ACD2 is a tool for detecting anomalies and concept drifts in Business process logs. In contrast to many other existing algorithms, ACD2 does not require any manual parameter to be set. ACD2 is based on Extended Dynamic Bayesian Networks. These models are constructed automatically using machine learning, but can be revised by the user afterwards. This model can then be used for scoring cases. Our tool visually represents these scores, making it easy for a user to investigate the data.
ACD2 is a fully interactive, easy-to-use tool based on our winning submission
for the BPI 2018 Challenge [
An Extended Dynamic Bayesian Network (EDBN) [
The main work ow of the tool is to rst use a log to learn the EDBN model structure. The user can then inspect the learned model and make changes to the structure. When the user is happy with the current model, she can use it to test a log for deviations or anomalies given a reference log containing normal behavior.
Performing both the training and testing phases can be a computationally heavy task. Therefor we have created a client-server based application, where all heavy computations happen on the server. Because the tool is fully webbased it can also be used on tablets and smartphones, increasing its usability for non-experts.
ACD2 consist out of the following main parts: 1. Loading datasets 2. Learning the model of the EDBN 3. Inspecting and updating the Model 4. Testing a dataset 5. Anomaly Detection 2.1
A rst step is to upload the datasets we want to use for both learning the model and testing. After uploading, the user can select which attributes she wants to include in the dataset and indicate which attribute corresponds to the case identi er, the time attribute and a (optional) label, indicating if the event is anomalous or not. After uploading, a background task starts to preprocess and store the data on the server for easy access later. The card on the dataset page indicates when preprocessing is done. 2.2
In this phase all relations between attributes that are present in a given dataset are learned. We have chosen to use an asynchronous process because learning the model is computationally demanding and can take some time. When learned, the model gets saved on the server and can be updated by the user or used for testing. 2.3
Once a model is fully learned it can be inspected by the user. She can make
changes to her own insights in the data. Every time the user makes a change
the di erence in quality between the updated model and the original model
is calculated and displayed. We use the Akaike Information Criterion [
Now we can test a new log against the learned model. At this point the model only contains the structure of the EDBN, therefor we rst need to further train the di erent parameters in the model. We thus select a training dataset and a test dataset. An important constraint on these datasets is that they all need to have the same attributes as the original dataset used for learning the structure in order to be compatible. After submitting, the model is further trained and the scores are calculated for the test dataset. When all results are computed a user can start analyzing the results.
The result page consists of three main parts. The middle graph plots all cases in the test log according to their timestamp (or ID) and score, an example graph is shown in Figure 1. This graph forms the basis of any analysis. It can either be used to analyze global behavior, nding clusters of cases (cases with similar properties or behavior), or to inspect individual cases. A low score for a case (or event) means that they do deviate more from the normal behavior, learned from the training dataset. When clicking on a single case, a new table appears below the case graph showing all events in that particular case. Events that deviate more than one standard deviation from the mean score of events are highlighted in red to indicate a possible inconsistency.
Above the case graph we show the attribute plot. For every attribute in the data it shows the mean value of the score for this attribute in the test set. And again, the lower the score, the more the scores for this attribute deviate from the training dataset. In order to compare a subset of the data to the entire dataset we can set a lter for creating a comparison dataset. Using this we can easily see in which attribute(s) a drift occurs.
Drifts in the data can be detected by looking to the case scores. After a drift
the distribution of these scores changes. Sometimes these changes can be seen on
the graph itself. In order to determine the drift point(s) in more detail, we use
the P-values plot, which is created using the Kolmogorov-Smirnov test (KS-test)
[
The ProM tool1 contains di erent conformance checking and concept drift
detection algorithms, often based on computing alignments. Almost all available
algorithms only take the control- ow (and sometimes resource) perspective into
account [
BINet [
Our method is based on the Extended Dynamic Bayesian Networks, making it a very expressive and intuitive way of capturing the normal behavior found in log les. Thanks to this our tool also allows for user intervention after the model has been learned. This in contrast to most other techniques that do not allow for intermediate user input.
We used the data from the BPI 2018 Challenge for the illustrative examples. This data consists of 2M+ events and 43,809 cases, indicating that our tool is able to handle larger datasets, thanks to our client-server architecture. Currently we are working hard to further improve and optimize loading of the result pages.
In the future we would like to extend the comparison capabilities of our tool. Where a user could, for example, draw a bounding box in the case graph to select a particular subset she wants to examine in more detail. We would also like to allow more di erent types of input data and further improve the preprocessing capabilities of the tool.
A link to the tool, screencast and fully elaborated use case are available at http://adrem.uantwerpen.be/conceptdrift.