7 research outputs found

    Process Aware Host-based Intrusion Detection Model

    Nowadays, many organizations use Process Aware Information Systems (PAISs) to automate their business process. As in any other information system, security plays a major role in a PAIS to provide a secure state and maintain the system in it. In order to provide security in a PAIS, a Process Aware Host-based Intrusion Detection (PAHID) model is proposed in this paper. The model detects host-based intrusions in a PAIS using process mining techniques. The proposed model uses both anomaly detection and misuse detection techniques for more efficiency, and the organizational perspective of process mining is considered (rather than the control-flow perspective) to detect more attack types. The model is automated, can deal with large logs and is suitable for flexible application domains. The PAHID model is implemented by the use of the ProM framework and Java programming. It is evaluated by using a simulated log based on a real-world organization information system. Results demonstrate that the model provides high accuracy and a low false positive rate.

    Conformance checking of a longwall shearer operation based on low-level events

    Conformance checking is a process mining technique that compares a process model with an event log of the same process to check whether the current execution stored in the log conforms to the model and vice versa. This paper deals with the conformance checking of a longwall shearer process. The approach uses place-transition Petri nets with inhibitor arcs for modeling purposes. We use event log files collected from a few coal mines located in Poland by Famur S.A., one of the global suppliers of coal mining machines. One of the main advantages of the approach is the possibility for both offline and online analysis of the log data. The paper presents a detailed description of the longwall process, an original formal model we developed, selected elements of the approach's implementation and the results of experiments.

    Anomaly Detection Algorithms In Business Process Logs

    In some domains of application, like software development and health care processes, a normative business process system (e.g. workflow management system) is not appropriate because flexible support is needed for the participants. On the other hand, while it is important to support flexibility of execution in these domains, security requirements cannot be met if these systems do not offer extra control, which characterizes a trade-off between flexibility and security in such domains. This work presents and assesses a set of anomaly detection algorithms in logs of Process Aware Systems (PAS). The detection of an anomalous instance is based on the "noise" which an instance makes in a process model discovered by a process mining algorithm. As a result, a trace that is an anomaly for a discovered model will require more structural changes for this model to fit it than a trace that is not an anomaly. Hence, when aggregated to PAS, these methods can support the coexistence of security and flexibility. AIDSS1118

    Anomaly Detection Using Process Mining

    Recently, several large companies have been involved in financial scandals related to mismanagement, resulting in financial damages for their stockholders. In response, certifications and manuals for best practices of governance were developed, and in some cases, tougher federal laws were implemented (e.g. the Sarbanes-Oxley Act). Companies adhered to these changes, adopting the best practices for corporate governance by deploying Process Aware Information Systems (PAISs) to automate their business processes. However, these companies demand a rapid response to strategic changes, so the adoption of normative PAISs may compromise their competitiveness. On one hand, companies need flexible PAISs for competitiveness reasons. On the other hand, flexibility may compromise the security of the system because users can execute tasks that could result in violation of financial losses. In order to re-balance this trade-off, we present in this work how ProM tools can support anomaly detection in logs of PAIS. Besides, we present the results of the application of our approach with a real case. © 2009 Springer Berlin Heidelberg. 29 LNBIP149161

    Fraud Detection In Process Aware Systems

    In the last years, some large companies have been involved in scandals related to financial mismanagement, which represented a large financial damage to their stockholders. To recover market confidence, certifications for best practices of governance were developed, and in some cases, harder laws were implemented. Companies adhered to these changes as a response to the market, deploying process aware systems (PAS) and adopting the best practices of governance. However, companies demand a rapid response to strategic changes or changes in business models between partners, which may impose serious drawbacks to the adoption of normative PAS to the competitiveness of these companies. Thus, while companies need flexible PAS, flexibility may compromise security. To re-balance the trade-off between security and flexibility, we present in this work an anomaly detection algorithm for PAS. The identification of anomalous events can help the adoption of flexible PAS without the loss of security properties. Copyright © 2011 Inderscience Enterprises Ltd. 52121129