Journal of Intelligent Information Systems

, Volume 50, Issue 1, pp 195–230 | Cite as

Online and offline classification of traces of event logs on the basis of security risks

  • Bettina Fazzinga
  • Sergio Flesca
  • Filippo FurfaroEmail author
  • Luigi Pontieri


The problem of classifying business log traces is addressed in the context of security risk analysis. We consider the challenging setting where the actions performed in a process instance are described in the log as executions of low-level operations (such as “Pose a query over a DB”, “Upload a file into an ftp server”), while analysts and business users describe/understand the process steps as instances of high-level activities (such as “Update the customer’s personal data”, and “Share a project draft with the coworkers”). Given this, we aim at classifying each trace as the result of a process execution within which a security breach has occurred or not, by taking into account some (possibly incomplete) knowledge of the process structures and of the patterns representing insecure behaviors. What makes the problem challenging is that, when no workflow regulating the process executions is defined, this knowledge is typically owned by experts who reason in terms of process activities, thus it is encoded by behavioral rules at the higher abstract level. Thus, classifying requires the traces to be interpreted and brought to this higher abstraction level, and often this cannot be done deterministically, since the mapping between operations and activities is many-to-many. In our framework, the operation/activity mapping is encoded probabilistically, and the behavioral rules are expressed in terms of precedence/causality constraints over the activities, grouped into mandatory, highly recommended, and recommended requirements. The classification task is addressed in both the cases that process execution are ongoing and have terminated (i.e. in both online and offline scenarios, respectively), and its core is a Monte Carlo generation, that produces a sample of interpretations whose conformance to the security breach models is used to estimate the risks for the security.


Process logs Security 


  1. Accorsi, R., & Stocker, T. (2012). On the exploitation of process mining for security audits: the conformance checking case. In Proceedings of ACM SAC, (pp. 1709–1716). ACM.Google Scholar
  2. Accorsi, R., Stocker, T., & Müller, G. (2013). On the exploitation of process mining for security audits: the process discovery case. In Proceedings of ACM SAC, (pp. 1462–1468). ACM.Google Scholar
  3. Agresti, A., & Coull, B.A. (1998). Approximate is better than ”exact” for interval estimation of binomial proportions. The American Statistician, 52(2), 119–126.MathSciNetGoogle Scholar
  4. Alur, R., & Henzinger, T.A. (1990). Real-time logics: complexity and expressiveness. In 5th IEEE symposium on logic in computer science (LICS) (pp. 390–401).Google Scholar
  5. Appice, A., & Malerba, D. (2015). A co-training strategy for multiple view clustering in process mining. IEEE Transactions on Services Computing, PP(99) . .Google Scholar
  6. Baier, T., Mendling, J., & Weske, M. (2014a). Bridging abstraction layers in process mining. Information Systems, 46, 123–139.Google Scholar
  7. Baier, T., Rogge-Solti, A., Weske, M., & Mendling, J. (2014b). Matching of events and activities - an approach based on constraint satisfaction. In The practice of enterprise modeling, lecture notes in business information processing, (Vol. 197, pp. 58–72).Google Scholar
  8. Basin, D., Harvan, M., Klaedtke, F., & Zălinescu, E. (2011). Monpoly: monitoring usage-control policies. In International conference on runtime verification, (pp. 360–364).Google Scholar
  9. Bose, R., & van der Aalst, W.M. (2013). Discovering signature patterns from event logs. In Symposium on computational intelligence and data mining (CIDM), (pp. 111–118).Google Scholar
  10. Clarke, E.M., Grumberg, O., & Peled, D. (1999). Model checking: : MIT press.Google Scholar
  11. Cybenko, G., & Berk, V.H. (2007). Process query systems. IEEE Computer, 40 (1), 62–70.CrossRefGoogle Scholar
  12. Di Ciccio, C., & Mecella, M. (2013). Mining artful processes from knowledge workers’ emails. IEEE Internet Computing, 17(5), 10–20.CrossRefGoogle Scholar
  13. Diamantini, C., Genga, L., & Potena, D. (2016). Behavioral process mining for unstructured processes. Journal of Intelligent Information Systems, , 1–28.Google Scholar
  14. De Gramatica, M., Labunets, K., Massacci, F., Paci, F., & Tedeschi, A. (2015). The role of catalogues of threats and security controls in security risk assessment: an empirical study with atm professionals. In Proceedings of the 21st international working conference on requirements engineering: foundation for software quality (REFSQ ’15), (pp. 98–114).Google Scholar
  15. De Murillas, E.G.L., Reijers, H.A., & Van der Aalst, W.M. (2016). Connecting databases with process mining: a meta model and toolset. In International workshop on business process modeling, development and support (pp. 231–249).Google Scholar
  16. Fazzinga, B., Flesca, S., Furfaro, F., Masciari, E., & Pontieri, L. (2015). A probabilistic unified framework for event abstraction and process detection from log data. In On the move to meaningful internet systems: OTM 2015 conferences - confederated international conferences: CoopIS, ODBASE, and C&TC 2015, Rhodes, Greece, October 26-30, 2015, Proceedings, (pp. 320–328).Google Scholar
  17. Fazzinga, B., Flesca, S., Furfaro, F., & Pontieri, L. (2016). Classifying traces of event logs on the basis of security risks. In New frontiers in mining complex patterns: 4th intl workshop, NFMCP 2015, Held in conjunction with ECML-PKDD 2015, Porto, Portugal, September 7, 2015, revised selected papers (pp. 108–124), Springer International Publishing.Google Scholar
  18. Ferilli, S., & Esposito, F. (2013). A logic framework for incremental learning of process models. Fundamenta Informaticae, 128(4), 413–443.MathSciNetzbMATHGoogle Scholar
  19. Folino, F., Guarascio, M., & Pontieri, L. (2014). Mining predictive process models out of low-level multidimensional logs. In International conference on advanced information systems engineering, (pp. 533–547).Google Scholar
  20. Greco, G., Guzzo, A., Lupia, F., & Pontieri, L. (2015). Process discovery under precedence constraints. ACM Transactions on Knowledge Discovery Data, 9(4), 32:1–32:39.Google Scholar
  21. Jans, M., van der Werf, J.M.E.M., Lybaert, N., & Vanhoof, K. (2011). A business process mining application for internal transaction fraud mitigation. Expert Systems with Applications, 38(10), .Google Scholar
  22. Knuplesch, D., Reichert, M., Ly, L.T., Kumar, A., & Rinderle-Ma, S. (2013). Visual modeling of business process compliance rules with the support of multiple perspectives. In International conference on conceptual modeling, (pp. 106–120).Google Scholar
  23. Lippmann, R.P., & Ingols, K.W. (2005). An annotated review of past papers on attack graphs. Technical report, DTIC Document.Google Scholar
  24. Ly, L.T., Maggi, F.M., Montali, M., Rinderle-Ma, S., & van der Aalst, W.M. (2015). Compliance monitoring in business processes: Functionalities, application, and tool-support. Information Systems, 54, 209 –234.Google Scholar
  25. Ly, L.T., Rinderle-Ma, S., Knuplesch, D., & Dadam, P. (2011). Monitoring business process compliance using compliance rule graphs. In OTM confederated international conferences on the move to meaningful internet systems, (pp. 82–99).Google Scholar
  26. Montali, M., Chesani, F., Mello, P., & Maggi, F.M. (2013). Towards data-aware constraints in Declare. In Proceedings of the 28th annual ACM symposium on applied computing, (pp. 1391–1396).Google Scholar
  27. Montali, M., Maggi, F.M., Chesani, F., Mello, P., & van der Aalst, W.M. (2013). Monitoring business constraints with the event calculus. ACM Transactions on Intelligent Systems and Technology (TIST), 5(1), 17.Google Scholar
  28. Montali, M., Maggi, F.M., Chesani, F., Mello, P., & Van der Aalst, W.M. (2013). Monitoring business constraints with the event calculus. ACM transactions on intelligent systems and technology (TIST), 5(1), 17.Google Scholar
  29. Namiri, K., & Stojanovic, N. (2007). Pattern-based design and validation of business process compliance. In OTM confederated international conference, (pp. 59–76).Google Scholar
  30. Rozinat, A., & van der Aalst, W.M. (2008). Conformance checking of processes based on monitoring real behavior. Information Systems, 33(1), 64–95.Google Scholar
  31. Rubin, V., Günther, C. W., Van Der Aalst, W.M., Kindler, E., Van Dongen, B.F., & Schäfer, W. (2007). Process mining framework for software processes. In International conference on software process, (pp. 169–181).Google Scholar
  32. Rubin, V., Günther, C. W., Van Der Aalst, W.M., Kindler, E., Van Dongen, B.F., & Schäfer, W. (2007). Process mining framework for software processes. In International conference on software process, (pp. 169–181).Google Scholar
  33. Sauer, T., Minor, M., & Bergmann, R. (2011). Inverse workflows for supporting agile business process management. In Wissensmanagement, (pp. 204–213).Google Scholar
  34. Sindre, G. (2007). Mal-activity diagrams for capturing attacks on business processes. In International working conference on requirements engineering: foundation for software quality, pp. 355–366.Google Scholar
  35. Suriadi, S., Weiß, B., Winkelmann, A., Ter Hofstede, A.H., Adams, M., Conforti, R., Fidge, C., La Rosa, M., Ouyang, C., Rosemann, M., & et al. (2014). Current research in risk-aware business process management: overview, comparison, and gap analysis. CAIS, 34(1), 933–984.Google Scholar
  36. Turetken, O., Elgammal, A., van den Heuvel, W.J., & Papazoglou, M.P. (2012). Capturing compliance requirements: a pattern-based approach. IEEE Software, 29(3), 28–36.Google Scholar
  37. Van der Aalst, W. (2016). Process mining: data science in action: : Springer.Google Scholar
  38. Van der Aalst, W., Weijters, T., & Maruster, L. (2004). Workflow mining: discovering process models from event logs. IEEE TKDE, 16(9), 1128–1142.Google Scholar
  39. Van der Aalst, W.M., De Beer, H., & Van Dongen, B.F. (2005). Process mining and verification of properties: an approach based on temporal logic: : Springer.Google Scholar
  40. Van der Aalst, W.M.P. (2011). Process mining: discovery, conformance and enhancement of business processes: : Springer Publishing Company, Incorporated.Google Scholar
  41. Van der Aalst, W.M.P., Pesic, M., & Schonenberg, H. (2009). Declarative workflows: balancing between flexibility and support. Computer Science - R&D, 23(2), 99–113.Google Scholar
  42. Weidlich, M., Ziekow, H., Mendling, J., Günther, O., Weske, M., & Desai, N. (2011). Event-based monitoring of process execution violations. In International conference on business process management, (pp. 182–198). Springer.Google Scholar
  43. Werner-Stark, G., & Dulai, T. (2012). Agent-based analysis and detection of functional faults of vehicle industry processes: a process mining approach. In Agent and multi-agent systems. Technologies and applications, (Vol. 7327, pp. 424–433). Springer Berlin Heidelberg.Google Scholar
  44. Westergaard, M., & Maggi, F.M. (2012). Looking into the future. In OTM confederated international conference, (pp. 250–267).Google Scholar

Copyright information

© Springer Science+Business Media New York 2017

Authors and Affiliations

  1. 1.ICAR - CNRNapoliItaly
  2. 2.DIMESUniversity of CalabriaRendeItaly
  3. 3.ICAR - CNRRendeItaly

Personalised recommendations