{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,10]],"date-time":"2026-06-10T15:36:08Z","timestamp":1781105768445,"version":"3.54.1"},"reference-count":26,"publisher":"IGI Global Scientific Publishing","issue":"2","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2017,7]]},"abstract":"<jats:p>Current intrusion detection systems are mostly for detecting external attacks, but the \u201cPrism Door\u201d and other similar events indicate that internal staff may bring greater harm to organizations in information security. Traditional insider threat detection methods only consider the audit records of personal behavior and failed to combine it with business activities, which may miss the insider threat happened during a business process. The authors consider operators' behavior and correctness and performance of the business activities, propose a business process mining based insider threat detection system. The system firstly establishes the normal profiles of business activities and the operators by mining the business log, and then detects specific anomalies by comparing the content of real-time log with the corresponding normal profile in order to find out the insiders and the threats they have brought. The relating anomalies are defined and the corresponding detection algorithms are presented. 
The authors have performed experimentation using the ProM framework and Java programming, with five synthetic business cases, and found that the system can effectively identify anomalies of both operators and business activities that may be indicative of potential insider threat.<\/jats:p>","DOI":"10.4018\/ijbdcn.2017070107","type":"journal-article","created":{"date-parts":[[2017,5,3]],"date-time":"2017-05-03T12:20:31Z","timestamp":1493814031000},"page":"83-98","source":"Crossref","is-referenced-by-count":8,"title":["An Insider Threat Detection Method Based on Business Process Mining"],"prefix":"10.4018","volume":"13","author":[{"given":"Taiming","family":"Zhu","sequence":"first","affiliation":[{"name":"Institute of Cyber Space Security, Information Engineering University, Zhengzhou, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yuanbo","family":"Guo","sequence":"additional","affiliation":[{"name":"Institute of Cyber Space Security, Information Engineering University, Zhengzhou, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Ankang","family":"Ju","sequence":"additional","affiliation":[{"name":"Institute of Cyber Space Security, Information Engineering University, Zhengzhou, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jun","family":"Ma","sequence":"additional","affiliation":[{"name":"Institute of Cyber Space Security, Information Engineering University, Zhengzhou, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Xuan","family":"Wang","sequence":"additional","affiliation":[{"name":"Department of Electronics Technology, Engineering University of the Armed Police Force, Xi'an, China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"2432","reference":[{"key":"ijbdcn.2017070107-0","doi-asserted-by":"publisher","DOI":"10.1109\/IAW.2007.381939"},{"key":"ijbdcn.2017070107-1","author":"R. 
H.Anderson","year":"2000","journal-title":"Research on mitigating the insider threat to information systems-#2 (No. RAND-CF-163-DARPA)"},{"key":"ijbdcn.2017070107-2","first-page":"1","article-title":"We have met the enemy and he is us.","author":"M.Bishop","year":"2009","journal-title":"Proceedings of the 2008 workshop on New security paradigms"},{"key":"ijbdcn.2017070107-3","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2012.29"},{"key":"ijbdcn.2017070107-4","doi-asserted-by":"crossref","unstructured":"Burattin, A., & Sperduti, A. (2010). PLG: A framework for the generation of business process models and their execution logs. Proceedings of the International Conference on Business Process Management (pp. 214-219). Springer Berlin Heidelberg.","DOI":"10.1007\/978-3-642-20511-8_20"},{"key":"ijbdcn.2017070107-5","doi-asserted-by":"publisher","DOI":"10.1007\/11560326_32"},{"key":"ijbdcn.2017070107-6","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4419-7133-3_5"},{"key":"ijbdcn.2017070107-7","doi-asserted-by":"publisher","DOI":"10.1145\/1185448.1185638"},{"key":"ijbdcn.2017070107-8","doi-asserted-by":"publisher","DOI":"10.1016\/S0167-4048(02)00109-8"},{"key":"ijbdcn.2017070107-9","unstructured":"Mantha, K., Chinchani, R., Upadhyaya, S., & Kwiat, K. (2000). A Comprehensive Simulation Platform for Intrusion Detection in Distributed Systems. Proceedings of the Summer Computer Simulation Conference (pp. 586-591). Society for Computer Simulation International."},{"key":"ijbdcn.2017070107-10","doi-asserted-by":"publisher","DOI":"10.1109\/ICRTIT.2012.6206788"},{"key":"ijbdcn.2017070107-11","author":"D. B.Parker","year":"1998","journal-title":"Fighting computer crime: A new framework for protecting information"},{"key":"ijbdcn.2017070107-12","doi-asserted-by":"publisher","DOI":"10.1109\/PASSAT\/SocialCom.2011.211"},{"key":"ijbdcn.2017070107-13","doi-asserted-by":"publisher","DOI":"10.1109\/ISI.2012.6284271"},{"key":"ijbdcn.2017070107-14","unstructured":"Schneier, B. 
(1999). Attack trees. Dr. Dobb\u2019s journal, 24(12), 21-29."},{"key":"ijbdcn.2017070107-15","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2003.1254322"},{"key":"ijbdcn.2017070107-16","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2004.47"},{"key":"ijbdcn.2017070107-17","doi-asserted-by":"crossref","unstructured":"Van der Aalst, W. M., De Medeiros, A. A., & Weijters, A. J. M. M. (2005). Genetic process mining. Proceedings of the International Conference on Application and Theory of Petri Nets (pp. 48-69). Springer Berlin Heidelberg.","DOI":"10.1007\/11494744_5"},{"key":"ijbdcn.2017070107-18","doi-asserted-by":"publisher","DOI":"10.1016\/j.entcs.2004.10.013"},{"issue":"31","key":"ijbdcn.2017070107-19","first-page":"2","article-title":"ProM: The process mining toolkit.","volume":"489","author":"W. M.Van der Aalst","year":"2009","journal-title":"BPM (Demos)"},{"key":"ijbdcn.2017070107-20","doi-asserted-by":"crossref","unstructured":"Van Dongen, B. F., & Van der Aalst, W. M. (2004). Multi-phase process mining: Building instance graphs. Proceedings of the International Conference on Conceptual Modeling (pp. 362-376). Springer Berlin Heidelberg.","DOI":"10.1007\/978-3-540-30464-7_29"},{"key":"ijbdcn.2017070107-21","unstructured":"van Dongen, B. F., & Van der Aalst, W. M. (2005). Multi-phase process mining: Aggregating instance graphs into EPCs and Petri nets. Proceedings of the PNCWB 2005 workshop (pp. 35-58)."},{"issue":"2","key":"ijbdcn.2017070107-22","doi-asserted-by":"crossref","first-page":"151","DOI":"10.3233\/ICA-2003-10205","article-title":"Rediscovering workflow models from event-based data using little thumb.","volume":"10","author":"A. J.Weijters","year":"2003","journal-title":"Integrated Computer-Aided Engineering"},{"key":"ijbdcn.2017070107-23","doi-asserted-by":"crossref","unstructured":"Weijters, A. J. M. M., & Ribeiro, J. T. S. (2011). Flexible heuristics miner (FHM). 
Proceedings of the 2011 IEEE Symposium on Computational Intelligence and Data Mining (CIDM) (pp. 310-317). IEEE.","DOI":"10.1109\/CIDM.2011.5949453"},{"key":"ijbdcn.2017070107-24","doi-asserted-by":"publisher","DOI":"10.1007\/11610113_52"},{"key":"ijbdcn.2017070107-25","first-page":"1","article-title":"An insider threat model for adversary simulation. SRI International","volume":"2","author":"B.Wood","year":"2000","journal-title":"Research on Mitigating the Insider Threat to Information Systems"}],"container-title":["International Journal of Business Data Communications and Networking"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=181588","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,5,5]],"date-time":"2022-05-05T15:51:58Z","timestamp":1651765918000},"score":1,"resource":{"primary":{"URL":"http:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/ijbdcn.2017070107"}},"subtitle":[""],"short-title":[],"issued":{"date-parts":[[2017,7]]},"references-count":26,"journal-issue":{"issue":"2"},"URL":"https:\/\/doi.org\/10.4018\/ijbdcn.2017070107","relation":{},"ISSN":["1548-0631","1548-064X"],"issn-type":[{"value":"1548-0631","type":"print"},{"value":"1548-064X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2017,7]]}}}