=Paper=
{{Paper
|id=Vol-1295/paper13
|storemode=property
|title=SecSy: A Security-oriented Tool for Synthesizing Process Event Logs
|pdfUrl=https://ceur-ws.org/Vol-1295/paper13.pdf
|volume=Vol-1295
|dblpUrl=https://dblp.org/rec/conf/bpm/StockerA14
}}
==SecSy: A Security-oriented Tool for Synthesizing Process Event Logs==
https://ceur-ws.org/Vol-1295/paper13.pdf
SecSy: A Security-oriented Tool
for Synthesizing Process Event Logs
Thomas Stocker? and Rafael Accorsi
University of Freiburg, Germany
{stocker,accorsi}@iig.uni-freiburg.de
Abstract. SecSy is a highly flexible log synthesis tool, which allows
users to configure their simulation procedures in a detailed way, including
control flow, data flow and organizational context of business processes.
User friendly dialogs provide rich parameter adjustment and intuitive
coupling of simulation components. With the possibility of integrating
custom transformers, out-of-the-box functionality of SecSy can be ex-
tended to fit custom needs.
1 Introduction
Research into business process security and compliance is concerned with the
requirements formalization of security (e.g. secrecy, binding of duties) and com-
pliance requirements (e.g. obligations, interdependencies between activities) [4]
and the development of well-founded techniques and tools for analyzing, mon-
itoring and auditing these requirements in business process specifications [1].
Here, a particular challenge arises when it comes to testing the effectiveness of
monitoring and auditing techniques and corresponding tools [2, 3]. Specifically,
to test these tools one needs controllably generated event logs that contain pro-
cess executions comprising process flexibility and variability on the one hand,
and process non-compliance on the other, thereby mimicking structural vulnera-
bilities, process dynamics, intentional attacks and user errors [5]. Such event logs
can serve as input for monitoring, auditing and mining tools, thereby allowing
developers to assess their kill-rate, i.e. the precision to identify the violation of
the designated security and compliance properties or deviations from an original
process model.
The concepts for simulating business process flexibility and noncompliance
employed by SecSy are novel, both in the security, compliance and business pro-
cess management communities. SecSy allows for highly-controllable simulation
output incorporating conform process behavior with respect to targeted security
properties, as well as random failures that may lead to the violation of selected
properties and incomplete/distorted process logs. Overall, the generation of “de-
fect” data has been applied to software process improvement in general [6], but
has never been seen in the BPM area. We firmly believe that the controlled,
?
Copyright © 2014 for this paper by its authors. Copying permitted for private and
academic purposes.
�2 T. Stocker, R. Accorsi
push-button generation of (large) test data is a promising research direction and
application domain in business process testing and improvement.
2 Simulation Approach
The overall approach for synthesizing event logs is depicted in Fig. 1. SecSy
takes a series of business process specifications as input and generates a process
log that contains traces of these specifications. Based upon the security and
compliance requirements, deviations from the defined control flow are generated
with the help of transformers which encode specific trace properties that are
either enforced or violated on a random basis. Generated logs are outputted in
MXML (a format for process mining), as well as plain text. Ongoing work adds
support to Extended Event Streams format (XES).
Processes subject to simulation are considered to be executed within a con-
text. While the control flow of a process defines possible execution traces, sub-
jects authorized to execute process activities and objects used by activities are
defined by contexts. SecSy allows to define simulation runs, each relating to one
process model which are processed one after another according to the number
of desired traces for each run. This way, the engine is capable of simulating sit-
uations in which there is an initial model for planned process behavior, but a
variant of this model was executed for some time, possibly due to the activity
of an attacker or process variation/flexibility. During the processing of a simu-
lation run, the engine generates valid log traces according to the control flow of
the corresponding process and context and then passes them through the trace
transformers which apply transformations in a post-processing manner. Trace
transformers can remove or add process activities (simulating skipped activi-
ties or incomplete logging), as well as change information within traces in a
way business related properties like separation/binding of duties or authoriza-
tion constraints are enforced or violated. Information about which transformers
have been applied on which traces and if the enforcement or violation was suc-
cessful is stored in a separate simulation log which can be used to determine the
aforementioned kill-rate of detection-mechanisms.
Fig. 2 depicts the configuration panel of the application. SecSy allows for
flexible configuration of all required parameters and the creation and editing
of corresponding components. Depending on the simulation type (SIMPLE or
DETAILED), generated traces contain only timestamps and activity names or
additionally information about executing subjects and data items.
The time generator component contains all timing related simulation proper-
ties, including the start time for the simulation (date for first trace), the number
of cases per day, office-days and -hours, as well as individual activity durations
and delays between succeeding activities. In the case of simulation type EX-
TENDED, the user has to specify a context and a data container. Data containers
generate values for data items used during process execution (e.g. credit amount)
and store the values until a trace is completed. This way, the consistent usage
of attribute values along a complete trace is ensured. A context holds subjects
� Security-oriented log synthesis 3
Run 1: 1000 [⌦1 , . . . , ⌦r1 ] Simulation Engine
#traces
...
Conform Trace
run [⌦1 , . . . , ⌦r ]
Run i: 500 [⌦1 , . . . , ⌦ri ]
Transformed Trace
...
Log Format
Run n: 1200 [⌦1 , . . . , ⌦rn ]
Process # Traces Transformers
Simulation Runs
Process Simulation
Context Log Log
Fig. 1. Overview of the approach.
and their permissions to execute activities and access data elements together
with activity data usage (attributes used by activities) information. To specify
subject permissions, the user can choose between an access control list or a role
based concept, which is particularly helpful for large contexts. Additionally, a
context allows to specify constraints on attribute values that can be added to
process activities.
3 Trace-Transformations
Trace transformers are used to transform traces in a way specific trace properties
are enforced or violated. Transformers operate on valid traces generated during
the simulation process and generate modified versions of these traces in a post-
processing manner, before they are added to the output log file. Modified fields
are locked to prevent further transformers from corrupting the already enforced
properties coming from previous applications of transformers. Currently, SecSy
comprises the following trace transformers:
1. delay inserts a delay in the process execution and can be used to simulate
situations in which work is piling up and process execution is slowed down
by unusual long delays between single activities.
2. skip removes specific activities from generated valid log traces so simulate
skipped (mandatory) activities. This transformer adjusts timestamps in a
way as if the removed activity never happened.
3. silent captures a situation in which a particular activity has not been logged
onto the file. In contrast to skip, timestamps are not adjusted.
4. authentication mimics an access control policy and its violation.
�4 T. Stocker, R. Accorsi
Fig. 2. Screenshot of the configuration panel.
5. binding of duty (BOD) mimics the compliance with or the violation of a
binding of duty requirement.
6. separation of duties can be seen as the opposite of BOD: it states that a
particular set of activities must be performed by different subjects.
The list of predefined transformers shipped with SecSy can be extended with
or refined to other domain-specific transformers. For this, users can define their
own transformers (implementing specific interfaces) and, subsequently, add them
to SecSy. The procedure of including custom transformers requires writing code
for the transformer functionality and providing a graphical frontend for param-
eter setting. On startup, SecSy looks for custom transformer code and adjusts
dialogs for simulation run configuration appropriately. This method allows highly
flexible transformer definition and sharing and does not require users to compile
their own tweaked version of SecSy. Users can make their custom transformers
available in form of class-files other users can readily employ.
4 Availability
SecSy is a standalone, extensible Java application and has been made available on
the Open-Source platform Sourceforge (http://sourceforge.net/projects/
secsy/). Downloads include a runnable jar-version, an OSX application bundle
and a sample simulation directory which can be used to get started with SecSy
� Security-oriented log synthesis 5
on basis of preconfigured simulation procedures. This directory also contains an
example of a custom trace transformer (DesignatorTransformer). A detailed user
guide explaining how to set up and use SecSy can be found on http://doku.
telematik.uni-freiburg.de/SecSy/. This website also allows users to issue
feature requests and bug reports in an interactive way.
References
1. R. Accorsi. Sicherheit im prozessmanagement. digma Zeitschrift für Datenrecht und
Informationssicherheit, (2):72–76, 2013.
2. R. Accorsi and T. Stocker. On the exploitation of process mining for security audits:
The conformance checking case. In ACM Symposium on Applied Computing, pages
1709–1716. ACM Press, 2012.
3. R. Accorsi and T. Stocker. On the exploitation of process mining for security audits:
The process discovery case. In ACM Symposium on Applied Computing. ACM Press,
2013.
4. T. Breaux, A. Antón, and E. Spafford. A distributed requirements management
framework for legal compliance and accountability. Computers & Security, 28(1-
2):8–17, 2009.
5. L. Lowis and R. Accorsi. Finding vulnerabilities in SOA-based business processes.
IEEE Transactions on Service Computing, 4(3):230–242, August 2011.
6. A. Raninen, T. Toroi, H. Vainio, and J. J. Ahonen. Defect data analysis as input
for software process improvement. In O. Dieste, A. Jedlitschka, and N. J. Juzgado,
editors, Conference on Product-Focused Software Process Improvement, volume 7343
of Lecture Notes in Computer Science, pages 3–16. Springer, 2012.
�