Mining association rules for anomaly detection in dynamic process runtime behavior and explaining the root cause to users

Abstract

Detecting anomalies in process runtime behavior is crucial: they might reflect, on the one hand, security breaches and fraudulent behaviour and, on the other hand, desired deviations due to, for example, exceptional conditions. Both scenarios yield valuable insights for process analysts and owners, but they happen for different reasons and require different treatment. Hence a distinction between malign and benign anomalies is required. Existing anomaly detection approaches typically fall short in supporting experts who need to make this decision. An additional problem is false positives, which could result in selecting incorrect countermeasures. This paper proposes a novel anomaly detection approach based on association rule mining. It fosters the explanation of anomalies and the estimation of their severity. In addition, the approach is able to deal with process change and flexible executions, which potentially lead to false positives. This makes it easier to take the appropriate countermeasure for a malign anomaly and to avoid the possible termination of benign process executions. The feasibility and result quality of the approach are shown by a prototypical implementation and by analyzing real-life logs with injected artificial anomalies. The explanatory power of the presented approach is evaluated through a controlled experiment with users.

Authors
  • Böhmer, Kristof
  • Rinderle-Ma, Stefanie
Shortfacts
  • Category: Journal Paper
  • Divisions: Workflow Systems and Technology
  • Journal or Publication Title: Information Systems
  • ISSN: 0306-4379
  • Publisher: Elsevier
  • Page Range: p. 101438
  • Volume: 90
  • Date: May 2020