Classifying traces of event logs on the basis of security risks
Bettina Fazzinga; Luigi Pontieri
2015
Abstract
We address the problem of classifying log traces in the context of security risk analysis concerning business processes. Specifically, on the basis of some (possibly incomplete) knowledge of the structures of the processes and of the patterns representing undesired/risky behaviors, we aim at classifying each log trace as an instance of some process and/or as a potential security breach. In particular, we address the following challenging setting: each event does not have a unique interpretation in terms of the activity of which it is a step, but can correspond to more than one activity. In our framework, the mapping between events and activities is encoded by probability distributions over events and activities, and both the models describing the processes and those describing the security breaches are expressed in terms of precedence/causality rules over the activities. Each trace is classified on the basis of the conformance of its possible interpretations, generated by a Monte Carlo mechanism, to the security-breach models and/or to the process models. The proposed framework has been experimentally validated, and proved to be efficient and effective.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.
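The abstract describes the classification scheme only in outline: events map to activities through probability distributions, process and breach models are sets of precedence/causality rules, and a trace is labelled by how often its sampled interpretations conform to each model. The following is an added example, not code from the paper or its authors, that makes the mechanism concrete. It assumes a deliberately simple rule representation (a set of activities that must occur plus rules "a must precede b"), assumes each event's activity is sampled independently of the others, and uses a constructed payment process, a constructed breach pattern ("payment pushed through a manual override") and a constructed three-event trace whose middle event is ambiguous. An exhaustive enumerator is included alongside the Monte Carlo estimator so the sampled probabilities can be checked against the exact ones on this short trace.

```python
import random
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Sequence, Tuple

# A trace is a sequence of events; each event carries a probability
# distribution over the activities it may be a step of (constructed data).
Distribution = Dict[str, float]
Interpretation = Tuple[str, ...]


@dataclass(frozen=True)
class RuleModel:
    """Assumed model shape: activities that must occur in an interpretation,
    plus precedence rules (a, b) meaning every b must be preceded by some a."""
    requires: frozenset
    precedence: Tuple[Tuple[str, str], ...]


def conforms(interp: Interpretation, model: RuleModel) -> bool:
    """Check one interpretation (an activity sequence) against a rule model."""
    if not model.requires.issubset(interp):
        return False
    seen = set()
    for act in interp:
        for a, b in model.precedence:
            if act == b and a not in seen:
                return False  # b occurred before any a: precedence violated
        seen.add(act)
    return True


def sample_interpretation(trace: Sequence[Distribution], rng: random.Random) -> Interpretation:
    """Draw one interpretation by sampling an activity for each event
    (assumption: events are interpreted independently of each other)."""
    return tuple(rng.choices(list(d), weights=list(d.values()), k=1)[0] for d in trace)


def monte_carlo_conformance(trace: Sequence[Distribution], models: Dict[str, RuleModel],
                            n_samples: int = 10_000, seed: int = 0) -> Dict[str, float]:
    """Estimate, per model, the probability that a random interpretation conforms."""
    rng = random.Random(seed)
    hits = {name: 0 for name in models}
    for _ in range(n_samples):
        interp = sample_interpretation(trace, rng)
        for name, model in models.items():
            if conforms(interp, model):
                hits[name] += 1
    return {name: h / n_samples for name, h in hits.items()}


def exact_conformance(trace: Sequence[Distribution], models: Dict[str, RuleModel]) -> Dict[str, float]:
    """Enumerate every interpretation (exponential in trace length); feasible
    only for short traces, which is why the sampling estimator is used."""
    probs = {name: 0.0 for name in models}
    for combo in product(*(d.items() for d in trace)):
        interp = tuple(act for act, _ in combo)
        weight = 1.0
        for _, p in combo:
            weight *= p
        for name, model in models.items():
            if conforms(interp, model):
                probs[name] += weight
    return probs


def classify(probs: Dict[str, float], threshold: float = 0.5) -> List[str]:
    """Labels whose estimated conformance probability reaches the threshold."""
    return sorted(name for name, p in probs.items() if p >= threshold)


# Constructed models: a hypothetical payment process, and a breach pattern in
# which a payment follows a manual override rather than an approval.
MODELS = {
    "process:payment": RuleModel(
        requires=frozenset({"Request", "Approve", "Pay"}),
        precedence=(("Request", "Approve"), ("Approve", "Pay")),
    ),
    "breach:override-payment": RuleModel(
        requires=frozenset({"Override", "Pay"}),
        precedence=(("Override", "Pay"),),
    ),
}

# Constructed trace: the second event is ambiguous between two activities.
TRACE = [
    {"Request": 1.0},
    {"Approve": 0.7, "Override": 0.3},
    {"Pay": 1.0},
]

if __name__ == "__main__":
    est = monte_carlo_conformance(TRACE, MODELS)
    print("estimated:", est)
    print("exact:    ", exact_conformance(TRACE, MODELS))
    print("labels at threshold 0.25:", classify(est, threshold=0.25))
```

On the constructed trace the exact conformance probabilities are 0.7 for the process model and 0.3 for the breach model, and the sampled estimates converge to those values; the threshold then decides whether the trace is reported as a process instance, as a potential breach, or as both, which is the trade-off a detection engineer would tune against the cost of missed breaches versus false alarms.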


