
Research On Anomaly Detection Method Of Event Log Based On Multi-Perspective

Posted on: 2024-03-13
Degree: Master
Type: Thesis
Country: China
Candidate: C Yang
GTID: 2568307127472074
Subject: Information Security Engineering

Abstract/Summary:
With the rapid development of the information age, business process management has been widely used. A business process is an activity in which different people complete a series of tasks together in order to achieve specific goals, and there is a strict execution sequence among its activities. During the execution of a business process, a large amount of data is generated, which is usually recorded in event logs. Each log records different traces, and each trace records different activities. Each activity records the corresponding data information in addition to the activity itself, so managing the business process is a difficult task. Process mining is the application of data mining to business process management. It extracts and analyzes the event logs that record business process data, reproduces the real situation of the business process, and finally realizes the analysis and optimization of the business process. Based on the relevant knowledge of Petri nets, this paper extracts and analyzes abnormal behavior in business processes from multiple perspectives.

In the actual execution of business processes, due to resource allocation, organizational collaboration and other factors, the actual execution of the process recorded in the event log may not be consistent with the regulations of the enterprise, resulting in some violations. Anomaly detection can identify behaviors in the event logs that do not conform to the regulations of enterprises and organizations; the event logs can then be repaired to support further applications in the field of process mining. In this paper, a clustering-based method that measures trace similarity in the log is proposed to detect anomalies in the event log control flow; a likelihood graph is then used to detect anomalies in the event log data flow; and finally DBPMN and fuzzy alignment methods are used to detect anomalies in the event log control flow and data flow from multiple perspectives. The main work of this paper is as follows:

(1) To address the problem of manual threshold setting, a log anomaly detection method based on trace clustering is proposed that avoids setting thresholds. By mining the relationships between activities, the similarity between traces is calculated, and a Petri net is used for modeling. This method aims to establish a model approximating the standard and to replay traces in the model, successfully avoiding the problem of manually setting thresholds.

(2) Existing event log anomaly detection methods usually focus only on the control flow, and little work addresses the data flow, namely the attribute correlation problem. To address this, an event log attribute anomaly detection method based on a likelihood graph is proposed. First, a basic likelihood graph is constructed for the control flow of the event log, and the likelihood value of each edge in the graph is calculated. Then, the extended likelihood graph is constructed from the basic likelihood graph combined with data attributes, and the likelihood value is calculated. The purpose of this method is to establish the likelihood graph of the event log and to successfully detect anomalies in the event log data flow by comparing the likelihood value with the test threshold.

(3) Existing event log anomaly detection methods are usually divorced from the real model and limited to a single perspective. To address this, a method is proposed that detects anomalies in the control flow and the data flow at the same time under a given standard model. The standard model is transformed into a data Petri net that can be used for subsequent calculation, the fuzzy alignment method is used to measure the deviation between the actual execution recorded in the event log and the data Petri net, and the optimal fuzzy alignment is calculated. The optimal fuzzy alignment cost is encoded as a matrix and substituted into the statistical leverage formula to calculate the anomaly score of each trace. A trace whose anomaly score is larger than the threshold value is labeled as an anomaly. This method is designed to carry out a consistency check between the event log and the model through a standard model, and it successfully detects anomalies in the control flow and data flow of the event log.

Figure [15] Table [22] Reference [81]...
Keywords/Search Tags:clustering, test threshold, alignment, fuzzy cost, statistical leverage
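
The likelihood-graph step in item (2) can be illustrated with a small sketch; this is an added example, not code from the thesis. The abstract gives no formulas, so edge likelihood is assumed here to be the relative frequency of an edge in a reference log, and the sample log, the single "resource" attribute, and the threshold value are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample log: each event is (activity, resource attribute).
NORMAL = [("create", "clerk"), ("approve", "manager"), ("pay", "finance")]
RARE = [("create", "clerk"), ("approve", "deputy"), ("pay", "finance")]
TRAIN_LOG = [NORMAL] * 9 + [RARE]
THRESHOLD = 0.2  # assumed test threshold

def _normalise(counts):
    """Turn per-node counters into {(node, successor): relative frequency}."""
    return {(a, b): n / sum(c.values()) for a, c in counts.items() for b, n in c.items()}

def build_likelihood_graphs(log):
    """Basic graph: activity -> next activity. Extended graph: activity -> attribute value."""
    flow, attr = defaultdict(Counter), defaultdict(Counter)
    for trace in log:
        prev = "START"
        for activity, resource in trace:
            flow[prev][activity] += 1
            attr[activity][resource] += 1
            prev = activity
        flow[prev]["END"] += 1
    return _normalise(flow), _normalise(attr)

def detect(trace, basic, extended, threshold=THRESHOLD):
    """Return (perspective, edge, likelihood) for every edge below the threshold."""
    findings, prev = [], "START"
    for activity, resource in list(trace) + [("END", None)]:
        p = basic.get((prev, activity), 0.0)  # unseen edge -> likelihood 0
        if p < threshold:
            findings.append(("control-flow", (prev, activity), p))
        if resource is not None:
            q = extended.get((activity, resource), 0.0)
            if q < threshold:
                findings.append(("data", (activity, resource), q))
        prev = activity
    return findings

if __name__ == "__main__":
    basic, extended = build_likelihood_graphs(TRAIN_LOG)
    skipped = [("create", "clerk"), ("pay", "finance")]
    wrong_role = [("create", "clerk"), ("approve", "clerk"), ("pay", "finance")]
    for name, t in [("normal", NORMAL), ("skipped approval", skipped), ("wrong role", wrong_role)]:
        print(name, detect(t, basic, extended))
```

A skipped approval surfaces as a control-flow finding, while an approval performed under the wrong attribute value passes the control-flow check and is caught only in the extended graph.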