Event logs captured in the real world are prone to errors [ 1 ].

These can stem from a variety of root causes, such as system malfunctioning or human mistakes, resulting in different types of errors, such as abnormal activity labels, or missing, duplicated, and swapped events [ 1 ]–[ 8 ]. Errors in event logs hamper the possibility of extracting useful insights from event log analysis. For instance, they clearly influence the models obtained through process discovery and the fitness computation in conformance checking. Therefore, one should aim at removing these errors before running event log analytics.

If a process model is available or can be discovered from clean traces, then errors can be detected using traditional conformance checking techniques. However, in many cases a process model is not available. Event log anomaly detection or cleaning has emerged recently as a new field in process mining developing techniques to identify anomalies in event logs without assuming the existence of a process model [ 1 ].

To be evaluated, event log cleaning techniques require event logs in which traces and events are labelled, i.e., whether normal or anomalous. When such techniques exploit machine learning algorithms, labelled logs are also necessary for training/testing during model development. Unfortunately, labelled real world event logs are not available among the ones3 usually considered within the process mining community. Therefore, researchers in this field have relied on artificially injecting anomalies into real or simulated event logs.

1Github (including tutorial): https://github.com/jonghyeonk/AIR-BAGEL 2Screencast video: https://shorturl.at/wRY04 3e.g., at https://data.4tu.nl/repository/collection:event logs real

Anomalies of different types are normally injected randomly into event logs at different ratios, i.e., until a target ratio of existing traces and/or events have been modified to become anomalous [ 1 ]. As far as existing tools are concerned, event log generation tools, e.g., PLG2 [ 9 ] and PTandLogGenerator [ 10 ] allow to perturb an event log obtained through simulation of a process model by randomly changing the order of events in a trace or randomly deleting/adding events in a trace, but they do not allow injecting anomalies generated by more complex patterns or into already existing event logs.

In the real world, anomalies are generated by complex organisational situations. Anomalies in an event log, in fact, normally are linked to specific root causes [ 2 ], [ 3 ]. These can be classified, at least at a first high level of analysis, into two categories: resource and system. The former refers to human resources involved in a process being the source of anomalies. Resource A, for instance, may be sloppier at their job than resource B, and therefore cases in which A is involved may have more events skipped or wrongly recorded than the ones involving B. The latter refers to anomalies associated with malfunctioning of systems supporting the execution of processes. System A, for instance, may have malfunctioned for a specific amount of time on a specific day; as a consequence, depending on the type of malfunctioning, the events happening in that specific time window may be missing from the log or have been erroneously recorded, e.g., moved to a different case.

This paper describes AIR-BAGEL, an interactive tool for anomaly injection in event logs that aims at simulating pseudoreal anomalies. The idea behind AIR-BAGEL is to associate the injected anomalies with specific root causes, i.e., the behaviour of resources or system malfunctioning. AIRBAGEL injects anomalies at the level of order and occurrence of activities in a case, e.g., skipping or replacing events in a trace in an event log. The tool outputs event logs with injected anomalies augmented with case-level anomaly binary labels and other attributes required to reconstruct the type of anomaly that was injected. The main objective of AIR-BAGEL is to provide the process mining research community with a simple tool to generate pseudo-real anomalies in existing event logs, so as to enable the development and evaluation of event log cleaning approaches using event log anomalies that better resemble the ones that could be encountered in the real world.

Copyright © 2020 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). Import event log Preprocessing

Set key attributes 2.2. Fault injection Set types of anomalies

with parameter and simulate incident processes

Export event log with anomalies and statistics

The next section gives an overview of the tool, while Section III and IV describe more in detail the features and the maturity of AIR-BAGEL, respectively. How to access and install the tool is described in Section V, while conclusions are drawn in Section VI.

AIR-BAGEL generates pseudo-real anomalies applying two types of root causes, i.e., resource and system. It is assumed that each event in a log has two attributes, one identifying the (human) resource in charge of executing the task to which an event refers and one identifying the system used for recording the task. Since this information, particularly the system attribute, is often not available in an event log, AIR-BAGEL also allows to generate these two attributes. The user can specify the existence of a given number of resources/systems and associate them with specific classes of events in the process.

As far as generating anomalies is concerned, when resource is the root, since each resource may have different job competency, experience, and behaviour, e.g., new employees are more prone to do mistakes than longer tenured ones, AIRBAGEL firstly creates a distribution of probabilities for each resource in the log to commit an error while logging an event. This distribution may also be set manually if needed. Then, it allows to specify what type(s) of error the resources are likely to commit, e.g., forgetting to record an event or recording an event as a different one. When system is the root, the time and occurrence of one or more malfunctioning of each system may be specified by a Poisson random process or manuallyspecified. Then, the type of malfunctioning must be specified, e.g., whether it concerned skipping the registration of events, i.e., similarly to a system down, or recording a wrong label for events. Specifically, AIR-BAGEL considers 8 pseudo-real patterns of anomaly types caused by the resource root and 3 caused by the system root. These are discussed in the detail in the next section.

The output of AIR-BAGEL is an event log having the same attributes of the input event log in which (i) additional resource and/or system columns are created if required, (ii) anomalies have been injected according to specific patterns and (iii) events and cases are augmented with additional labels to support evaluation of event log cleaning and reconstruction techniques. In particular, for each event, one label recording whether the event belongs to a case that has become anomalous is created. This label supports the evaluation of event log cleaning techniques. Other attributes are created to record the detail of the type of anomaly, such as the position at which an event was skipped in a case. This type of information supports the evaluation of event log reconstruction techniques aiming at explaining the type and cause of trace anomalies.

Step 1 Step 2 Step 3 2.1. (A) Parameter setting for resource root

Set resource‘s failure probability 2.1. (B) Parameter setting for system root

Set events of system malfunctioning setting and anomaly injection, and (iii) output evaluation and data export.

Data import and preprocessing. The tool provides basic import functionality.4 In particular, the tool tries to guess the meaning of columns and the format of timestamps in an event log using basic pattern matching. The user, however, can override the matching if incorrect. After an event log has been imported, if necessary AIR-BAGEL supports a user to configure and generate artificial attribute values for resource and/or system.

Root parameter setting and anomaly injection. The next step for the user is to specify the root of anomaly injection (resource or system). It is also possible to inject anomalies considering both roots at the same time.

Then, for the resource root cause, the probability of a specific resource to inject an anomaly into an event has to be specified. This can be done by selecting and parameterizing one of three possible distributions: exponential(parameter ), normal( ; ), and uniform(a; b). When injecting anomalies, a value is drawn from the specified distribution for each value of the resource attribute in the log. Alternatively, the user can specify the probabilities for each resource manually. This value represents the probability that an event involving this resource will be affected by an anomaly.

For the system root, the user must specify the time of occurrence and duration of system malfunctioning occurrences. This can be done manually, or by specifying the value of the parameter of a Poisson process that models the distribution of inter-arrival times of system malfunctioning (which sets the 4Only import/export of event logs in csv format is supported at the moment. A B time time time time time time time time time time start timestamp of malfunctioning occurrences) and the values of the parameters a and b of a uniform distribution from which the duration of the malfunctioning will be sampled (which sets the end timestamp of malfunctioning occurrences).

Next, the user decides which type of anomalies will be applied for each root cause to events that have been selected as being anomalous, because the corresponding resource behaviour fault probability or because they fall within the occurrence of a system malfunctioning. Multiple types of anomalies may be defined. If multiple types are defined for a given root, then a strength parameter determines how likely is each type to be chosen in respect of others when injecting an anomaly for a given event.

Specifically, anomalies are injected to events ordered in ascending timestamp order. In particular, once a case becomes anomalous, i.e., because one of its events has been modified according to an anomaly type, no other anomalies of the same root will be applied to events of the same case. Multiple anomalies implied by different root cases can be applied to the same trace. Therefore, an individual trace will be injected with at most two types of anomalies, one for the resource root and one for the system root cause.

As stated earlier, we consider a total of 11 anomaly types, 8 for the resource root and 3 for the system root. Anomaly types have been modelled based on previous research on event log cleaning and event log data quality analysis [ 1 ]–[ 8 ]. They are exemplified in Fig. 2 and described in detail next:

The tool is at an early development stage and far from being mature, particularly from a user experience standpoint. Yet, it provides a complete implementation of several pseudo-real anomaly injection patterns. The user experience can be improved by providing a better look-and-feel, a more streamlined workflow, possibly including feedback from extensive testing with students, and migrating to a Web-based interface.

As far as the functional requirements are concerned, we are currently working on the following extensions: (i) supporting the XES event standard format for import/export of event logs, (ii) implementing a finer-grained control of anomaly types, supporting users in specifying anomaly types for individual or groups of resource/system roots, and (iii) improving the summary information shown in the last step. We are also developing pre-defined anomaly injection scenarios to support non-expert users. Finally, by design the tool does not allow to control the overall injected case anomaly ratio, i.e., the ratio of cases that become anomalous as a result of anomaly injection. We are extending the tool to give an early estimate while setting the anomaly injection parameters of the number of cases that will be affected. This feature is particularly important when evaluating new techniques for event log cleaning and reconstruction in a systematic way.

The tool is a stand alone Python application. The source code is available at https://github.com/jonghyeonk/ AIR-BAGEL. A tutorial document explaining the installation procedure and discussing more details about the parameters required to configure the anomaly injection process is available at the same location. AIR-BAGEL has been tested for Python 3.6. It requires the installation of tk/tkinter, the Python Imaging Library, and PM4Py [ 12 ]. For convenience, a preconfigured Ubuntu 20.04-based virtual machine image that could be imported by popular hosted hypervisors has also been made available and can be downloaded at: shorturl.at/kmHN2.

We have presented AIR-BAGEL, a tool to inject pseudoreal trace-level anomalies in event logs. The tool contributes to the process mining community by providing a means to generate event log anomalies modelled around the concepts of root cause and pseudo-real anomaly types, rather than simply injected randomly. It can be used to generate logs for evaluating event log cleaning and reconstruction approaches and to support the training/testing of those approaches that use machine learning algorithms.