Ning Yin,Shanshan Wang,Hongyan Li,Lilue Fan

DOI: https://doi.org/10.1007/978-3-319-39958-4_6

2016-01-01

Abstract:Currently, most information systems are data intensive. The data models of such are posing notable influence on business processes. However, the predominance of existed process verification methods leave out the impact of data models on process models. Meanwhile, with parallel structures in business processes multiplying, business process structures are becoming increasingly intricate and large in size. A parallel structure engenders also uncertainty, and consequently increases the chances and decreases the detectability of anomalies occasioned by process and data model conflicts. In this paper, these anomalies are analyzed and classified. A data state matrix and data operation algebra is introduced to establish the relation between the parallel-process model and the data model. Then, an anomaly detection method under the divide-and-conquer framework is proposed to ensure efficiency in detecting anomalies in business processes. Both theoretical analysis and experimental results prove this method to be highly efficient and effective in detecting data model oriented anomalies.

Alessandro Berti,Urszula Jessen,Wil M.P. van der Aalst,Dirk Fahland

2024-07-12

Abstract:Object-centric event logs, allowing events related to different objects of different object types, represent naturally the execution of business processes, such as ERP (O2C and P2P) and CRM. However, modeling such complex information requires novel process mining techniques and might result in complex sets of constraints. Object-centric anomaly detection exploits both the lifecycle and the interactions between the different objects. Therefore, anomalous patterns are proposed to the user without requiring the definition of object-centric process models. This paper proposes different methodologies for object-centric anomaly detection and discusses the role of domain knowledge for these methodologies. We discuss the advantages and limitations of Large Language Models (LLMs) in the provision of such domain knowledge. Following our experience in a real-life P2P process, we also discuss the role of algorithms (dimensionality reduction+anomaly detection), suggest some pre-processing steps, and discuss the role of feature propagation.

Databases

Alessandro Niro,Michael Werner

2024-02-14

Abstract:Detecting anomalies is important for identifying inefficiencies, errors, or fraud in business processes. Traditional process mining approaches focus on analyzing 'flattened', sequential, event logs based on a single case notion. However, many real-world process executions exhibit a graph-like structure, where events can be associated with multiple cases. Flattening event logs requires selecting a single case identifier which creates a gap with the real event data and artificially introduces anomalies in the event logs. Object-centric process mining avoids these limitations by allowing events to be related to different cases. This study proposes a novel framework for anomaly detection in business processes that exploits graph neural networks and the enhanced information offered by object-centric process mining. We first reconstruct and represent the process dependencies of the object-centric event logs as attributed graphs and then employ a graph convolutional autoencoder architecture to detect anomalous events. Our results show that our approach provides promising performance in detecting anomalies at the activity type and attributes level, although it struggles to detect anomalies in the temporal order of events.

Statistical Finance,Databases,Machine Learning

Yin Ning,Liu Zhiqiang,Li Hongyan

2011-01-01

Journal of Computer Research and Development

Abstract:When dealing with large business process models having lots of parallel structures,many traditional anomalies detection methods become inefficient.Moreover,in most of information systems,lots of anomalies are caused by data model's influences,which cannot be easily detected,and there are few methods take them into account.We take on the challenge of analyzing anomalies caused by the inconsistency between process model and data model on process modes with lots of parallel structures.We design the parallel-process tasks set to keep efficiency and propose a Task-data Existence Matrix(TD-Matrix) model to build up linkage between data model and process model.The anomaly-detecting method based on TD-Matrix has high detection rate and efficiency in our experiment.

Wei Guan,Jian Cao,Yan Yao,Yang Gu,Shiyou Qian

DOI: https://doi.org/10.1109/icws62655.2024.00134

2024-01-01

Abstract:In business processes, anomalies are prevalent, arising from diverse factors, such as software malfunctions and operator errors. Detecting these anomalies is imperative, as it significantly influences not only the financial well-being of a business but also the dependability of event logs for subsequent analysis. However, existing deep business process anomaly detection approaches either lack effective temporal dependency modeling between events or encounter challenges associated with gradient vanishing. In this paper, we introduce COMB, which stands for an interConnected transfOrmers-based autoencoder for Multi-perspective Business process anomaly detection. Considering the interdependent nature of multi-perspectives, COMB leverages multiple parallel and interconnected transformers, facilitated by the inclusion of aggregation layers. These layers serve as integration points for information from various perspectives. Notably, considering how control flow influences other perspectives, COMB incorporates innovative mask adapters to enhance its detection performance. Furthermore, we propose a novel method for calculating anomaly scores, which effectively mitigates the influence of varying numbers of potential attribute values. Our extensive experimental evaluation encompasses both synthetic and real-life logs, and the results clearly demonstrate that COMB outperforms state-of-the-art methods in both trace-level and attribute-level anomaly detection.

Wei Guan,Jian Cao,Yang Gu,Shiyou Qian

DOI: https://doi.org/10.1109/tsc.2023.3262405

IF: 11.019

2023-01-01

IEEE Transactions on Services Computing

Abstract:In process-aware information systems (PAISs), anomalies are ubiquitous, having a number of different underlying causes, such as software malfunctions or operator errors. The presence of anomalies not only has an enormous impact on the economic well-being of the business, but also interferes with our ability to mine useful information from event logs. In this article, we propose GRASPED, a GR U- A E Network based multi-per S pective business ProcEss anomaly D etection model. GRASPED can detect anomalies not only from the control flow but also from the data perspective of a business process. GRASPED is based on an autoencoder (AE) with gated recurrent units (GRU) which is trained in an unsupervised fashion (i.e., does not require any labeling of the data). In addition, GRASPED introduces the teacher forcing method as well as the attention mechanism to improve its detection performance. GRASPED does not require training on a clean log (i.e., it can be trained and perform anomaly detection directly on logs containing anomalies). We conduct extensive experiments on synthetic logs as well as real-life logs. The experiment results show that GRASPED outperforms the state-of-the-art methods for both trace-level and attribute-level anomaly detection.

Mohamad Baydoun,Mahdyar Ravanbakhsh,Damian Campo,Pablo Marin,David Martin,Lucio Marcenaro,Andrea Cavallaro,Carlo S. Regazzoni

DOI: https://doi.org/10.48550/arXiv.1803.06579

2018-03-18

Abstract:This paper focuses on multi-sensor anomaly detection for moving cognitive agents using both external and private first-person visual observations. Both observation types are used to characterize agents' motion in a given environment. The proposed method generates locally uniform motion models by dividing a Gaussian process that approximates agents' displacements on the scene and provides a Shared Level (SL) self-awareness based on Environment Centered (EC) models. Such models are then used to train in a semi-unsupervised way a set of Generative Adversarial Networks (GANs) that produce an estimation of external and internal parameters of moving agents. Obtained results exemplify the feasibility of using multi-perspective data for predicting and analyzing trajectory information.

Computer Vision and Pattern Recognition

Ashish Sureka

DOI: https://doi.org/10.48550/arXiv.1507.01168

2015-07-05

Abstract:Business Process Management Systems (BPMS) log events and traces of activities during the execution of a process. Anomalies are defined as deviation or departure from the normal or common order. Anomaly detection in business process logs has several applications such as fraud detection and understanding the causes of process errors. In this paper, we present a novel approach for anomaly detection in business process logs. We model the event logs as a sequential data and apply kernel based anomaly detection techniques to identify outliers and discordant observations. Our technique is unsupervised (does not require a pre-annotated training dataset), employs kNN (k-nearest neighbor) kernel based technique and normalized longest common subsequence (LCS) similarity measure. We conduct experiments on a recent, large and real-world incident management data of an enterprise and demonstrate that our approach is effective.

Software Engineering,Information Retrieval

Tugba Gurgen Erdogan,Ayca Kolukisa Tarhan

DOI: https://doi.org/10.1177/14604582221077195

2022-01-01

Health Informatics Journal

Abstract:Background Multi-perspective process mining is an analytical approach that uses data to gain objective insights and uncover hidden problems in business processes from multiple perspectives. Objective In this paper, we apply multi-perspective process mining techniques in the emergency process through a goal-driven performance evaluation method in order to understand and diagnose the timeliness of the emergency process. Methods Unstructured and multi-disciplinary emergency data is analyzed by following Goal-Question-Feature-Indicator (GQFI) method. In this paper, the GQFI method is extended with perspectives, and the insights in the enriched event data are examined by a decision tree model. All of them are applied in a systematic way in relation to the goal of assessing and improving the emergency process in a university hospital. Results We detected the deviations (e.g., skipping the triage and consultation request steps) and two bottlenecks in the emergency process. Among the suggestions for improving the process, are performing defensive medicine in a harmless manner, classification of the emergency services, ensuring triage step is applied to all patients and effective usage of the call system application in consultation activities. Conclusion: The results of this study showed that goal-oriented multi-perspective process mining is effective in identifying process improvements in emergency services.

health care sciences & services,medical informatics

Stephan Rabanser,Tim Januschowski,Kashif Rasul,Oliver Borchert,Richard Kurle,Jan Gasthaus,Michael Bohlke-Schneider,Nicolas Papernot,Valentin Flunkert

DOI: https://doi.org/10.48550/arXiv.2206.14342

IF: 5.414

2022-06-29

Machine Learning

Abstract:We introduce a novel, practically relevant variation of the anomaly detection problem in multi-variate time series: intrinsic anomaly detection. It appears in diverse practical scenarios ranging from DevOps to IoT, where we want to recognize failures of a system that operates under the influence of a surrounding environment. Intrinsic anomalies are changes in the functional dependency structure between time series that represent an environment and time series that represent the internal state of a system that is placed in said environment. We formalize this problem, provide under-studied public and new purpose-built data sets for it, and present methods that handle intrinsic anomaly detection. These address the short-coming of existing anomaly detection methods that cannot differentiate between expected changes in the system's state and unexpected ones, i.e., changes in the system that deviate from the environment's influence. Our most promising approach is fully unsupervised and combines adversarial learning and time series representation learning, thereby addressing problems such as label sparsity and subjectivity, while allowing to navigate and improve notoriously problematic anomaly detection data sets.

Shuai Zhang,Chuan Zhou,Peng Zhang,Yang Liu,Zhao Li,Hongyang Chen

DOI: https://doi.org/10.1109/icdm58522.2023.00090

2023-01-01

Abstract:Anomaly detection in multi-type event sequences is a crucial and challenging problem with important applications in various domains, including cybersecurity, finance and healthcare. Temporal point process has emerged as a powerful technique for modeling event sequences and has gained considerable attention in the field of anomaly detection. However, existing temporal point process approaches are either inapplicable to multi-type event sequence data or incur the loss of valuable information in subsequences associated with specific event types. To this end, we propose a novel Multiple Hypothesis Testing based Anomaly Detection method (MultiAD) to detect anomalous multi-type event sequences. The basic idea of MultiAD is to capture the underlying distribution of normal sequences using a neural multivariate point process, based on which the original hypothesis testing problem can be converted into a multiple hypothesis testing using the multivariate time rescaling theorem. By conducting multiple hypothesis tests on the time-rescaled subsequences, MultiAD makes full use of the valuable information contained within individual subsequences. Moreover, we claim that the existing test statistic ignores the sequential information of inter-event time intervals and propose new statistics to address this shortcoming. Finally, we employ the kernel method to obtain a smooth estimator of the distribution of the proposed statistics under the null hypothesis. This ensures a more accurate and reliable computation of the p-value, providing robust statistical inference. Extensive experimental results demonstrate that MultiAD significantly outperforms the state-of-the-art methods on both synthetic and real-world data.

Max Schemmer,Joshua Holstein,Niklas Bauer,Niklas Kühl,Gerhard Satzger

DOI: https://doi.org/10.48550/arXiv.2302.03302

IF: 5.414

2023-02-07

Machine Learning

Abstract:Detecting rare events is essential in various fields, e.g., in cyber security or maintenance. Often, human experts are supported by anomaly detection systems as continuously monitoring the data is an error-prone and tedious task. However, among the anomalies detected may be events that are rare, e.g., a planned shutdown of a machine, but are not the actual event of interest, e.g., breakdowns of a machine. Therefore, human experts are needed to validate whether the detected anomalies are relevant. We propose to support this anomaly investigation by providing explanations of anomaly detection. Related work only focuses on the technical implementation of explainable anomaly detection and neglects the subsequent human anomaly investigation. To address this research gap, we conduct a behavioral experiment using records of taxi rides in New York City as a testbed. Participants are asked to differentiate extreme weather events from other anomalous events such as holidays or sporting events. Our results show that providing counterfactual explanations do improve the investigation of anomalies, indicating potential for explainable anomaly detection in general.

Lucas Correia,Jan-Christoph Goos,Philipp Klein,Thomas Bäck,Anna V. Kononova

DOI: https://doi.org/10.1016/j.engappai.2024.109323

2024-09-19

Abstract:Time-series anomaly detection plays an important role in engineering processes, like development, manufacturing and other operations involving dynamic systems. These processes can greatly benefit from advances in the field, as state-of-the-art approaches may aid in cases involving, for example, highly dimensional data. To provide the reader with understanding of the terminology, this survey introduces a novel taxonomy where a distinction between online and offline, and training and inference is made. Additionally, it presents the most popular data sets and evaluation metrics used in the literature, as well as a detailed analysis. Furthermore, this survey provides an extensive overview of the state-of-the-art model-based online semi- and unsupervised anomaly detection approaches for multivariate time-series data, categorising them into different model families and other properties. The biggest research challenge revolves around benchmarking, as currently there is no reliable way to compare different approaches against one another. This problem is two-fold: on the one hand, public data sets suffers from at least one fundamental flaw, while on the other hand, there is a lack of intuitive and representative evaluation metrics in the field. Moreover, the way most publications choose a detection threshold disregards real-world conditions, which hinders the application in the real world. To allow for tangible advances in the field, these issues must be addressed in future work.

Machine Learning,Artificial Intelligence,Systems and Control

A. Herreros-Martínez,R. Magdalena-Benedicto,J. Vila-Francés,A.J. Serrano-López,S. Pérez-Díaz

2024-05-24

Abstract:In a context of a continuous digitalisation of processes, organisations must deal with the challenge of detecting anomalies that can reveal suspicious activities upon an increasing volume of data. To pursue this goal, audit engagements are carried out regularly, and internal auditors and purchase specialists are constantly looking for new methods to automate these processes. This work proposes a methodology to prioritise the investigation of the cases detected in two large purchase datasets from real data. The goal is to contribute to the effectiveness of the companies' control efforts and to increase the performance of carrying out such tasks. A comprehensive Exploratory Data Analysis is carried out before using unsupervised Machine Learning techniques addressed to detect anomalies. A univariate approach has been applied through the z-Score index and the DBSCAN algorithm, while a multivariate analysis is implemented with the k-Means and Isolation Forest algorithms, and the Silhouette index, resulting in each method having a transaction candidates' proposal to be reviewed. An ensemble prioritisation of the candidates is provided jointly with a proposal of explicability methods (LIME, Shapley, SHAP) to help the company specialists in their understanding.

Computational Engineering, Finance, and Science,Machine Learning

Francesco Folino,Gianluigi Greco,Antonella Guzzo,Luigi Pontieri

DOI: https://doi.org/10.1007/978-3-642-00670-8_10

2009-01-01

Enterprise Information Systems

Abstract:Process Mining techniques exploit the information stored in the execution log of a process to extract some high-level process model, useful for analysis or design tasks. Most of these techniques focus on “structural” aspects of the process, in that they only consider what elementary activities were executed and in which ordering. Hence, any other “non-structural” data, usually kept in real log systems (e.g., activity executors, parameter values), are disregarded, yet being a potential source of knowledge. In this paper, we overcome this limitation by proposing a novel approach to the discovery of process models, where the behavior of a process is characterized from both structural and non-structural viewpoints. Basically, we recognize different executions’ classes via a structural clustering approach, and model them with a collection of specific workflows. Relevant correlations between these classes and non-structural properties are captured by a rule-based classification model, which can be used for both explanation and prediction. In order to empower the versatility of our approach, we also combine it with a pre-processing method, which allows to restructure the log events according to different analysis perspectives, and to study them at the right abstraction level. Interestingly, such an approach reduces the risk of obtaining knotty, ”spaghetti-like”, process models when analyzing the logs of loosely-structured processes consisting of low-level operations that are performed in a more autonomous way than in traditional BPM platforms. Preliminary results on real-life application scenario confirm the validity of the approach.

computer science, information systems

Bernadin Namoano,Christina Latsou,John Ahmet Erkoyuncu

DOI: https://doi.org/10.1007/s10845-024-02447-7

IF: 8.3

2024-07-13

Journal of Intelligent Manufacturing

Abstract:Abstract Anomaly detection in multivariate time-series data is critical for monitoring asset conditions, enabling prompt fault detection and diagnosis to mitigate damage, reduce downtime and enhance safety. Existing literature predominately emphasises temporal dependencies in single-channel data, often overlooking interrelations between features in multivariate time-series data and across multiple channels. This paper introduces G-BOCPD, a novel graphical model-based annotation method designed to automatically detect anomalies in multi-channel multivariate time-series data. To address internal and external dependencies, G-BOCPD proposes a hybridisation of the graphical lasso and expectation maximisation algorithms. This approach detects anomalies in multi-channel multivariate time-series by identifying segments with diverse behaviours and patterns, which are then annotated to highlight variations. The method alternates between estimating the concentration matrix, which represents dependencies between variables, using the graphical lasso algorithm, and annotating segments through a minimal path clustering method for a comprehensive understanding of variations. To demonstrate its effectiveness, G-BOCPD is applied to multichannel time-series obtained from: (i) Diesel Multiple Unit train engines exhibiting faulty behaviours; and (ii) a group of train doors at various degradation stages. Empirical evidence highlights G-BOCPD's superior performance compared to previous approaches in terms of precision, recall and F1-score.

engineering, manufacturing,computer science, artificial intelligence

Alessandro Berti,Wil van der Aalst

DOI: https://doi.org/10.48550/arXiv.2001.02562

2020-01-08

Abstract:Much time in process mining projects is spent on finding and understanding data sources and extracting the event data needed. As a result, only a fraction of time is spent actually applying techniques to discover, control and predict the business process. Moreover, current process mining techniques assume a single case notion. However, in reallife processes often different case notions are intertwined. For example, events of the same order handling process may refer to customers, orders, order lines, deliveries, and payments. Therefore, we propose to use Multiple Viewpoint (MVP) models that relate events through objects and that relate activities through classes. The required event data are much closer to existing relational databases. MVP models provide a holistic view on the process, but also allow for the extraction of classical event logs using different viewpoints. This way existing process mining techniques can be used for each viewpoint without the need for new data extractions and transformations. We provide a toolchain allowing for the discovery of MVP models (annotated with performance and frequency information) from relational databases. Moreover, we demonstrate that classical process mining techniques can be applied to any selected viewpoint.

Databases

Xueying Ding,Nikita Seleznev,Senthil Kumar,C. Bayan Bruss,Leman Akoglu

2023-04-07

Abstract:Anomalies are often indicators of malfunction or inefficiency in various systems such as manufacturing, healthcare, finance, surveillance, to name a few. While the literature is abundant in effective detection algorithms due to this practical relevance, autonomous anomaly detection is rarely used in real-world scenarios. Especially in high-stakes applications, a human-in-the-loop is often involved in processes beyond detection such as verification and troubleshooting. In this work, we introduce ALARM (for Analyst-in-the-Loop Anomaly Reasoning and Management); an end-to-end framework that supports the anomaly mining cycle comprehensively, from detection to action. Besides unsupervised detection of emerging anomalies, it offers anomaly explanations and an interactive GUI for human-in-the-loop processes -- visual exploration, sense-making, and ultimately action-taking via designing new detection rules -- that help close ``the loop'' as the new rules complement rule-based supervised detection, typical of many deployed systems in practice. We demonstrate \method's efficacy through a series of case studies with fraud analysts from the financial industry.

Machine Learning,Human-Computer Interaction

Tom Westermann,Milapji Singh Gill,Alexander Fay

2023-08-25

Abstract:Model-Based Anomaly Detection has been a successful approach to identify deviations from the expected behavior of Cyber-Physical Production Systems. Since manual creation of these models is a time-consuming process, it is advantageous to learn them from data and represent them in a generic formalism like timed automata. However, these models - and by extension, the detected anomalies - can be challenging to interpret due to a lack of additional information about the system. This paper aims to improve model-based anomaly detection in CPPS by combining the learned timed automaton with a formal knowledge graph about the system. Both the model and the detected anomalies are described in the knowledge graph in order to allow operators an easier interpretation of the model and the detected anomalies. The authors additionally propose an ontology of the necessary concepts. The approach was validated on a five-tank mixing CPPS and was able to formally define both automata model as well as timing anomalies in automata execution.

Artificial Intelligence

Jingxin ZHANG,Donghua ZHOU,Maoyin CHEN,Dehao WU

DOI: https://doi.org/10.1360/SSI-2022-0404

2023-01-01

Abstract:Industrial processes usually need to function under multiple conditions because of changes in raw materials,setting points,and the external environment.Anomaly monitoring methods for multimode processes effectively ensure the safe operation of industrial systems,and they are a research hotspot of current process monitoring technology.Herein,anomaly monitoring methods for multimode processes are summarized,including overall modeling,adaptive modeling,hybrid modeling,and multi-model modeling methods.Research progress of multimode stationary processes and multimode nonstationary processes is then reviewed,and the advantages and disadvantages of these methods are analyzed.Finally,considering the characteristics of the practical industrial systems,the open problems in this field and the future development direction are summarized.