An ensemble-based approach to the security-oriented classification of low-level log traces

Abstract

Traditionally, Expert Systems have found a natural application in the behavioral analysis of processes. In fact, they have proved effective in the tasks of interpreting the data collected during the process executions and of analyzing these data with the aim of diagnosing/detecting anomalies. In this context, we focus on log data generated by executions of business processes, and consider the issue of detecting “insecure” process instances, involving some kind of security breach (e.g. attacks, frauds). We propose a hybrid framework for accomplishing a security-oriented classification of activity-unawaretraces, i.e., traces consisting of “low-level” events with no explicit reference to the “high-level” activities the analysts are typically familiar with. The framework integrates two classification approaches traditionally used as alternative ways to decide on the “secureness” of process traces: (i) a model-driven approach, using knowledge of behavioral models expressed at the abstraction level of the activities, and (ii) an example driven approach, exploiting the availability of event sequences labeled by experts as symptomatic of “secure” or “insecure” behavior. The core of our solution is a meta-classifier combining (i) and (ii) thanks to a probabilistic Montecarlo mechanism that allows the traces to be simultaneously viewed as sequences of low-level events and of high-level activities. The framework has been empirically proved effective in jointly exploiting the two aforementioned forms of knowledge/expertise, typically coming from different experts, and in acting as a sort of “super-expert” classification tool. Its accuracy and efficiency make it a solid basis for implementing a novel kind of expert system for the security-oriented monitoring/analysis of business processes.