Abstract
Current automated methods to identify erroneous or malicious executions of a business process from logs, metrics, or other observable effects are based on detecting deviations from the normal behavior of the process. This requires a “single model of normative behavior”: the current execution either conforms to that model, or not. In this paper, we propose a method to automatically distinguish different behaviors during the execution of a process, so that a timely reaction can be triggered, e.g., to mitigate the risk of an ongoing attack. The behavioral classes are learned from event logs of a process, including branching probabilities and event frequencies. Using this method, harmful or problematic behavior can be identified during or even prior to its occurrence, raising alarms as early as undesired behavior is observable. The proposed method has been implemented and evaluated on a set of artificial logs capturing different types of exceptional behavior. Pushing the method to its edge in this evaluation, we provide a first assessment of where the method can clearly discriminate between classes of behavior, and where the differences are too small to make a clear determination.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Xu, X., Zhu, L., Weber, I., Bass, L., Sun, W.: POD-Diagnosis: error diagnosis of sporadic operations on cloud applications. In: IEEE/IFIP DSN (2014)
Nielsen, M., Plotkin, G.D., Winskel, G.: Petri nets, event structures and domains, part I. Theor. Comput. Sci. 13, 85–108 (1981)
van Beest, N.R.T.P., Dumas, M., García-Bañuelos, L., La Rosa, M.: Log delta analysis: interpretable differencing of business process event logs. In: Motahari-Nezhad, H.R., Recker, J., Weidlich, M. (eds.) BPM 2015. LNCS, vol. 9253, pp. 386–405. Springer, Cham (2015). doi:10.1007/978-3-319-23063-4_26
Manning, C.D., Raghavan, P., Schütze, H.: Introduction to Information Retrieval. Cambridge Univ. Press, Cambridge (2008)
Van den Broucke, S., De Weerdt, J., Vanthienen, J., Baesens, B.: An improved process event log artificial negative event generator. Faculty of Economics and Business, KU Leuven (Belgium), Technical report KBI_1216 (2012)
Leontjeva, A., Conforti, R., Francescomarino, C., Dumas, M., Maggi, F.M.: Complex symbolic sequence encodings for predictive monitoring of business processes. In: Motahari-Nezhad, H.R., Recker, J., Weidlich, M. (eds.) BPM 2015. LNCS, vol. 9253, pp. 297–313. Springer, Cham (2015). doi:10.1007/978-3-319-23063-4_21
Teinemaa, I., Dumas, M., Maggi, F.M., Francescomarino, C.: Predictive business process monitoring with structured and unstructured data. In: La Rosa, M., Loos, P., Pastor, O. (eds.) BPM 2016. LNCS, vol. 9850, pp. 401–417. Springer, Cham (2016). doi:10.1007/978-3-319-45348-4_23
van der Aalst, W.: Process Mining: Discovery, Conformance and Enhancement of Business Processes. Springer, New York (2011)
Weidlich, M., Polyvyanyy, A., Desai, N., Mendling, J., Weske, M.: Process compliance analysis based on behavioural profiles. Inf. Syst. 36(7), 1009–1025 (2011)
Maggi, F.M., Montali, M., Westergaard, M., Aalst, W.M.P.: Monitoring business constraints with linear temporal logic: an approach based on colored automata. In: Rinderle-Ma, S., Toumani, F., Wolf, K. (eds.) BPM 2011. LNCS, vol. 6896, pp. 132–147. Springer, Heidelberg (2011). doi:10.1007/978-3-642-23059-2_13
van der Aalst, W., Adriansyah, A., van Dongen, B.: Replaying history on process models for conformance checking and performance analysis. WIREs Data Min. Knowl. Discov. 2(2), 182–192 (2012)
Weber, I., Rogge-Solti, A., Li, C., Mendling, J.: CCaaS: online conformance checking as a service. In: Proceedings of BPM Demo Track, August 2015
Koskimies, K., Mäkinen, E.: Automatic synthesis of state machines from trace diagrams. Softw. Pract. Exper. 24(7), 643–658 (1994)
Chen, X.J., Ural, H.: Automated recovery of protocol designs from execution histories. In: Proceedings of SCI 2001, pp. 103–108, July 2001
Uchitel, S., Brunet, G., Chechik, M.: Synthesis of partial behavior models from properties and scenarios. IEEE TSE 35(3), 384–406 (2009)
Song, M., Günther, C.W., Aalst, W.M.P.: Trace clustering in process mining. In: Ardagna, D., Mecella, M., Yang, J. (eds.) BPM 2008. LNBIP, vol. 17, pp. 109–120. Springer, Heidelberg (2009). doi:10.1007/978-3-642-00328-8_11
De Weerdt, J., van den Broucke, S., Vanthienen, J., Baesens, B.: Active trace clustering for improved process discovery. IEEE TKDE 25(12), 2708–2720 (2013)
Yin, J., Yang, Q., Pan, J.J.: Sensor-based abnormal human-activity detection. IEEE TKDE 20(8), 1082–1090 (2008)
Jin, M., Zou, H., Weekly, K., Jia, R., Bayen, A.M., Spanos, C.J.: Environmental sensing by wearable device for indoor activity and location estimation. In: IEEE IECON (2014)
Vishwakarma, S., Agrawal, A.: A survey on activity recognition and behavior understanding in video surveillance. Vis. Comput. 29(10), 983–1009 (2013)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
van Beest, N.R.T.P., Weber, I. (2017). Behavioral Classification of Business Process Executions at Runtime. In: Dumas, M., Fantinato, M. (eds) Business Process Management Workshops. BPM 2016. Lecture Notes in Business Information Processing, vol 281. Springer, Cham. https://doi.org/10.1007/978-3-319-58457-7_25
Download citation
DOI: https://doi.org/10.1007/978-3-319-58457-7_25
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-58456-0
Online ISBN: 978-3-319-58457-7
eBook Packages: Computer ScienceComputer Science (R0)