Sequential Anomaly Detection Techniques in Business Processes

  • Christian Linn
  • Dirk Werth
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 263)


Many companies use information systems to manage their business processes and thereby collect large amounts of transactional data. Analyzing this data makes it possible to automatically detect anomalies, i.e. flaws and faults, in the execution of the process. The anomalies can relate not only to the sequence of executed activities but also to other dimensions, such as the organization or the person performing the respective activity. This paper discusses two approaches to detecting the different anomaly types using basic sequential analysis techniques. Besides the classical one-dimensional approach, a simple approach that uses multiple dimensions of the process information in the sequential analysis is discussed and evaluated on a simulated artificial business process.


Keywords: Anomaly detection, Business process, Business analytics



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. AWS-Institute for Digitized Products and Processes, Saarbrücken, Germany
