A Security-aware Simulation Method for Generating Business Process Event Logs

Academic year: 2021


Rafael Accorsi

University of Freiburg, Germany

[email protected]

Abstract. One of the difficulties in developing mechanisms for business process security monitoring and auditing is obtaining representative, realistic and controlled test runs. This paper presents ongoing work toward a business process simulation method geared to the synthesis of event logs. The novelty is that it considers the activity of an (internal) attacker able to purposefully infringe the designated security requirements or simply manipulate the process’ control and data flow. The resultant logs can, e.g., be readily replayed on a reference monitor or business activity monitoring tool, or serve as input for process discovery tools.

1 Introduction

Research into business process security and control is concerned with the formalization of security requirements (e.g., secrecy, integrity, binding of duties) and the development of well-founded techniques and tools for analyzing, monitoring and auditing these requirements in business process specifications. Techniques for this include, for instance, program analysis [5,6], usage control [1,19] and various types of a posteriori process analysis [2,4,23]. In this research area, a particular challenge appears when it comes to empirically testing the effectiveness of monitoring and auditing techniques and corresponding tools [3]. Here, controlled input with regard to structural vulnerabilities [15,16] is required to feed the tools with process runs and ascertain the kill-rate, i.e. the precision with which they identify violations of the designated security properties.

Business process simulation techniques can provide for these runs. However, the current state of the art approaches (e.g., [11,21,22]) and tool support (e.g., [9,10]) do not take into account an attacker able to intentionally (albeit controllably) manipulate the process executions and violate the security properties that a specific process under consideration must satisfy. In particular, the capabilities of such an attacker must be determined, thereby defining an attacker model that can be configured for the simulated process.

This paper presents ongoing work toward a business process simulation method geared to the synthesis of attacker-aware event logs. The method, depicted in Fig. 1, takes a business process specification and the security requirements applicable to the process as main inputs. Based upon the process specification, it automatically generates a series of process variants (so-called mutants) that deviate from the prescribed control and data flow. Similarly, based upon the security requirements, incorrect process instantiations (with regard to the subjects and their rights) are generated while producing the individual traces. Together, these steps provide for a definition of an attacker model, which can be configured in detail for a particular test case. For versatility, the generated logs are output in a variety of formats, including XES and MXML (traditional formats for process mining), as well as CSV and plain text.

Fig. 1. Overview of the approach. [Figure: the initial model is turned into simulation model variants (mutant 1, ..., mutant i, ..., mutant n) by transformation operations t1, ..., ti, ..., tn; each variant is simulated against the properties into an individual log (log 1, ..., log i, ..., log n) of traces with property annotations; the individual logs are accumulated into a combined log.]

The contributions summarized in this extended abstract are threefold:

1. It suggests transformation rules to derive mutants. Assuming a sound information flow net [7] that represents the process, each of the proposed transformations creates a novel and sound net.

2. Considering traditional security and organizational properties for business processes [12], the approach allows for configurable instantiations of process models, thereby allowing for the controllable generation of event logs in which these requirements are violated. Together with structural mutants, these capabilities characterize an attacker model.

3. It describes a prototypical implementation that realizes some of the features of the attacker model, while providing for the configurable synthesis of event logs. Eventually, this implementation will be integrated as a SWAT plug-in. The Security Workflow Analysis Toolkit (SWAT) provides a platform for business process analysis [8].

Overall, the generation of “defect” data has been applied to software process improvement in general [20], but has never been seen in the BPM area. This paper is a first step in this direction. We firmly believe that the controlled, push-button generation of (large) test data is a promising research direction and application domain in business process testing and improvement. This holds not only for testing mechanisms in the context of security (as in this paper), but also for compliance [1,17], resilience [13,24], visualization [14] and dependability [25] engineering for business processes and process-aware information systems.

Regarding the proposed method, several features still need to be added to obtain a fully-fledged log synthesizing tool, e.g. the simultaneous execution of parallel process models, thereby allowing for trace interleaving. Further, the completeness of generated logs has not been investigated, i.e. whether all possible cases are considered while generating the log. Soundness should be guaranteed by construction, but will be investigated formally in the future. These, as well as other conceptual and practical issues, are the subject of ongoing and further work.

Paper structure. The remainder of this paper describes the main steps of the approach (Section 2), reports on its prototypical realization (Section 3) and summarizes the ongoing/further work (Section 4).

2 Building Blocks and Deviations

2.1 Building Blocks

The main building blocks are, firstly, the process and environment specification and, secondly, the specification of the properties that must hold for the process.

Process specification. The process specification considers a Petri net representation of the process. Specifically, we consider an Information Flow Net (IFnet) [7]. IFnet is a colored Petri net dialect that allows the annotation of activities with subject/role information, as well as the consideration of resources (modeled as colored tokens). These models can be obtained automatically for BPEL and BPMN specifications. The definition of a process provides a tuple $P = (A, O, \hat{O})$, where $A$ is a set of activities, $O$ is the set of objects and $\hat{O}: A \to O$ assigns the objects employed by the activities. The environment in which the process $P$ is executed is defined by a tuple $E_P = (P, S, R, \hat{R})$, where $S$ stands for a set of subjects, $R$ for a set of roles and $\hat{R}$ for a set of tuples $(s, r, a)$, where $s \in S$, $r \in R$ and $a \in A$. If $(s_1, r_2, a_5) \in \hat{R}$, this means that in $P$ the subject $s_1$ is assigned the role $r_2$ for executing the activity $a_5$. To simplify the notation, we employ $\alpha(a, s, r)$ to denote that the activity $a$ is executed by the subject $s$ taking the role $r$.

Security property specification. The specification of security properties assumes a formalization using temporal logics. The properties we consider are standard and comprise the organizational properties (e.g. binding of duties and four-eye rule) [12] and purely security properties arising from violations of the role assignment relation $\hat{R}$ and, more generally, of usage control policies in the style of Park and Sandhu [18] (e.g. obligations after the access to data). Of course there is a non-empty intersection, e.g., between misleading role assignment and a binding of duties, but this is not relevant for the purposes of the paper.

With regard to their specification (and semantics), these properties are specified using linear temporal logic. For example, let $\alpha_i(a_i, s, r)$ and $\alpha_j(a_j, s, r')$. The formula $\psi_{BoD} = \Box(\alpha_i \rightarrow \Diamond \alpha_j)$ is an initial formalization to capture the binding of duties requirement. (This means: it is always the case that if $s$ carried out $a_i$ in the role $r$, then eventually $s$ should also execute $a_j$ in the role $r'$.) Regarding the semantics, the idea is to have a trace corresponding to a process execution, where each “event” in the trace corresponds to the execution of an activity. A trace fulfills a property, e.g. separation of duties, iff the events appear in the order prescribed by the policies. The full version of the paper provides the formal definition of the specification language and its semantics.

2.2 Process Deviations and Property Violations

Given the specification of processes and properties, this section introduces the rules with which deviations (i.e. mutants) are generated. This comprises both the control flow and the instantiation of the process variables with subject/role information. Altogether, both aspects capture the activity of an attacker, whereas control-flow-only transformations could also be taken as failures of the execution engine.

Control-flow deviations. The control flow transformations regard only the structure of the process specification and assume, for the sake of simplicity, a correct instantiation of process variables. At the moment, the following mutants are considered.

And2Xor: this transformation provides a mutant in which an AND-gate is rewritten as an XOR-gate. This means: while the original process requires traversing both paths of the AND-gate, the mutant assumes that only one (randomly chosen) path is traversed.

Xor2And: the opposite of And2Xor, i.e. each XOR-gate is rewritten as AND-gate.

Activity skipping: this transformation provides for mutants in which a transition is simply skipped during the execution.

Activity swapping: this transformation provides for mutants in which the order of a pair of activities is swapped.

By now, we assume that these transformations are not combined with each other (primitive mutant). In future, they will be combined to what we call “composite mutant”. Note, however, that we give full control to configure the sort
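The four primitive mutants above can be illustrated on a toy model. The following Python block is an added example written for this page, not the paper's prototype (which operates on IFnet Petri nets): it encodes a small constructed purchase process as a block tree with AND and XOR gates, enumerates the traces each model admits, applies And2Xor, Xor2And, activity skipping and activity swapping one at a time, and annotates every mutant trace with whether it still conforms to the original model, as the property annotations of Fig. 1 would. All names (PROCESS, traces, and2xor, primitive_mutants, ...) and the block encoding are the example's own.

```python
"""Control-flow mutants over a block-structured process model (constructed example)."""
import itertools

# Hypothetical encoding of a process as a nested block tree; the paper works on
# IFnet Petri nets, this toy encoding is a stand-in with the same gate vocabulary:
#   ("act", name)            an activity (transition)
#   ("seq", [b1, b2, ...])   sequential composition
#   ("and", [b1, b2, ...])   AND-gate: every branch is traversed (any interleaving)
#   ("xor", [b1, b2, ...])   XOR-gate: exactly one branch is traversed

# Constructed purchase process: request, then budget approval and supplier check
# in parallel, then either order or reject, then archive.
PROCESS = ("seq", [
    ("act", "request"),
    ("and", [("act", "approve_budget"), ("act", "check_supplier")]),
    ("xor", [("act", "order"), ("act", "reject")]),
    ("act", "archive"),
])


def interleavings(seqs):
    """All merges of the given sequences that keep each sequence's internal order."""
    seqs = [s for s in seqs if s]
    if not seqs:
        return [()]
    out = []
    for i, s in enumerate(seqs):
        rest = seqs[:i] + [s[1:]] + seqs[i + 1:]
        out.extend((s[0],) + tail for tail in interleavings(rest))
    return out


def traces(block):
    """Enumerate the complete traces (tuples of activity names) a block can produce."""
    kind, body = block
    if kind == "act":
        return [(body,)]
    if kind == "seq":
        result = [()]
        for child in body:
            result = [pre + post for pre in result for post in traces(child)]
        return sorted(set(result))
    if kind == "xor":
        return sorted({t for child in body for t in traces(child)})
    if kind == "and":
        result = []
        for combo in itertools.product(*(traces(child) for child in body)):
            result.extend(interleavings(list(combo)))
        return sorted(set(result))
    raise ValueError(f"unknown block kind {kind!r}")


def _rewrite_gates(block, src, dst):
    kind, body = block
    if kind == "act":
        return block
    return (dst if kind == src else kind, [_rewrite_gates(c, src, dst) for c in body])


def and2xor(block):
    """And2Xor: every AND-gate becomes an XOR-gate, so only one branch is traversed."""
    return _rewrite_gates(block, "and", "xor")


def xor2and(block):
    """Xor2And: every XOR-gate becomes an AND-gate, so all branches are traversed."""
    return _rewrite_gates(block, "xor", "and")


def skip_activity(block, name):
    """Activity skipping: the named transition is removed, i.e. never executed."""
    kind, body = block
    if kind == "act":
        return ("seq", []) if body == name else block
    return (kind, [skip_activity(c, name) for c in body])


def swap_activities(block, a, b):
    """Activity swapping: the positions of activities a and b are exchanged."""
    kind, body = block
    if kind == "act":
        return ("act", {a: b, b: a}.get(body, body))
    return (kind, [swap_activities(c, a, b) for c in body])


def primitive_mutants(process):
    """One mutant per transformation, each applied on its own (no composition)."""
    return {
        "And2Xor": and2xor(process),
        "Xor2And": xor2and(process),
        "skip(archive)": skip_activity(process, "archive"),
        "swap(request,archive)": swap_activities(process, "request", "archive"),
    }


def annotate(mutant_trace, original):
    """Property annotation for a trace: does it structurally conform to the original?"""
    return {"trace": mutant_trace, "conforms": mutant_trace in traces(original)}


if __name__ == "__main__":
    for name, mutant in primitive_mutants(PROCESS).items():
        for t in traces(mutant):
            print(name, annotate(t, PROCESS))
```

Because every transformation is applied on its own, each mutant's traces differ from the original in exactly one structural way (a missing parallel branch, both exclusive branches, a dropped transition, or a swapped pair), which is what makes the resulting log a controlled test input for a conformance checker.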


Fig. 2. Screenshot of the configuration panel.

Security requirements. Given a mutant and the security requirements applicable to the process, this step computes mutants whose instantiation or control flow violates at least one of the policies. We do so by negating the formulae representing the policies. This negation provides us with a pattern of nonconformance with the policies. Hence, whenever applicable, the approach generates an execution trace in which this “malicious” execution pattern occurs. Coming back to the binding of duties requirement, by negating the formula $\psi_{BoD}$ we obtain a pattern in which an activity pair prescribed to be performed by the same subject is executed by different subjects or not executed at all.
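Putting together the environment definition of Section 2.1 (subjects, roles and the role assignment relation, written R_HAT in the code), the binding of duties formula, and the negation step just described, the Python below is an added example and not the paper's code: it represents α(a, s, r) events, evaluates ψ_BoD over a finite trace, and derives from its negation the two non-conformance patterns named above (different subjects on the pair, or a_j never executed) while keeping the role assignment valid, so each generated trace violates exactly the property under test. A third generator produces the complementary case, a trace that breaks only the role assignment. The subjects, roles, relation and control-flow trace are constructed sample data; all function names are the example's own.

```python
"""Subject/role instantiation, the binding-of-duties property, and its negation (constructed example)."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Event:
    """alpha(a, s, r): activity a executed by subject s taking role r."""
    activity: str
    subject: str
    role: str


# Environment E_P = (P, S, R, R_hat) with constructed sample data.  R_HAT lists the
# (subject, role, activity) triples that are allowed.
SUBJECTS = {"alice", "bob", "carol"}
ROLES = {"clerk", "manager"}
R_HAT = {
    ("alice", "clerk", "request"), ("bob", "clerk", "request"),
    ("alice", "clerk", "archive"), ("bob", "clerk", "archive"),
    ("carol", "manager", "approve_budget"), ("bob", "manager", "approve_budget"),
}

# A control-flow trace of the process and the binding-of-duties pair (a_i, r, a_j, r'):
# whoever files the request as clerk must also archive it as clerk.
CONTROL_TRACE = ("request", "approve_budget", "archive")
BOD = ("request", "clerk", "archive", "clerk")


def role_assignment_ok(event):
    """Role-assignment property: the event is covered by R_HAT."""
    return (event.subject, event.role, event.activity) in R_HAT


def bod_holds(trace, a_i, r, a_j, r_prime):
    """psi_BoD = G(alpha_i -> F alpha_j) on a finite trace: at every position where
    some subject s performs a_i in role r, the suffix starting at that position
    must contain s performing a_j in role r'."""
    for k, ev in enumerate(trace):
        if ev.activity == a_i and ev.role == r:
            suffix = trace[k:]
            if not any(e.activity == a_j and e.subject == ev.subject and e.role == r_prime
                       for e in suffix):
                return False
    return True


def instantiate(control_trace, assignment):
    """Bind subjects/roles to a control-flow trace via an activity -> (subject, role)
    map.  Activities absent from the map are not executed at all."""
    return tuple(Event(a, *assignment[a]) for a in control_trace if a in assignment)


def annotate(trace):
    """Property annotations attached to a generated trace."""
    return {"bod": bod_holds(trace, *BOD),
            "role_assignment": all(role_assignment_ok(e) for e in trace)}


def conforming_instantiation():
    """A correct instantiation: the same clerk requests and archives, a manager approves."""
    return instantiate(CONTROL_TRACE, {"request": ("alice", "clerk"),
                                       "approve_budget": ("carol", "manager"),
                                       "archive": ("alice", "clerk")})


def negated_bod_instantiations(seed=1):
    """Traces matching the negation of psi_BoD: the pair (a_i, a_j) is executed by
    different subjects, or a_j is not executed at all.  Role assignment stays valid,
    so only the binding-of-duties property is violated."""
    rng = random.Random(seed)
    a_i, r, a_j, r_prime = BOD
    s_i = rng.choice(sorted(s for (s, role, a) in R_HAT if role == r and a == a_i))
    s_j = rng.choice(sorted(s for (s, role, a) in R_HAT
                            if role == r_prime and a == a_j and s != s_i))
    base = {"approve_budget": ("carol", "manager")}
    different_subject = instantiate(CONTROL_TRACE, {**base, a_i: (s_i, r), a_j: (s_j, r_prime)})
    not_executed = instantiate(CONTROL_TRACE, {**base, a_i: (s_i, r)})
    return different_subject, not_executed


def negated_role_assignment_instantiation():
    """Trace violating the role assignment only: alice approves although
    (alice, manager, approve_budget) is not in R_HAT; binding of duties still holds."""
    return instantiate(CONTROL_TRACE, {"request": ("alice", "clerk"),
                                       "approve_budget": ("alice", "manager"),
                                       "archive": ("alice", "clerk")})


if __name__ == "__main__":
    print("conforming:", annotate(conforming_instantiation()))
    for t in negated_bod_instantiations():
        print("negated BoD:", annotate(t))
    print("negated role assignment:", annotate(negated_role_assignment_instantiation()))
```

The annotations are the ground truth a monitor or audit tool under test is expected to reproduce: a trace generated from ¬ψ_BoD must be flagged for binding of duties and for nothing else, which is how the kill-rate mentioned in the introduction can be measured per property.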

3 Prototypical Realization

The approach has been implemented in Python. Figure 2 depicts the configuration panel of the application. It takes as input an IFnet model containing the process specification, the details on the environment and a definition of the policies. Given that, the user can visualize and configure, on the one hand, execution parameters for each activity in the process. This includes, e.g., the average execution time to be simulated for each activity (useful to model delays and perturbations) and the overall frequency of a particular execution trace (handy for modeling outliers). On the other hand, the user can select the requirements that should hold for the process, thereby specifying the policy applicable to the process. Once this is carried out, the frequency and kind of security violations can be thoroughly configured.

The output format can be selected among plain text, CSV, MXML and XES. The latter two formats are standard input for process mining technologies, thereby serving as a basis for generating logs to test process mining tools. The former are useful as input to be replayed, e.g., onto execution monitors. The performance itself is acceptable: for example, an execution log of 100K process runs (a middle-sized log) for a process with 15 activities, 50 roles and 100 subjects takes less than 2 minutes for the CSV output format and on average 3.5 minutes for the XML-based formats (AMD quad-core A8, 6 GB dual-channel DDR3 SDRAM at 1333 MHz under Windows).
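As an added illustration of the simulation parameters and output formats described in this section (example code written for this page, not the prototype): per-activity mean durations and per-variant frequencies drive a timed simulation, and the resulting log is serialized as CSV and as a minimal XES document using the standard concept:name, org:resource, org:role and time:timestamp keys, then parsed back so the round trip can be verified. The activity names, durations, resources and variant weights are constructed; MXML and plain text output are omitted.

```python
"""Timed simulation of traces and serialization to CSV and XES (constructed example)."""
import csv
import io
import random
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

XES_NS = "http://www.xes-standard.org/"

# Constructed per-activity parameters, mirroring the configuration panel: the mean
# simulated duration in minutes of each activity and the subject/role executing it.
MEAN_MINUTES = {"request": 5, "approve_budget": 90, "check_supplier": 30,
                "order": 10, "reject": 10, "archive": 2}
RESOURCE = {"request": ("alice", "clerk"), "approve_budget": ("carol", "manager"),
            "check_supplier": ("bob", "clerk"), "order": ("alice", "clerk"),
            "reject": ("alice", "clerk"), "archive": ("alice", "clerk")}

# Trace variants with their relative frequency; the rare rejection path models an outlier.
VARIANTS = [
    (("request", "approve_budget", "check_supplier", "order", "archive"), 0.70),
    (("request", "check_supplier", "approve_budget", "order", "archive"), 0.25),
    (("request", "approve_budget", "check_supplier", "reject", "archive"), 0.05),
]


def simulate_log(n_cases, seed=0, start=datetime(2012, 1, 2, 8, 0, tzinfo=timezone.utc)):
    """Return a log: a list of cases, each a list of timestamped event dicts.
    Durations are drawn from exponential distributions with the configured means."""
    rng = random.Random(seed)
    variants = [v for v, _ in VARIANTS]
    weights = [w for _, w in VARIANTS]
    clock = start
    log = []
    for n in range(n_cases):
        trace = rng.choices(variants, weights=weights)[0]
        clock += timedelta(minutes=rng.expovariate(1 / 60))   # case arrival gap, mean 1 h
        t = clock
        events = []
        for activity in trace:
            t += timedelta(minutes=rng.expovariate(1 / MEAN_MINUTES[activity]))
            subject, role = RESOURCE[activity]
            events.append({"case": f"case_{n}", "activity": activity, "subject": subject,
                           "role": role, "timestamp": t})
        log.append(events)
    return log


def to_csv(log):
    """Flat CSV, one event per row; convenient for replaying onto an execution monitor."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["case", "activity", "subject", "role", "timestamp"])
    for events in log:
        for ev in events:
            writer.writerow([ev["case"], ev["activity"], ev["subject"], ev["role"],
                             ev["timestamp"].isoformat()])
    return buf.getvalue()


def to_xes(log):
    """Minimal XES document using the standard concept/org/time extension keys."""
    root = ET.Element("log", {"xes.version": "1.0", "xmlns": XES_NS})
    for events in log:
        trace = ET.SubElement(root, "trace")
        ET.SubElement(trace, "string", key="concept:name", value=events[0]["case"])
        for ev in events:
            e = ET.SubElement(trace, "event")
            ET.SubElement(e, "string", key="concept:name", value=ev["activity"])
            ET.SubElement(e, "string", key="org:resource", value=ev["subject"])
            ET.SubElement(e, "string", key="org:role", value=ev["role"])
            ET.SubElement(e, "date", key="time:timestamp", value=ev["timestamp"].isoformat())
    return ET.tostring(root, encoding="unicode")


def parse_xes(text):
    """Read the XES back: list of (case name, [activity names]) per trace."""
    root = ET.fromstring(text)
    cases = []
    for trace in root.findall(f"{{{XES_NS}}}trace"):
        name = next(s.get("value") for s in trace.findall(f"{{{XES_NS}}}string")
                    if s.get("key") == "concept:name")
        acts = [s.get("value") for e in trace.findall(f"{{{XES_NS}}}event")
                for s in e.findall(f"{{{XES_NS}}}string") if s.get("key") == "concept:name"]
        cases.append((name, acts))
    return cases


def timestamps_monotone(log):
    """Sanity check for generated logs: time never runs backwards within a case."""
    return all(a["timestamp"] <= b["timestamp"] for events in log
               for a, b in zip(events, events[1:]))


if __name__ == "__main__":
    sample = simulate_log(3, seed=42)
    print(to_csv(sample))
    print(to_xes(sample)[:200], "...")
```

Seeding the generator makes a configured run reproducible, which matters when a log is used as a regression input for a monitor: the same configuration must yield the same log, and the parse-back check catches serialization mistakes before the log reaches the tool under test.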

In future, this application will be realized as a module of the Security Workflow Analysis Toolkit (SWAT) [8]. SWAT is an extensible, Eclipse-based application that allows the specification of processes in BPEL and BPMN, their transformation into several Petri net dialects (e.g. open Workflow nets, IFnet, plain Petri nets) and their analysis. At the moment, SWAT focuses on the analysis of process models, in particular on compliance and information flow. Simulation, an essential step for testing with process discovery methods, is a missing feature.

4 Summary and Further Work

This paper presented and outlined a method for simulating business processes considering an attacker model. Overall, this approach is novel, both in the security and in the business process management community. With this approach at hand, one is able to quickly and in a highly controllable way simulate a process that comprises targeted security violations, as well as random failures that potentially lead to the violation of selected properties. The approach has been realized in a prototype. The results are promising and, after thorough testing and extension, it will be added to a workbench specialized on the security reasoning of business processes. Besides the aforementioned ongoing work, the current effort is in the realization of parallel execution and the consideration of further security properties. Furthermore, the demonstration of formal properties, such as soundness and completeness, must be investigated as a means to provide evidence on the quality of the log files generated by the method.

Overall, we believe that the automated generation of such event logs is a necessary step toward the development of tools for business process analysis. This holds not only for standard process-aware information systems. More importantly, with the advent of big data and business process management “in the large”, there will be the need to test with such log data. Today, generating these data is very tedious. Our proposal should, in the future, also be used for this setting.

References

1. R. Accorsi, Y. Sato, and S. Kai. Compliance monitor for early warning risk determination. Wirtschaftsinformatik, 50(5):375–382, October 2008.

2. R. Accorsi and T. Stocker. Automated privacy audits based on pruning of log data. In Proceedings of the EDOC International Workshop on Security and Privacy in Enterprise Computing. IEEE, 2008.

3. R. Accorsi and T. Stocker. On the Exploitation of Process Mining for Security Audits: The Conformance Checking Case. In ACM Symposium on Applied Computing, pages 1709–1716. ACM, 2012.

4. R. Accorsi and C. Wonnemann. Auditing workflow executions against dataflow policies. In W. Abramowicz and R. Tolksdorf, editors, Proceedings of the Business Information Systems, volume 47 of Lecture Notes in Business Information Processing, pages 207–217. Springer, 2010.

5. R. Accorsi and C. Wonnemann. Static information flow analysis of workflow models. In W. Abramowicz, K.-P. F. Rainer Alt, and L. Maciaszek, editors, Conference on Business Process and Service Computing, volume 147 of Lecture Notes in Informatics, pages 194–205. GI, 2010.

6. R. Accorsi and C. Wonnemann. Strong non-leak guarantees for workflow models. In ACM Symposium on Applied Computing, pages 308–314. ACM, 2011.

7. R. Accorsi and C. Wonnemann. InDico: Information flow analysis of business processes for confidentiality requirements. In J. C. et al., editor, ERCIM Workshop on Security and Trust Management, volume 6710 of Lecture Notes in Computer Science, pages 194–209. Springer, 2011.

8. R. Accorsi, C. Wonnemann, and S. Dochow. SWAT: A security workflow toolkit for reliably secure process-aware information systems. In Conference on Availability, Reliability and Security, pages 692–697. IEEE, 2011.

9. A. Bahrami, D. A. Sadowski, and S. Bahrami. Enterprise architecture for business process simulation. In Winter Simulation Conference, pages 1409–1414, 1998.

10. A. Burattin and A. Sperduti. PLG: A framework for the generation of business process models and their execution logs. In M. zur Muehlen and J. Su, editors, Business Process Management Workshops, volume 66 of Lecture Notes in Business Information Processing, pages 214–219. Springer, 2010.

11. Y. H. Cho, J. K. Kim, and K. S. Hie. Role-based approach to business process simulation modeling and analysis. Computers & Industrial Engineering, 35(1/2):343–346, 1998.

12. K. Knorr and S. Röhrig. Security requirements of e-business processes. In B. Schmid, K. Stanoevska-Slabeva, and V. Tschammer, editors, IFIP Conference on E-Commerce, E-Business, E-Government, volume 202 of IFIP Conference Proceedings, pages 73–86. Kluwer, 2001.

13. T. Koslowski and J. Strüker. ERP on demand platform - complementary effects using the example of a sustainability benchmarking service. Business & Information Systems Engineering, 3(6):359–367, 2011.

14. S. Kriglstein and S. Rinderle-Ma. Change visualizations in business processes - requirements analysis. In P. Richard, M. Kraus, R. S. Laramee, and J. Braz, editors, Conference on Computer Graphics Theory and Applications and International Conference on Information Visualization Theory and Applications, pages 584–593. SciTePress, 2012.

15. L. Lowis and R. Accorsi. On a classification approach for SOA vulnerabilities. In Proceedings of the IEEE International Computer Software and Applications Conference, pages 439–444. IEEE Computer Society, 2009.

16. L. Lowis and R. Accorsi. Finding vulnerabilities in SOA-based business processes.

17. L. T. Ly, S. Rinderle-Ma, D. Knuplesch, and P. Dadam. Monitoring business process compliance using compliance rule graphs. In R. Meersman, T. S. Dillon, P. Herrero, A. Kumar, M. Reichert, L. Qing, B. C. Ooi, E. Damiani, D. C. Schmidt, J. White, M. Hauswirth, P. Hitzler, and M. K. Mohania, editors, On the Move to Meaningful Internet Systems, volume 7044 of Lecture Notes in Computer Science, pages 82–99. Springer, 2011.

18. J. Park and R. Sandhu. The UCONABC usage control model. ACM Transactions on Information and System Security, 7(1):128–174, February 2004.

19. A. Pretschner, F. Massacci, and M. Hilty. Usage control in service-oriented architectures. In C. Lambrinoudakis, G. Pernul, and A. M. Tjoa, editors, Proceedings of the 4th International Conference on Trust, Privacy and Security in Digital Business, volume 4657 of Lecture Notes in Computer Science, pages 83–93. Springer, 2007.

20. A. Raninen, T. Toroi, H. Vainio, and J. J. Ahonen. Defect data analysis as input for software process improvement. In O. Dieste, A. Jedlitschka, and N. J. Juzgado, editors, Conference on Product-Focused Software Process Improvement, volume 7343 of Lecture Notes in Computer Science, pages 3–16. Springer, 2012.

21. K. Tumay. Business process simulation. In Winter Simulation Conference, pages 93–98, 1996.

22. W. van der Aalst. Business process simulation. In J. vom Brocke and M. Rosemann, editors, Handbook on Business Process Management, volume 1, pages 313–338. Springer, 2010.

23. W. van der Aalst. Process Mining – Discovery, Conformance and Enhancement of Business Processes. Springer, 2011.

24. Q. Wang and N. Li. Satisfiability and resiliency in workflow systems. In J. Biskup and J. Lopez, editors, Proceedings of the European Symposium On Research In Computer Security, volume 4734 of Lecture Notes in Computer Science, pages 90–105. Springer, 2007.

25. B. Wetzstein, P. Leitner, F. Rosenberg, I. Brandic, S. Dustdar, and F. Leymann. Monitoring and analyzing influential factors of business process performance. In IEEE International Enterprise Distributed Object Computing Conference, pages 141–150. IEEE Computer Society, 2009.
