• 인터넷정보학회논문지
• /
• 제20권6호
• /
• pp.21-28
• /
• 2019

Process mining is state-of-the-art technology in the workflow field. Recently, process mining becomes more important because of the fact that it shows the status of the actual behavior of the workflow model. However, as the process mining get focused and developed, the material of the process mining - workflow event log - also grows fast. Thus, the process mining algorithms cannot operate with some data because it is too large. To solve this problem, there should be a lightweight process mining algorithm, or the event log must be divided and processed partly. In this paper, we suggest a set of operations that control and edit XES based event logs for process mining. They are designed based on relational algebra, which is used in database management systems. We designed three operations for tailoring XES event logs. Select operation is an operation that gets specific attributes and excludes others. Thus, the output file has the same structure and contents of the original file, but each element has only the attributes user selected. Union operation makes two input XES files into one XES file. Two input files must be from the same process. As a result, the contents of the two files are integrated into one file. The final operation is a slice. It divides anXES file into several files by the number of traces. We will show the design methods and details below.

• 한국인터넷방송통신학회논문지
• /
• 제17권5호
• /
• pp.125-130
• /
• 2017

PLC 등의 현장제어기기는 주요 이벤트 정보를 로깅하는 기능이 없기 때문에 사고분석이 힘들다. 따라서, PLC, IED와 같은 현장제어기기의 주요 이벤트 정보를 로깅하여, 사이버 사고 발생 시 분석이 가능한 정보 확보가 필요하다. 이벤트 로깅을 위한 현장제어기기(임베디드기기) 통신 프로토콜을 분석하기 위해서는 프로토콜 애널라이저(분석기)가 필요하다. 그러나 Wireshark와 같은 기존의 분석기는 페이로드 데이터 기반의 다양한 프로토콜 분석 및 분류가 어렵고 이벤트 로깅을 위한 대용량의 데이터 식별 및 추출을 처리하기에는 어려움이 있다. 따라서, 본 논문에서는 대용량의 이벤트 로깅을 위한 빅데이터 기반 현장제어기기 통신프로토콜 페이로드 데이터 추출을 위한 시스템을 연구개발하였다.

• 한국CDE학회논문집
• /
• 제17권2호
• /
• pp.97-110
• /
• 2012

High performance sensors and modern data logging technology with real-time telemetry facilitate system fault diagnosis in a very precise manner. Fault detection, isolation and identification in fault diagnosis systems are typical steps to analyze the root cause of failures. This systematic failure analysis provides not only useful clues to rectify the abnormal behaviors of a system, but also key information to redesign the current system for retrofit. The main barriers to effective failure analysis are: (i) the gathered data (event) logs are too large in general, and further (ii) they usually contain noise and redundant data that make precise analysis difficult. This paper therefore applies suitable pre-processing techniques to data reduction and feature extraction, and then converts the reduced data log into a new format of event sequence information. Finally the event sequence information is decoded to investigate the correlation between specific event patterns and various system faults. The efficiency of the developed pre-filtering procedure is examined with a terminal box data log of a marine diesel engine.

• 정보보호학회논문지
• /
• 제32권5호
• /
• pp.1009-1017
• /
• 2022

로그 데이터는 정보 시스템의 주요 동작과 상태를 이해하고 판단하는 근거로 사용되어 왔으며, 여러 보안 분야 응용에서도 중요한 입력 데이터로 사용된다. 로그 데이터로부터 필요한 정보를 얻어 이를 근거로 의사 결정을 하고, 적절한 대응 방안을 취하는 것은 시스템을 보호하고 안정적으로 운영하는 데 있어 필수적인 요소이지만, 로그의 종류와 양이 폭발적으로 증가함에 따라 기존 도구들로는 효과적이고 효율적인 대응이 쉽지 않은 상황이다. 이에 본 연구에서는 자연어 처리 기반의 머신 러닝을 이용해 멀티 소스 이벤트 로그의 보안 심각도를 여러 단계로 분류하는 방법을 제안하였으며, 472,972건의 훈련 및 테스트 샘플을 이용하여 실험을 수행한 결과 99.59%의 정확도를 달성하였다.

• 환경영향평가
• /
• 제23권4호
• /
• pp.285-295
• /
• 2014

본 연구는 논으로부터 배출되는 오염물질항목별(COD, TOC, T-N, T-P, SS) 농도 분포에 적합한 확률분포모형을 분석하고 실측 평균 EMC와 확률분포 모형을 통해 추정된 중앙값 EMC(EMC50)값과 비교하였다. 이를 위해 2008년부터 2011년까지 전라남도 함평군에 위치한 논에서 모니터링을 수행하였다. 그 결과 COD는 3가지 확률분포모형(Normal, Log-Normal, Gamma), T-N은 4가지 확률분포모형(Normal, Log-Normal, Gamma, Weibull), T-P와 TOC는 3가 지 확 률 분 포 모 형 (Log-Normal, Gamma, Weibull), SS는 2가지 확률분포모형 (Log-Normal, Gamma)에서 적합한 것으로 나타났다. 특히, Log-Normal과 Gamma 확률분포모형은 모든 수질항목에 적합한 확률분포모형인 것으로 나타났다. 한편, 강우시 논 유출수의 수질항목별 평균값과 확률분포모형을 통해 추정된 EMC 중앙값과 비교한 결과 COD는 Gamma, TOC, T-N, T-P, SS는 Log-Normal 확률분포모형의 값과 비슷하게 나타났다.

• 산업경영시스템학회지
• /
• 제42권4호
• /
• pp.126-134
• /
• 2019

Nowadays, since there are so many big data available everywhere, those big data can be used to find useful information to improve design and operation by using various analysis methods such as data mining. Especially if we have event log data that has execution history data of an organization such as case_id, event_time, event (activity), performer, etc., then we can apply process mining to discover the main process model in the organization. Once we can find the main process from process mining, we can utilize it to improve current working environment. In this paper we developed a new method to find a final diagnosis of a patient, who needs several procedures (medical test and examination) to diagnose disease of the patient by using process mining approach. Some patients can be diagnosed by only one procedure, but there are certainly some patients who are very difficult to diagnose and need to take several procedures to find exact disease name. We used 2 million procedure log data and there are 397 thousands patients who took 2 and more procedures to find a final disease. These multi-procedure patients are not frequent case, but it is very critical to prevent wrong diagnosis. From those multi-procedure taken patients, 4 procedures were discovered to be a main process model in the hospital. Using this main process model, we can understand the sequence of procedures in the hospital and furthermore the relationship between diagnosis and corresponding procedures.

• 한국멀티미디어학회논문지
• /
• 제23권1호
• /
• pp.24-30
• /
• 2020

As the number of internet-connected appliances and the variety of IoT services are rapidly increasing, it is hard to protect IT assets with traditional network security techniques. Most traditional network log analysis systems use rule based mechanisms to reduce the raw logs. But using predefined rules can't detect new attack patterns. So, there is a need for a mechanism to reduce congested raw logs and detect new attack patterns. This paper suggests enterprise security management for IoT services using graph and network measures. We model an event network based on a graph of interconnected logs between network devices and IoT gateways. And we suggest a network clustering algorithm that estimates the attack probability of log clusters and detects new attack patterns.

• Journal of Information Processing Systems
• /
• 제17권4호
• /
• pp.772-786
• /
• 2021

The process of tracking suspicious behavior manually on a system and gathering evidence are labor-intensive, variable, and experience-dependent. The system logs are the most important sources for evidences in this process. However, in the Microsoft Windows operating system, the action events are irregular and the log structure is difficult to audit. In this paper, we propose a model that overcomes these problems and efficiently analyzes Microsoft Windows logs. The proposed model extracts lists of both common and key events from the Microsoft Windows logs to determine detailed actions. In addition, we show an approach based on the proposed model applied to track illegal file access. The proposed approach employs three-step tracking templates using Elastic Stack as well as key-event, common-event lists and identify event lists, which enables visualization of the data for analysis. Using the three-step model, analysts can adjust the depth of their analysis.

• 정보보호학회논문지
• /
• 제34권2호
• /
• pp.263-279
• /
• 2024

클라우드 마이그레이션 증가와 함께 클라우드 컴퓨팅 환경에서의 보안 위협도 급증하고 있다. 이에 효율적인 사고조사를 수행하기 위한 로그 데이터 분석의 중요성이 강조되고 있다. 클라우드 환경에서는 서비스 다양성과 간편한 리소스 생성 등의 특성으로 인해 대량의 로그 데이터가 생성된다. 이로 인해 사고 발생 시 어떤 이벤트를 조사해야 하는지 판단하기 어렵고, 방대한 데이터를 모두 확인하려면 상당한 시간과 노력이 필요하다. 따라서 데이터를 효율적으로 조사하기 위한 분석체계가 필요하다. AWS(Amazon Web Services)의 로깅 서비스인 CloudTrail은 계정에서 발생한 모든 API 호출이벤트로그를 수집한다. 그러나 사고 발생 시 어떤 로그를 분석해야 하는지 판단하기 위한 인사이트 제공 역할은 부족하다. 본 논문에서는 Cloud Matrix와 이벤트 정보를 연계하여 사고 조사를 효율적으로 수행할 수 있도록하고, 이를 기반으로 사용자 행위 로그 이벤트의 발생 빈도 및 공격 정보를 동시에 확인할 수 있는 자동화 분석프레임 워크를 제안한다. 이를 통해 ATT&CK Framework를 기반으로 주요 이벤트를 식별하고, 사용자 행위를 효율적으로 파악함으로써 클라우드 사고 조사에 기여할 것으로 기대한다.

• 인터넷정보학회논문지
• /
• 제20권3호
• /
• pp.77-84
• /
• 2019

Workflow management system is a system that manages the workflow model which defines the process of work in reality. We can define the workflow process by sequencing jobs which is performed by the performers. Using the workflow management system, we can also analyze the flow of the process and revise it more efficiently. Many researches are focused on how to make the workflow process model more efficiently and manage it more easily. Recently, many researches use the workflow log files which are the execution history of the workflow process model performed by the workflow management system. Ourresearch group has many interests in making useful knowledge from the workflow event logs. In this paper we use XES log files because there are many data using this format. This papersuggests what are the cardinalities of the temporal workcases and how to get them from the workflow event logs. Cardinalities of the temporal workcases are the occurrence pattern of critical elements in the workflow process. We discover instance cardinalities, activity cardinalities and organizational resource cardinalities from several XES-based workflow event logs and visualize them. The instance cardinality defines the occurrence of the workflow process instances, the activity cardinality defines the occurrence of the activities and the organizational cardinality defines the occurrence of the organizational resources. From them, we expect to get many useful knowledge such as a patterns of the control flow of the process, frequently executed events, frequently working performer and etc. In further, we even expect to predict the original process model by only using the workflow event logs.