Business process deviance mining

Definition Business process deviance mining refers to the problem of (automatically) detecting and explaining deviant executions of a business process based on the historical data stored in a given Business Process Event Log (called hereinafter event log for the sake of conciseness). In this context, a deviant execution (or "deviance") is one that deviates from the normal/desirable behavior of the process in terms of performed activities, performance measures, outcomes, or security/compliance aspects. Usually, the given event log is regarded as a collection of process traces, encoding each the history of a single process instance, and the task amounts to spotting and analyzing the traces that likely represent deviant process (execution) instances. In principle, this specific process mining task can help recognize, understand, and possibly prevent/ reduce the occurrence of undesired behaviors. Overview Historically, in a business process mining/intelligence context, the term "deviance mining" was first used in Nguyen et al. (2014). Since then increasing attention has been given to this research topic, owing to two main reasons: (i) deviances may yield severe damages to the organization, e.g., in terms of monetary costs, missed opportunities, or reputation loss; (ii) process logs may be very large and difficult to analyze with traditional auditing approaches, so that automated techniques are needed to discover deviances and/or actionable deviance patterns. Abstracting from the common idea of exploiting event log data, approaches developed in this field look quite variegate. Indeed, in addition to possibly resorting to different data mining techniques, they may also differ in two fundamental aspects: the analysis task and the kinds of available information. Two main deviance mining tasks (often carried out together) have been pursued in the literature: deviance explanation and deviance detection. The former is devoted to "explain the reasons why a business process deviates from its normal or expected execution" (Nguyen et al. 2014, 2016). In the latter, it must be decided whether a given process instance (a.k.a. case) is deviant or not. This task can be accomplished in two fashions: (i) run-time detection, each process instance must be analyzed as it unfolds, based on its "premortem" trace; and (ii) ex post detection, only "postmortem" traces (i.e., just one fully grown trace for each finished process instance) must be analyzed to possibly discover deviances. As to the second aspect (namely, available information), two deviance mining settings can be considered, which differ for the presence of auxiliary information, in addition to the given log traces: o Supervised: All the traces are annotated with some deviance label/score, which allows to regard them as examples for learning a deviance detector/classifier or to extract deviance patterns. o Unsupervised: No a priori deviance-oriented information is given for the traces, so that an unsupervised deviance mining method needs to be devised, based on the assumption that all/ most deviances look anomalous with respect to the mainstream process behavior. The rest of this chapter focuses on ex post deviance mining approaches. In fact, the exploitation of supervised learning methods to detect deviances at run-time has been considered in the related field of predictive business process monitoring.