Behavioral classification of business process executions at runtime

Abstract

Current automated methods to identify erroneous or malicious executions of a business process from logs, metrics, or other observable effects are based on detecting deviations from the normal behavior of the process. This requires a “single model of normative behavior”: the current execution either conforms to that model, or not. In this paper, we propose a method to automatically distinguish different behaviors during the execution of a process, so that a timely reaction can be triggered, e.g., to mitigate the risk of an ongoing attack. The behavioral classes are learned from event logs of a process, including branching probabilities and event frequencies. Using this method, harmful or problematic behavior can be identified during or even prior to its occurrence, raising alarms as early as undesired behavior is observable. The proposed method has been implemented and evaluated on a set of artificial logs capturing different types of exceptional behavior. Pushing the method to its edge in this evaluation, we provide a first assessment of where the method can clearly discriminate between classes of behavior, and where the differences are too small to make a clear determination.