Alessandro Niro,Michael Werner

2024-02-14

Abstract:Detecting anomalies is important for identifying inefficiencies, errors, or fraud in business processes. Traditional process mining approaches focus on analyzing 'flattened', sequential, event logs based on a single case notion. However, many real-world process executions exhibit a graph-like structure, where events can be associated with multiple cases. Flattening event logs requires selecting a single case identifier which creates a gap with the real event data and artificially introduces anomalies in the event logs. Object-centric process mining avoids these limitations by allowing events to be related to different cases. This study proposes a novel framework for anomaly detection in business processes that exploits graph neural networks and the enhanced information offered by object-centric process mining. We first reconstruct and represent the process dependencies of the object-centric event logs as attributed graphs and then employ a graph convolutional autoencoder architecture to detect anomalous events. Our results show that our approach provides promising performance in detecting anomalies at the activity type and attributes level, although it struggles to detect anomalies in the temporal order of events.

Statistical Finance,Databases,Machine Learning

Kristof Böhmer,Stefanie Rinderle-Ma

DOI: https://doi.org/10.1007/978-3-319-48472-3_5

2016-01-01

Abstract:Ensuring anomaly-free process model executions is crucial in order to prevent fraud and security breaches. Existing anomaly detection approaches focus on the control flow, point anomalies, and struggle with false positives in the case of unexpected events. By contrast, this paper proposes an anomaly detection approach that incorporates perspectives that go beyond the control flow, such as, time and resources (i.e., to detect contextual anomalies). In addition, it is capable of dealing with unexpected process model execution events: not every unexpected event is immediately detected as anomalous, but based on a certain likelihood of occurrence, hence reducing the number of false positives. Finally, multiple events are analyzed in a combined manner in order to detect collective anomalies. The performance and applicability of the overall approach are evaluated by means of a prototypical implementation along and based on real life process execution logs from multiple domains.

Alessandro Berti,Marco Montali,Wil M.P. van der Aalst

DOI: https://doi.org/10.48550/arXiv.2311.08795

2023-11-15

Abstract:Recent years have seen the emergence of object-centric process mining techniques. Born as a response to the limitations of traditional process mining in analyzing event data from prevalent information systems like CRM and ERP, these techniques aim to tackle the deficiency, convergence, and divergence issues seen in traditional event logs. Despite the promise, the adoption in real-world process mining analyses remains limited. This paper embarks on a comprehensive literature review of object-centric process mining, providing insights into the current status of the discipline and its historical trajectory.

Databases

Alexandre Goossens,Johannes De Smedt,Jan Vanthienen

2024-05-21

Abstract:Process mining aims to comprehend and enhance business processes by analyzing event logs. Recently, object-centric process mining has gained traction by considering multiple objects interacting with each other in a process. This object-centric approach offers advantages over traditional methods by avoiding dimension reduction issues. However, in contrast to traditional process mining where a standard event log format was quickly agreed upon with XES providing a common platform for further research and industry, various object-centric logging formats have been proposed, each addressing specific challenges such as object relations or dynamic attribute changes. This makes that interoperability of object-centric algorithms remains a challenge, hindering reproducibility and generalizability in research. Additionally, the object-centric process storage paradigm aligns well with a wide range of object-oriented databases storing process data.

Databases

Leman Akoglu

DOI: https://doi.org/10.48550/arXiv.2105.10077

2021-05-31

Abstract:Anomaly mining is an important problem that finds numerous applications in various real world domains such as environmental monitoring, cybersecurity, finance, healthcare and medicine, to name a few. In this article, I focus on two areas, (1) point-cloud and (2) graph-based anomaly mining. I aim to present a broad view of each area, and discuss classes of main research problems, recent trends and future directions. I conclude with key take-aways and overarching open problems.

Machine Learning,Social and Information Networks

Jonas Soenen,Elia Van Wolputte,Vincent Vercruyssen,Wannes Meert,Hendrik Blockeel

2023-05-22

Abstract:Most anomaly detection systems try to model normal behavior and assume anomalies deviate from it in diverse manners. However, there may be patterns in the anomalies as well. Ideally, an anomaly detection system can exploit patterns in both normal and anomalous behavior. In this paper, we present AD-MERCS, an unsupervised approach to anomaly detection that explicitly aims at doing both. AD-MERCS identifies multiple subspaces of the instance space within which patterns exist, and identifies conditions (possibly in other subspaces) that characterize instances that deviate from these patterns. Experiments show that this modeling of both normality and abnormality makes the anomaly detector performant on a wide range of types of anomalies. Moreover, by identifying patterns and conditions in (low-dimensional) subspaces, the anomaly detector can provide simple explanations of why something is considered an anomaly. These explanations can be both negative (deviation from some pattern) as positive (meeting some condition that is typical for anomalies).

Machine Learning

Len Feremans,Vincent Vercruyssen,Wannes Meert,Boris Cule,Bart Goethals

DOI: https://doi.org/10.1007/978-3-030-48861-1_1

2020-01-01

Abstract:In the present-day, sensor data and textual logs are generated by many devices. Analysing these time series data leads to the discovery of interesting patterns and anomalies. In recent years, numerous algorithms have been developed to discover interesting patterns in time series data as well as detect periods of anomalous behaviour. However, these algorithms are challenging to apply in real-world settings. We propose a framework, consisting of generic transformations, that allows to combine state-of-the-art time series representation, pattern mining, and pattern-based anomaly detection algorithms. Using an early- or late integration our framework handles a mix of multi-dimensional continuous series and event logs. In addition, we present an open-source, lightweight, interactive tool that assists both pattern mining and domain experts to select algorithms, specify parameters, and visually inspect the results, while shielding them from the underlying technical complexity of implementing our framework.

Wil M. P. van der Aalst

DOI: https://doi.org/10.1007/978-3-030-30446-1_1

2019-01-01

Abstract:Process mining techniques use event data to answer a variety of process-related questions. Process discovery, conformance checking, model enhancement, and operational support are used to improve performance and compliance. Process mining starts from recorded events that are characterized by a case identifier, an activity name, a timestamp, and optional attributes like resource or costs. In many applications, there are multiple candidate identifiers leading to different views on the same process. Moreover, one event may be related to different cases (convergence) and, for a given case, there may be multiple instances of the same activity within a case (divergence). To create a traditional process model, the event data need to be “flattened”. There are typically multiple choices possible, leading to different views that are disconnected. Therefore, one quickly loses the overview and event data need to be exacted multiple times (for the different views). Different approaches have been proposed to tackle the problem. This paper discusses the gap between real event data and the event logs required by traditional process mining techniques. The main purpose is to create awareness and to provide ways to characterize event data. A specific logging format is proposed where events can be related to objects of different types. Moreover, basic notations and a baseline discovery approach are presented to facilitate discussion and understanding.

Neil Caithness,David Wallom

DOI: https://doi.org/10.5220/0006835502850293

2018-04-09

Abstract:As the Industrial Internet of Things (IIoT) grows, systems are increasingly being monitored by arrays of sensors returning time-series data at ever-increasing 'volume, velocity and variety' (i.e. Industrial Big Data). An obvious use for these data is real-time systems condition monitoring and prognostic time to failure analysis (remaining useful life, RUL). (e.g. See white papers by <a class="link-external link-http" href="http://Senseye.io" rel="external noopener nofollow">this http URL</a>, and output of the NASA Prognostics Center of Excellence (PCoE).) However, as noted by Agrawal and Choudhary 'Our ability to collect "big data" has greatly surpassed our capability to analyze it, underscoring the emergence of the fourth paradigm of science, which is data-driven discovery.' In order to fully utilize the potential of Industrial Big Data we need data-driven techniques that operate at scales that process models cannot. Here we present a prototype technique for data-driven anomaly detection to operate at industrial scale. The method generalizes to application with almost any multivariate dataset based on independent ordinations of repeated (bootstrapped) partitions of the dataset and inspection of the joint distribution of ordinal distances.

Machine Learning

Laura Erhan,Maryleen U. Ndubuaku,Mario Di Mauro,Wei Song,M. Chen,Giancarlo Fortino,Ovidiu Bagdasar,Antonio Liotta

DOI: https://doi.org/10.1016/j.inffus.2020.10.001

IF: 18.6

2021-01-01

Information Fusion

Abstract:Anomaly detection is concerned with identifying data patterns that deviate remarkably from the expected behaviour. This is an important research problem, due to its broad set of application domains, from data analysis to e-health, cybersecurity, predictive maintenance, fault prevention, and industrial automation. Herein, we review state-of-the-art methods that may be employed to detect anomalies in the specific area of sensor systems, which poses hard challenges in terms of information fusion, data volumes, data speed, and network/energy efficiency, to mention but the most pressing ones. In this context, anomaly detection is a particularly hard problem, given the need to find computing-energy accuracy trade-offs in a constrained environment. We taxonomize methods ranging from conventional techniques (statistical methods, time-series analysis, signal processing, etc.) to data-driven techniques (supervised learning, reinforcement learning, deep learning, etc.). We also look at the impact that different architectural environments (Cloud, Fog, Edge) can have on the sensors ecosystem. The review points to the most promising intelligent-sensing methods, and pinpoints a set of interesting open issues and challenges.

A. Herreros-Martínez,R. Magdalena-Benedicto,J. Vila-Francés,A.J. Serrano-López,S. Pérez-Díaz

2024-05-24

Abstract:In a context of a continuous digitalisation of processes, organisations must deal with the challenge of detecting anomalies that can reveal suspicious activities upon an increasing volume of data. To pursue this goal, audit engagements are carried out regularly, and internal auditors and purchase specialists are constantly looking for new methods to automate these processes. This work proposes a methodology to prioritise the investigation of the cases detected in two large purchase datasets from real data. The goal is to contribute to the effectiveness of the companies' control efforts and to increase the performance of carrying out such tasks. A comprehensive Exploratory Data Analysis is carried out before using unsupervised Machine Learning techniques addressed to detect anomalies. A univariate approach has been applied through the z-Score index and the DBSCAN algorithm, while a multivariate analysis is implemented with the k-Means and Isolation Forest algorithms, and the Silhouette index, resulting in each method having a transaction candidates' proposal to be reviewed. An ensemble prioritisation of the candidates is provided jointly with a proposal of explicability methods (LIME, Shapley, SHAP) to help the company specialists in their understanding.

Computational Engineering, Finance, and Science,Machine Learning

Salvatore Vilella,Arthur Thomas Edward Capozzi Lupi,Marco Fornasiero,Dario Moncalvo,Valeria Ricci,Silvia Ronchiadin,Giancarlo Ruffo

DOI: https://doi.org/10.48550/arXiv.2311.14778

2024-02-19

Abstract:This paper explores anomaly detection through temporal network analysis. Unlike many conventional methods, relying on rule-based algorithms or general machine learning approaches, our methodology leverages the evolving structure and relationships within temporal networks, that can be used to model financial transactions. Focusing on minimal changes in stable ecosystems, such as those found in large international financial institutions, our approach utilizes network centrality measures to gain insights into individual nodes. By monitoring the temporal evolution of centrality-based node rankings, our method effectively identifies abrupt shifts in the roles of specific nodes, prompting further investigation by domain experts. To demonstrate its efficacy, our methodology is applied in the Anti-Financial Crime (AFC) domain, analyzing a substantial financial dataset comprising over 80 million cross-country wire transfers. The goal is to pinpoint outliers potentially involved in malicious activities, aligning with financial regulations. This approach serves as an initial stride towards automating AFC and Anti-Money Laundering (AML) processes, providing AFC officers with a comprehensive top-down view to enhance their efforts. It overcomes many limitations of current prevalent paradigms, offering a holistic interpretation of the financial data landscape and addressing potential blindness to phenomena that cannot be effectively estimated through single-node or narrowly focused transactional approaches.

Social and Information Networks,Computational Engineering, Finance, and Science,Information Retrieval

Abdul Qadir Khan,Saad El Jaouhari,Nouredine Tamani,Lina Mroueh

DOI: https://doi.org/10.1016/j.engappai.2024.108996

IF: 8

2024-07-26

Engineering Applications of Artificial Intelligence

Abstract:Due to the rapidly increasing number of Internet-connected objects, a huge amount of data is created, stored, and shared. Depending on the use case, this data is visualized, cleaned, checked, visualized, and processed for various purposes. However, this data may encounter many problems such as inaccuracy, duplication, absence, etc. Such issues can be regarded as anomalies that deviate from a referential point, which can be caused by malicious attackers, abnormal behavior of systems, and a failure of devices, transmission channels, or data processing units. Anomaly detection is still one of the most important issues in cybersecurity, especially when it comes to system monitoring, automated forensics, and post-mortem analysis, which require anomaly detection mechanisms. In the literature, different approaches have been developed to detect anomalies, which can be classified as statistic-based, semantic-based, clustering-based, classification-based, and deep learning-based, depending on the algorithms used. This survey focuses on knowledge-based approaches, a sub-category of semantic-based approaches, as opposed to statistical/learning approaches. We provide a detailed comparison of the recent work in knowledge-based subcategories, namely, rule-based, score-based, and hybrid. We described the components of a knowledge-based system and the steps required to process raw data for anomaly detection. Furthermore, we have collected for each approach, when available, information about its semantic expressiveness, computational complexity, and application domain. Finally, we identify the challenges and discuss some future research directions in knowledge-based anomaly detection. Identifying such approaches and challenges can help cybersecurity engineers design better models that meet their application requirements.

automation & control systems,computer science, artificial intelligence,engineering, electrical & electronic, multidisciplinary

Alexandre Goossens,Johannes De Smedt,Jan Vanthienen

2024-01-26

Abstract:Organizations execute decisions within business processes on a daily basis whilst having to take into account multiple stakeholders who might require multiple point of views of the same process. Moreover, the complexity of the information systems running these business processes is generally high as they are linked to databases storing all the relevant data and aspects of the processes. Given the presence of multiple objects within an information system which support the processes in their enactment, decisions are naturally influenced by both these perspectives, logged in object-centric process logs. However, the discovery of such decisions from object-centric process logs is not straightforward as it requires to correctly link the involved objects whilst considering the sequential constraints that business processes impose as well as correctly discovering what a decision actually does. This paper proposes the first object-centric decision-mining algorithm called Integrated Object-centric Decision Discovery Algorithm (IODDA). IODDA is able to discover how a decision is structured as well as how a decision is made. Moreover, IODDA is able to discover which activities and object types are involved in the decision-making process. Next, IODDA is demonstrated with the first artificial knowledge-intensive process logs whose log generators are provided to the research community.

Machine Learning

Kamil Faber,Roberto Corizzo,Bartlomiej Sniezynski,Nathalie Japkowicz

DOI: https://doi.org/10.1109/access.2024.3377690

IF: 3.9

2024-03-27

IEEE Access

Abstract:Anomaly detection is of paramount importance in many real-world domains characterized by evolving behavior, such as monitoring cyber-physical systems, human conditions and network traffic. Current research in anomaly detection leverages offline learning working with static data or online learning focusing on constant adaptation to evolving data. At the same time, lifelong learning represents an emerging trend, answering the need for machine learning models that continuously adapt to new challenges in dynamic environments while retaining past knowledge. Although this aspect could be beneficial to build effective and robust anomaly detection models, lifelong learning research is mainly dedicated to proposing new model update strategies in image classification and reinforcement learning domains. The limited scope addressed by lifelong learning works thus far creates a gap in understanding whether such techniques and capabilities can be fruitfully exploited in anomaly detection contexts, which represents the main motivation of this paper. More specifically, anomaly detection provides unique challenges, such as an evolving normal class and limited availability of anomalies, which significantly differs from the landscape and scenarios of lifelong image classification and reinforcement learning. In this paper, we face this issue by exploring, motivating, and discussing lifelong anomaly detection, as well as providing foundations with regard to scenarios, strategies, and metrics. First, we explain why lifelong anomaly detection is relevant, defining challenges and opportunities to design anomaly detection methods that deal with lifelong learning complexities. Second, we formulate and characterize lifelong learning settings tailored for anomaly detection problems, and design a scenario generation procedure that enables researchers to experiment with lifelong anomaly detection using existing datasets. Third, we perform experiments with popular anomaly detection methods on proposed lifelong scenarios, emphasizing the gap in performance that could be filled with the adoption of lifelong learning. In summary, our efforts are directed at assessing the performance of non-lifelong anomaly detection models in lifelong scenarios and how the adoption of lifelong learning impacts their learning capabilities. Overall, we conclude that the adoption of lifelong anomaly detection is important to design more robust models that provide a comprehensive view of the environment, as well as simultaneous adaptation and knowledge retention.

computer science, information systems,telecommunications,engineering, electrical & electronic

Prabin B Lamichhane,William Eberle

2024-05-10

Abstract:Real-world graphs are complex to process for performing effective analysis, such as anomaly detection. However, recently, there have been several research efforts addressing the issues surrounding graph-based anomaly detection. In this paper, we discuss a comprehensive overview of anomaly detection techniques on graph data. We also discuss the various application domains which use those anomaly detection techniques. We present a new taxonomy that categorizes the different state-of-the-art anomaly detection methods based on assumptions and techniques. Within each category, we discuss the fundamental research ideas that have been done to improve anomaly detection. We further discuss the advantages and disadvantages of current anomaly detection techniques. Finally, we present potential future research directions in anomaly detection on graph-structured data.

Machine Learning,Cryptography and Security

Jonas Bühler,Jonas Fehrenbach,Lucas Steinmann,Christian Nauck,Marios Koulakis

2024-07-03

Abstract:One persistent obstacle in industrial quality inspection is the detection of anomalies. In real-world use cases, two problems must be addressed: anomalous data is sparse and the same types of anomalies need to be detected on previously unseen objects. Current anomaly detection approaches can be trained with sparse nominal data, whereas domain generalization approaches enable detecting objects in previously unseen domains. Utilizing those two observations, we introduce the hybrid task of domain generalization on sparse classes. To introduce an accompanying dataset for this task, we present a modification of the well-established MVTec AD dataset by generating three new datasets. In addition to applying existing methods for benchmark, we design two embedding-based approaches, Spatial Embedding MLP (SEMLP) and Labeled PatchCore. Overall, SEMLP achieves the best performance with an average image-level AUROC of 87.2 % vs. 80.4 % by MIRO. The new and openly available datasets allow for further research to improve industrial anomaly detection.

Computer Vision and Pattern Recognition

Wei Guan,Jian Cao,Haiyan Zhao,Yang Gu,Shiyou Qian

DOI: https://doi.org/10.1109/tkde.2024.3484159

IF: 9.235

2024-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Effective management of business processes is crucial for organizational success. However, despite meticulous design and implementation, anomalies are inevitable and can result in inefficiencies, delays, or even significant financial losses. Numerous methods for detecting anomalies in business processes have been proposed recently. However, there is no comprehensive benchmark to evaluate these methods. Consequently, the relative merits of each method remain unclear due to differences in their experimental setup, choice of datasets and evaluation measures. In this paper, we present a systematic literature review and taxonomy of business process anomaly detection methods. Additionally, we select at least one method from each category, resulting in 16 methods that are cross-benchmarked against 32 synthetic logs and 19 real-life logs from different industry domains. Our analysis provides insights into the strengths and weaknesses of different anomaly detection methods. Ultimately, our findings can help researchers and practitioners in the field of process mining make informed decisions when selecting and applying anomaly detection methods to real-life business scenarios. Finally, some future directions are discussed in order to promote the evolution of business process anomaly detection.

Lien Bosmans,Jari Peeperkorn,Alexandre Goossens,Giovanni Lugaresi,Johannes De Smedt,Jochen De Weerdt

2024-10-01

Abstract:Object-centric process mining is emerging as a promising paradigm across diverse industries, drawing substantial academic attention. To support its data requirements, existing object-centric data formats primarily facilitate the exchange of static event logs between data owners, researchers, and analysts, rather than serving as a robust foundational data model for continuous data ingestion and transformation pipelines for subsequent storage and analysis. This focus results into suboptimal design choices in terms of flexibility, scalability, and maintainability. For example, it is difficult for current object-centric event log formats to deal with novel object types or new attributes in case of streaming data. This paper proposes a database format designed for an intermediate data storage hub, which segregates process mining applications from their data sources using a hub-and-spoke architecture. It delineates essential requirements for robust object-centric event log storage from a data engineering perspective and introduces a novel relational schema tailored to these requirements. To validate the efficacy of the proposed database format, an end-to-end solution is implemented using a lightweight, open-source data stack. Our implementation includes data extractors for various object-centric event log formats, automated data quality assessments, and intuitive process data visualization capabilities.

Databases

Domenico Giordano,Matteo Paltenghi,Stiven Metaj,Antonin Dvorak

DOI: https://doi.org/10.1051/epjconf/202125102011

2021-01-01

EPJ Web of Conferences

Abstract:Anomaly detection in the CERN OpenStack cloud is a challenging task due to the large scale of the computing infrastructure and, consequently, the large volume of monitoring data to analyse. The current solution to spot anomalous servers in the cloud infrastructure relies on a threshold-based alarming system carefully set by the system managers on the performance metrics of each infrastructure’s component. This contribution explores fully automated, unsupervised machine learning solutions in the anomaly detection field for time series metrics, by adapting both traditional and deep learning approaches. The paper describes a novel end-to-end data analytics pipeline implemented to digest the large amount of monitoring data and to expose anomalies to the system managers. The pipeline relies solely on open-source tools and frameworks, such as Spark, Apache Airflow, Kubernetes, Grafana, Elasticsearch . In addition, an approach to build annotated datasets from the CERN cloud monitoring data is reported. Finally, a preliminary performance of a number of anomaly detection algorithms is evaluated by using the aforementioned annotated datasets.