Combining Model- and Example-Driven Classification to Detect Security Breaches in Activity-Unaware Logs

  • Bettina Fazzinga
  • Francesco Folino
  • Filippo Furfaro
  • Luigi Pontieri
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11230)


Current approaches to the security-oriented classification of process log traces can be split into two categories: (i) example-driven methods, which induce a classifier from annotated example traces; (ii) model-driven methods, based on checking the conformance of each test trace to security-breach models defined by experts. These categories are orthogonal and use separate information sources (i.e. annotated traces and a-priori breach models). However, as these sources often coexist in real applications, both kinds of methods could be exploited synergistically. Unfortunately, when the log traces consist of (low-level) events with no reference to the activities of the breach models, combining (i) and (ii) is not straightforward. In this setting, to complement the partial views of insecure process-execution patterns that an example-driven method and a model-driven method capture separately, we devise an abstract classification framework where the separate predictions of these methods are combined, according to a meta-classification scheme, into an overall one that benefits from all the background information available. The reasonability of this solution is backed by experiments performed on a case study, showing that the accuracy of the example-driven (resp., model-driven) classifier decreases appreciably when the given example data (resp., breach models) do not exhaustively describe insecure process behaviors.


Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Bettina Fazzinga (1)
  • Francesco Folino (1)
  • Filippo Furfaro (2)
  • Luigi Pontieri (1)

  1. ICAR-CNR, Rende, Italy
  2. DIMES, University of Calabria, Rende, Italy
