Privacy and security of electronic data, which are increasingly generated and used in our society (e.g., electronic health records, financial data, demographics and administrative data used in eGoverment), are becoming a serious and urgent issue nowadays. Data protection legislation in the EU imposes very stringent requirements on the collection, processing and disclosure of personal data as well as empowers users to control the access and usage of their data. Traditional access control mechanisms, when correctly deployed, can provide theoretical guarantees that unauthorized accesses are prevented. These mechanisms are too inflexible to be used in dynamic environments like hospitals, where exceptions and unpredictable circumstances often arise. Thus, alongside access control mechanisms, organizations may employ mechanisms like the Break-The-Glass (BTG) procedure that allows users to bypass preventive enforcement mechanisms. This flexibility, however, introduces a weak-point in the system that can be misused by users. To this end, user behavior should be recorded in logs and analyzed to detect possible data misuses.
Current security mechanisms neglect the existence of business processes and do not take advantage of the opportunity to analyze the event logs and business processes to support the IT system in analyzing user behavior. The Security group mainly focus on extending and developing techniques that exploit process-related data for auditing user behavior. Our main contributions include:
History-based conformance checking: There may exist a number of explanations why a process execution is not conforming.
Alignment-based conformance checking techniques pinpoint the deviations causing nonconformity based on a cost
function. However, such a cost function is often manually defined on the basis of human judgment and thus error-prone, leading to alignments that do not provide the most probable explanations of nonconformity.
We have proposed an approach to automatically define the cost function
based on information extracted from the past process executions.
In particular, we have investigated discuss how probable explanations for non-conformity between a process execution and a process model can be constructed and how they can be ranked with respect to their criticality.
Discovering frequent anomalous patterns: Classic conformance checking techniques derive low-level deviations occurred in every single process execution. However, an analysts may have more interest in knowing diagnostics at a higher-level of granularity. In this work, we focus on providing an analyst with a “deviations dashboard”, reporting analytics and interesting trends regarding the occurred deviations. More precisely, we extract anomalous frequent patterns representing recurrent deviations from historical logging data. These patterns describe portion of process executions involving recurrent deviant behaviors which tend to occur together, thus providing the analyst with valuable insights about deviations in past process execution.
Linking data and process perspectives for deviation analysis: The detection of data breaches has become a major challenge for most organizations. The problem lies in that fact that organizations often lack proper mechanisms to control and monitor users’ activities and their data usage. Although several auditing approaches have been proposed to assess the compliance of actual executed behavior, existing approaches focus on either checking data accesses against security policies (data perspective) or checking user activities against the activities needed to conduct business processes (process perspective). Analyzing user behavior from these perspectives independently may not be sufficient to expose security incidents. We have studied how analyze user behavior with respect to both data and process perspectives.