Skip to main content

Cybersecurity Analysis via Process Mining: A Systematic Literature Review

Part of the Lecture Notes in Computer Science book series (LNAI,volume 13087)

Abstract

The digitalization of our society is only possible in secure software systems governing ongoing critical processes. The understanding of mutual interdependencies of events and processes is crucial for cybersecurity. One of the promising ways to tackle these challenges is process mining, which is a set of techniques that aim to mine knowledge from processes. However, it is unclear how process mining can be practically used in the context of cybersecurity. In this work, we investigate the potential of applying process mining in cybersecurity and support research efforts in this area via collecting existing applications, discussing current trends, and providing promising research directions. To this end, we have conducted a systematic literature review covering all relevant works between 2014 and 2020.

Keywords

  • Process mining
  • Cybersecurity
  • Literature review

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-95405-5_28
  • Chapter length: 15 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   69.99
Price excludes VAT (USA)
  • ISBN: 978-3-030-95405-5
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   89.99
Price excludes VAT (USA)
Fig. 1.

References

  1. van der Aalst, W.: Using process mining to bridge the gap between BI and BPM. Computer 44(12), 77–80 (2011)

    CrossRef  Google Scholar 

  2. van der Aalst, W.: Process Mining: Data Science in Action, 2nd edn. Springer Publishing Company, Incorporated (2016)

    CrossRef  Google Scholar 

  3. Alizadeh, M., Lu, X., Fahland, D., Zannone, N., van der Aalst, W.: Linking data and process perspectives for conformance analysis. Comput. Secur. 73, 172–193 (2018)

    CrossRef  Google Scholar 

  4. de Alvarenga, S.C., Barbon, S., Miani, R.S., Cukier, M., Zarpelão, B.B.: Process mining and hierarchical clustering to help intrusion alert visualization. Comput. Secur. 73, 474–491 (2018)

    CrossRef  Google Scholar 

  5. Asghar, M.R., Hu, Q., Zeadally, S.: Cybersecurity in industrial control systems: issues, technologies, and challenges. Comput. Netw. 165, 106946 (2019)

    Google Scholar 

  6. Baader, G., Krcmar, H.: Reducing false positives in fraud detection: combining the red flag approach with process mining. Int. J. Acc. Inf. Syst. 31, 1–16 (2018)

    CrossRef  Google Scholar 

  7. Bahrani, A., Bidgly, A.J.: Ransomware detection using process mining and classification algorithms. In: 16th International ISC Conference on Information Security and Cryptology, pp. 73–77 (2019)

    Google Scholar 

  8. Bernardi, M.L., Cimitile, M., Distante, D., Martinelli, F., Mercaldo, F.: Dynamic malware detection and phylogeny analysis using process mining. Int. J. Inf. Secur. 18(3), 257–284 (2019)

    CrossRef  Google Scholar 

  9. Bernardi, S., Alastuey, R.P., Trillo-Lado, R.: Using process mining and model-driven engineering to enhance security of web information systems. In: IEEE European Symposium on Security and Privacy Workshops, pp. 160–166 (2017)

    Google Scholar 

  10. Bernardi, S., Trillo-Lado, R., Merseguer, J.: Detection of integrity attacks to smart grids using process mining and time-evolving graphs. In: 14th European Dependable Computing Conference, pp. 136–139 (2018)

    Google Scholar 

  11. Bogarín, A., Cerezo, R., Romero, C.: A survey on educational process mining. Wiley Interdisc. Rev.: Data Mining Knowl. Disc. 8(1) (2018)

    Google Scholar 

  12. Böhmer, K., Rinderle-Ma, S.: Multi-perspective anomaly detection in business process execution events. In: OTM Confederated International Conferences on the Move to Meaningful Internet Systems, pp. 80–98. Springer (2016). https://doi.org/10.1007/978-3-319-48472-3_5

  13. Burattin, A., Sperduti, A., Veluscek, M.: Business models enhancement through discovery of roles. In: CIDM, pp. 103–110 (2013)

    Google Scholar 

  14. Burattin, A., van Zelst, S.J., Armas-Cervantes, A., van Dongen, B.F., Carmona, J.: Online conformance checking using behavioural patterns. In: Business Process Management, pp. 250–267. Springer International Publishing, Cham (2018). https://doi.org/10.1007/978-3-319-98648-7_15

  15. Bustos-Jiménez, J., Saint-Pierre, C., Graves, A.: Applying process mining techniques to DNS traces analysis. In: 33rd International Conference of the Chilean Computer Science Society, pp. 12–16 (2014)

    Google Scholar 

  16. Carmona, J., van Dongen, B., Solti, A., Weidlich, M.: Conformance Checking. Springer (2018). https://doi.org/10.1007/978-3-319-99414-7

  17. Cimino, M.G., De Francesco, N., Mercaldo, F., Santone, A., Vaglini, G.: Model checking for malicious family detection and phylogenetic analysis in mobile environment. Comput. Secur. 90, 101691 (2020)

    Google Scholar 

  18. Coltellese, S., Maggi, F.M., Marrella, A., Massarelli, L., Querzoni, L.: Triage of IoT attacks through process mining. In: OTM Confederated International Conferences “On the Move to Meaningful Internet Systems”, pp. 326–344. Springer (2019). https://doi.org/10.1007/978-3-030-33246-4_22

  19. Compagna, L., dos Santos, D.R., Ponta, S.E., Ranise, S.: Aegis: automatic enforcement of security policies in workflow-driven web applications. In: Proceedings of the 7th ACM Conference on Data and Application Security and Privacy, pp. 321–328. ACM (2017)

    Google Scholar 

  20. Conforti, R., La Rosa, M., ter Hofstede, A.H.: Filtering out infrequent behavior from business process event logs. IEEE Trans. Knowl. Data Eng. 29(2), 300–314 (2016)

    CrossRef  Google Scholar 

  21. Cook, J.E., Wolf, A.L.: Automating process discovery through event-data analysis. In: Proceedings of the 17th International Conference on Software Engineering, pp. 73–82. ACM (1995)

    Google Scholar 

  22. Elkoumy, G., et al.: Privacy and confidentiality in process mining-threats and research challenges. arXiv preprint arXiv:2106.00388 (2021)

  23. Fahland, D., van der Aalst, W.M.: Model repair-aligning process models to reality. Inform. Syst. 47, 220–243 (2015)

    CrossRef  Google Scholar 

  24. Sani, M.F., van Zelst, S.J., van der Aalst, W.M.: Applying sequence mining for outlier detection in process mining. In: OTM Confederated International Conferences “On the Move to Meaningful Internet Systems”, pp. 98–116. Springer (2018). https://doi.org/10.1007/978-3-030-02671-4_6

  25. Fazzinga, B., Folino, F., Furfaro, F., Pontieri, L.: Combining model-and example-driven classification to detect security breaches in activity-unaware logs. In: On the Move to Meaningful Internet Systems. OTM 2018 Conferences, pp. 173–190. Springer (2018). https://doi.org/10.1007/978-3-030-02671-4_10

  26. Fazzinga, B., Folino, F., Furfaro, F., Pontieri, L.: An ensemble-based approach to the security-oriented classification of low-level log traces. Expert Syst. Appl. 153, 113386 (2020)

    Google Scholar 

  27. Genga., L., Zannone., N.: Towards a systematic process-aware behavioral analysis for security. In: Proceedings of the 15th International Joint Conference on e-Business and Telecommunications - Volume 1: BASS, pp. 460–469. INSTICC, SciTePress (2018)

    Google Scholar 

  28. van Genuchten, M., Mans, R., Reijers, H., Wismeijer, D.: Is your upgrade worth it? process mining can tell. IEEE software 31(5), 94–100 (2014)

    CrossRef  Google Scholar 

  29. Geyer-Klingeberg, J., Nakladal, J., Baldauf, F., Veit, F.: Process mining and robotic process automation: a perfect match. In: Proceedings of the Dissertation Award, Demonstration, and Industrial Track at BPM 2018, pp. 124–131 (2018)

    Google Scholar 

  30. Ghasemi, M., Amyot, D.: From event logs to goals: a systematic literature review of goal-oriented process mining. Requirements Eng. 25(1), 67–93 (2020)

    CrossRef  Google Scholar 

  31. Hluchý, L., Habala, O.: Enhancing mobile device security with process mining. In: IEEE 14th International Symposium on Intelligent Systems and Informatics, pp. 181–184 (2016)

    Google Scholar 

  32. Huda, S., Ahmad, T., Sarno, R., Santoso, H.A.: Identification of process-based fraud patterns in credit application. In: 2nd International Conference on Information and Communication Technology, pp. 84–89 (2014)

    Google Scholar 

  33. Jaisook, P., Premchaiswadi, W.: Time performance analysis of medical treatment processes by using disco. In: 13th International Conference on ICT and Knowledge Engineering (ICT & Knowledge Engineering 2015), pp. 110–115. IEEE (2015)

    Google Scholar 

  34. Kelemen, R.: Systematic review on process mining and security. In: Central and Eastern European e—Dem and e—Gov Days 2017 (2017)

    Google Scholar 

  35. Kitchenham, B., Charters, S.: Guidelines for performing systematic literature reviews in software engineering (2007)

    Google Scholar 

  36. Lamma, E., Mello, P., Montali, M., Riguzzi, F., Storari, S.: Inducing declarative logic-based models from labeled traces. In: Business Process Management. pp. 344–359. Springer, Berlin Heidelberg (2007). https://doi.org/10.1007/978-3-540-75183-0_25

  37. Leander, B., Causevic, A., Hansson, H.: Cybersecurity challenges in large industrial IoT systems. In: 24th IEEE International Conference on Emerging Technologies and Factory Automation, pp. 1035–1042 (2019)

    Google Scholar 

  38. Leemans, S.J.J., Fahland, D., van der Aalst, W.M.P.: Discovering block-structured process models from event logs containing infrequent behaviour. In: Business Process Management Workshops, pp. 66–78. Springer International Publishing (2014). https://doi.org/10.1007/978-3-319-06257-0_6

  39. Leitner, M., Rinderle-Ma, S.: A systematic review on security in process-aware information systems - constitution, challenges, and future directions. Inf. Softw. Technol. 56(3), 273–293 (2014)

    CrossRef  Google Scholar 

  40. Li, C., Ge, J., Li, Z., Huang, L., Yang, H., Luo, B.: Monitoring interactions across multi business processes with token carried data. IEEE Trans. Serv. Comput. 1 (2018)

    Google Scholar 

  41. Liu, L., De Vel, O., Han, Q., Zhang, J., Xiang, Y.: Detecting and preventing cyber insider threats: a survey. IEEE Commun. Surv. Tutorials 20(2), 1397–1417 (2018)

    CrossRef  Google Scholar 

  42. Macak, M., Kruzelova, D., Chren, S., Buhnova, B.: Using process mining for git log analysis of projects in a software development course. Educ. Inf. Technol. 1–31 (2021)

    Google Scholar 

  43. Macak, M., Kruzikova, A., Daubner, L., Buhnova, B.: Simulation games platform for unintentional perpetrator attack vector identification. In: Proceedings of the IEEE/ACM 42nd International Conference on Software Engineering Workshops, pp. 222–229 (2020)

    Google Scholar 

  44. Macak, M., Vanat, I., Merjavy, M., Jevocin, T., Buhnova, B.: Towards process mining utilization in insider threat detection from audit logs. In: 7th International Conference on Social Networks Analysis, Management and Security, pp. 1–6 (2020)

    Google Scholar 

  45. Mardani, S., Shahriari, H.R.: A new method for occupational fraud detection in process aware information systems. In: 10th International ISC Conference on Information Security and Cryptology, pp. 1–5 (2013)

    Google Scholar 

  46. Myers, D., Radke, K., Suriadi, S., Foo, E.: Process discovery for industrial control system cyber attack detection. In: ICT Systems Security and Privacy Protection, pp. 61–75. Springer International Publishing, Cham (2017). https://doi.org/10.1007/978-3-319-58469-0_5

  47. Myers, D., Suriadi, S., Radke, K., Foo, E.: Anomaly detection for industrial control systems using process mining. Comput. Secur. 78, 103–125 (2018)

    CrossRef  Google Scholar 

  48. Reinkemeyer, L.: Process Mining in Action: Principles. Use Cases and Outlook, Springer Nature (2020)

    CrossRef  Google Scholar 

  49. Rojas, E., Munoz-Gama, J., Sepulveda, M., Capurro, D.: Process mining in healthcare: a literature review. J. Biomed. Inform. 61, 224–236 (2016)

    CrossRef  Google Scholar 

  50. Rosa, N.S., Campos, G.M., Cavalcanti, D.J.: Lightweight formalisation of adaptive middleware. J. Syst. Archit. 97, 54–64 (2019)

    CrossRef  Google Scholar 

  51. Rozinat, A., van der Aalst, W.M.: Conformance checking of processes based on monitoring real behavior. Inf. Syst. 33(1), 64–95 (2008)

    CrossRef  Google Scholar 

  52. Sahlabadi, M., Muniyandi, R., Shukur, Z.: Detecting abnormal behavior in social network websites by using a process mining technique. J. Comput. Sci. 10, 393–402 (2014)

    CrossRef  Google Scholar 

  53. Salnitri, M., Alizadeh, M., Giovanella, D., Zannone, N., Giorgini, P.: From security-by-design to the identification of security-critical deviations in process executions. In: International Conference on Advanced Information Systems Engineering, pp. 218–234. Springer (2018). https://doi.org/10.1007/978-3-319-92901-9_19

  54. dos Santos Garcia, C., Meincheim, A., Junior, E.R.F., Dallagassa, M.R., Sato, D.M.V., Carvalho, D.R., et al.: Process mining techniques and applications - a systematic mapping study. Expert Syst. Appl. 133, 260–295 (2019)

    Google Scholar 

  55. Senator, T.E., Goldberg, H.G., Memory, A., Young, W.T., Rees, B., Pierce, R., et al.: Detecting insider threats in a real corporate database of computer usage activity. In: Proceedings of the 19th ACM/SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 1393–1401 (2013)

    Google Scholar 

  56. Talamo, M., Povilionis, A., Arcieri, F., Schunck, C.H.: Providing online operational support for distributed, security sensitive electronic business processes. In: International Carnahan Conference on Security Technology, pp. 49–54 (2015)

    Google Scholar 

  57. Viticchié, A., Regano, L., Basile, C., Torchiano, M., Ceccato, M., Tonella, P.: Empirical assessment of the effort needed to attack programs protected with client/server code splitting. Empirical Softw. Eng. 25(1), 1–48 (2020)

    CrossRef  Google Scholar 

  58. Williams, R., Rojas, E., Peek, N., Johnson, O.A.: Process mining in primary care: a literature review. Stud. Health Technol. Inform. 247, 376–380 (2018)

    Google Scholar 

  59. Yen, T.F., et al.: Beehive: large-scale log analysis for detecting suspicious activity in enterprise networks. In: Proceedings of the 29th Annual Computer Security Applications Conference, pp. 199–208. ACM (2013)

    Google Scholar 

  60. Young, W.T., Goldberg, H.G., Memory, A., Sartain, J.F., Senator, T.E.: Use of domain knowledge to detect insider threats in computer activities. In: 2013 IEEE Security and Privacy Workshops, pp. 60–67 (2013)

    Google Scholar 

  61. van Zelst, S.J., van Dongen, B.F., van der Aalst, W.M.: Event stream-based process discovery using abstract representations. Knowl. Inf. Syst. 54(2), 407–435 (2018)

    CrossRef  Google Scholar 

  62. Zerbino, P., Aloini, D., Dulmin, R., Mininno, V.: Process-mining-enabled audit of information systems: methodology and an application. Expert Syst. Appl. 110, 80–92 (2018)

    CrossRef  Google Scholar 

  63. Zhou, X., Jin, Y., Zhang, H., Li, S., Huang, X.: A map of threats to validity of systematic literature reviews in software engineering. In: 23rd Asia-Pacific Software Engineering Conference, pp. 153–160 (2016)

    Google Scholar 

Download references

Acknowledgements

This research was supported by ERDF “CyberSecurity, CyberCrime and Critical Information Infrastructures Center of Excellence” (No. CZ.02.1.01/0.0/0.0/16_019/0000822).

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Martin Macak .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Macak, M., Daubner, L., Sani, M.F., Buhnova, B. (2022). Cybersecurity Analysis via Process Mining: A Systematic Literature Review. In: , et al. Advanced Data Mining and Applications. ADMA 2022. Lecture Notes in Computer Science(), vol 13087. Springer, Cham. https://doi.org/10.1007/978-3-030-95405-5_28

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-95405-5_28

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-95404-8

  • Online ISBN: 978-3-030-95405-5

  • eBook Packages: Computer ScienceComputer Science (R0)