace that is not an anomaly. Hence, when added to a PAS, these methods can support the coexistence of security and flexibility.



Paper Citation


in Harvard Style

Bezerra F. and Wainer J. (2008). ANOMALY DETECTION ALGORITHMS IN BUSINESS PROCESS LOGS. In Proceedings of the Tenth International Conference on Enterprise Information Systems - Volume 2: ICEIS, ISBN 978-989-8111-37-1, pages 11-18. DOI: 10.5220/0001674700110018


in Bibtex Style

@conference{iceis08,
author={Fábio Bezerra and Jacques Wainer},
title={ANOMALY DETECTION ALGORITHMS IN BUSINESS PROCESS LOGS},
booktitle={Proceedings of the Tenth International Conference on Enterprise Information Systems - Volume 2: ICEIS,},
year={2008},
pages={11-18},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001674700110018},
isbn={978-989-8111-37-1},
}

