controlling break-the-glass through alignment1zannone/publication/adri... · 2020. 1. 14. ·...
TRANSCRIPT
Controlling Break-The-Glass Through Alignment1
Arya AdriansyahEindhoven University of
TechnologyEmail: [email protected]
Boudewijn F. van DongenEindhoven University of
TechnologyEmail: [email protected]
Nicola ZannoneEindhoven University of
TechnologyEmail: [email protected]
ABSTRACT
Modern IT systems have to deal with unpredictablesituations and exceptions more and more often. Incontrast, security mechanisms are usually very rigid.This causes organizations to employ functionality likebreak-the-glass that allows users to bypass securitymechanisms in case of emergencies. However, break-the-glass introduces a weak point in the system andcan be misused. In this paper, we present a flexibleframework for controlling the use of break-the-glassusing the notion of alignments. The framework mea-sures to what extent a process execution divergesfrom the specification (i.e., using optimal alignments)and revokes the exceptional permissions granted tocope with the emergency when the severity of devi-ations cannot be tolerated. To measure the severityof deviations, we extend alignment-based deviationanalysis techniques. In particular, our technique isable to identify high-level deviations such as activityreplacements and swaps; hence it provides a moreaccurate diagnosis of deviations than classical op-timal alignments. Our work is implemented as aProM 6 plug-in and evaluated using both syntheticand real-life data.
I INTRODUCTION
Recent studies show that insider abuse is a significantproblem for organizations. According to the 2008CSI Computer Crime and Security Survey [2], 44% ofreported incidents belong to the category of insiderabuse, second only to virus incidents (50%). More-over, damage caused by insiders can be particularlyexpensive: a US Secret Service study shows that morethan 50% of respondents on insider frauds claimedlosses over $20.000 with 12 respondents claimed a lossover $1.0 million.
The underlying fundamental problem is that nowa-days policy specification and enforcement, whichguarantee that data are used and distributed accord-ing to established policies, are done exclusively bypreventive means. The basic notion of enforcementrelies on the idea that infringements (i.e., deviations
from policies and procedures) are violations and assuch should not be permitted [3, 4].
Preventive security mechanisms are too inflexibleto be used in dynamic and open environments likehealthcare. While posing strict constraints on theaccess to sensitive information, the system has alsoto cope with the potential exceptions raised in caseof emergencies. For instance, doctors may deviatefrom the specification to react to an emergency. Pre-venting such actions can result in undesirable conse-quences (e.g., the loss of a patient).
The inflexibility of existing enforcement mechanismsoften forces users to bypass them and just switch offsecurity measures, which leads to insecurity. Mosthealthcare systems, for instance, include “break-the-glass” functionality which allow users to bypass ac-cess control rules in emergency situations [5, 6]. Thedeployment of break-the-glass functionality, however,introduces a weak point in the system that can bemisused [7]. To regulate the use of break-the-glassand thus reduce security risks, it is advisable to de-velop flexible yet automated tools able to analyze userbehavior at run-time and take compensation actionswhen the consequences of infringements cannot betolerated.
Several approaches [8,9] have been proposed to checkcompliance of user behavior with specification. Al-though these techniques are able to detect that a devi-ation occurred, they do not explicitly identify its rootcauses, making it difficult to quantify its severity. Incontrast, the notion of alignments [10] provides a ro-bust approach to determine the root causes of devia-tions. Intuitively, alignments are used to identify andmeasure the differences between a process executionand a process model by comparing the process execu-tion against the possible runs of the process model.However, constructing optimal alignments is compu-tationally expensive. Existing techniques [11,12] im-pose restrictions on the type of optimal alignments tocompute them efficiently. In particular, alignmentsonly identify events that occur in the process execu-tion although they not allowed according to the pro-cess model (i.e., insertions) and activities that must
1This paper is an expanded version of [1].
Page 1 of 16c©ASE 2012
occur according to the process model but they areabsent in the process execution (i.e., suppressions).Nonetheless, the severity of deviations should be as-sessed in terms of high level deviations like replace-ments and swaps [13]. Therefore, low level deviationshave to be analyzed and possibly related for a diag-nosis of the actual deviations which occurred. Iden-tifying low level deviations and then using them todiagnose high level deviations, however, may lead tomisinterpret the root causes of deviations. The fun-damental problem is that, although high level devi-ations can be seen as combinations of low level de-viations, their severity cannot be defined in terms ofthose deviations [14].
In this paper we propose a flexible framework for con-trolled break-the-glass based on the notion of align-ments. In case of an emergency, users may requireexceptional permissions. The framework grants userssuch permissions and thus allows them to deviatefrom the specification in order to face the emergency.However, deviations can only be within a certainrange: if the severity of those deviations becomes toohigh, the framework revokes the exceptional permis-sions.
We use online and offline conformance checking basedon alignments to assess the severity of deviations.Online conformance checking measures the extentuser behavior deviates from specification at run-time.Thus, it does not penalize executions that did notreach proper termination according to the model.This, however, may result in an underestimationof deviations. Offline conformance checking is per-formed after process execution is declared to be com-plete. Thus, it considers improper termination as de-viations.
To provide a more accurate diagnosis of user behav-ior and deviations, we extend alignment techniques tosupport the detection of replacements and swaps. Inparticular, we propose constructs that explicitly rep-resent these types of deviations in the process model.Assuming that all activities can be replaced/swappedwith all other activities, however, may reveal mislead-ing diagnostic information and unnecessarily increasecomputation complexity. Therefore, we also provideguidelines to obtain accurate diagnostic informationwhile preserving efficiency.
Our technique has been implemented as a ProM 6plug-in and evaluated using both synthetic and real-life logs. In particular, we use synthetic data to assessthe ability of the approach to detect deviations. Real-life logs from a Dutch Hospital are used to evaluate
the approach for controlled break-the-glass function-ality.
The paper is structured as follows. Section II in-troduces preliminary concepts. Section III presentsour approach for controlled break-the-glass, and Sec-tion IV presents an extension of alignment techniquesto deal with replacements and swaps. Section Vpresents experimental results. Finally, Section VI dis-cusses related work, and Section VII concludes thepaper providing directions for future work.
II PRELIMINARIES
This section introduces the preliminary concepts usedin the remainder of the paper.
Process models describe how processes should be car-ried out. We consider process models in the form ofPetri nets [15]. Our approach is extendable to anymodeling language for which a translation to Petrinets is available. A Petri net consists of transitions,places, arcs connecting places and transitions, and alabeling function. The labeling function maps transi-tions to the activities they represent, while places andarcs describe the routing of activities and dependencybetween them.
Figure 1 shows a simplified procedure of a healthcaretreatment in a hospital. A process instance startswhen a patient makes an Appointment. Then, the pa-tient needs to go through Radiology check, followed byLab test. Meanwhile, a Check history on his/her previ-ous medical record is performed. Gathered informa-tion is then Evaluated and decision is made whetherthe patient should go on Operation or Home treat-ment instead. Evaluation can be performed multipletimes, but it has to be performed at least once. Afteran operation, a patient stays at Nursing ward untilhis/her condition permits dehospitalization. Noticethat transitions t5 and t6 are both labeled with ac-tivity Evaluation in Figure 1.
Figure 1: Example of treatment process
The state of a Petri net is represented by a marking,
Page 2 of 16c©ASE 2012
i.e. a multiset of tokens on the places of the net. APetri net has an initial marking and a final mark-ing. The initial marking of the net in Figure 1 con-sists of one token in place p1. This place is the inputplace of transition Appointment, therefore only transi-tion Appointment is enabled according to the net andmarking. When a transition is executed (i.e., fired),a token is taken from each of its input places and atoken is added to each of its output places. A Petrinet terminates properly if it reaches its final marking(i.e., one token in place p9 in Figure 1). A sequenceof transitions from the initial to the final marking ofa Petri net is a complete run of the net.
A trace is a sequence of activities, representing a pro-cess instance. An instance of an activity in a trace iscalled an event. An event log is a multiset of traces.Figure 2 shows some examples of traces for the pro-cess in Figure 1, where activities are abbreviated ac-cording to their initial letter. Note that an activ-ity may occur many times in a trace, e.g. Evaluationcan be performed multiple times (see trace σ1 in Fig-ure 2).
σ1 = 〈a, r, l, c, e, e, o, n〉 σ2 = 〈a, l, r, c, e〉 σ3 = 〈a, r, l, e, l, t〉Figure 2: Example of traces for the model in Figure 1
Not all traces can be reproduced by the net, i.e. notall traces perfectly fit the process description. If atrace perfectly fits a Petri net, each “move” in thetrace, i.e. an activity observed in the trace, can bemimicked by a “move” in the model, i.e. a transitionfired in the net. Take for example the net in Figure 1and its perfectly fitting trace σ1 in Figure 2. For ev-ery occurrence of an activity in the trace, there isa transition in the net mapped to the same activitythat can be fired. Moreover, after all activities in thetrace are mimicked, the net reaches its final marking.
In cases where deviations occur, some movementsthat occur in the trace cannot be mimicked by thenet or vice versa. We explicitly denote “no move” by�. A legal movement is a pair (x, y) such that
• (x, y) is a synchronous move if x is an activityin the trace and y is a transition in the net, and
• (x, y) is a move on log if x is an activity in thetrace and y is �,
• (x, y) is a move on model if x is � and y is atransition in the net.
A (prefix) alignment between the trace and the netis a sequence of legal movements such that its se-quence of activities (ignoring �) yields the original
trace, and its sequence of transitions (ignoring �)yields a (prefix of a) complete run of the net. Takefor example the Petri net in Figure 1 and trace σ2 inFigure 2. γ1 in Figure 3 is an alignment between σ2and the net. The top row of γ1 shows the sequence of“moves” in the trace, and the bottom row shows thesequence of “moves” in the model (both ignoring�).For every transition, we indicate the correspondingactivity on top of it. As shown in γ1, the sequence ofactivities in the top row yields the original trace σ2and the sequence of transitions in the bottom row isa complete run of the net.
γ1 =a l r c � e �a r c l e h
t1 � t2 t4 t3 t5 t9
γ2 =a l r c � e
a r c l e
t1 � t2 t4 t3 t5
Figure 3: An alignment (top) and a prefix alignment (bottom) between
trace σ2 in Figure 2 and the model in Figure 1
Given a trace representing an incomplete process exe-cution, an alignment between the trace and the modelhighlights the transitions that still need to be fired toreach proper termination as deviations. In contrast,prefix alignments highlight deviations without penal-izing for non-completion. For example, γ2 in Figure 3is a prefix alignment between the net in Figure 1 andtrace σ2 in Figure 2. Notice that the top row of thealignment yields trace σ2 (the same as γ1 in Figure 3),but the bottom row yields a prefix of a complete run.
For a given process model and a trace, there can bemore than one possible (prefix) alignment. For in-stance, γ3 in Figure 4 is another possible alignmentbetween trace σ2 and the net in Figure 1. Noticethat there are more deviations according to γ3 thanaccording to γ1 (4 compared to 3).
γ3 =a l r c � e � �a r c l e o n
t1 � t2 t4 t3 t5 t7 t8
Figure 4: A non optimal alignment between trace σ2 in Figure 2 and
the model in Figure 1
The quality of a (prefix) alignment is measured basedon a predefined cost function. A cost function de-fines the cost of movements that can occur in thealignment. An optimal (prefix) alignment between aprocess model and a trace is the one that has the
Page 3 of 16c©ASE 2012
least total cost according to the cost function. Vari-ous cost functions can be defined, depending on theapplication domain and purpose of the analysis. Forexample, the standard cost function [16] defines thecost of each move on model/move on log equal to 1,the cost of each synchronous move between an activ-ity and a transition labeled with the same activityequal to 0, and the cost is +∞ otherwise. The totalcost of alignment γ1 is 3 and the total cost of align-ment γ3 is 4. Thus, γ1 is better than γ3 according tothe standard cost function. Since there is no otheralignment between the trace and the model that hastotal cost lower than 3, γ1 is an optimal alignment.
Constructing optimal (prefix) alignments requires ex-ploration of the (possibly infinite) state space of aPetri net, which is computationally expensive. Givena Petri net and a trace, the complexity of computingoptimal alignments between the trace and the net isexponential in the number of transitions in the netand the number of activities in the trace. Existing ap-proaches (e.g., [11,12]) exploit structural properties ofboth Petri nets and traces to construct optimal align-ments efficiently. In particular, to increase efficiencythese approaches only allow synchronous moves be-tween an activity and a transition labeled with thesame activity.
III CONTROLLED BREAK-THE-GLASS
In this section, we present a flexible enforcementmechanism that enables a controlled use of break-the-glass functionality. Its architecture is given inFigure 5. In the remainder of the section, we intro-duce the basic concepts and provide an overview ofthe architecture.
Figure 5: Controlled Break-the-glass Architecture
In case of an emergency, users may need to takeactions that deviate from the specification to reactto the emergency. A user may execute an activitywhich is not allowed by the specification (insertion).For instance, a doctor may perform additional teststo better evaluate the patient’s health condition. Auser may not execute an activity which is required bythe specification (suppression). A user may executean activity instead of another activity (replacement).For instance, a doctor may perform a CT-scan insteadof an MRI test because of the temporary unavailabil-ity of technical equipment. A user may execute ac-tivities in a different order than the one defined inthe specification (swap). Each deviation is associ-ated with a cost that represents the severity of thedeviation.
The process model defines the allowed behavior of thesystem. The access control mechanism keeps track ofthe state of the process execution and blocks the exe-cution of those activities that are not compliant withthe process model. At any point of the process ex-ecution, users can invoke the break-the-glass controlto perform actions that they are usually not autho-rized to perform. This functionality takes priorityover the access control mechanism allowing the userto perform the requested actions. While deviationsfrom the specification may be necessary to react tothe emergency, they pose security risks (e.g., datamisuse). Therefore, the use of the break-the-glassfunctionality needs to be monitored. To this end, thebreak-the-glass control activates the logging server torecord the user behavior in an event log and, there-fore, make users accountable for their actions.
When a user invokes break-the-glass functionality, adeviation budget is assigned to such an invocation.Intuitively, the deviation budget represents to whatextent users can deviate from the specification. Theamount of the assigned budget may depend on thebusiness value of the process or on the user request-ing the exceptional permissions. Every time a userdeviates from the specification, the cost of the devia-tion is subtracted from the deviation budget. Whenthe deviation budget is completely spent, the excep-tional permissions are revoked, and the security offi-cer is notified about the infringement.
The diagnostic information necessary to assess theseverity of deviations is obtained through the confor-mance checker. This component takes as input a pro-cess model and an event log, and determines the op-timal alignment between them by replaying the eventlog over the process model. The state of the process
Page 4 of 16c©ASE 2012
execution in which break-the-glass functionality is in-voked, is used to determine the initial marking on theprocess model. The conformance checker determinesthe cost-optimal alignment starting from this initialmarking using the defined cost function.
The severity of deviation is assessed both online andoffline. Online conformance checking is performed atrun-time by replaying the trace of executed activitiesover the process model. Since traces that have notreached proper termination according to the modelshould not be penalized, prefix alignments are used toprovide diagnostics information about the deviationsin the log and quantify them. However, online con-formance checking may underestimate the total costof deviations if the process execution ends withoutreaching proper termination according to the model.Offline conformance checking, which is performed af-ter the process execution is declared to be complete,addresses this issue by also penalizing activities thatshould have been performed according to the model,but do not occur in the trace. Both online and of-fline conformance checking provide diagnostics infor-mation about the deviations beyond simple severitymeasurements, which is reported to the security offi-cer.
Take for example the process in Figure 1. Supposethat a user invokes break-the-glass after Appointmentand a deviation budget equal to 1 is assigned to theuser. The break-the-glass control activates the log-ging server which logs the process instance; confor-mance checking is performed online using the stan-dard cost function. The initial state used for con-formance checking is the marking of the net afterfiring t1 (Appointment) as shown in Figure 6 (left).After the user invoked break-the-glass, he performsLab test. Figure 6(i) shows the optimal prefix align-ment between the recorded trace and the model, re-turned by the checker. As shown in the figure, thechecker recognizes the event as a move on log.
Figure 6: Updated initial marking of the process model, and prefix
optimal alignments returned by conformance checker for the running
example.
After Lab test, the user performs activities Radiology,Check history, and Evaluation consecutively. The firsttwo events are allowed according to the model, andthe conformance checker returns the prefix alignmentin Figure 6(ii). However, after the occurrence ofEvaluation, conformance checking returns an opti-mal prefix alignment with deviation cost of 2 (Fig-ure 6(iii)). The allocated deviation budget is over-spent. Thus, the exceptional permissions are revokedand the security officer is informed about the infringe-ment.
Suppose that the deviation budget assigned to theuser is 2 (instead of 1). In this case, the user wouldstill be allowed to proceed with the execution of theprocess. If the instance is declared to be completeafter Evaluation, conformance checker then computesoffline an optimal alignment between trace 〈l, r, c, e〉and the process model with initial marking in Fig-ure 6. The optimal alignment has cost of 3 (a move onmodel for t9(Home treatment) is added to the align-ment in Figure 6(iii)). Since the allocated deviationbudget is overspent, an alert is sent to the securityofficer.
Existing alignment techniques only allow moves onlog, moves on model, and synchronous moves betweenan activity and a transition labeled with the sameactivity. Therefore, alignments obtained using suchtechniques only show deviations of types insertion(i.e., moves on log) and suppression (i.e., moves onmodel). Replacements and swaps have to be identi-fied as combinations of such deviations. For instance,the move on log and move on model for Lab test inFigure 6 correspond to a swap between Lab test andRadiology. However, analyzing replaced and swappedactivities from identified insertions and suppressions
Page 5 of 16c©ASE 2012
may lead to undesirable results [14]. In our example,if the cost of the swap is 1, the total cost of devia-tions after execution of Evaluation is still within de-viation budget and so exceptional permissions shouldnot have been revoked from the user. Therefore, it isdesirable to identify replacements and swaps directlyin alignments. In the next section, we show how toextend existing approaches to deal with replacementsand swaps.
IV IDENTIFYING DEVIATIONS
The extension to identify replacements and swaps areexplained in Sections 1 and 2 respectively. Section 3provides guidelines for setting the cost of these devi-ations.
1 REPLACEMENT
Given a (prefix) alignment, replacements manifest inthe alignment as synchronous moves between activi-ties and transitions that do not refer to the same ac-tivities. Take for example the model in Figure 1 andtrace σ3 in Figure 2. Suppose that a patient may un-dergo a therapy instead of home treatment in casesof emergency, but doing it in a non-emergency caseis not recommended. Thus, doing Therapy insteadof Home treatment is considered a replacement devia-tion with low cost (Notice that activity Therapy is notmodeled in the model of Figure 1). To consider thisin the deviation analysis, let consider cost functionδ1 where the cost of all movements are the same asthe standard cost function, except for the cost of thesynchronous move between activity Therapy and tran-sition t9 (Home treatment) that is set to 1. With costfunction δ1, the expected optimal alignment betweenσ3 and the model is represented by alignment γ4 inFigure 7. Here, the synchronous move between activ-ity Therapy and transition t9 (Home treatment) showsthe replacement of activity Home treatment with ac-tivity Therapy.
γ4 =a r l � e l t
a r l c e h
t1 t2 t3 t4 t5 � t9
Figure 7: An alignment between trace σ3 in Figure 2 and the model in
Figure 1, showing replacement of activity h with activity t
To efficiently compute optimal alignments, existingapproaches (e.g., [11, 12]) cannot construct optimalalignments that show replacements such as γ3 be-
cause they assume that synchronous moves can onlyoccur between an activity and a transition labeledwith the same activity. We overcome this limitationby explicitly modeling replacements in the net. Forall pairs of activities a, a′, a 6= a′ where a can be re-placed by a′, we duplicate all transitions labeled witha and map the duplicates to activity a′ instead of a.We call the duplicates substitution transitions. Fig-ure 8 shows a substitution transition which modelsthe replacement of activity Home treatment with ac-tivity Therapy. As shown in the figure, firing substi-tution transition t′9 leads to the same state of the netas if transition t9 is fired.
Figure 8: Modeling a replacement of activity Home treatment with
activity Therapy as transition t′9
We extend the cost function for insertions and sup-pressions with the cost of movements involving sub-stitution transitions. The cost of synchronous moves(x, y) where x is an activity and y is its substitu-tion transition, is the cost of the replacement definedby the substitution transition. The cost of move onmodel for substitution transitions is infinitely high(i.e., +∞). This way, there cannot be any moveon model for substitution transitions in any (prefix)alignment. An optimal alignment between trace σ3in Figure 2 and the net of Figure 1 augmented withthe substitution transition in Figure 8, using the ex-tended cost function derived from δ1, is shown in Fig-ure 9.
γ5 =a r l � e l t
a r l c e t (replacing h)
t1 t2 t3 t4 t5 � t′9
Figure 9: An optimal alignment between trace σ3 in Figure 2 and the
net of Figure 1 extended with substitution transitions
Translating the deviations in γ5 (Figure 9) back todeviations in the original model is done by consider-ing synchronous moves that involve substitution tran-sitions as replacements. Alignment γ5 shows a syn-chronous move between substitution transition t′9 and
Page 6 of 16c©ASE 2012
activity Therapy. Therefore, we know that executionof activity Home treatment has been replaced by ac-tivity Therapy. This is exactly the same interpreta-tion that we get from the optimal alignment γ4 inFigure 7.
The proposed solution comes with a price of compu-tation complexity. Suppose that the trace consists ofn unique activities, then its extended net with substi-tution transitions has n times transitions more thanthe original net. Thus, the use of extended nets in-creases the computation complexity of computing op-timal alignments by a constant factor n.
2 SWAPPED ACTIVITIES
A deviation of type insertion, suppression, or replace-ment manifests in alignments as an individual move-ment, i.e. a move on log, a move on model, or asynchronous move; in contrast, swaps are definedover pairs of activities. Hence, they cannot be di-rectly identified from individual movements in opti-mal alignments. Consider again the model in Fig-ure 1, trace σ2 in Figure 2, and their alignment γ1in Figure 3. Suppose that activity Radiology canbe swapped with activity Lab test without any cost.Instead of having one insertion (i.e., activity Labtest) and two suppressions (i.e., activities Lab testand Home treatment) as shown by γ1, the deviationsshould be a pair of swapped activities (i.e., Radiol-ogy with Lab test) and one suppression (i.e., Hometreatment).
We translate the problem of finding swapped activi-ties into the problem of finding a (prefix) alignmentbetween them. Similarly to the approach for iden-tifying replacements, we augment the original modelwith interchange transitions that model swapped ac-tivities explicitly. Let a and a′ be two activities wherea can be swapped with a′. For all pairs of transitions(t1, t2) where t1 and t2 are labeled a and a′ respec-tively, we duplicate t1 and t2 as a pair of interchangetransitions t2→1 and t′2→1 respectively and reversetheir label. Moreover, a place pt2→t1 is added to con-nect t2→1 and t′2→1 such that proper completion onthe model is reached if and only if either both tran-sitions are fired or none of them are fired. Figure 10shows an example of interchange transitions that ex-plicitly models swapping activity Radiology with Labtest (i.e., swapping t2 with t3). Every firing of inter-change transition t3→2 must be followed by firing oft′3→2, otherwise there is a remaining token in placept3→t2 which implies that proper termination is not
reached.
Figure 10: A pair of interchange transitions representing activity
Radiology swapped with Lab test
We extend the original cost function for insertionsand suppressions as follows. The cost of swappingtwo activities is distributed equally among the cor-responding interchange transitions. Note that inter-change transitions are not part of the original modeland, thus, they cannot be considered independentlyin alignments. To this end, we set the cost of moveson model for interchange transitions to +∞. Thisway, moves on model on interchange transitions can-not occur in any optimal alignment between the netand traces.
Consider again the net in Figure 1 and trace σ2 inFigure 2 where the cost of insertions/suppressions fol-lows the standard cost function, the cost of swappingactivities Radiology with Lab test is 1, and the costis +∞ otherwise. An optimal alignment between σ2and the net augmented with the interchange transi-tions in Figure 10, is shown in Figure 11.
γ6 =a l r c e �a l(r swapped with l) r(r swapped with l) c e h
t1 t3→2 t′3→2 t4 t5 t9
Figure 11: An optimal alignment between trace σ2 in Figure 2 and the
net of Figure 1 extended with the interchange transitions in Figure 10
Swaps can be identified by pairing synchronous movesthat involve interchange transitions. The optimalalignment γ6 in Figure 11 shows two synchronousmoves that involve interchange transitions t3→2 andt′3→2. By pairing them and then refer to their labels,we know that activity Radiology has been swappedwith activity Lab test.
Note that prefix alignments show an optimistic viewof deviations with respect to swapped activities, i.e.an optimal prefix alignment may assume that swapswill eventually occur in the future. For example, us-
Page 7 of 16c©ASE 2012
ing the same cost function as the one used in the con-struction of γ6, the alignment γ7 in Figure 12 is anoptimal prefix alignment between trace 〈a, l〉 and themodel in Figure 1. The synchronous move betweenactivity Lab test and interchange transition t3→2 sug-gests that activity Radiology is swapped with activityLab test, although no event in the trace refers to ac-tivity Radiology.
γ7 =a l
a l (r swapped with l)
t1 t3→2
Figure 12: An optimal prefix alignment, showing optimistic
interpretation on deviations
The idea of interchange transitions can be generalizedto identify swaps of sequences of activities. Given aprocess model and a trace, for all pairs of sequencesof activities µ and µ′ that can be swapped (i.e., µ′
can occur first instead of µ while the original modelshows the other way around), we duplicate all tran-sitions in the model that correspond to activities inboth sequences. Places are added between duplicatetransitions of µ′ and µ according to the ordering oftheir activities in the original sequences. Then, weswap the ordering between the sequences of dupli-cate transitions µ′ and µ and add a place betweenthe last duplicate transition of µ′ and the first du-plicate transition of µ. By augmenting the modelwith such constructs, optimal (prefix) alignment be-tween the extended net and the original trace mayreveal swapped sequences of activities in the trace.The sketch of this generalized approach is shown inFigure 13.
Figure 13: Sketch of solutions for the identification of swaps between
two sequences of activities
Given a trace and a Petri net, in the worst case whereall activities in the trace can be swapped with one an-other, the number of possible swaps is n(n−1), wheren is the number of unique activities in the trace. If weallow sequences of activities to be swapped, the com-
plexity is hyper-exponential in the number of activi-ties because the number of possible sequences growsexponentially in the number of their elements.
3 GUIDELINES FOR SETTING COSTFUNCTION
To identify all types of deviations at once, i.e. inser-tion, suppression, replacement, and swap, a Petri netcan be augmented with both interchange and substi-tution transitions. The cost of movements involvingthese transitions is defined as shown in Sections 1and 2. Note that our approach ensures that an eventin the trace is involved in at most one type of devi-ation, e.g. if an occurrence of an activity is swappedwith another activity according to an optimal align-ment, the same occurrence cannot be identified asinserted or swapped with another activity. Thus, ourapproach provides clarity in deviation analysis thatcan be exploited for further analysis.
So far, we assume that the costs of replacements andswaps are given. However, defining such costs is oftennot trivial in practice. For instance, a naıve exten-sion of the standard cost function for replacementsand swaps would assign a cost equal to 1 to every re-placement and swap. This function, however, causesan increase of the complexity of computing optimalalignments because all replacements and swaps be-tween activities need to be explicitly modeled. Fur-thermore, such a function may yield misleading de-viation diagnostics. For instance, in the net of Fig-ure 8, allowing the replacement of Home Treatmentwith Appointment can provide misleading diagnos-tic information, as in reality they are two signifi-cantly different activities. To reduce the complexitywhile providing accurate diagnosis, substitution tran-sitions and interchange transitions should be addedonly when they provide intuitive deviation analysis.
Possible replacements should be determined by ana-lyzing the activities in the process model and eventlog. In particular, it is necessary to identify whichactivities can be replaced by other activities in theprocess execution and estimate the severity of suchreplacements. The process for the identification ofreplacements and estimation of their costs can be sup-ported by the use of metrics for assessing the similar-ity degree between activities. For instance, the workin [17] uses the Latent Semantic Analysis (LSA) [18],a semantic relatedness metric, to assess the similaritybetween two activities based on their name. Ontologyalignment techniques [19,20] can be also employed to
Page 8 of 16c©ASE 2012
assess the similarity degree between two activities.The application of these techniques requires repre-senting activities as concepts in an ontology. Ontol-ogy alignment techniques then can compute the de-gree of semantic resemblance between concepts basedon the ontology structure. The cost of replacementscan be defined as a function of the degree of similar-ity: higher the similarity degree between two activi-ties, lower it is the cost of replacing one activity withthe other.
Swaps can be determined by analyzing the activitiesand control flow in the process model. The con-trol flow defines a precise ordering in which activi-ties should be performed. In some case, when theswap of two activities has an insignificant or limitedimpact on the process execution, the constraints im-posed by the control flow can be relaxed (e.g., activi-ties Radiology and Lab test in Figure 1). However, notevery swap may be allowable. In particular, an ac-tivity cannot be swapped with another activity if theexecution of the latter is required for the execution ofthe former (e.g., in Figure 1 Evaluation is required forOperation). We call such a pair of activities unswap-pable activities and write (Evaluation,Operation) toindicate that Evaluation cannot be swapped with ac-tivity Operation.
The set of unswappable activities specifies the ba-sic pairs of activities that cannot be swapped. Theconstraints imposed by this set may entail con-straints on other pairs of activities. For instance,an activity should not be swapped with the pre-decessors of an activity whose execution is neces-sary for the execution of the former activity. In-deed, allowing such a swap will result in an unde-sirable alignment. Consider, for instance, the netin Figure 1 and the trace 〈Appointment, Radiology,Operation,Check history,Evaluation, Lab test, Nursingward〉. If Lab test is swapped with Operation, thiswould allow Operation before an Evaluation.
To prevent the approach from identifying misleadingswapping, we define the unswappable activity closure.Given a Petri net and a pair of unswappable activities(a, b), the closure of (a, b) consists of the set of pairsof activities (c, b) such that c is a predecessor of a inthe net and the set of pairs of activities (a, d) suchthat d is a successor of b in the net. For instance, theclosure of (Evaluation,Operation) with respect to thenet in Figure 1 is the set {(Appointment, Operation),(Radiology,Operation), (Lab test,Operation),(Check history,Operation)} ∪ {(Evaluation,Nursing ward)}.The costs of pairs of activities in the unswappable
activity closure is set to infinitely large (+∞). A pairof activities can be swapped only if, given a set ofpairs of unswappable activities S, such a pair doesnot belong the unswappable activity closure of S.Its cost should be proportional to its impact on theprocess execution.
We stress that only replacements and swaps whosecost is lower than the sum of the costs of the moveson model and moves on log forming such replace-ments and swaps need to be considered, while thecost of other deviations can be safely assumed to beinfinitely high. If the cost of a replacement or a swapis greater than that sum, the replacement or the swapwill never be considered in the alignment.
V EXPERIMENTS
We have implemented the proposed conformancechecking technique as a ProM 6 plug-in, publiclyavailable at www.processmining.org. We performeda number of experiments to demonstrate the confor-mance checking technique using both synthetic dataand real data logs. In particular, we evaluate offlineconformance checking, i.e. we assume that traces ofexecution have reached proper termination, as it pro-vides non-optimistic deviation diagnostics. The ex-periments were performed using an Intel Core i7 pro-cessor (2.80 GHz) with 8GB RAM.
1 SYNTHETIC DATA
The first set of experiments aims to evaluate the ro-bustness of the approach and, in particular, its abilityto detect deviations. The event log used in the exper-iments was obtained by generating a number of tracesfrom a process model. These traces were then mod-ified to introduce deviations of different types (firstblock in Table 1). Three groups of experiments wereperformed. For each experiment, we report the iden-tified deviations and the total cost for the optimalalignment (TC). For each group of experiments, wealso report the average calculation time per trace.
Page 9 of 16c©ASE 2012
Trace Exp. 1 Exp. 2 Exp. 3
ID INS SUP REP SWA INS SUP TC INS SUP REP SWA TC INS SUP REP SWA TC1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 02 3 0 0 0 3 0 3 3 0 0 0 3 3 0 0 0 33 0 2 0 0 0 2 2 0 2 0 0 2 0 2 0 0 24 1 2 0 0 1 2 3 1 2 0 0 3 1 2 0 0 35 0 0 2 0 2 2 4 0 0 2 0 2 0 0 2 0 26 0 0 2 0 1 2 3 0 0 2 0 2 0 0 2 0 27 1 2 2 0 6 1 7 1 2 2 0 5 1 2 2 0 58 0 0 0 1 1 1 2 0 0 0 1 1 0 0 0 1 19 0 0 0 2 2 2 4 0 0 0 2 2 0 0 0 2 210 0 1 0 1 1 2 3 0 1 0 1 2 0 1 0 1 211 4 1 0 1 5 2 7 3 0 2 0 5 4 1 0 1 612 0 0 1 1 2 2 4 0 0 1 1 2 0 0 1 1 213 0 0 1 1 3 3 6 0 0 1 1 2 0 0 1 1 214 0 2 1 1 5 1 6 0 2 1 1 4 0 2 1 1 4
Average calculation time 0.26ms/trace 114.51ms/trace 0.26ms/trace
Table 1: Deviation detection for experiments on synthetic data
In the first group of experiments (Exp. 1), we useexisting alignment techniques (e.g., [21]) to detect de-viations which occurred. These techniques consideronly moves on log (INS) and moves on model (SUP)when determining deviations. In the experiments,we assigned a cost to every move on log and moveon model equal to 1. The total cost of the optimalalignment is therefore equal to the number of identi-fied deviations in the trace. The results of this groupof experiments are presented in the second block ofTable 1. The results show that, although existingtechniques are efficient, they overestimate the cost ofalignments as replacements and swaps are detected ascombinations of moves on log and moves on model.As a consequence, the low level alignment cannot beused to construct high level deviations. For instance,in trace 6 we expect two replacements (first block ofTable 1). At a low level, they would correspond tofour deviations since replacements can be identifiedas a combination of a move on log and a move onmodel. In contrast, the optimal alignment for trace 6has total cost of 3, given by an insertion and two sup-pressions. This example shows that if the cost func-tion does not include the cost of replacements andswaps, these deviations may not be diagnosed fromthe alignment.
The aim of the second and third groups of experi-ments is to evaluate the ability of the method pro-posed in this work to identify deviations without anyknowledge in advance about occurring deviations. Inthe second group of experiments (Exp. 2), we didnot consider any prior knowledge about deviations.Thus, we use a standard cost function where the costof all possible deviations (including replacements andswaps between all pairs of activities) is equal to 1.The results are presented in the third block of Table 1.
In general, the results of the second group coincidewith the first block in the table. An exception is givenby trace 11, for which the plug-in found a differentinterpretation for the deviations which occurred (i.e.,three insertions and two replacements instead of fourinsertions, one suppression and one swap). However,a closer look at the trace revealed that the alignmentdetermined by the plug-in does not correspond to avalid interpretation of the deviations which occurred.The alignment shows the replacement of two pairsof incompatible activities. This highlights the im-portance of assigning appropriate costs to deviations.In particular, assigning arbitrary costs requires ana-lyzing the identified alignments for validity. Noticethat the average computation time increases signifi-cantly in comparison with the one of Exp. 1. Thisincrement confirms the exponential complexity intro-duced when considering all possible replacements andswaps.
In the third group of experiments (Exp. 3), we con-sider cases where we have background knowledge onthe activities that can be swapped/replaced. We setthe cost of allowed replacements and swaps to 1, whilethe cost of replacements and swaps for other pairsof activities was set to +∞. The cost of moves onlog (INS) and moves on model (SUP) was set to 1.The results are presented in the last block of Table 1.These results show that our technique is able to de-tect all deviations as the last block coincides withthe first block in the table. Moreover, the computa-tion time decreases significantly compared to Exp. 2.This shows that with proper knowledge about activ-ities that can be replaced/swapped, one can set thecost of deviations properly to get a meaningful anal-ysis as well as reducing computation time. Note thatwithout such knowledge, one can perform an iterative
Page 10 of 16c©ASE 2012
procedure to obtain well-founded results by first us-ing the standard cost function as we did for Exp. 2,and then setting the cost for identified incompatibleswapped/replaced activities to high (i.e., +∞) in thenext iterations.
2 REAL-LIFE LOGS
To evaluate the applicability of the approach in a realscenario, we use a real-life event log from a Dutch aca-demic hospital which has been made available for theBPI Challenge 2011 [22]. Since no process model isavailable for the log, a model was mined from the log.The original log contains cases referring to differentdiagnoses (i.e., different treatment processes), whichmakes the log to be heterogeneous. Mining heteroge-neous logs, however, may lead to inaccurate processmodels [23]. We considered only cases related to di-agnosis for cancer of the vulva. The obtained log con-tains 493 events in 94 cases. 70% of these cases (i.e.,66 cases) were used to mine the process model usingthe Alpha Miner ProM plug-ins [24]. For the purposeof the experiments, we assumed that the mined pro-cess model provides the correct representation of theselected diagnosis. This model was analyzed to de-termine the costs of deviations. In particular, we an-alyzed the activities in the model and the control flowto identify which activities can be replaced by otheractivities (e.g., similar medical tests or procedures)as well as which activities can be swapped without asignificant impact on the process execution. A costfor such deviations was defined on the basis of theirseverity. The remaining 30% of cases (i.e., 28 cases)was manually analyzed to evaluate the output of theplug-in. In particular, we analyzed the events exe-cuted in each case and compared them with the con-trol flow specified in the process model. The analyzedcases were assessed using a five-scale system (i.e., low,low/medium, medium, medium/high, and high); eachscale represents the overall severity of the deviationsin a case.
Page 11 of 16c©ASE 2012
Figure 14: Experiment results based on real-life log and model
The cases that were analyzed manually together withthe defined cost function were given as input to theplug-in. The average calculation time per trace was115.53 ms. The results are presented in Figure 14. Asshown in the figure, the results of the plug-in coincidewith the ones obtained through manual analysis in 16cases (out of the 28 cases analyzed). For the other12 cases, there is a slight difference between the re-sults of the plug-in and the ones of manual analysis.Here, we analyze and discuss the reasons behind suchdifferences. A summary is presented in Table 2.
n. cases Result Motivation1 Overestimation Repetition of the same tran-
sition6 Overestimation Reordering5 Underestimation Difficult to manually identify
a corresponding run of theprocess model
Table 2: Analysis of mismatches between manual and automated
investigation
The plug-in overestimates the results of manual anal-ysis in seven cases and underestimate them in fivecases. In one case (#8), an activity, which is allowedby the specification, was repeated several times. Al-though these deviations were correctly identified bythe plug-in as moves on log, the plug-in does not dis-criminate which activities were inserted. In contrast,the repetition of the same activity was considered asa mitigating factor during manual analysis.
In six cases, the plug-in overestimates the results ofmanual analysis because the swap of sequences of ac-tivities is not supported by the plug-in. An analysisof these cases showed that in two cases (#784 and#793) the alignment identified through manual in-spection and by the plug-in was exactly the same;the higher cost is caused by the fact that swaps ofsequences of activities were accounted as combina-tions of moves on log and moves on model. In theother cases (#68, #132, #546, and #783), the plug-
in aligned the log with a run of the process modelwhich was different from the one indicated by man-ual analysis. Note that, although our implementationonly considers swaps of two activities, our approachis general enough to deal with swaps of sequences ofactivities (see Section IV).
The cases in which the plug-in returned a severitylevel lower than the level indicated by manual anal-ysis correspond to cases for which it was difficult toidentify an alignment. As a consequence, the sever-ity of these cases might have been overestimated inthe manual assessment. In three cases (#73, #344and #1048), the alignment determined by the plug-in was reliable. This demonstrates that the plug-incan help in understanding the root causes of devia-tions. In the other two cases (#92 and #1110) theplug-in aligned the cases with very short run of theprocess model and accounted most events in the logas moves on log. This is reflected in the move-log fit-ness metric of alignments, i.e. the ratio between thetotal cost of synchronous moves in the alignment andthe total cost obtained by considering all activitiesin the trace as moves on log. This metric providesan intuition on how much the activities in the traceare deviating from the model. In the last two cases,this metric value is very low (below 0.14 from scaleof 0.0 to 1.0). This indicates that the execution ofactivities in the traces is rather random and does notfollow the flow of activities described in the model.
VI RELATED WORK
Little work in the literature considers how to incorpo-rate break-the-glass functionality in existing infras-tructures. For instance, Brucker and Petritsch [25]present a break-the-glass enforcement architecturewhich extend access control models with the set ofemergency policies. This approach, however, is notpractical as it requires identifying all possible excep-tions at design time. Ferreira et al. [5] extend the
Page 12 of 16c©ASE 2012
access control system with a break-the-glass policythat can be invoked in case of emergency. Althoughsuch a policy is coupled with logging mechanismsthat record users’ actions and non-repudiation mech-anisms, methods for the analysis of user behavior arenot discussed. In contrast, we presented a flexiblearchitecture that allows users to invoke the break-the-glass functionality at any time and alerts whendeviations from specifications cannot be tolerated.
Many approaches have been proposed to checkrecorded process executions against predefinedrules/process models. van der Aalst et al. [26] pro-posed an LTL-based approach to check the satisfi-ability of a set of properties in a given trace. Inthis approach, the satisfiability of each property ischecked independently. Hence, correlations betweendeviations in one rule and other deviations in otherrules cannot be easily identified. An approach basedon the behavioral profile is proposed in [27]. Givena set of traces and a process model, this approachencodes the behavior of both the model and traces inmetric representations before comparison. Althoughthe approach supports root-cause analysis, the met-ric representation may abstract away behavior that isimportant for analysis. Banescu et al. [14] present anapproach for identifying and measuring privacy de-viations based on token-based replay techniques [28].The genetic mining algorithm in [29] uses similar re-play technique to measure the quality of process mod-els with respect to given executions. Token-based re-play techniques, however, may allow behavior that isnot allowed by the model due to the used heuristicand thus may provide misleading diagnostic informa-tion [30].
The notion of alignments [10] provides a robust ap-proach to correlate occurrences of recorded activitieswith transitions in predefined process models usingtheir semantics. In particular, the notion of align-ments is based on the “edit distance” of a trace froma process model. This idea has been used to extendthe theory of runtime enforcement by introducing thenotion of predictability [31]. In particular, edit dis-tance metrics are used to map “almost valid” tracesinto the predictable (closest valid) trace. In [17] editdistance metrics have been enhanced to measure theprivacy distance between expected and actual userbehavior. The problem of these metrics is that theycannot be applied to analyze logs against complexprocess models, for instance including loops. More-over, constructing alignments is computationally ex-pensive. Adriansyah et al. [11, 12, 21] propose effi-cient approaches to construct optimal alignments by
restricting the map of process executions to processmodels, and thus improve the applicability of tech-niques based on alignments to handle real-life cases.Nevertheless, these approaches only identify low leveldeviations (i.e., moves on log and moves on model).This may lead to misinterpret the root causes of de-viations when low level deviations are analyzed toidentify high level deviations. Our approach extendsthe work in [11, 12, 21] by allowing the identificationof high level deviations through alignment, while pre-serving efficiency.
VII CONCLUSIONS AND FUTUREWORK
In this paper we presented a flexible framework forcontrolled break-the-glass based on alignments. Theframework allows users to deviate from the specifi-cation within a given range. The severity of devia-tions is determined using alignment-based online andoffline conformance checking. Online conformancechecking analyzes user behavior at run time. Thisverification, however, may underestimate the sever-ity of deviations when the process execution doesnot reach proper termination. Offline conformancechecking addresses this issue by computing an op-timal alignment between traces in the event log andcomplete runs of the process model. Moreover, we ex-tend the alignment approach to explicitly show highlevel deviations, i.e. replacements and swaps. Theexperiment results show that the proposed approachis robust in the sense that it is able to identify andquantify deviations without proper knowledge aboutdeviations. Prior knowledge on possible deviationscan be used to tune the cost function in order to im-prove the quality of deviation diagnostics and com-putation performance.
The work presented in this paper suggests some in-teresting directions for future work. The proposedapproach determines optimal alignments only basedon the executed activities and the control flow de-fined in the process model. Other information likethe users responsible for the deviations and the datathat have been accessed as well as information aboutthe context may be considered to quantify the sever-ity of deviations, leading to more accurate securitydecisions. Moreover, a systematic way for determin-ing the deviation budget is needed. To this end, weare investigating methods that assess the risks causedby the invocation of the break-the glass functionalitybased on historical data.
Page 13 of 16c©ASE 2012
Acknowledgments. This work has been funded by the
Dutch program COMMIT under the THeCS project, by the
Cyber Security program under the PriCE project, and by
the EU Commission under the Seventh Framework Project
“PoSecCo”.
Page 14 of 16c©ASE 2012
References
[1] Arya Adriansyah, Boudewijn F. van Dongen,and Nicola Zannone, “Controlling Break-The-Glass Through Alignment”, in Proceedings of In-ternational Conference on Information Privacy,Security, Risk and Trust. 2013, IEEE.
[2] Robert Richardson, “Computer Crime & Secu-rity Survey”, Tech. report, Computer SecurityInstitute, 2008.
[3] Kevin W. Hamlen, Greg Morrisett, and Fred B.Schneider, “Computability classes for enforce-ment mechanisms”, TOPLAS, vol. 28, no. 1, pp.175–205, 2006.
[4] Jay Ligatti, Lujo Bauer, and David Walker,“Run-time enforcement of nonsafety policies”,ACM Trans. Inf. Syst. Secur., vol. 12, no. 3, pp.1–41, 2009.
[5] A Ferreira, R Cruz-Correia, L Antunes, P Far-inha, E Oliveira-Palhares, D W. Chadwick, andA Costa-Pereira, “How to break access controlin a controlled manner”, in Proceedings of Sym-posium on Computer- Based Medical Systems.2006, pp. 847–854, IEEE.
[6] Shane R Reti, Henry J Feldman, Stephen E Ross,and Charles Safran, “Improving personal healthrecords for patient-centered care”, JAMIA, vol.17, no. 2, pp. 192–195, 2010.
[7] Claudio Agostino Ardagna, Sabrina De Capitanidi Vimercati, Tyrone Grandison, Sushil Jajodia,and Pierangela Samarati, “Regulating excep-tions in healthcare using policy spaces”, in Dataand Applications Security. 2008, LNCS 5094, pp.254–267, Springer.
[8] Marco Montali, Maja Pesic, Wil M. P. van derAalst, Federico Chesani, Paola Mello, and SergioStorari, “Declarative specification and verifica-tion of service choreographiess”, TWEB, vol. 4,no. 1, pp. 3:1–3:62, 2010.
[9] Milan Petkovic, Davide Prandi, and Nicola Zan-none, “Purpose control: Did you process thedata for the intended purpose?”, in Secure DataManagement. 2011, LNCS 6933, pp. 145–168,Springer.
[10] J. E. Cook and A. L. Wolf, “Software ProcessValidation: Quantitatively Measuring the Corre-spondence of a Process to a Model”, TOSEM,vol. 8, pp. 147–176, 1999.
[11] A. Adriansyah, N. Sidorova, and B. F. vanDongen, “Cost-Based Fitness in Conformance
Checking”, in Proceedings of International Con-ference on Application of Concurrency to SystemDesign. 2011, pp. 57–66, IEEE.
[12] A. Adriansyah, B.F. van Dongen, and W.M.P.van der Aalst, “Memory-Efficient Alignmentof Observed and Modeled Behavior”, Tech.Rep., BPMcenter.org, 2013, BPM Center Re-port BPM-03-03.
[13] Benoit Depaire, Jo Swinnen, Mieke, and KoenVanhoof, “A Process Deviation Analysis Frame-work”, in Business Process Management Work-shops. 2013, LNBIP 132, pp. 701–706, Springer.
[14] Sebastian Banescu, Milan Petkovic, and NicolaZannone, “Measuring privacy compliance usingfitness metrics”, in Business Process Manage-ment. 2012, LNCS 7481, pp. 114–119, Springer.
[15] T. Murata, “Petri nets: Properties, analysis andapplications”, Proc. IEEE, vol. 77, no. 4, pp.541–580, 2002.
[16] W. M. P. van der Aalst, A. Adriansyah, andB. F. van Dongen, “Replaying History on Pro-cess Models for Conformance Checking and Per-formance Analysis”, WIREs Data Mining andKnowledge Discovery, vol. 2, no. 2, pp. 182–192,2012.
[17] Sebastian Banescu and Nicola Zannone, “Mea-suring privacy compliance with process specifica-tions”, in Proceedings of International Workshopon Security Measurements and Metrics. 2011,pp. 41–50, IEEE.
[18] Susan T. Dumais, “Latent semantic analysis”,ARIST, vol. 38, no. 1, pp. 188–230, 2004.
[19] AnHai Doan, Jayant Madhavan, RobinDhamankar, Pedro Domingos, and AlonHalevy, “Learning to match ontologies on theSemantic Web”, VLDB Journal, vol. 12, no. 4,pp. 303–319, 2003.
[20] Steven Heeps, Joe Sventek, Naranker Dulay, Al-berto Schaeffer Filho, Emil Lupu, Morris Slo-man, and Stephen Strowes, “Dynamic Ontol-ogy Mapping for Interacting Autonomous Sys-tems”, in Proceedings of International Workshopon Self-Organizing Systems. 2007, LNCS 4725,pp. 255–263, Springer.
[21] A. Adriansyah, B. F. van Dongen, and W. M. P.van der Aalst, “Conformance Checking UsingCost-Based Fitness Analysis”, in Proceedingsof International Enterprise Distributed ObjectComputing Conference. 2011, pp. 55–64, IEEE.
[22] B.F. van Dongen, “Event Logfor the BPI Challenge 2012”,
Page 15 of 16c©ASE 2012
http://dx.doi.org/10.4121/uuid:
3926db30-f712-4394-aebc-75976070e91f,2012.
[23] R. P. Jagadeesh Chandra Bose and Wil M. P.van der Aalst, “Context aware trace clustering:Towards improving process mining results”, inProceedings of International Conference on DataMining. 2009, pp. 401–412, SIAM.
[24] Wil M. P. van der Aalst, Ton Weijters, and LauraMaruster, “Workflow Mining: Discovering Pro-cess Models from Event Logs”, TKDE, vol. 16,no. 9, pp. 1128–1142, 2004.
[25] Achim D. Brucker and Helmut Petritsch, “Ex-tending access control models with break-glass”,in Proceedings of Symposium on Access Con-trol Models and Technologies. 2009, pp. 197–206,ACM.
[26] Wil M. P. van der Aalst, H. T. de Beer, andBoudewijn F. van Dongen, “Process mining andverification of properties: An approach based ontemporal logic”, in On the Move to Meaning-ful Internet Systems. 2005, LNCS 3760, pp. 130–147, Springer.
[27] Matthias Weidlich, Artem Polyvyanyy, NirmitDesai, Jan Mendling, and Mathias Weske, “Pro-cess compliance analysis based on behaviouralprofiles”, Inf. Sys., vol. 36, no. 7, pp. 1009–1025,2011.
[28] Anne Rozinat and Wil M. P. van der Aalst,“Conformance checking of processes based onmonitoring real behavior”, Inf. Syst., vol. 33,no. 1, pp. 64–95, 2008.
[29] A. K. Alves de Medeiros, A. J. M. M. Weijters,and W. M. P. van der Aalst, “Genetic Pro-cess Mining: an Experimental Evaluation”, DataMining and Knowledge Discovery, vol. 14, no. 2,pp. 245–304, 2007.
[30] A. Adriansyah, B. F. van Dongen, and W. M. P.van der Aalst, “Towards Robust Confor-mance Checking”, in Business Process Manage-ment Workshops. 2011, LNBIP 66, pp. 122–133,Springer.
[31] Nataliia Bielova and Fabio Massacci, “Pre-dictability of enforcement”, in Engineering Se-cure Software and Systems. 2011, LNCS 6542,pp. 73–86, Springer.
Page 16 of 16c©ASE 2012