Classifying traces of event logs on the basis of security risks
Fazzinga, B.; Flesca, Sergio; Furfaro, Filippo
2016-01-01
Abstract
In the context of security risk analysis, we address the problem of classifying log traces describing business process executions. Specifically, on the basis of some (possibly incomplete) knowledge of the process structures and of the patterns representing insecure behaviors, we classify each trace as an instance of some process and/or as a potential security breach. This classification is addressed in the challenging setting where an event does not have a unique interpretation in terms of the activity that generated it, but can correspond to several activities. In our framework, the event/activity mapping is encoded probabilistically, and the models describing the processes and the security breaches are expressed in terms of precedence/causality rules over the activities. Each trace is classified on the basis of the conformance of its possible interpretations, generated by a Monte Carlo mechanism, to the security-breach models and/or the process models. The framework has been experimentally shown to be efficient and effective.
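As an added illustration of the classification scheme the abstract describes (not code from the paper or its authors), the following sketch encodes the event/activity mapping as a per-event probability distribution, expresses process and breach models as two hypothetical rule kinds standing in for the paper's precedence/causality rules, samples interpretations with a seeded Monte Carlo loop, and labels a constructed four-event trace by its estimated conformance to each model.

```python
import random
from typing import Dict, List, Tuple

# Constructed types: a trace is a list of events, each with a probability
# distribution over the activities that may have generated it.  Rule kinds are
# hypothetical stand-ins for the paper's precedence/causality rules:
#   ("precedence", a, b): every occurrence of b must be preceded by some a
#   ("causality",  a, b): the pattern "a, later followed by b" must occur
Trace = List[Dict[str, float]]
Rule = Tuple[str, str, str]

def conforms(interp: List[str], model: List[Rule]) -> bool:
    """True iff one concrete interpretation satisfies every rule of the model."""
    for kind, a, b in model:
        if kind == "precedence":
            if any(act == b and a not in interp[:i] for i, act in enumerate(interp)):
                return False
        elif kind == "causality":
            if not any(act == a and b in interp[i + 1:] for i, act in enumerate(interp)):
                return False
        else:
            raise ValueError(f"unknown rule kind: {kind}")
    return True

def monte_carlo_conformance(trace: Trace, model: List[Rule], n: int, seed: int = 0) -> float:
    """Estimate P(model holds) by sampling n interpretations, one activity per event."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n):
        interp = [rng.choices(list(d), weights=list(d.values()))[0] for d in trace]
        hits += conforms(interp, model)
    return hits / n

def classify(trace: Trace, process_models: Dict[str, List[Rule]],
             breach_models: Dict[str, List[Rule]], n: int = 4000, threshold: float = 0.5) -> List[str]:
    """Label the trace with every process or breach model it conforms to with high probability."""
    labels = [name for name, m in process_models.items()
              if monte_carlo_conformance(trace, m, n) >= threshold]
    labels += ["breach:" + name for name, m in breach_models.items()
               if monte_carlo_conformance(trace, m, n) >= threshold]
    return labels

# Constructed sample: four logged events, two of them with ambiguous activity mappings.
TRACE: Trace = [{"login": 1.0},
                {"read_record": 0.7, "export_record": 0.3},
                {"approve": 0.8, "delete": 0.2},
                {"logout": 1.0}]
PROCESS_MODELS = {"record_review": [("precedence", "login", "read_record"),
                                    ("precedence", "read_record", "approve"),
                                    ("precedence", "approve", "logout")]}
BREACH_MODELS = {"exfiltration": [("causality", "export_record", "delete")]}
```

For this trace the exact conformance probabilities are 0.7 * 0.8 = 0.56 for `record_review` and 0.3 * 0.2 = 0.06 for `exfiltration`, so the Monte Carlo estimates should land near those values and `classify` returns only the process label at a 0.5 threshold.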