Online and offline classification of traces of event logs on the basis of security risks

The problem of classifying business log traces is addressed in the context of security risk analysis. We consider the challenging setting where the actions performed in a process instance are described in the log as executions of low-level operations (such as “Pose a query over a DB”, “Upload a file into an ftp server”), while analysts and business users describe/understand the process steps as instances of high-level activities (such as “Update the customer’s personal data”, and “Share a project draft with the coworkers”). Given this, we aim at classifying each trace as the result of a process execution within which a security breach has occurred or not, by taking into account some (possibly incomplete) knowledge of the process structures and of the patterns representing insecure behaviors. What makes the problem challenging is that, when no workflow regulating the process executions is defined, this knowledge is typically owned by experts who reason in terms of process activities, thus it is encoded by behavioral rules at the higher abstract level. Thus, classifying requires the traces to be interpreted and brought to this higher abstraction level, and often this cannot be done deterministically, since the mapping between operations and activities is many-to-many. In our framework, the operation/activity mapping is encoded probabilistically, and the behavioral rules are expressed in terms of precedence/causality constraints over the activities, grouped into mandatory, highly recommended, and recommended requirements. The classification task is addressed in both the cases that process execution are ongoing and have terminated (i.e. in both online and offline scenarios, respectively), and its core is a Monte Carlo generation, that produces a sample of interpretations whose conformance to the security breach models is used to estimate the risks for the security.