• Title/Abstract/Keywords: Event Logs


비즈니스 프로세스 수행자들의 Social Network Mining에 대한 연구 (Mining Social Networks from business process log)

  • 송민석; 최인준
    • 한국경영과학회:학술대회논문집, 대한산업공학회/한국경영과학회 2004 Spring Joint Conference Proceedings, pp. 544-547, 2004
  • Increasingly, current information systems log historic information in a systematic way. Not only workflow management systems, but also ERP, CRM, SCM, and B2B systems often provide a so-called 'event log'. Unfortunately, the information in these event logs is rarely used to analyze the underlying processes. Process mining aims at improving this problem by providing techniques and tools for discovering process, control, data, organizational, and social structures from event logs. This paper focuses on mining social networks. This is possible because event logs typically record information about the users executing the activities recorded in the log. To do this we combine concepts from workflow management and social network analysis. This paper introduces the approach and presents a tool to mine social networks from event logs.


A Model for Illegal File Access Tracking Using Windows Logs and Elastic Stack

  • Kim, Jisun; Jo, Eulhan; Lee, Sungwon; Cho, Taenam
    • Journal of Information Processing Systems, Vol. 17, No. 4, pp. 772-786, 2021
  • The process of tracking suspicious behavior manually on a system and gathering evidence is labor-intensive, variable, and experience-dependent. The system logs are the most important sources of evidence in this process. However, in the Microsoft Windows operating system, the action events are irregular and the log structure is difficult to audit. In this paper, we propose a model that overcomes these problems and efficiently analyzes Microsoft Windows logs. The proposed model extracts lists of both common and key events from the Microsoft Windows logs to determine detailed actions. In addition, we show an approach based on the proposed model applied to track illegal file access. The proposed approach employs three-step tracking templates using Elastic Stack as well as key-event, common-event, and identify-event lists, which enables visualization of the data for analysis. Using the three-step model, analysts can adjust the depth of their analysis.

Tailoring Operations based on Relational Algebra for XES-based Workflow Event Logs

  • Yun, Jaeyoung; Ahn, Hyun; Kim, Kwanghoon Pio
    • 인터넷정보학회논문지, Vol. 20, No. 6, pp. 21-28, 2019
  • Process mining is state-of-the-art technology in the workflow field. Recently, process mining has become more important because it shows the status of the actual behavior of the workflow model. However, as process mining gains attention and develops, the material of process mining, the workflow event log, also grows fast. Thus, the process mining algorithms cannot operate on some data because it is too large. To solve this problem, there should be a lightweight process mining algorithm, or the event log must be divided and processed in parts. In this paper, we suggest a set of operations that control and edit XES-based event logs for process mining. They are designed based on relational algebra, which is used in database management systems. We designed three operations for tailoring XES event logs. The select operation gets specific attributes and excludes others. Thus, the output file has the same structure and contents as the original file, but each element has only the attributes the user selected. The union operation makes two input XES files into one XES file. The two input files must be from the same process. As a result, the contents of the two files are integrated into one file. The final operation is slice. It divides an XES file into several files by the number of traces. We will show the design methods and details below.

맵리듀스기반 워크플로우 빅-로그 클러스터링 기법 (A MapReduce-Based Workflow BIG-Log Clustering Technique)

  • 진민혁; 김광훈
    • 인터넷정보학회논문지, Vol. 20, No. 1, pp. 87-96, 2019
  • In this paper, we propose a MapReduce-based clustering technique as a preprocessing tool for collecting and classifying distributed workflow execution event logs. In particular, we specifically define distributed workflow execution event logs as Workflow BIG-Logs, because they satisfy and fulfill the 5V properties of big data: volume, velocity, variety, veracity, and value. The clustering technique developed in this paper is designed to be applied at the preprocessing stage of specific workflow process mining and analysis algorithms that operate on Workflow BIG-Logs. That is, it uses the Map-Reduce framework as the Workflow BIG-Log processing platform, supports the IEEE XES standard data format, and is ultimately implemented to be used exclusively in the preprocessing stage of the ${\rho}$-algorithm, a structured information control net-based workflow process mining algorithm currently under development in our research. More specifically, the clustering patterns of Workflow BIG-Logs are classified into unit-activity-based clustering patterns and unit-activity-performer-based clustering patterns; in particular, we design and implement a MapReduce-based clustering algorithm that rediscovers the temporal workcase pattern, one of the unit-activity patterns, together with its number of occurrences. Finally, we verify the technical feasibility of the proposed clustering technique by conducting a series of experiments on the workflow execution event log datasets released by the BPI Challenge.

이벤트 네트워크 상관분석을 이용한 IoT 서비스에서의 침입탐지 (Intrusion Detection on IoT Services using Event Network Correlation)

  • 박보석; 김상욱
    • 한국멀티미디어학회논문지, Vol. 23, No. 1, pp. 24-30, 2020
  • As the number of internet-connected appliances and the variety of IoT services are rapidly increasing, it is hard to protect IT assets with traditional network security techniques. Most traditional network log analysis systems use rule-based mechanisms to reduce the raw logs. But using predefined rules cannot detect new attack patterns. So, there is a need for a mechanism to reduce congested raw logs and detect new attack patterns. This paper suggests enterprise security management for IoT services using graph and network measures. We model an event network based on a graph of interconnected logs between network devices and IoT gateways. We also suggest a network clustering algorithm that estimates the attack probability of log clusters and detects new attack patterns.

Defining and Discovering Cardinalities of the Temporal Workcases from XES-based Workflow Logs

  • Yun, Jaeyoung; Ahn, Hyun; Kim, Kwanghoon Pio
    • 인터넷정보학회논문지, Vol. 20, No. 3, pp. 77-84, 2019
  • A workflow management system is a system that manages the workflow model which defines the process of work in reality. We can define the workflow process by sequencing jobs which are performed by the performers. Using the workflow management system, we can also analyze the flow of the process and revise it more efficiently. Many studies focus on how to make the workflow process model more efficiently and manage it more easily. Recently, many studies use the workflow log files, which are the execution history of the workflow process model performed by the workflow management system. Our research group has many interests in making useful knowledge from the workflow event logs. In this paper we use XES log files because there is much data using this format. This paper suggests what the cardinalities of the temporal workcases are and how to get them from the workflow event logs. Cardinalities of the temporal workcases are the occurrence patterns of critical elements in the workflow process. We discover instance cardinalities, activity cardinalities and organizational resource cardinalities from several XES-based workflow event logs and visualize them. The instance cardinality defines the occurrence of the workflow process instances, the activity cardinality defines the occurrence of the activities and the organizational cardinality defines the occurrence of the organizational resources. From them, we expect to get much useful knowledge such as patterns of the control flow of the process, frequently executed events, frequently working performers, etc. Furthermore, we even expect to predict the original process model by only using the workflow event logs.

Event Log Validity Analysis for Detecting Threats by Insiders in Control System

  • Kim, Jongmin; Kang, Jiwon; Lee, DongHwi
    • Journal of information and communication convergence engineering, Vol. 18, No. 1, pp. 16-21, 2020
  • Owing to the convergence of the communication network with the control system and public network, security threats, such as information leakage and falsification, have become possible through various routes. If we examine closely the security type of the current control system, the operation of the security system focuses on threats made from outside to inside, so the study of detection systems for security threats conducted by insiders is inadequate. Thus, this study, based on "Spotting the Adversary with Windows Event Log Monitoring," published by the National Security Agency, found that event logs can be utilized for the detection and maneuver of threats conducted by insiders, by analyzing the validity of detecting insider threats to the control system with the list of important event logs.

Discovering Redo-Activities and Performers' Involvements from XES-Formatted Workflow Process Enactment Event Logs

  • Pham, Dinh-Lam; Ahn, Hyun; Kim, Kwanghoon Pio
    • KSII Transactions on Internet and Information Systems (TIIS), Vol. 13, No. 8, pp. 4108-4122, 2019
  • Workflow process mining is becoming a more and more valuable activity in workflow-supported enterprises, through which it is possible to achieve high levels of qualitative business goals in terms of improving the effectiveness and efficiency of the workflow-supported information systems, increasing their operational performance, reducing their completion times while minimizing redundancy times, and saving their managerial costs. One of the critical challenges in the workflow process mining activity is to devise a reasonable approach to discover and recognize the bottleneck points of workflow process models from their enactment event histories. We have intuitively realized the fact that the iterative process pattern of redo-activities ought to have a high possibility of becoming a bottleneck point of a workflow process model. Hence, in this paper, we propose an algorithmic approach and its implementation to discover the redo-activities and their performers' involvement patterns from workflow process enactment event logs. Additionally, we carry out a series of experimental analyses by applying the implemented algorithm to four datasets of workflow process enactment event logs released from the BPI Challenges. Finally, those discovered redo-activities and their performers' involvement patterns are visualized in a graphical form of information control nets as well as a tabular form of the involvement percentages, respectively.

시스템 결함 분석을 위한 이벤트 로그 연관성에 관한 연구 (Correlation Analysis of Event Logs for System Fault Detection)

  • 박주원; 김은혜; 염재근; 김성호
    • 산업경영시스템학회지, Vol. 39, No. 2, pp. 129-137, 2016
  • To identify the cause of an error and maintain the health of the system, an administrator usually analyzes event log data, since it contains useful information to infer the cause of the error. However, because today's systems are huge and complex, it is almost impossible for administrators to manually analyze event log files to identify the cause of an error. In particular, as OpenStack, which is widely used as a cloud management system, operates with various service modules linked to multiple servers, it is hard to access each node and analyze event log messages for each service module in the case of an error. To address this, in this paper we propose a novel message-based log analysis method that enables the administrator to find the cause of an error quickly. Specifically, the proposed method 1) consolidates event log data generated at the system level and the application service level, 2) clusters the consolidated data based on messages, and 3) analyzes interrelations among message groups in order to promptly identify the cause of a system error. This study has great significance in the following three aspects. First, the root cause of the error can be identified by collecting event logs of both the system level and the application service level and analyzing interrelations among the logs. Second, administrators do not need to classify messages for training, since unsupervised learning of event log messages is applied. Third, using Dynamic Time Warping, an algorithm for measuring the similarity of dynamic patterns over time, increases the accuracy of analysis of patterns generated from a distributed system in which time synchronization is not exactly consistent.

컨테이너 터미널 성능평가를 위한 대용량 이벤트 로그 정제 방안 연구 (Refining massive event logs to evaluate performance measures of the container terminal)

  • 박은정; 배혜림
    • 한국빅데이터학회지, Vol. 4, No. 1, pp. 11-27, 2019
  • As the business environment of container terminals deteriorates, the profitability of container terminals is gradually decreasing. Container terminal operators seek to raise the global competitiveness of their terminals by analyzing and improving the terminal's overall problems. To this end, container terminals collect and store the data generated during operation in real time, and operators have made great efforts to analyze operational problems using the stored data. In this study, we analyze the characteristics of container terminal operating processes and propose a container process and a CKO (container keeping object) process for effectively analyzing container terminal operations. We also define the event logs needed to generate the proposed processes from the data stored in the TOS (terminal operating system). Using the proposed processes, we explain how incomplete event logs that produce abnormal processes are effectively refined. We propose a framework for modifying event logs easily and quickly, and implemented the framework in python2.7 to validate it. We also verified the validity of the proposed framework using data collected from an actual container terminal as input data. As a result, we confirmed that the abnormal processes of the container terminal were greatly improved through event log refinement.
