CN-115545169-B - Multi-view business process anomaly detection method, system and equipment based on GRU-AE network
Abstract
The invention provides a multi-view business process anomaly detection method based on a GRU-AE network. The method comprises: data preprocessing, in which event logs are preprocessed; model training; and anomaly detection, in which the obtained features are input into the trained model to obtain attribute-level anomaly scores, and tracks or attributes are marked as anomalous or normal according to a threshold value. The data preprocessing step further comprises obtaining each track of the event logs, adding a virtual start event before the first event, adding a virtual end event after the last event, and converting the event logs into a third-order tensor as the feature to be input.
Inventors
- WANG WEI
- CAO JIAN
- GUAN WEI
Assignees
- 上海技群信息科技有限公司
Dates
- Publication Date: 20260505
- Application Date: 20221102
Claims (8)
- 1. A multi-view business process anomaly detection method based on a GRU-AE network, characterized by comprising the following steps: data preprocessing, in which event logs are preprocessed; model training; and anomaly detection, in which the obtained features are input into a trained model to obtain an attribute-level anomaly score, and the track or the attribute is marked as abnormal or normal according to a threshold value; wherein the data preprocessing step further comprises acquiring each track of an event log, adding a virtual start event before the first event, adding a virtual end event after the last event, and converting the event log into a third-order tensor as the feature to be input; the GRU-AE network carries out model training based on the converted three-dimensional tensor and learns normal behavior in event logs, wherein a loss function reconstructs an attribute value of each attribute of each event in each track based on a cross entropy criterion, and the formula is as follows: ; In the formula, t represents a trajectory, e represents an event, The attributes are represented as such, Representing the number of tracks in the log, Representing the maximum length of the track in the log, Representing the number of attributes; Wherein the abnormality detection step further includes the step of defining an abnormality score greater than a specified attribute value in a probability distribution Probability of (2) The sum of all probabilities of (a) is given by: ; wherein, by using a threshold τ, the anomaly score is mapped to 0 or 1, 0 representing normal, 1 representing anomaly; the method further comprises providing a network structure comprising a plurality of encoders and decoders, wherein each attribute in the attribute set is allocated one encoder and one decoder, the encoder takes a bidirectional GRU as its main structure and learns the representation of the features, the decoder takes the GRU as its main structure and reconstructs normal behavior, and an attention mechanism is introduced.
- 2. The method for detecting a multi-view business process anomaly based on a GRU-AE network of claim 1, wherein the event log containing anomaly trajectories is used for training, learning normal behavior for detecting anomalies, and determining that the portion of the event log having a large reconstruction error is anomalous based on a threshold value of anomaly score.
- 3. The GRU-AE network based multi-view business process anomaly detection method of claim 1 wherein said GRU-AE network based multi-view business process anomaly detection method further comprises the step of executing a teacher forcing method during GRU-AE network training.
- 4. The method for multi-view business process anomaly detection based on GRU-AE network of any of claims 1 to 3 wherein said model training step further comprises the step of using batch normalization and random inactivation methods to resist overfitting.
- 5. A multi-view business process anomaly detection device based on a GRU-AE network, comprising: a memory for storing a software application; a processor, configured to execute the software application program, where each program of the software application program correspondingly executes the steps in the method for detecting a multi-view business process anomaly based on a GRU-AE network according to any one of claims 1 to 4.
- 6. A multi-view business process anomaly detection system based on a GRU-AE network, characterized by comprising an event log preprocessing unit, a model training unit and an anomaly detection unit, wherein the event log preprocessing unit performs preprocessing of event logs, acquires each track of the event logs, adds a virtual start event before the first event, adds a virtual end event after the last event, and converts the event logs into a third-order tensor as the feature to be input; the formula for reconstructing the attribute value of each attribute of each event in each track in the model training unit is as follows: ; In the formula, t represents a trajectory, e represents an event, The attributes are represented as such, Representing the number of tracks in the log, Representing the maximum length of all tracks in the log, Representing the number of attributes; wherein the anomaly score in the anomaly detection unit is defined as being greater than a specified attribute value in a probability distribution Probability of (2) The sum of all probabilities of (a) is given by: ; wherein, by using a threshold τ, the anomaly score is mapped to 0 or 1, 0 representing normal, 1 representing anomaly; wherein the model training unit is provided with a GRU-AE network model, which specifies one encoder and one decoder for each attribute in the set of attributes by means of an unsupervised learning training model, the vector h output by all encoders being input to each decoder and the vector s output by each encoder being input to the corresponding decoder, the model training unit introducing an attention mechanism in the GRU-AE network model and a teacher forcing method in the autoencoder training process, identifying, by means of the attention mechanism, which attributes of which events are related to the next target value of the attribute related to the decoder, and giving a high attention weight to these attribute values.
- 7. The GRU-AE network based multi-view business process anomaly detection system of claim 6, wherein batch normalization and random deactivation methods are applied to the network structure of the GRU-AE network based multi-view business process anomaly detection system to counteract overfitting.
- 8. The multi-view business process anomaly detection system of a GRU-AE network of claim 6 or 7, wherein said model training unit uses cross entropy as a main component of a loss function when performing model training.
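The preprocessing and scoring steps of claim 1, as an added Python example that is not part of the patent text. It assumes integer codes per attribute for the third-order tensor, reads the anomaly score as the sum of the probabilities that exceed the probability p_v of the observed value v, and treats a score above τ as an anomaly; all names and sample data are constructed.

```python
# Added illustration: names and sample data are constructed, not from the patent.
START, END, PAD = "<start>", "<end>", "<pad>"

def log_to_tensor(log, attributes):
    """Encode a log as tensor[track][event][attribute] of integer codes."""
    framed = []
    for track in log:
        first = {a: START for a in attributes}  # virtual start event
        last = {a: END for a in attributes}     # virtual end event
        framed.append([first, *track, last])
    max_len = max(len(t) for t in framed)       # maximum track length
    vocab = {a: {PAD: 0} for a in attributes}   # one code table per attribute
    tensor = []
    for track in framed:
        rows = [[vocab[a].setdefault(ev[a], len(vocab[a])) for a in attributes]
                for ev in track]
        # Pad short tracks so every track has max_len events.
        rows += [[0] * len(attributes) for _ in range(max_len - len(track))]
        tensor.append(rows)
    return tensor, vocab

def anomaly_score(dist, v):
    """Sum of the probabilities in dist that exceed p_v (assumed reading)."""
    p_v = dist.get(v, 0.0)  # a value the model never predicts gets p_v = 0
    return sum(p for p in dist.values() if p > p_v)

def label(score, tau):
    """Map a score to 1 (anomaly) or 0 (normal); '>' is an assumption."""
    return 1 if score > tau else 0

# Constructed sample log: two tracks, two attributes per event.
LOG = [
    [{"activity": "create", "user": "alice"},
     {"activity": "approve", "user": "bob"},
     {"activity": "pay", "user": "carol"}],
    [{"activity": "create", "user": "alice"},
     {"activity": "pay", "user": "carol"}],
]
# Constructed model output: distribution over the activity following "create".
NEXT_ACTIVITY = {"approve": 0.7, "pay": 0.2, END: 0.1}

if __name__ == "__main__":
    tensor, vocab = log_to_tensor(LOG, ["activity", "user"])
    print(len(tensor), len(tensor[0]), len(tensor[0][0]))
    for value in ("approve", "pay"):
        score = anomaly_score(NEXT_ACTIVITY, value)
        print(value, score, label(score, tau=0.5))
```

In the second track the skipped "approve" activity makes "pay" the observed successor of "create", which is the case the score flags.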
Description
Multi-view business process anomaly detection method, system and equipment based on GRU-AE network

Technical Field

The invention relates to the field of data anomaly detection, in particular to a multi-view business process anomaly detection method, system and equipment based on a GRU-AE network.

Background

With the development of informatization, enterprises increasingly rely on process-aware information systems (PAISs) to optimize their processes. However, in real-life processes, anomalies are ubiquitous, and they have many causes, such as software failures or operator errors. Detecting anomalies in the execution of business processes is therefore of great interest. On the one hand, discovering anomalies that arise during business process execution as early as possible plays a vital role in the healthy operation of enterprises. On the other hand, a high-quality event log is indispensable for optimizing a process, so anomalies in the event log should be detected and deleted. For example, process mining (PM) provides techniques for understanding and optimizing processes. However, most existing process mining techniques are only effective when the event log is clean (i.e., contains no anomalies).

Event logs contain information in multiple dimensions, such as activity, resources, data, and time, and there are complex internal relationships between these dimensions. For example, the execution of activities follows a certain order (control flow dependency); data is transferred and modified in each activity (data flow dependency); different activities are performed according to different data values (control flow and data flow coupling); the durations of activities differ (time dependency); and different activities are performed by different machines or users (resource dependency).

Anomalies in the event log may be categorized into six categories, namely skip, insert, redo, advance, retard, and attribute anomalies, where the first five categories may be referred to as control flow anomalies, caused by errors in the execution order of the activities. Errors in resources, data, and time are all categorized as attribute anomalies. Complicated dependencies and diversified anomalies present significant challenges to anomaly detection in business processes.

Disclosure of Invention

The invention aims to provide a multi-view business process anomaly detection method, system and equipment based on a GRU-AE network, in which an autoencoder that can reconstruct normal behavior and takes GRU as its main structure is trained, and the trained model is used to detect anomalies in an event log.

In order to achieve at least one of the objects of the present invention, the present invention provides a multi-view business process anomaly detection method based on a GRU-AE network, the method comprising the steps of: data preprocessing, in which event logs are preprocessed; model training; and anomaly detection, in which the obtained features are input into a trained model to obtain an attribute-level anomaly score, and the track or the attribute is marked as abnormal or normal according to a threshold value;

The data preprocessing step further comprises the steps of acquiring each track of an event log, adding a virtual start event before the first event, adding a virtual end event after the last event, and converting the event log into a third-order tensor as the feature to be input;

The GRU-AE network carries out model training based on the converted three-dimensional tensor, and learns normal behavior in event logs, wherein a loss function reconstructs an attribute value of each attribute of each event in each track based on a cross entropy criterion, and the formula is as follows: in the formula, t represents a track, e represents an event, a represents an attribute, T represents the number of tracks in the log, E represents the maximum length of the tracks in the log, and A represents the number of attributes;

Wherein the anomaly detection step further comprises the step of defining an anomaly score as the sum of all probabilities in the probability distribution that are greater than the probability p_v of a specified attribute value v, the formula being: wherein, by using a threshold τ, the anomaly score is mapped to 0 or 1, 0 representing normal, and 1 representing anomaly.

In some embodiments, training is performed using an event log that may contain anomalous tracks, normal behavior is learned for detecting anomalies, and the portion of the event log with a large reconstruction error is determined to be anomalous based on a threshold value for the attribute-level anomaly score.

In some embodiments, the multi-view business process anomaly detection method based on the GRU-AE network further comprises the step of