<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Shareprom: A Tool for Privacy-Preserving Inter-Organizational Process Mining</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Gamal Elkoumy</string-name>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Stephan A. Fahrenkrog-Petersen</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Marlon Dumas</string-name>
          <email>marlon.dumasg@ut.ee</email>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Peeter Laud</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Alisa Pankova</string-name>
          <email>alisa.pankovag@cyber.ee</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Matthias Weidlich</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Cybernetica</institution>
          ,
          <addr-line>Tartu</addr-line>
          ,
          <country country="EE">Estonia</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Humboldt-Universitat zu Berlin</institution>
          ,
          <addr-line>Berlin</addr-line>
          ,
          <country country="DE">Germany</country>
        </aff>
        <aff id="aff2">
          <label>2</label>
          <institution>University of Tartu</institution>
          ,
          <addr-line>Tartu</addr-line>
          ,
          <country country="EE">Estonia</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>Process mining is a set of techniques to analyze business processes based on event logs extracted from information systems. Existing process mining techniques are designed for intra-organizational settings, as they assume that the entire event log of a process is available for analysis at once. In an intra-organizational process, each party only has access to its own private event log, which gives only a partial picture of the whole process. Moreover, the involved parties may be unwilling or unable to share their private logs due to con dentiality or privacy imperatives. In this context, this paper presents a tool, namely Shareprom, that enables independent parties to execute process mining operations without revealing any data other than the output of the analysis. Speci cally, Shareprom uses secure multi-party computation techniques to compute the frequency or time-annotated Directly-Follows Graph (DFG) of event logs held by multiple parties, without these parties having to share any information other than the resulting DFG. The tool applies a di erentially private release mechanism before revealing the output DFG in order to provide an additional layer of privacy protection.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>-</title>
      <p>Process mining techniques enable organizations to analyze business processes
from event logs extracted from information systems. These techniques allow us,
for example, to identify performance bottlenecks and to recommend changes to
a process in order to increase its e ciency. Existing process mining techniques
assume that the event log to be analyzed can be accessed in its entirety. This
assumption is reasonable in an intra-organizational setting, where all the data
about a given process is located within the same trust domain. However, in
an inter-organizational process, the event log is distributed across multiple
independent organizations. For example, in a supply chain process, a manufacturer
interacts with multiple suppliers. Each of them holds its own private event log,
which only provides a partial view of the whole process.</p>
      <p>Due to con dentiality concerns and privacy regulations, such as GDPR4
and HIPAA5, the involved organizations are unwilling to, or sometimes legally
prevented from, sharing their event logs. They are prevented from sharing the
logs either with each other or with a third-party, such as an independent analysis
rm, to jointly perform the analysis.</p>
      <p>In this paper, we present Shareprom, a secure multi-party computation
system for inter-organizational process mining. Shareprom allows independent
cooperating organizations to control what is disclosed from their event logs. We
assume that the parties have agreed to reveal the time-annotated process map.
In other words, the analysis rm will not learn anything about the independent
organizations other than this output. Shareprom applies di erential privacy to
the resulting DFG so as to provide an extra layer of privacy, as presented in
Section 2. The analysis rm will neither have access to speci c traces, nor to any
information associated to these traces. And naturally, the data providers will not
be able to learn anything about each other's private data.
2</p>
    </sec>
    <sec id="sec-2">
      <title>Overview of the Tool</title>
      <p>
        Shareprom uses secure multi-party computation (MPC) to process event logs and
to build the DFG matrix. Before revealing the DFG matrix, Shareprom applies
Laplacian di erential privacy by the injection of noise into the matrix. Shareprom
relies on a platform for secret-sharing based MPC (speci cally Sharemind [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ]).
      </p>
      <p>
        Shareprom uses the three-party MPC protocol set of Sharemind, which is
secure against honest-but-curious adversaries. This means that as long as the
parties are following the protocols honestly and do not collude, none of them will
learn more than the size of the data. Parties in a typical secure MPC deployment
can be: input parties, computation parties, or output parties [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ]. The sets of
input and computing parties may intersect. In this paper, we assume a simpli ed
scenario, where the three computing parties themselves provide the inputs and
receive the outputs. Two of the parties contribute the input data, and the third
party is the analysis rm that receives the nal output.
      </p>
      <p>
        We assume that input parties share with each other the number of activities
and the maximum trace length in their event logs. Also, we assume that the
case identi ers are the same across the input parties. This is needed to conduct
preprocessing that reduces the amount of information that might be learned from
the size of data. Even with encrypted data, contextual knowledge might lead to
leakage of some information [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ]. An adversarial party might learn the shortest or
the longest trace, and using the domain knowledge, they could reveal the actual
activities. For such a case, we apply padding to the logs on the client side of
each input party, so the resulting log has all the traces with the same length,
which is set to the maximum trace length. Parties can hide the maximum trace
length by adding extra padding. The logs are uploaded to computation servers
in a secret-shared manner, and the MPC protocol performs computation without
4 https://eur-lex.europa.eu/eli/reg/2016/679/oj
5 https://www.hhs.gov/hipaa/
any intermediate declassi cations. As such, during the computation, the parties
do not learn anything in addition to the sizes of padded logs. This also excludes
any attacks related to access patterns, like frequent pattern mining, which would
be possible, if the events that are equal to each other, are leaked.
      </p>
      <p>
        Figure 1 gives an overview of the system components. Below we summarize
the functionality of each component of Shareprom. More information about the
system components can be found in [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ].
      </p>
      <p>Preprocessing. Each party of the cooperating organization uses Shareprom clients
to import the XES le of their event log. Shareprom then performs preprocessing
of the event log at its organization site. The parties exchange the maximum trace
length and the number of unique activities of their entire log. All the traces need
to be padded to have the same length as the longest trace. The activities are
mapped to a one-hot encoding format, independently on each input party. Also,
a sort step of the logs by traces is performed. The two latter steps are needed as
a preparation for the subsequent secure MPC protocol, which requires the data
to be available in a speci c format.</p>
      <p>
        Mapping Event Log to Secret-shares. Each party uses their Shareprom client to
map their event logs into secret-shares. Each client pushes its secret-shares to the
Sharemind servers. Secret-shares do not reveal any information about the event
log. Until this point, the analysis rm, as one of the computation parties, has
only received a single share of each input, which alone looks like a random value.
DFG Matrix Calculation. Shareprom runs the Sharemind MPC protocol to
construct the DFG matrix from uploaded secret-shared data. An algorithm based
on a one-hot encoding technique allows us to ensure that the computation does
not reveal any information to the parties, including the access pattern (e.g. which
log entries follow each other). The details of this algorithm can be found in [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ].
The resulting DFG takes the form of a matrix with secret-shared entries, where
each entry corresponds to a transition between two activities, containing the
frequency count and the total execution time for that transition.
Di erential Privacy. The DFG itself may reveal some information about the
parties' inputs. We consider the frequency and time di erence between each pair
of activities in the DFG as a separate query. Hence, before disclosing the nal
result to the analyst party, we enhance it with di erential privacy by injecting
Laplacian noise to the frequency and time di erence of each pair of activities.
The added noise conceals the order of activities and their execution times. We
consider understanding the trade-o s between the amount of added noise and
the utility of the output as a direction for future work.
3
      </p>
    </sec>
    <sec id="sec-3">
      <title>Tool Packaging and Maturity</title>
      <p>
        Shareprom is developed in Python 3.7 and SecreC { a dialect of the C language
supported by the Sharemind plartform [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]. For ease of use, Shareprom comes with
      </p>
      <p>Party</p>
      <p>A
Party
B</p>
      <p>Import
XES
Import
XES</p>
      <p>Preprocessing</p>
      <p>Preprocessing
Cooperating Parties</p>
      <p>Mapping Event
Log to Secret</p>
      <p>Shares
Mapping Event
Log to Secret</p>
      <p>Shares</p>
      <p>Combine
Secure Processing
Using Secret Shares</p>
      <p>Parallel Sort
DFG Matrix
Calculation
Differential
Privacy</p>
      <p>Analyzing the
model
a desktop client application. The desktop client allows a user to import an event
log (in XES format) as shown in Figure 2a. The desktop client connects with its
respective Shareprom server. In a typical con guration, three Sharemind servers
are inter-connected, e.g. two input providers and a computation node { the latter
representing for example an analysis rm, as shown in Figure 2b. The analysis
rm can view the output (with di erential privacy noise) as shown in Figure 2c.
An analyst at this rm can then analyze the output and share the ndings (or
the whole output) with the input providers depending on the intended use case.</p>
      <p>
        Shareprom has been tested with event logs of di erent characteristics, as
reported in [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ]. The tool can handle event logs with several thousands of events
with up to a couple of dozens distinct activity labels. Further optimizations
targeted at speci c use cases should allow it to scale to large logs in future.
4
      </p>
    </sec>
    <sec id="sec-4">
      <title>Screencast and Source Code</title>
      <p>A screencast is available at https://youtu.be/uz2mrYz-y-w . This screencast
illustrates a scenario where two parties (a manufacturer and a supplier) delegate
an analysis task to a data analysis rm. The manufacturer produces goods based
on purchase orders. Parts of the production pipeline need intermediate parts
from the supplier. The manufacturer orders the intermediate parts from the
supplier. The supplier produces the intermediate parts and transports them to
the manufacturer. Each party has its own separate event log. The analysis rm
analyzes the joint DFG constructed from the event logs.</p>
      <p>The source code, installation steps, dependencies, and example event logs can
be found at https://github.com/Elkoumy/shareprom/releases/tag/v0.2.
5</p>
    </sec>
    <sec id="sec-5">
      <title>Conclusion</title>
      <p>Shareprom leverages the secure multi-party computation capabilities of Sharemind
in order to enable multiple parties to perform inter-organizational process mining
without revealing any data other than the analysis output. A di erential privacy
(c) The Joint DFG After</p>
      <p>Di erential Privacy
mechanism allows this output to be further protected against possible privacy
leakages. At present, Shareprom focuses on the computation of DFGs, which is
a basic graphical process representation used in process mining tools. Future
work aims at expanding the capabilities of Shareprom to other process mining
operations, while at the same time tackling associated scalability challenges.
Acknowledgments. This research is partly funded by ERDF via the Estonian
Centre of Excellence in ICT (EXCITE).</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          1.
          <string-name>
            <surname>Bogdanov</surname>
            ,
            <given-names>D.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Laud</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Randmets</surname>
          </string-name>
          , J.:
          <article-title>Domain-polymorphic programming of privacypreserving applications</article-title>
          .
          <source>In: Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security</source>
          . pp.
          <volume>53</volume>
          {
          <issue>65</issue>
          (
          <year>2014</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          2.
          <string-name>
            <surname>Bogdanov</surname>
            ,
            <given-names>D.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Laur</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Willemson</surname>
          </string-name>
          , J.:
          <article-title>Sharemind: A framework for fast privacypreserving computations</article-title>
          .
          <source>In: European Symposium on Research in Computer Security</source>
          . pp.
          <volume>192</volume>
          {
          <fpage>206</fpage>
          . Springer (
          <year>2008</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          3.
          <string-name>
            <surname>Elkoumy</surname>
            ,
            <given-names>G.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Fahrenkrog-Petersen</surname>
            ,
            <given-names>S.A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Dumas</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Laud</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Pankova</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Weidlich</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          :
          <article-title>Secure multi-party computation for inter-organizational process mining</article-title>
          .
          <source>In: Proceedings of the BPMDS and EMMSAD Working Conferences</source>
          . Springer (
          <year>2020</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          4.
          <string-name>
            <surname>Kamm</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          :
          <article-title>Privacy-preserving statistical analysis using secure multi-party computation</article-title>
          .
          <source>Ph.D. thesis</source>
          , University of Tartu (
          <year>2015</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          5.
          <string-name>
            <surname>Ra</surname>
            <given-names>ei</given-names>
          </string-name>
          , M.,
          <string-name>
            <surname>von Waldthausen</surname>
          </string-name>
          , L.,
          <string-name>
            <surname>van der Aalst</surname>
          </string-name>
          , W.M.:
          <article-title>Supporting con dentiality in process mining using abstraction and encryption</article-title>
          .
          <source>In: Data-Driven Process Discovery and Analysis</source>
          , pp.
          <volume>101</volume>
          {
          <fpage>123</fpage>
          . Springer (
          <year>2018</year>
          )
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>