M Mahdi Alizadeh

Constructing Probable Explanations of Nonconformity: A Data-Aware and History-Based Approach

Auditing the execution of business processes is becoming a critical issue for organizations. Conformance checking has been proposed as a viable approach to analyze process executions with respect to a process model. In particular, alignments provide a robust approach to conformance checking in that they are able to pinpoint the causes of nonconformity. Alignment-based techniques usually rely on a predefined cost function which assigns a cost to every possible deviation. Defining such a cost function, however, is not trivial and is prone to imperfection that can result in inaccurate diagnostic information. This paper proposes an alignment-based approach to construct probable explanations of nonconformity. In particular, we show how cost functions can be automatically computed based on historical logging data and taking into account multiple process perspectives. We implemented our approach as a plug-in of the ProM framework. Experimental results show that our approach provides more accurate diagnostics compared to existing alignment-based techniques.

Risk-based Analysis of Business Process Executions

Organizations need to monitor their business processes to ensure that what actually happens in the system is compliant with the prescribed behavior. Deviations from the prescribed behavior may correspond to violations of security requirements and expose organizations to severe risks. Thus, it is crucial for organizations to detect and address nonconforming behavior as early as possible. In this paper, we present an auditing framework that facilitates the analysis of process executions by detecting nonconforming behaviors and ranking them with respect to their criticality. Our framework employs conformance checking techniques to detect possible explanations of nonconformity. Based on such explanations, the framework assesses the criticality of nonconforming process executions based on historical logging data and context information.

Subgraph mining for anomalous pattern discovery in event logs

Conformance checking allows organizations to verify whether their IT system complies with the prescribed behavior by comparing process executions recorded by the IT system against a process model (representing the normative behavior). However, most of the existing techniques are only able to identify low-level deviations, which provide a scarce support to investigate what actually happened when a process execution deviates from the specification. In this work, we introduce an approach to extract recurrent deviations from historical logging data and generate anomalous patterns representing high-level deviations. These patterns provide analysts with a valuable aid for investigating nonconforming behaviors; moreover, they can be exploited to detect high-level deviations during conformance checking. To identify anomalous behaviors from historical logging data, we apply frequent subgraph mining techniques together with an ad-hoc conformance checking technique. Anomalous patterns are then derived by applying frequent items algorithms to determine highly-correlated deviations, among which ordering relations are inferred. The approach has been validated by means of a set of experiments.

History-based construction of alignments for conformance checking:Formalization and implementation

Alignments provide a robust approach for conformance checking, which has been largely applied in various contexts such as auditing and performance analysis. Alignment-based conformance checking techniques pinpoint the deviations causing nonconformity based on a cost function. However, such a cost function is often manually defined on the basis of human judgment and thus error-prone, leading to alignments that do not provide accurate explanations of nonconformity. This paper proposes an approach to automatically define the cost function based on information extracted from the past process executions. The cost function only relies on objective factors and thus enables the construction of probable alignments, i.e. alignments that provide probable explanations of nonconformity. Our approach has been implemented in ProM and evaluated using both synthetic and real-life data.

Behavior analysis in the medical sector: theory and practice

Behavior analysis has received considerable attention over recent years. In this paper, we apply behavior analysis to study the use of the Break-The-Glass (BTG) procedure at the Academic Medical Center (AMC), a large Dutch hospital. Similar to most hospitals, AMC employs the BTG procedure to deal with emergencies, which allows users to access patient data that they would not be normally allowed to access. This flexibility can be misused by users, leading to legal and financial consequences for the hospital. To assist AMC in the detection of possible misuses of the BTG procedure, in this work, we present an approach to analyze user behavior and apply it to a log collected from AMC. We partition users into different subgroups and build self-explanatory histogram-based profiles for users and subgroups. By comparing profiles, we measure to what extent users behave differently from their peers. The discussion of our findings with experts at AMC has shown that our approach can provide meaningful insights on user behavior and histograms are easy to understand and facilitate the investigation of suspicious behaviors.

From security-by-design to the identification of security-critical deviations in process executions

Security-by-design is an emerging paradigm that aims to deal with security concerns from the early phases of the system development. Although this paradigm can provide theoretical guarantees that the designed system complies with the defined processes and security policies, in many application domains users are allowed to deviate from them to face unpredictable situations and emergencies. Some deviations can be harmless and, in some cases, necessary to ensure business continuity, whereas other deviations might threat central aspects of the system, such as its security. In this paper, we propose a tool supported method for the identification of security-critical deviations in process executions using compliance checking analysis. We implemented the approach as part of the STS-Tool and evaluated it using a real loan management process of a Dutch financial institute.

Discovering anomalous frequent patterns from partially ordered event logs

Conformance checking allows organizations to compare process executions recorded by the IT system against a process model representing the normative behavior. Most of the existing techniques, however, are only able to pinpoint where individual process executions deviate from the normative behavior, without considering neither possible correlations among occurred deviations nor their frequency. Moreover, the actual control-flow of the process is not taken into account in the analysis. Neglecting possible parallelisms among process activities can lead to inaccurate diagnostics; it also poses some challenges in interpreting the results, since deviations occurring in parallel behaviors are often instantiated in different sequential behaviors in different traces. In this work, we present an approach to extract anomalous frequent patterns from historical logging data. The extracted patterns can exhibit parallel behaviors and correlate recurrent deviations that have occurred in possibly different portions of the process, thus providing analysts with a valuable aid for investigating nonconforming behaviors. Our approach has been implemented as a plug-in of the ESub tool and evaluated using both synthetic and real-life logs.