Kristof Böhmer

Multi-perspective Anomaly Detection in Business Process Execution Events

Ensuring anomaly-free process model executions is crucial in order to prevent fraud and security breaches. Existing anomaly detection approaches focus on the control flow, point anomalies, and struggle with false positives in the case of unexpected events. By contrast, this paper proposes an anomaly detection approach that incorporates perspectives that go beyond the control flow, such as, time and resources (i.e., to detect contextual anomalies). In addition, it is capable of dealing with unexpected process model execution events: not every unexpected event is immediately detected as anomalous, but based on a certain likelihood of occurrence, hence reducing the number of false positives. Finally, multiple events are analyzed in a combined manner in order to detect collective anomalies. The performance and applicability of the overall approach are evaluated by means of a prototypical implementation along and based on real life process execution logs from multiple domains.

Automatic Signature Generation for Anomaly Detection in Business Process Instance Data

Implementing and automating business processes often means to connect and integrate a diverse set of potentially flawed services and applications. This makes them an attractive target for attackers. Here anomaly detection is one of the last defense lines against unknown vulnerabilities. Whereas anomaly detection for process behavior has been researched, anomalies in process instance data have been neglected so far, even though the data is exchanged with external services and hence might be a major sources for attacks. Deriving the required anomaly detection signatures can be a complex, work intensive, and error-prone task, specifically at the presence of a multitude of process versions and instances. Hence, this paper proposes a novel automatic signature generation approach for textual business process instance data while respecting its contextual attributes. Its efficiency is shown by an comprehensive evaluation that applies the approach on thousands of realistic data entries and 240, 000 anomalous data entries.

A Genetic Algorithm for Automatic Business Process Test Case Selection

Process models tend to become more and more complex and, therefore, also more and more test cases are required to assure their correctness and stability during design and maintenance. However, executing hundreds or even thousands of process model test cases leads to excessive test suite execution times and, therefore, high costs. Hence, this paper presents a novel approach for process model test case selection which is able to address flexible user-driven test case selection requirements and which can integrate a diverse set of knowledge sources to select an appropriate minimal set of test cases which can be executed in minimal time. Additionally, techniques are proposed which enable the representation of unique coverage requirements and effects for each process node and process test case in a comprehensive way. For test case selection, a genetic algorithm is proposed. Its effectiveness is shown in comparison with other test case selection approaches.

Multi Instance Anomaly Detection in Business Process Executions

Processes control critical IT systems and business cases in dynamic environments. Hence, ensuring secure model executions is crucial to prevent misuse and attacks. In general, anomaly detection approaches can be employed to tackle this challenge. Existing ones analyze each process instance individually. Doing so does not consider attacks that combine multiple instances, e.g., by splitting fraudulent fund transactions into multiple instances with smaller “unsuspicious” amounts. The proposed approach aims at detecting such attacks. For this, anomalies between the temporal behavior of a set of historic instances (ex post) and the temporal behavior of running instances are identified. Here, temporal behavior refers to the temporal order between the instances and their events. The proposed approach is implemented and evaluated based on real life process logs from different domains and artificial anomalies.

A Testing Approach for Hidden Concurrencies Based on Process Execution Logs

It is crucial to ensure correct process model executions. However, existing process testing approaches struggle with the verification of concurrent resource access patters that can lead to concurrency faults, such as, deadlocks or data corruption during runtime. Thus, we provide a concurrency verification approach that exploits recorded executions to verify the most frequently occurring concurrent resource access patterns with low test execution time. A prototypical implementation along with real life and artificial process execution logs is utilized for an evaluation.

Difference-Preserving Process Merge

Providing merging techniques for business processes fosters the management and maintenance of (large) process model repositories. Contrary to existing approaches that focus on preserving behavior of all participating process models, this paper presents a merging technique that aims at preserving the difference between the participating process models by exploiting the existence of a common parent process, e.g., a reference or standard process model.

Association Rules for Anomaly Detection and Root Cause Analysis in Process Executions

Existing business process anomaly detection approaches typically fall short in supporting experts when analyzing identified anomalies. Hereby, false positives and insufficient anomaly countermeasures might impact an organization in a severely negative way. This work tackles this limitation by basing anomaly detection on association rule mining. It will be shown that doing so enables to explain anomalies, support process change and flexible executions, and to facilitate the estimation of anomaly severity. As a consequence, the risk of choosing an inappropriate countermeasure is likely reduced which, for example, helps to avoid the termination of benign process executions due to mistaken anomalies and false positives. The feasibility of the proposed approach is shown based on a publicly available prototypical implementation as well as by analyzing real life logs with injected artificial anomalies.

Probability Based Heuristic for Predictive Business Process Monitoring

Predictive business process monitoring concerns the unfolding of ongoing process instance executions. Recent work in this area frequently applies “blackbox” like methods which, despite delivering high quality prediction results, fail to implement a transparent and understandable prediction generation process, likely, limiting the trust users put into the results. This work tackles this limitation by basing prediction and the related prediction models on well known probability based histogram like approaches. Those enable to quickly grasp, and potentially visualise the prediction results, various alternative futures, and the overall prediction process. Furthermore, the proposed heuristic prediction approach outperforms state-of-the-art approaches with respect to prediction accuracy. This conclusion is drawn based on a publicly available prototypical implementation, real life logs from multiple sources and domains, along with a comparison with multiple alternative approaches.

Control Flow Structure Preservation During Process Fragment Anonymization

Existing process anonymization work does not yet support control flow anonymization. However, as the control flow is one core component of business processes and represents confidential information, this can result in an information leakage. Hence, a control flow anonymization approach is proposed. It merges multiple control flows from the same process collection to minimize the similarity between the original and the anonymized one. At the same time, the original control flow structure is preserved to foster the representativity of the anonymized flows. The approach is prototypically implemented and evaluated with 10, 987 business process models from multiple process collections.

Automatic Business Process Test Case Selection: Coverage Metrics, Algorithms, and Performance Optimizations

Business processes describe and implement the business logic of companies, control human interaction, and invoke heterogeneous services during runtime. Therefore, ensuring the correct execution of processes is crucial. Existing work is addressing this challenge through process verification. However, the highly dynamic aspects of the current processes and the deep integration and frequent invocation of third party services limit the use of static verification approaches. Today, one frequently utilized approach to address this limitation is to apply process tests. However, the complexity of process models is steadily increasing. So, more and more test cases are required to assure process model correctness and stability during design and maintenance. But executing hundreds or even thousands of process model test cases lead to excessive test suite execution times and, therefore, high costs. Hence, this paper presents novel coverage metrics along with a genetic test case selection algorithm. Both enable the incorporation of user-driven test case selection requirements and the integration of different knowledge sources. In addition, techniques for test case selection computation performance optimization are provided and evaluated. The effectiveness of the presented genetic test case selection algorithm is evaluated against five alternative test case selection algorithms.