2022
DOI: 10.48550/arxiv.2206.10379
Preprint

Can process mining help in anomaly-based intrusion detection?

Abstract: In this paper, we consider the naive applications of process mining in network traffic comprehension, traffic anomaly detection, and intrusion detection. We standardise the procedure of transforming packet data into an event log. We mine multiple process models and analyse the process models mined with the inductive miner using ProM [19] and the fuzzy miner using Disco [7]. We compare the two types of process models extracted from event logs of differing sizes. We contrast the process models with the RFC TCP s…

Cited by 1 publication (2 citation statements)
References 14 publications
“…Online conformance checking is available in later research [29] but the anomaly detection is limited to conformance checking in process mining domain. Zhong and Lisitsa have done tests in [30] as a naive approach to use process mining on network data and then tried to detect anomaly with conformance checking. The results have turned out not promising.…”
Section: Existing Problems (mentioning)
confidence: 99%
“…The results have turned out not promising. An interested reader may find further experimental results and explanations in [30].…”
Section: Existing Problems (mentioning)
confidence: 99%