Modern IT systems have to deal with unpredictable situations and exceptions more and more often. In contrast, security mechanisms are usually very rigid. This causes organizations to employ functionality like break-the-glass that allows users to bypass security mechanisms in case of emergencies. However, break-the-glass introduces a weak point in the system and can be misused. In this paper, we present a flexible framework for controlling the use of break-the-glass using the notion of alignments. The framework measures to what extent a process execution diverges from the specification (i.e., using optimal alignments) and revokes the exceptional permissions granted to cope with the emergency when the severity of deviations cannot be tolerated. To measure the severity of deviations, we extend alignment-based deviation analysis techniques. In particular, our technique is able to identify high-level deviations such as activity replacements and swaps; hence it provides a more accurate diagnosis of deviations than classical optimal alignments. Our work is implemented as a ProM~6 plug-in and evaluated using both synthetic and real-life data.

Arya Adriansyah, Boudewijn F. van Dongen, and Nicola Zannone, “Controlling Break-The-Glass Through Alignment”, in Proceedings of International Conference on Information Privacy, Security, Risk and Trust. 2013, IEEE.

Robert Richardson, “Computer Crime & Security Survey”, Tech. report, Computer Security Institute, 2008.

Kevin W. Hamlen, Greg Morrisett, and Fred B. Schneider, “Computability classes for enforcement mechanisms”, TOPLAS, vol. 28, no. 1, pp. 175–205, 2006.

Jay Ligatti, Lujo Bauer, and David Walker, “Run-time enforcement of nonsafety policies”, ACM Trans. Inf. Syst. Secur., vol. 12, no. 3, pp. 1–41, 2009.

A Ferreira, R Cruz-Correia, L Antunes, P Farinha, E Oliveira-Palhares, D W. Chadwick, and A Costa-Pereira, “How to break access control in a controlled manner”, in Proceedings of Symposium on Computer- Based Medical Systems. 2006, pp. 847–854, IEEE.

Shane R Reti, Henry J Feldman, Stephen E Ross, and Charles Safran, “Improving personal health records for patient-centered care”, JAMIA, vol. 17, no. 2, pp. 192–195, 2010.

Claudio Agostino Ardagna, Sabrina De Capitani di Vimercati, Tyrone Grandison, Sushil Jajodia, and Pierangela Samarati, “Regulating exceptions in healthcare using policy spaces”, in Data and Applications Security. 2008, LNCS 5094, pp. 254–267, Springer.

Marco Montali, Maja Pesic, Wil M. P. van der Aalst, Federico Chesani, Paola Mello, and Sergio Storari, “Declarative specification and verification of service choreographiess”, TWEB, vol. 4, no. 1, pp. 3:1–3:62, 2010.

Milan Petkovic, Davide Prandi, and Nicola Zannone, “Purpose control: Did you process the data for the intended purpose?”, in Secure Data Management. 2011, LNCS 6933, pp. 145–168, Springer.

J. E. Cook and A. L. Wolf, “Software Process Validation: Quantitatively Measuring the Correspondence of a Process to a Model”, TOSEM, vol. 8, pp. 147–176, 1999.

A. Adriansyah, N. Sidorova, and B. F. van Dongen, “Cost-Based Fitness in Conformance Checking”, in Proceedings of International Conference on Application of Concurrency to System Design. 2011, pp. 57–66, IEEE.

A. Adriansyah, B.F. van Dongen, and W.M.P. van der Aalst, “Memory-Efficient Alignment of Observed and Modeled Behavior”, Tech. Rep., BPMcenter.org, 2013, BPM Center Report BPM-03-03.

Benoit Depaire, Jo Swinnen, Mieke, and KoenVanhoof, “A Process Deviation Analysis Framework”, in Business Process Management Workshops. 2013, LNBIP 132, pp. 701–706, Springer.

Sebastian Banescu, Milan Petkovic, and NicolaZannone, “Measuring privacy compliance using fitness metrics”, in Business Process Management. 2012, LNCS 7481, pp. 114–119, Springer.

T. Murata, “Petri nets: Properties, analysis and applications”, Proc. IEEE, vol. 77, no. 4, pp.541–580, 2002.

W. M. P. van der Aalst, A. Adriansyah, and B. F. van Dongen, “Replaying History on Process Models for Conformance Checking and Performance Analysis”, WIREs Data Mining and Knowledge Discovery, vol. 2, no. 2, pp. 182–192,2012.

Sebastian Banescu and Nicola Zannone, “Measuring privacy compliance with process specifications”, in Proceedings of International Workshop on Security Measurements and Metrics. 2011,pp. 41–50, IEEE.

Susan T. Dumais, “Latent semantic analysis”, ARIST, vol. 38, no. 1, pp. 188–230, 2004.

AnHai Doan, Jayant Madhavan, RobinDhamankar, Pedro Domingos, and Alon Halevy, “Learning to match ontologies on the Semantic Web”, VLDB Journal, vol. 12, no. 4, pp. 303–319, 2003.

Steven Heeps, Joe Sventek, Naranker Dulay, Alberto Schaeffer Filho, Emil Lupu, Morris Sloman, and Stephen Strowes, “Dynamic Ontology Mapping for Interacting Autonomous Systems”, in Proceedings of International Workshop on Self-Organizing Systems. 2007, LNCS 4725, pp. 255–263, Springer.

A. Adriansyah, B. F. van Dongen, and W. M. P. van der Aalst, “Conformance Checking Using Cost-Based Fitness Analysis”, in Proceedings of International Enterprise Distributed Object Computing Conference. 2011, pp. 55–64, IEEE.

B.F. van Dongen, “Event Log for the BPI Challenge 2012”, http://dx.doi.org/10.4121/uuid:3926db30-f712-4394-aebc-75976070e91f, 2012.

R. P. Jagadeesh Chandra Bose and Wil M. P. van der Aalst, “Context aware trace clustering: Towards improving process mining results”, in Proceedings of International Conference on Data Mining. 2009, pp. 401–412, SIAM.

Wil M. P. van der Aalst, Ton Weijters, and Laura Maruster, “Workflow Mining: Discovering Process Models from Event Logs”, TKDE, vol. 16, no. 9, pp. 1128–1142, 2004.

Achim D. Brucker and Helmut Petritsch, “Extending access control models with break-glass”, in Proceedings of Symposium on Access Control Models and Technologies. 2009, pp. 197–206, ACM.

Wil M. P. van der Aalst, H. T. de Beer, and Boudewijn F. van Dongen, “Process mining and verification of properties: An approach based on temporal logic”, in On the Move to Meaningful Internet Systems. 2005, LNCS 3760, pp. 130–147, Springer.

Matthias Weidlich, Artem Polyvyanyy, Nirmit Desai, Jan Mendling, and Mathias Weske, “Process compliance analysis based on behavioural profiles”, Inf. Sys., vol. 36, no. 7, pp. 1009–1025, 2011.

Anne Rozinat and Wil M. P. van der Aalst, “Conformance checking of processes based on monitoring real behavior”, Inf. Syst., vol. 33, no. 1, pp. 64–95, 2008.

A. K. Alves de Medeiros, A. J. M. M. Weijters, and W. M. P. van der Aalst, “Genetic Process Mining: an Experimental Evaluation”, Data Mining and Knowledge Discovery, vol. 14, no. 2, pp. 245–304, 2007.

A. Adriansyah, B. F. van Dongen, and W. M. P. van der Aalst, “Towards Robust Conformance Checking”, in Business Process Management Workshops. 2011, LNBIP 66, pp. 122–133, Springer.

Nataliia Bielova and Fabio Massacci, “Predictability of enforcement”, in Engineering Secure Software and Systems. 2011, LNCS 6542, pp. 73–86, Springer.