Extracting Role-Based Access Control Models from Business Process Event Logs
Name
Taivo Teder
Abstract
Today, as business processes are getting more complex and the volumes of stored data about
business process executions are increasing in size, collecting information for the analysis and
for the improvement of the business process security1, is becoming a complex task.
Information systems that support business processes record business process executions into
event logs which capture the behavior of system usage in terms of events. Business process
event logs can be used for analysing and improving the business process, but also for
analysing the information security. One of the main goals of security analysis is to check the
compliance with existing security requirements. Also event logs can be the basis for business
process mining, or shortly process mining. Utilizing bottom-up process mining on event logs,
we can extract business process-related information for security analysis. Process mining is
not just only for discovering business process models, but also other models, such as security
models. For this purpose, we present a possible approach to extract RBAC models
(semi-)automatically from event logs in XES format. The focus is also on determining the
protected business assets, such as document or other artifact data that is exchanged and
accessed during business process activities. In addition, we evaluate the applicability of this
approach with conformance checking where we check the compliance of a real-life event log
with respect to the LTL constraints translated from RBAC model. Eventually, the purpose of
the extracted RBAC models is that they provide a basis for security analysis and they can be
adapted by other applications in order to implement access control mechanism.
Graduation Thesis language
English
Graduation Thesis type
Master - Software Engineering
Supervisor(s)
Raimundas Matulevičius, Fabrizio M. Maggi
Defence year
2014