PN-BBN: A Petri Net-Based Bayesian Network for Anomalous Behavior Detection
Abstract
:1. Introduction
2. Related Work
3. Background Knowledge
3.1. Petri Net Model
3.2. Bayesian Networks
4. Detecting Abnormal Behavior using Petri Net-Based Bayesian Network
4.1. Using Behavior Profiles to Determine Behavior Context
Algorithm 1: Ineluctable Path Identification. |
4.2. Constructing Petri Net-Based Bayesian Networks for Anomaly Detection
Algorithm 2: Anomalous behavior detection leveraging probabilistic inference. |
5. Evaluation
5.1. Event Log
5.2. Evaluation Indicators
5.3. Bayesian Structural Analysis
5.4. Anomaly Detection Results
6. Summary
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
- Bezerra, F.; Wainer, J.; van der Aalst, W.M.P. “Anomaly Detection Using Process Mining”, in Enterprise, Business-Process and Information Systems Modeling. J. Big Data 2009, 29, 149–161. [Google Scholar] [CrossRef]
- Goldstein, M.; Uchida, S. A Comparative Evaluation of Unsupervised Anomaly Detection Algorithms for Multivariate Data. PLoS ONE 2016, 11, e0152173. [Google Scholar] [CrossRef] [PubMed] [Green Version]
- Saba, T.; Rehman, A.; Sadad, T.; Kolivand, H.; Bahaj, S.A. Anomaly-based intrusion detection system for IoT networks through deep learning model. Comput. Electr. Eng. 2022, 99, 107810. [Google Scholar] [CrossRef]
- Khan, A.T.; Cao, X.; Li, S.; Katsikis, V.N.; Brajevic, I.; Stanimirovic, P.S. Fraud detection in publicly traded U.S firms using Beetle Antennae Search: A machine learning approach. Expert Syst. Appl. 2022, 191, 116148. [Google Scholar] [CrossRef]
- Weytjens, H.; De Weerdt, J. Creating Unbiased Public Benchmark Datasets with Data Leakage Prevention for Predictive Process Monitoring. Comput. Sci. 2022, 436, 18–29. [Google Scholar] [CrossRef]
- Liu, H.; Xu, X.; Li, E.; Zhang, S.; Li, X. Anomaly Detection With Representative Neighbors. IEEE Trans. Neural Netw. Learn. Syst. 2021, 1–11. [Google Scholar] [CrossRef] [PubMed]
- Aggarwal, C.C. Outlier Analysis. Cham: Springer International Publishing. 2017. Available online: http://link.springer.com/10.1007/978-3-319-47578-3 (accessed on 7 September 2021).
- Nolle, T.; Luettgen, S.; Seeliger, A.; Mühlhäuser, M. Analyzing business process anomalies using autoencoders. Mach. Learn. 2018, 107, 1875–1893. [Google Scholar] [CrossRef] [Green Version]
- van Dongen, B.F.; De Smedt, J.; Di Ciccio, C.; Mendling, J. Conformance checking of mixed-paradigm process models. Inf. Syst. 2021, 102, 101685. [Google Scholar] [CrossRef]
- Nagy, Z.; Werner-Stark, A. An Alignment-based Multi-Perspective Online Conformance Checking Technique. Acta Polytech. Hung. 2022, 19, 105–127. [Google Scholar] [CrossRef]
- Rullo, A.; Guzzo, A.; Serra, E.; Tirrito, E. A Framework for the Multi-modal Analysis of Novel Behavior in Business Processes. Int. Conf. Intell. Data Eng. Autom. Learn. 2020, 12489, 51–63. [Google Scholar] [CrossRef]
- Sani, M.F.; Van Zelst, S.J.; Van Der Aalst, W.M.P. Conformance Checking Approximation Using Subset Selection and Edit Distance. In Proceedings of the Advanced Information Systems Engineering—32nd International Conference, CAiSE 2020, Grenoble, France, 8–12 June 2020; Volume 12127, pp. 234–251. [Google Scholar] [CrossRef]
- Sani, M.F.; Kabierski, S.J.; Van Der Aalst, W.M.P. Model Independent Error Bound Estimation for Conformance Checking Approximation. arXiv 2021, arXiv:2103.13315. [Google Scholar] [CrossRef]
- Lee, W.L.J.; Verbeek, H.; Munoz-Gama, J.; van der Aalst, W.M.; Sepúlveda, M. Recomposing conformance: Closing the circle on decomposed alignment-based conformance checking in process mining. Inf. Sci. 2018, 466, 55–91. [Google Scholar] [CrossRef]
- Sani, M.F.; van Zelst, S.J.; van der Aalst, W.M.P. Applying Sequence Mining for Outlier Detection in Process Mining. In Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2018; Volume 11230, pp. 98–116. [Google Scholar] [CrossRef]
- van Zelst, S.J.; Sani, M.F.; Ostovar, A.; Conforti, R.; La Rosa, M. Filtering Spurious Events from Event Streams of Business Processes. In Advanced Information Systems Engineering; Springer: Cham, Switzerland, 2018; Volume 10816, pp. 35–52. [Google Scholar] [CrossRef]
- Dixit, P.M.; Suriadi, S.; Andrews, R.; Wynn, M.T.; ter Hofstede, A.H.M.; Buijs, J.C.A.M.; van der Aalst, W.M.P. Detection and Interactive Repair of Event Ordering Imperfection in Process Logs. In Proceedings of the Advanced Information Systems Engineering—30th International Conference, CAiSE 2018, Tallinn, Estonia, 11–15 June 2018; Volume 10816, pp. 274–290. [Google Scholar] [CrossRef] [Green Version]
- Nolle, T.; Seeliger, A.; Mühlhäuser, M. Unsupervised Anomaly Detection in Noisy Business Process Event Logs Using Denoising Autoencoders. In Discovery Science; Springer: Bari, Italy, 2016; pp. 442–456. [Google Scholar] [CrossRef]
- Nolle, T.; Seeliger, A.; Thoma, N.; Mühlhäuser, M. DeepAlign: Alignment-Based Process Anomaly Correction Using Recurrent Neural Networks. In Advanced Information Systems Engineering; Springer: Cham, Switzerland, 2020; Volume 12127, pp. 319–333. [Google Scholar] [CrossRef]
- Neto, R.V.; Tavares, G.; Ceravolo, P.; Barbon, S. On the use of online clustering for anomaly detection in trace streams. In XVII Brazilian Symposium on Information Systems; ACM: New York, NY, USA, 2021; pp. 1–8. [Google Scholar] [CrossRef]
- Wil, M.P. van der Aalst, W.M.P. In Process Mining: Data Science in Action, 2nd ed.; Springer: Berlin/Heidelberg, Germany, 2016. [Google Scholar]
- Padró, L.; Carmona, J. Computation of alignments of business processes through relaxation labeling and local optimal search. Inf. Syst. 2022, 104, 101703. [Google Scholar] [CrossRef]
- Sucar, L.E. Probabilistic Graphical Models; Springer: London, UK, 2015; Available online: http://link.springer.com/10.1007/978-1-4471-6699-3 (accessed on 4 July 2022).
- Augusto, A.; Conforti, R.; Dumas, M.; La Rosa, M.; Polyvyanyy, A. Split miner: Automated discovery of accurate and simple business process models from event logs. Knowl. Inf. Syst. 2019, 59, 251–284. [Google Scholar] [CrossRef] [Green Version]
- van der Aalst, W.; Weijters, T.; Maruster, L. Workflow mining: Discovering process models from event logs. IEEE Trans. Knowl. Data Eng. 2004, 16, 1128–1142. [Google Scholar] [CrossRef]
- Prasidis, I.; Theodoropoulos, N.-P.; Bousdekis, A. Handling Uncertainty in Predictive Business Process Monitoring with Bayesian Networks. In Proceedings of the 2021 12th International Conference on Information, Intelligence, Systems & Applications (IISA), Online, 12–14 July 2021. [Google Scholar] [CrossRef]
- Fan, J.; Upadhye, S.; Worster, A. Understanding receiver operating characteristic (ROC) curves. Can. J. Emerg. Med. 2006, 8, 19–20. [Google Scholar] [CrossRef] [PubMed]
- Barbieri, N.; Manco, G.; Ritacco, E. Probabilistic Approaches to Recommendations. Synth. Lect. Data Min. Knowl. Discov. 2014, 5, 1–197. [Google Scholar] [CrossRef]
Log Name | Total Traces | Total Events | Distinct Traces | Distinct Events | Trace Length | ||
---|---|---|---|---|---|---|---|
Max | Min | Avg | |||||
Receipt | 1434 | 8577 | 116 | 27 | 25 | 1 | 6.0 |
Receipt + 5% | 1434 | 8966 | 237 | 27 | 25 | 1 | 6.3 |
Receipt + 10% | 1434 | 9412 | 435 | 27 | 25 | 1 | 6.6 |
Receipt + 15% | 1434 | 9793 | 679 | 27 | 26 | 1 | 6.8 |
Receipt + 20% | 1434 | 10193 | 920 | 27 | 30 | 1 | 7.1 |
Receipt + 25% | 1434 | 10624 | 1128 | 27 | 30 | 1 | 7.4 |
Receipt − 5% | 1434 | 8153 | 718 | 27 | 24 | 1 | 5.7 |
Receipt − 10% | 1434 | 7712 | 792 | 27 | 24 | 1 | 5.4 |
Sepsis | 1050 | 15214 | 846 | 16 | 185 | 3 | 14.5 |
Sepsis + 5% | 1050 | 15875 | 906 | 16 | 198 | 3 | 15.1 |
Sepsis + 10% | 1050 | 16467 | 962 | 16 | 200 | 3 | 15.7 |
Sepsis + 15% | 1050 | 17098 | 994 | 16 | 209 | 3 | 16.3 |
Sepsis + 20% | 1050 | 17703 | 1011 | 16 | 218 | 3 | 16.7 |
Sepsis + 25% | 1050 | 18241 | 1015 | 16 | 260 | 3 | 17.4 |
Sepsis − 5% | 1050 | 14410 | 1007 | 16 | 177 | 2 | 13.7 |
Sepsis − 10% | 1050 | 13604 | 1009 | 16 | 167 | 1 | 13.0 |
Log Name | Recall | Fitness | Simplicity | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
a | b | c | d | None | a | b | c | d | None | a | b | c | d | |
Receipt | \ | \ | \ | \ | 0.84 | \ | \ | \ | \ | 0.69 | \ | \ | \ | \ |
Receipt − 5% | 0.50 | 0.75 | 0.63 | 0.87 | 0.51 | 0.62 | 0.60 | 0.54 | 0.81 | 0.38 | 0.43 | 0.53 | 0.48 | 0.71 |
Receipt − 10% | 0.44 | 0.68 | 0.56 | 0.84 | 0.49 | 0.41 | 0.58 | 0.53 | 0.76 | 0.49 | 0.50 | 0.55 | 0.46 | 0.69 |
Receipt + 5% | 0.64 | 0.71 | 0.54 | 0.91 | 0.73 | 0.54 | 0.65 | 0.54 | 0.83 | 0.56 | 0.48 | 0.59 | 0.61 | 0.73 |
Receipt + 10% | 0.62 | 0.61 | 0.51 | 0.85 | 0.81 | 0.49 | 0.51 | 0.61 | 0.80 | 0.51 | 0.47 | 0.52 | 0.49 | 0.71 |
Receipt + 15% | 0.50 | 0.61 | 0.48 | 0.81 | 0.79 | 0.59 | 0.51 | 0.48 | 0.81 | 0.52 | 0.48 | 0.49 | 0.51 | 0.71 |
Receipt + 20% | 0.49 | 0.55 | 0.45 | 0.72 | 0.74 | 0.52 | 0.46 | 0.47 | 0.78 | 0.61 | 0.62 | 0.58 | 0.55 | 0.73 |
Receipt + 25% | 0.42 | 0.51 | 0.40 | 0.66 | 0.74 | 0.44 | 0.53 | 0.42 | 0.79 | 0.56 | 0.53 | 0.51 | 0.54 | 0.68 |
Sepsis | \ | \ | \ | \ | 0.91 | \ | \ | \ | \ | 0.66 | \ | \ | \ | \ |
Sepsis − 5% | 0.41 | 0.71 | 0.73 | 0.86 | 0.75 | 0.51 | 0.63 | 0.66 | 0.92 | 0.57 | 0.55 | 0.61 | 0.65 | 0.71 |
Sepsis − 10% | 0.39 | 0.69 | 0.68 | 0.81 | 0.72 | 0.48 | 0.61 | 0.59 | 0.84 | 0.60 | 0.50 | 0.59 | 0.63 | 0.78 |
Sepsis + 5% | 0.45 | 0.72 | 0.73 | 0.89 | 0.89 | 0.56 | 0.54 | 0.69 | 0.89 | 0.65 | 0.57 | 0.65 | 0.64 | 0.69 |
Sepsis + 10% | 0.42 | 0.70 | 0.67 | 0.85 | 0.84 | 0.53 | 0.52 | 0.61 | 0.81 | 0.61 | 0.52 | 0.61 | 0.62 | 0.66 |
Sepsis + 15% | 0.38 | 0.66 | 0.67 | 0.80 | 0.82 | 0.47 | 0.51 | 0.56 | 0.75 | 0.61 | 0.46 | 0.54 | 0.67 | 0.65 |
Sepsis + 20% | 0.35 | 0.61 | 0.65 | 0.76 | 0.85 | 0.43 | 0.50 | 0.50 | 0.73 | 0.63 | 0.34 | 0.42 | 0.58 | 0.61 |
Sepsis + 25% | 0.29 | 0.59 | 0.62 | 0.71 | 0.81 | 0.39 | 0.49 | 0.48 | 0.71 | 0.58 | 0.31 | 0.53 | 0.55 | 0.57 |
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Lu, K.; Fang, X.; Fang, N. PN-BBN: A Petri Net-Based Bayesian Network for Anomalous Behavior Detection. Mathematics 2022, 10, 3790. https://doi.org/10.3390/math10203790
Lu K, Fang X, Fang N. PN-BBN: A Petri Net-Based Bayesian Network for Anomalous Behavior Detection. Mathematics. 2022; 10(20):3790. https://doi.org/10.3390/math10203790
Chicago/Turabian StyleLu, Ke, Xianwen Fang, and Na Fang. 2022. "PN-BBN: A Petri Net-Based Bayesian Network for Anomalous Behavior Detection" Mathematics 10, no. 20: 3790. https://doi.org/10.3390/math10203790
APA StyleLu, K., Fang, X., & Fang, N. (2022). PN-BBN: A Petri Net-Based Bayesian Network for Anomalous Behavior Detection. Mathematics, 10(20), 3790. https://doi.org/10.3390/math10203790