Discover Process Models Research Articles

A process mining-based method for attacker profiling using the MITRE ATT&CK taxonomy

Cybersecurity intelligence involves gathering and analyzing data to understand cyber adversaries’ capabilities, intentions, and behaviors to establish adequate security measures. The MITRE ATT&CK framework is valuable for gaining insight into cyber threats since it details attacker tactics, techniques, and procedures. However, to fully understand an attacker’s behavior, it is necessary to connect individual tactics. In this context, Process Mining (PM) can be used to analyze runtime events from information systems, thereby discovering causal relations between those events. This article presents a novel approach combining Process Mining with the MITRE ATT&CK framework to discover process models of different attack strategies. Our approach involves mapping low-level system events to corresponding event labels from the MITRE ATT&CK taxonomy, increasing the abstraction level for attacker profiling. We demonstrate the effectiveness of our approach using real datasets of human and automated (malware) behavior. This exploration helps to develop more efficient and adaptable security strategies to combat current cyber threats and provides valuable guidelines for future research.

Entropy-Based Behavioral Closeness Filtering Chaotic Activity Method

In the era of big data, one of the key challenges is to discover process models and gain insights into business processes by analyzing event data recorded in information systems. However, Chaotic activity or infrequent behaviors often appear in actual event logs. Process models containing such behaviors are complex, difficult to understand, and hide the relevant key behaviors of the underlying processes. Established studies have generally achieved chaotic activity filtering by filtering infrequent activities or activities with high entropy values and ignoring the behavioral relationships that exist between activities, resulting in effective low-frequency behaviors being filtered. To solve this problem, this paper proposes an entropy-based behavioral closeness filtering of chaotic activities method. Firstly, based on the behavior profile theory of high-frequency logging activities, the process model is constructed by combining the feature network and the module network. Then, the identification of suspected chaotic activity sets is achieved through the Laplace entropy value. Next, a query model is built based on logs containing suspicious chaotic activity. Finally, based on the succession relationship, the behavioral closeness of the query model and the business process model is analyzed to achieve the goal of accurately filtering chaotic activities to retain behaviors beneficial to the process. To evaluate the performance of the method, we validated the effectiveness of the proposed algorithm in synthetic logs and real logs, respectively. Experimental results showed that the proposed method performs better in precision after filtering chaotic activities.

Discovering Process Models with Long-Term Dependencies while Providing Guarantees and Filtering Infrequent Behavior Patterns

In process discovery, the goal is to find, for a given event log, the model describing the underlying process. While process models can be represented in a variety of ways, Petri nets form a theoretically well-explored description language and are therefore often used. In this paper, we extend the eST-Miner process discovery algorithm. The eST-Miner computes a set of Petri net places which are considered to be fitting with respect to a certain fraction of the behavior described by the given event log as indicated by a given noise threshold. It evaluates all possible candidate places using token-based replay. The set of replayable traces is determined for each place in isolation, i.e., these sets do not need to be consistent. This allows the algorithm to abstract from infrequent behavioral patterns occurring only in some traces. However, when combining places into a Petri net by connecting them to the corresponding uniquely labeled transitions, the resulting net can replay exactly those traces from the event log that are allowed by the combination of all inserted places. Thus, inserting places one-by-one without considering their combined effect may result in deadlocks and low fitness of the Petri net. In this paper, we explore adaptions of the eST-Miner, that aim to select a subset of places such that the resulting Petri net guarantees a definable minimal fitness while maintaining high precision with respect to the input event log. Furthermore, current place evaluation techniques tend to block the execution of infrequent activity labels. Thus, a refined place fitness metric is introduced and thoroughly investigated. In our experiments we use real and artificial event logs to evaluate and compare the impact of the various place selection strategies and place fitness evaluation metrics on the returned Petri net.

Advancing verification of process mining models with quantitative model checking in stochastic environment

The study of business process analysis and optimization has attracted significant scholarly interest in the recent past, due to its integral role in boosting organizational performance. A specific area of focus within this broader research field is Process Mining (PM). Its purpose is to extract knowledge and insights from event logs maintained by information systems, thereby discovering process models and identify process-related issues. The goal of the current study is to examine how Quantitative Model Checking (QMC) approaches might be applied in the context of PM. Model checking is a well-known verification approach that provides thorough analysis and validation of a system’s properties in comparison to a predetermined model. The adoption of QMC is aimed at improving the accuracy, reliability, and comprehensiveness of PM models in stochastic environment. We propose a novel methodology in this research direction, which integrates QMC with PM by formally modelling discovered and replayed process models and applying QMC methods to verify PM models. The potential of QMC to overcome significant drawbacks of the existing methodologies is the main driver for its use in PM. By including probabilistic model verification, it is possible to take into account the uncertainties and stochastic behaviour that are frequently present in systems that are used in real world; while statistical model checking methods utilized where probabilistic methods fails/not suitable, such as, to handle complex models and/or models with large state-spaces.

A screenshot-based task mining framework for disclosing the drivers behind variable human actions

Robotic Process Automation (RPA) enables subject matter experts to use the graphical user interface as a means to automate and integrate systems. This is a fast method to automate repetitive, mundane tasks. To avoid constructing a software robot from scratch, Task Mining approaches can be used to monitor human behavior through a series of timestamped events, such as mouse clicks and keystrokes. From a so-called User Interface log (UI Log), it is possible to automatically discover the process model behind this behavior. However, when the discovered process model shows different process variants, it is hard to determine what drives a human’s decision to execute one variant over the other. Existing approaches do analyze the UI Log in search for the underlying rules, but neglect what can be seen on the screen. As a result, a major part of the human decision-making remains hidden. To address this gap, this paper describes a Task Mining framework that uses the screenshot of each event in the UI Log as an additional source of information. From such an enriched UI Log, by using image-processing techniques and Machine Learning algorithms, a decision tree is created, which offers a more complete explanation of the human decision-making process. The presented framework can express the decision tree graphically, explicitly identifying which elements in the screenshots are relevant to make the decision. The framework has been evaluated through a case study that involves a process with real-life screenshots. The results indicate a satisfactorily high accuracy of the overall approach, even if a small UI Log is used. The evaluation also identifies challenges for applying the framework in a real-life setting when a high density of interface elements is present.

Statistical Model Checking in Process Mining: A Comprehensive Approach to Analyse Stochastic Processes

The study of business process analysis and optimisation has attracted significant scholarly interest in the recent past, due to its integral role in boosting organisational performance. A specific area of focus within this broader research field is process mining (PM). Its purpose is to extract knowledge and insights from event logs maintained by information systems, thereby discovering process models and identifying process-related issues. On the other hand, statistical model checking (SMC) is a verification technique used to analyse and validate properties of stochastic systems that employs statistical methods and random sampling to estimate the likelihood of a property being satisfied. In a seamless business setting, it is essential to validate and verify process models. The objective of this paper is to apply the SMC technique in process mining for the verification and validation of process models with stochastic behaviour and large state space, where probabilistic model checking is not feasible. We propose a novel methodology in this research direction that integrates SMC and PM by formally modelling discovered and replayed process models and apply statistical methods to estimate the results. The methodology facilitates an automated and proficient evaluation of the extent to which a process model aligns with user requirements and assists in selecting the optimal model. We demonstrate the effectiveness of our methodology with a case study of a loan application process performed in a financial institution that deals with loan applications submitted by customers. The case study highlights our methodology’s capability to identify the performance constraints of various process models and aid enhancement efforts.

Methods of Partial Differential Equation Discovery: Application to Experimental Data on Heat Transfer Problem

The paper presents two effective methods for discovering process models in the form of partial differential equations based on an evolutionary algorithm and an algorithm for the best subset selection. The methods are designed to work with sparse and noisy data and implement various numerical differentiation techniques, including piecewise local approximation using multidimensional polynomial functions, neural network approximation, and an additional algorithm for selecting differentiation steps. To verify the algorithms, the experiment is carried out on pulsed heating of a viscous liquid (glycerol) by a submerged horizontal cylindrical heat source. Temperature measurements are taken only at six points, which makes the data very sparse. The noise level ranges from 0.2 to 1% of the observed maximum temperature. The algorithms can successfully restore the structure of the heat transfer equation in cylindrical coordinates and determine the thermal diffusivity coefficient with an error of 2.5–20%, depending on the algorithm type and heating mode. Additional synthetic setups are employed to analyze the dependence of accuracy on the noise level. Results also demonstrate the algorithms’ ability to identify underlying processes such as convective motion.

Everything at the proper time: Repairing identical timestamp errors in event logs with Generative Adversarial Networks

Process mining generates valuable insights into business processes through the analysis of event logs. However, event logs are commonly subject to various data quality issues which hinder the success of process mining initiatives in organizations. Identical timestamp errors, for example, occur when multiple events of a process instance mistakenly share the same timestamp. This error causes discovered process models to be unrepresentative and process performance analysis results to be misleading. To address this problem, we propose a method for automatically repairing identical timestamp errors in event logs. To that end, we combine existing method components for error detection and reordering of erroneous events with a novel approach for repairing timestamps based on Generative Adversarial Networks. To allow for a rigorous evaluation, we instantiate our approach as a software prototype, and use it to repair a total of six real-life and artificial event logs with overall 30 variations. Thereby, we show that the proposed method shows improved results compared to alternative approaches for repairing identical timestamp errors in event logs.

X-Processes: Process model discovery with the best balance among fitness, precision, simplicity, and generalization through a genetic algorithm

Although process model discovery has been largely investigated over the past two decades, existing process discovery methods are not yet considered fully satisfactory. A particular issue is the difficulty of discovering process models with a good balance among recall (or fitness), precision, generalization, and simplicity, notably for real-world event logs. This article revisits the genetic algorithms-based X-Processes process discovery method, discussing the results of using a fitness function calculated through a harmonic mean that considers the four main metrics of process model quality used in process mining — recall, precision, generalization and simplicity. Although genetic algorithms have been used to discover process models, such methods have limitations, as do other non-genetic algorithm-based methods. X-Processes was tested with two harmonic mean options — one based on recall and precision only and another based on the four quality metrics. X-Processes showed superior effectiveness when compared to state-of-the-art process discovery methods, including one also based on genetic algorithms. The experimental results obtained for both harmonic mean options, using 12 real-world event logs, show that the overall quality of all process models discovered by X-Processes is superior to that of the baseline methods. While its execution time is longer than the other compared process discovery methods, X-Processes emerges as a solution when the need for a higher quality process model outweighs the hunger for agility.

Discovering hybrid process models with bounds on time and complexity: When to be formal and when not?

Discovering process models from event data is a highly relevant, but also a notoriously difficult, problem. Therefore, it is unsurprising that the biggest share of process mining research is devoted to process discovery. While techniques reported in scientific literature tend to produce process models that are formal, i.e., which mathematically describe the possible behaviors, commercial process mining tools return informal models (merely a “picture” not allowing for any form of formal reasoning). Hybrid process models aim at combining the best of both worlds: they capture behavior that is strongly supported by data and that can be used for formal reasoning, as well as behavior that cannot be represented in clear-cut process constructs or that does not have enough evidence in the data. This paper presents an approach for discovering hybrid Petri nets, which, unlike existing techniques, produces models that have both formal and semi-formal constructs so that even if the behavior in the data is noisy and irregular or it does not fit predefined constructs, causal relationships are still captured. Our evaluation demonstrates the advantages of combining such “deliberate vagueness” with formal guarantees. The ideas presented here are fairly general, and can serve as a foundation for other, new hybrid discovery techniques.

Behavioral and Performance Analysis of a Real-Time Case Study Event Log: A Process Mining Approach

Project-based organizations need to procure different commodities, and the failure/success of a project depends heavily on procurement management. Companies must refine and develop methods to simplify and optimize the procurement process in a highly competitive environment. This paper presents a methodology to help managers of project-based organizations analyze procurement processes to determine the optimal framework for simultaneously addressing multiple objectives. These goals include minimizing the time between the generation and required approval for a purchase, identifying unnamed activities, and allocating the budget efficiently. In this paper, we apply process mining algorithms to a dataset consisting of event logs on Oracle Financials-based enterprise resource planning (ERP) procurement processes in ERP systems and demonstrate interesting results leading to project procurement intelligence (PPI). The provided log data is the real-life data consisting of 180,462 events referring to seven activities within 43,101 cases. The logged procurement processes are filtered and analyzed using the open-source process mining frameworks PrOM and Disco. As a result of the process mining activities, a simulation of the discovered process model derived from the event log of the entire procurement process is presented, and the most frequent potential behaviors are identified. This analysis and extraction of frequent processes from corporate event logs help organizations understand, adapt, and redesign procurement operations and, most importantly, make them more efficient and of higher quality. This study shows that after the successful formulation of guiding principles, data refinement, and process structure optimization, the case study results are considered significant by the organization’s management.

Discovering interpretable medical process models: A case study in trauma resuscitation

Understanding the actual work (i.e., “work-as-done”) rather than theorized work (i.e., “work-as-imagined”) during complex medical processes is critical for developing approaches that improve patient outcomes. Although process mining has been used to discover process models from medical activity logs, it often omits critical steps or produces cluttered and unreadable models. In this paper, we introduce a TraceAlignment-based ProcessDiscovery method called TAD Miner to build interpretable process models for complex medical processes. TAD Miner creates simple linear process models using a threshold metric that optimizes the consensus sequence to represent the backbone process, and then identifies both concurrent activities and uncommon-but-critical activities to represent the side branches. TAD Miner also identifies the locations of repeated activities, an essential feature for representing medical treatment steps. We conducted a study using activity logs of 308 pediatric trauma resuscitations to develop and evaluate TAD Miner. TAD Miner was used to discover process models for five resuscitation goals, including establishing intravenous (IV) access, administering non-invasive oxygenation, performing back assessment, administering blood transfusion, and performing intubation. We quantitively evaluated the process models with several complexity and accuracy metrics, and performed qualitative evaluation with four medical experts to assess the accuracy and interpretability of the discovered models. Through these evaluations, we compared the performance of our method to that of two state-of-the-art process discovery algorithms: Inductive Miner and Split Miner. The process models discovered by TAD Miner had lower complexity and better interpretability than the state-of-the-art methods, and the fitness and precision of the models were comparable. We used the TAD process models to identify (1) the errors and (2)the best locations for the tentative steps in knowledge-driven expert models. The knowledge-driven models were revised based on the modifications suggested by the discovered models. The improved modeling using TAD Miner may enhance understanding of complex medical processes.

Discovering Process Models from Event Logs of Multi-Agent Systems Using Event Relations

The structure of a process model directly discovered from an event log of a multi-agent system often does not reflect the behavior of individual agents and their interactions. We suggest analyzing the relations between events in an event log to localize actions executed by different agents and involved in their asynchronous interaction. Then, a process model of a multi-agent system is composed from individual agent models between which we add channels to model the asynchronous message exchange. We consider agent interaction within the acyclic and cyclic behavior of different agents. We develop an algorithm that supports the analysis of event relations between different interacting agents and study its correctness. Experimental results demonstrate the overall improvement in the quality of process models discovered by the proposed approach in comparison to monolithic models discovered directly from event logs of multiagent systems.

All that glitters is not gold: Four maturity stages of process discovery algorithms

A process discovery algorithm aims to construct a process model that represents the real-world process stored in event data well; it is precise, generalizes the data correctly, and is simple. At the same time, it is reasonable to expect that better quality input event data should lead to constructed process models of better quality. However, existing process discovery algorithms omit the discussion of this relationship between the inputs and outputs and, as it turns out, often do not guarantee it. We demonstrate the latter claim using several quality measures for event data and discovered process models. Consequently, this paper requests for more rigor in the design of process discovery algorithms, including properties that relate the qualities of the inputs and outputs of these algorithms. We present four incremental maturity stages for process discovery algorithms, along with concrete guidelines for formulating relevant properties and experimental validation. We then use these stages to review several state of the art process discovery algorithms to confirm the need to reflect on how we perform algorithmic process discovery.

Formal Modeling and Discovery of Multi-instance Business Processes: A Cloud Resource Management Case Study

Process discovery, as one of the most challenging process analysis techniques, aims to uncover business process models from event logs. Many process discovery approaches were invented in the past twenty years; however, most of them have difficulties in handling multi-instance sub-processes. To address this challenge, we first introduce a multi-instance business process model (MBPM) to support the modeling of processes with multiple sub-process instantiations. Formal semantics of MBPMs are precisely defined by using multi-instance Petri nets (MPNs) that are an extension of Petri nets with distinguishable tokens. Then, a novel process discovery technique is developed to support the discovery of MBPMs from event logs with sub-process multi-instantiation information. In addition, we propose to measure the quality of the discovered MBPMs against the input event logs by transforming an MBPM to a classical Petri net such that existing quality metrics, e.g., fitness and precision, can be used. The proposed discovery approach is properly implemented as plugins in the ProM toolkit. Based on a cloud resource management case study, we compare our approach with the state-of-the-art process discovery techniques. The results demonstrate that our approach outperforms existing approaches to discover process models with multi-instance sub-processes.

Discovery of Business Process Models from Incomplete Logs

The completeness of event logs and long-distance dependencies are two major challenges for process mining. Until now, most process mining methods have not been able to discover long-distance dependency and assume that the directly-follows relationship in the log is complete. However, due to the existence of high concurrency and the cycle, it is difficult to guarantee that the real-life log is complete regarding the directly-follows relationship. Therefore, process mining needs to be able to deal with incompleteness. In this paper, we propose a method for discovering process models including sequential, exclusive, concurrent, and cyclic structures from incomplete event logs. The method analyzes the co-occurrence class of the log and the model and then uses the technology of combining the behavior profile and co-occurrence class to obtain the communication behavior profile of the co-occurrence class. Furthermore, a method of constructing a substructure from the event log using the co-occurrence class is presented. Finally, the whole process model is built by combining those substructures. The experimental results show that the proposed method can discover process models with complex structures involving cycles from incomplete event logs and also can deal with long-distance dependency in the event log. Meanwhile, the discovered process model has a good degree of consistency with the original model.

A Deep Learning Approach for Repairing Missing Activity Labels in Event Logs for Process Mining

Process mining is a relatively new subject that builds a bridge between traditional process modeling and data mining. Process discovery is one of the most critical parts of process mining, which aims at discovering process models automatically from event logs. Like other data mining techniques, the performance of existing process discovery algorithms can be affected when there are missing activity labels in event logs. In this paper, we assume that the control-flow information in event logs could be useful in repairing missing activity labels. We propose an LSTM-based prediction model, which takes both the prefix and suffix sequences of the events with missing activity labels as input to predict missing activity labels. Additional attributes of event logs are also utilized to improve the performance. Our evaluation of several publicly available datasets shows that the proposed method performed consistently better than existing methods in terms of repairing missing activity labels in event logs.

The connection between process complexity of event sequences and models discovered by process mining

Process mining is a research area focusing on the design of algorithms that can automatically provide insights into business processes. Among the most popular algorithms are those for automated process discovery, which have the ultimate goal to generate a process model that summarizes the behavior recorded in an event log. Past research had the aim to improve process discovery algorithms irrespective of the characteristics of the input log. In this paper, we take a step back and investigate the connection between measures capturing characteristics of the input event log and the quality of the discovered process models. To this end, we review the state-of-the-art process complexity measures, propose a new process complexity measure based on graph entropy, and analyze this set of complexity measures on an extensive collection of event logs and corresponding automatically discovered process models. Our analysis shows that many process complexity measures correlate with the quality of the discovered process models, demonstrating the potential of using complexity measures as predictors of process model quality. This finding is important for process mining research, as it highlights that not only algorithms, but also connections between input data and output quality should be studied.

A framework for multi-perspective process mining into a BPMN process model.

Process mining is mainly focused on process discovery from control perspective. It is further applied to mine the other perspectives such as time, data, and resources by replaying the events in event logs over the initial process model. When process mining is extended far beyond discovering the control-flow models to capture additional perspectives; roles, bottlenecks, amounts of time passed, guards, and routing probabilities in the process can be identified. This is a such extensions are considered under the topic of multi-perspective process mining, which makes the discovered process model more understandable. In this study, a framework for applying multi-perspective process mining and creating a Business Process Modelling Notation (BPMN) process model as the output is introduced. The framework, which uses a recently developed application programming interface (API) for storing the BPMN Data Model which keeps what is produced from each perspective as an asset into a private blockchain in a secure and immutable way, has been developed as a plugin to the ProM tool. In doing so, it integrates a number of techniques for multi-perspective process mining in literature, for the perspectives of control-flow, data, and resource; and represents a holistic process model by combining the outputs of these in the BPMN Data Model. In this article, we explain technical details of the framework and also demonstrate its usage over a case in medical domain.

Discovery of Object-Centric Behavioral Constraint Models With Noise

Process discovery techniques can automatically discover process models from event data. These models reveal the actual behavior of the related organization and have successfully been applied in a range of domains. Event data need to be extracted from information systems. Today, most organizations use object-centric systems such as ERP and CRM systems, which generate and store data in an object-centric manner. Unfortunately, existing discovery techniques are more focused on a behavioral perspective of processes, where the data perspective is often considered as a second-class citizen. Moreover, these discovery techniques fail to deal with object-centric data with many-to-many relationships. Event data need to be “flattened” focusing on a single object type (i.e., case notion). Therefore, in this paper, we aim to discover a novel model which combines data and behavior perspectives, and the resulting Object-Centric Behavioral Constraint (OCBC) model is able to describe processes involving interacting instances and complex data dependencies. Besides, we provide solutions to deal with the noise problem, which enables process discovery in real life data.