CS techniques for IT auditing, Lecture 6. Dept of Mathematics and Computer Science.


Slide 2: Transition systems (1)
The basic process model of computer science is the transition system. Synonyms: labeled transition system, automaton, Kripke structure. Petri nets and process algebras are formalisms to specify and reason about transition systems.

Slide 3: Transition systems (2) (Technology of information systems)
Definition: a transition system is a 4-tuple TS = (S, A, R, s0, p) (the slide says 4-tuple; five components are listed) such that
– S is a set of states
– A is a set of actions or events
– R ⊆ S × A × S is the transition relation
– s0 ∈ S is the initial state
– p is a mapping that assigns to a state s the finite set p(s) of elementary properties that hold in s (e.g. p(s) = {a, b, c, d})
Note that (so far) S does not have to be finite!

Slide 4: Transition systems (3): typical properties
Reachability:
– s →a s' iff (s, a, s') ∈ R
– s →* s' iff s = s' ∨ ∃a ∈ A, s'' ∈ S: s →a s'' ∧ s'' →* s'
– The set of reachable states RS = {s | s0 →* s}
– A path π is a sequence of states π = (s1, s2, …, sn) such that ∀i ∈ {1, …, n-1} ∃a ∈ A: si →a si+1
Safety: "things that never may happen"
– For all reachable states a certain property should (not) hold. It is an invariant of the system. This can be a state property only, e.g. ∀s ∈ RS: a ∈ p(s)
– For all finite paths some property must hold, e.g. the number of events with label a is less than 12
– Mostly safety is used for unwanted behaviour (i.e. some property should NOT hold)

Slide 5: Transition systems (4): typical properties
Deadlock: a state s is a deadlock if no transition is possible from s.
Liveness: "things that should be possible or happen in the future". Several types of liveness:
– Eventually some property will hold or eventually some event will occur, e.g. for each commercial activity some invoice will be sent.
– For each reachable state there will always be a future event x, i.e. x will occur infinitely often!
– For each reachable state it is possible that a certain event happens in the future.

Slide 6: Transition systems (5)
We follow: Systems and Software Verification
– Subtitle: Model checking techniques and tools
– Authors: Bérard, Bidoit, Finkel, Laroussinie, Petit, Petrucci, Schnoebelen, McKenzie
– Publisher: Springer-Verlag 2001, ISBN
Extension of transition systems with
– Global variables: updated during transitions by an assignment (e.g. x := x+1)
– Guards that block (prevent) transitions (e.g. x < 9)
If the variables have a finite range, we can unfold the extended transition system to obtain a (normal) transition system: the states are vectors consisting of the original state and the values of the variables (see fig. 1.7 and 1.8 of the book).

Slide 7: Transition systems (6)
Example (fig. 1.7): event set = {A, B, C}, global variable = ctr, initially ctr = 0. Unfolding: fig. 1.8.
[Figure: the extended transition system of fig. 1.7 and its unfolding of fig. 1.8. Only the edge labels survive in the transcript: "B, C if ctr<3 ctr:=ctr+1", "A if ctr<3 ctr:=ctr+1", "B, C if ctr=3 ctr:=ctr+1", "C if ctr<3 ctr:=ctr+1", "A, C if ctr=3 ctr:=ctr+1", "A", "B".]
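The following is an added example, not code from the lecture or the book it follows: a transition system with the properties of slides 3 to 5 (reachable states, a state-property invariant, deadlock), plus the unfolding of slides 6 and 7 done on a constructed extended system (locations q0 and q1, events A, B, C, one counter ctr with guards and updates). That system and all names in the code are assumptions for this illustration; it is not fig. 1.7.

```python
from collections import deque

# Added example (not from the lecture): TS = (S, A, R, s0, p) with reachability,
# a state-property safety check and deadlock detection, and the unfolding of an
# extended transition system (one global variable with guards and updates)
# into a plain one. The extended system below is constructed for this example.

class TransitionSystem:
    def __init__(self, states, actions, transitions, initial, props):
        self.S = set(states)
        self.A = set(actions)
        self.R = set(transitions)      # triples (s, a, s')
        self.s0 = initial
        self.p = props                 # s -> frozenset of elementary properties holding in s

    def successors(self, s):
        return [(a, t) for (u, a, t) in self.R if u == s]

    def reachable(self):
        """RS = {s | s0 ->* s}, computed by breadth-first search from s0."""
        seen, todo = {self.s0}, deque([self.s0])
        while todo:
            s = todo.popleft()
            for _, t in self.successors(s):
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen

    def deadlocks(self):
        """Reachable states from which no transition is possible."""
        return {s for s in self.reachable() if not self.successors(s)}

    def never_holds(self, prop):
        """Safety as an invariant over RS: prop is in p(s) for no reachable s."""
        return all(prop not in self.p[s] for s in self.reachable())


def unfold(locations, events, guarded, init_loc, var_init, var_range):
    """Unfold an extended TS whose transitions carry a guard and an update on one
    integer variable into a plain TS over (location, value) pairs.
    guarded: list of (loc, event, guard(v) -> bool, update(v) -> v', loc')."""
    states = {(l, v) for l in locations for v in var_range}
    R = set()
    for (l, e, guard, update, l2) in guarded:
        for v in var_range:
            v2 = update(v)
            if guard(v) and v2 in var_range:      # a false guard blocks the transition
                R.add(((l, v), e, (l2, v2)))
    props = {(l, v): frozenset({l, f"ctr={v}"}) for (l, v) in states}
    return TransitionSystem(states, events, R, (init_loc, var_init), props)


def example():
    # Constructed extended system: locations q0/q1, events A, B, C, counter ctr in 0..4.
    guarded = [
        ("q0", "A", lambda v: v < 3, lambda v: v + 1, "q1"),   # A if ctr<3, ctr:=ctr+1
        ("q1", "B", lambda v: True,  lambda v: v,     "q0"),   # B always possible
        ("q1", "C", lambda v: v < 3, lambda v: v + 1, "q0"),   # C if ctr<3, ctr:=ctr+1
    ]
    return unfold({"q0", "q1"}, {"A", "B", "C"}, guarded, "q0", 0, range(0, 5))


if __name__ == "__main__":
    ts = example()
    print("reachable states:", sorted(ts.reachable()))
    print("deadlocks:", ts.deadlocks())
    print("ctr=4 never reachable:", ts.never_holds("ctr=4"))
```

The unfolded system has 10 states (2 locations × 5 counter values) but only 7 are reachable; the guard ctr<3 makes (q0, 3) a deadlock, which is exactly the kind of state a reachability analysis is meant to surface.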

Slide 8: Transition systems (7): decomposition and synthesis of transition systems
Synchronized product of two or more transition systems:
– The state space is the Cartesian product of the component state spaces
– The event set is the union of the event sets, where each event set is extended with the "inaction" event (-). (So a transition is possible if one or more components can make a transition.)
– Synchronization: Sync is a subset of the Cartesian product of all (extended) event sets
– Transition relation: R = {(s, a, s') | a ∈ Sync ∧ for every component i: (si, ai, si') ∈ Ri, or ai = - ∧ si = si'}, where s, a, s' are vectors of states or events

Slide 9: Transition systems (8): synchronization by message passing
Is this system live? (i.e. is there, for each reachable state, each event possible in the future?)
[Figure: two components synchronizing by message passing; edge labels A?, A!, B?, B!, A?, B?, A?.]
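An added example for slides 8 and 9, not code from the lecture: the synchronized product computed per the slide's definition, with Sync pairing a send with its receive (message passing), and the liveness question of slide 9 checked mechanically. The two components, their state names and the sending/receiving convention (A! paired with A?) are constructed for this example.

```python
from collections import deque
from itertools import product

# Added example (not from the lecture): synchronized product with a Sync set and
# the "is every event still possible from every reachable state?" liveness check.

INACTION = "-"

def synchronized_product(components, sync):
    """components: list of (states, transitions, initial) with transitions a set of
    (s, a, s') triples; sync: set of event vectors (one entry per component, '-' = inaction).
    Returns (states, events, R, s0): the state space is the Cartesian product and a vector
    a in Sync fires iff every component takes a local a_i step, or stays put when a_i = '-'."""
    states = set(product(*[c[0] for c in components]))
    R = set()
    for s in states:
        for a in sync:
            choices = []
            for s_i, a_i, (_, R_i, _) in zip(s, a, components):
                if a_i == INACTION:
                    choices.append([s_i])
                else:
                    choices.append([t for (u, b, t) in R_i if u == s_i and b == a_i])
            for s2 in product(*choices):      # empty if some component cannot move
                R.add((s, a, s2))
    s0 = tuple(c[2] for c in components)
    return states, set(sync), R, s0


def reachable_from(R, start):
    seen, todo = {start}, deque([start])
    while todo:
        s = todo.popleft()
        for (u, _, t) in R:
            if u == s and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def is_live(events, R, s0):
    """Slide 9's question: from every reachable state, is every event still possible
    at some point in the future? A deadlocked state makes this fail."""
    for s in reachable_from(R, s0):
        future = reachable_from(R, s)
        possible_later = {a for (u, a, _) in R if u in future}
        if possible_later != events:
            return False
    return True


# Constructed components: a sender alternating "send A" / "receive B", and two receivers:
# one that answers with B forever, one that answers once and then stops.
SENDER = ({"s0", "s1"}, {("s0", "A!", "s1"), ("s1", "B?", "s0")}, "s0")
RECEIVER_OK = ({"r0", "r1"}, {("r0", "A?", "r1"), ("r1", "B!", "r0")}, "r0")
RECEIVER_STOPS = ({"r0", "r1", "r2"}, {("r0", "A?", "r1"), ("r1", "B!", "r2")}, "r0")
SYNC = {("A!", "A?"), ("B?", "B!")}       # message passing: send and receive fire together


def check(receiver):
    """(live?, size of the product state space, number of reachable product states)."""
    states, events, R, s0 = synchronized_product([SENDER, receiver], SYNC)
    return is_live(events, R, s0), len(states), len(reachable_from(R, s0))


if __name__ == "__main__":
    print("receiver that keeps answering:", check(RECEIVER_OK))
    print("receiver that stops:          ", check(RECEIVER_STOPS))
```

With the receiver that stops, the product reaches (s0, r2), from which no Sync vector is enabled, so the system is not live; the liveness check also notices when a state is reachable but only some of the events can ever follow it.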

Slide 10: Transition systems (9): synchronization by variable sharing
[Figure: components sharing a variable A, initially A=0; edge labels "If A=1 A:=0", "If A=1; A:=0", "If A=0 A:=1", "If A=0", "If A=1", "If A=0".]

Slide 11: Questions to be answered (1)
Conformance: the process behaves according to some set of business rules, e.g.
– Every purchase order has been approved by some manager
– The person who approves a purchase order is never the one who approves the payment
– Eventually each client invoice will be paid or compensated by a credit invoice
– Each business process should always have the possibility to terminate (soundness property)
Conformance is required by higher layers of management, by contracts or by laws.

Slide 12: Questions to be answered (2)
Performance: the key performance indicators (KPIs) are within acceptance regions, e.g.
– The average response time of a help desk is lower than 10 min
– The percentage of misprints is lower than 5%
– The uptime of the system is at least 99%
Often performance is required in contracts, e.g. service level agreements (SLAs).

Slide 13: Overview of techniques
– Specifying system properties (in temporal logic)
– Model checking: only for finite transition systems, but |S| may be 10^9
– Theorem proving: only in very special cases
– Testing: always possible, but never gives 100% assurance
– Process mining: learning from the past!

Slide 14: Temporal logic (1)
How to specify properties? Temporal logic!
– (P)LTL: (Propositional) Linear Temporal Logic
– CTL: Computation Tree Logic (more general!)
We consider CTL* (the difference will be explained later).
Syntax:
– Finite set of atomic propositions (e.g. "cold", "hot", "x=y+3")
– Standard Boolean combinators: ¬, ∧, ∨, ⇒
– Temporal combinators, for one path: X (next state), U (until). X φ means: in the next state φ will hold. φ1 U φ2 means: φ1 holds until some state where φ2 holds.
– Path quantifiers: A (for all paths), E (for some path)

Slide 15: Temporal logic (2)
Two derivable temporal combinators:
– G: for all states in the future on one path
– F: for some state in the future on one path
– F φ = True U φ
– G φ = ¬F ¬φ
In CTL, X, F, G and U are always preceded by A or E, e.g. EF, AX.
(P)LTL does not have the path quantifiers A and E. This means that we cannot express in LTL: "for all paths, in every state of the path there starts a path such that some property φ eventually holds". This property is expressed as AG EF φ, e.g. "for each reachable state there is a path to some specific state". So a path for which no state has property φ may still satisfy AG EF φ.

Slide 16: Model checking (1)
We present an algorithm for verifying an arbitrary CTL formula. The procedure is recursive, following the structure of the formula. The main procedure is called "marking": it marks states in different ways. States s have attributes, e.g. s.psi, s.seen. The formula holds iff, when the procedure terminates, the initial state satisfies the formula. Note that constructs not used in the algorithm can be derived (e.g. AX φ = ¬EX ¬φ).

Slide 17: Model checking (2)
  procedure marking(phi)
    case 1: phi = P
      forall s in S do
        if P in p(s) then s.phi := true else s.phi := false fi
      endfor;
    case 2: phi = not psi
      marking(psi);
      forall s in S do s.phi := not(s.psi); endfor;
    case 3: phi = psi1 /\ psi2
      marking(psi1); marking(psi2);
      forall s in S do s.phi := and(s.psi1, s.psi2); endfor;
    case 4: phi = EX psi
      marking(psi);
      forall s in S do s.phi := false; endfor;          /* initialization */
      forall (s, a, s') in R do
        if s'.psi = true then s.phi := true fi          /* some successor satisfies psi */
      endfor;

Slide 18: Model checking (3)
    case 5: phi = E psi1 U psi2
      marking(psi1); marking(psi2);
      forall s in S do s.phi := false; s.seen := false; endfor;   /* initialization */
      L := {};
      forall s in S do if s.psi2 = true then L := L + {s} fi endfor;
      while L not empty do
        draw s from L; L := L - {s};
        s.phi := true;
        forall (s', a, s) in R do                        /* every predecessor s' of s */
          if s'.seen = false then
            s'.seen := true;
            if s'.psi1 = true then L := L + {s'} fi
          fi
        endfor
      endwhile;

Slide 19: Model checking (4)
    case 6: phi = A psi1 U psi2
      marking(psi1); marking(psi2);
      L := {};
      forall s in S do s.nb := degree(s); s.phi := false; endfor;   /* initialization; degree(s) = number of outgoing transitions of s */
      forall s in S do if s.psi2 = true then L := L + {s} fi endfor;
      while L not empty do
        draw s from L; L := L - {s};
        s.phi := true;
        forall (s', a, s) in R do                        /* every predecessor s' of s */
          s'.nb := s'.nb - 1;                             /* one more successor of s' is marked */
          if (s'.nb = 0) and (s'.psi1 = true) and (s'.phi = false) then L := L + {s'} fi
        endfor
      endwhile;

Slide 20: Model checking (5)
In fact we have two functions to compute:
– Sat(φ), the set of states where φ holds
– Pre(X), the set of predecessors of some set of states X
Iterating Pre until nothing changes closes X under predecessors (this is the fixpoint behind the until cases):
  Y := {};
  while (Y ≠ X) do
    Y := X; X := X ∪ Pre(X)
  endwhile;
  return X;
Sat(φ) can be computed by the following rules:
– Sat(¬φ) = S \ Sat(φ)
– Sat(φ ∧ ψ) = Sat(φ) ∩ Sat(ψ)
– Sat(EX φ) = Pre(Sat(φ))
– Sat(AX φ) = S \ Pre(S \ Sat(φ))
– etc.
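The following is an added example, not code from the lecture: a CTL checker in the Sat/Pre style of slides 16 to 20 (EU and AU as fixpoints, EX and AX by the rules above, F/G derived as on slide 15), run against a small constructed Kripke structure of a purchase-to-pay process and the conformance questions of slide 11. The process, its state names and the way approval is recorded as a state property are assumptions for this illustration.

```python
# Added example (not from the lecture): CTL model checking by computing Sat(phi)
# with Pre(X) and least fixpoints, on a constructed purchase-to-pay process.
# Formulas are nested tuples, e.g. ("AG", ("EF", ("ap", "done"))).

class Kripke:
    def __init__(self, states, transitions, initial, props):
        self.S = set(states)
        self.R = set(transitions)          # (s, a, s') triples
        self.s0 = initial
        self.p = props                     # s -> set of atomic propositions holding in s

    def pre(self, X):
        """Pre(X): states with at least one successor in X."""
        return {s for (s, _, t) in self.R if t in X}

    def pre_all(self, X):
        """States with at least one successor, all of whose successors are in X."""
        has_succ = {s for (s, _, _) in self.R}
        return has_succ & (self.S - self.pre(self.S - X))

    def lfp(self, step, start):
        """The slide's loop: Y := {}; while Y != X do Y := X; X := X u step(X) endwhile."""
        X, Y = set(start), None
        while Y != X:
            Y = set(X)
            X = X | step(X)
        return X

    def sat(self, f):
        op = f[0]
        if op == "true":    return set(self.S)
        if op == "ap":      return {s for s in self.S if f[1] in self.p[s]}
        if op == "not":     return self.S - self.sat(f[1])
        if op == "and":     return self.sat(f[1]) & self.sat(f[2])
        if op == "or":      return self.sat(f[1]) | self.sat(f[2])
        if op == "implies": return self.sat(("or", ("not", f[1]), f[2]))
        if op == "EX":      return self.pre(self.sat(f[1]))
        if op == "AX":      return self.S - self.pre(self.S - self.sat(f[1]))
        if op == "EU":      # E phi U psi: start from Sat(psi), add phi-states with a successor in X
            phi, psi = self.sat(f[1]), self.sat(f[2])
            return self.lfp(lambda X: phi & self.pre(X), psi)
        if op == "AU":      # A phi U psi: add phi-states all of whose successors are in X
            phi, psi = self.sat(f[1]), self.sat(f[2])
            return self.lfp(lambda X: phi & self.pre_all(X), psi)
        if op == "EF":      return self.sat(("EU", ("true",), f[1]))
        if op == "AF":      return self.sat(("AU", ("true",), f[1]))
        if op == "AG":      return self.S - self.sat(("EF", ("not", f[1])))
        if op == "EG":      return self.S - self.sat(("AF", ("not", f[1])))
        raise ValueError(f"unknown operator {op}")

    def holds(self, f):
        """The formula holds for the system iff the initial state satisfies it."""
        return self.s0 in self.sat(f)


def purchase_process():
    # Constructed process: an order is approved or rejected; a paid order is closed,
    # or ends in an endless dispute (a soundness defect planted on purpose).
    props = {
        "s0": {"order"}, "s1": {"approved"}, "s2": {"approved", "paid"},
        "s3": {"rejected"}, "s4": {"done"}, "s5": {"approved", "paid", "disputed"},
    }
    R = {("s0", "approve", "s1"), ("s0", "reject", "s3"), ("s1", "pay", "s2"),
         ("s2", "close", "s4"), ("s2", "dispute", "s5"), ("s3", "close", "s4"),
         ("s4", "idle", "s4"), ("s5", "wait", "s5")}
    return Kripke(props.keys(), R, "s0", props)


AP = lambda name: ("ap", name)
RULES = {
    # every payment is approved (approval is carried along as a state property)
    "paid only if approved": ("AG", ("implies", AP("paid"), AP("approved"))),
    # soundness: from every reachable state, termination stays possible
    "can always terminate":  ("AG", ("EF", AP("done"))),
    # stronger: every run terminates
    "always terminates":     ("AF", AP("done")),
}

def check_rules(k):
    return {name: k.holds(f) for name, f in RULES.items()}


if __name__ == "__main__":
    k = purchase_process()
    for name, verdict in check_rules(k).items():
        print(f"{name:25s} {verdict}")
    print("states from which 'done' is unreachable:", sorted(k.S - k.sat(("EF", AP("done")))))
```

The states outside Sat(EF done) are the ones that break the soundness rule; listing them is the counterexample an auditor would take back to the process owner. pre_all treats a state without successors as having no path, so AF and AU never hold there, which is the conservative reading for a deadlock.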

Slide 21: Model checking (6)
Symbolic model checking: using symbolic representations for
– the transition triples
– Sat(P)
– an algorithm for Pre(X) from the symbolic representation of X
– algorithms for set operations, such as union, intersection and complement, on symbolic representations of sets
One popular symbolic representation is Binary Decision Diagrams (BDDs). They have nice properties:
– They can be optimized to get a minimal representation
– This representation is unique
– They can be used to code large sets
– All kinds of set-theoretic operations can be performed fast

Slide 22: Model checking (7)
Basic idea: take a Boolean function of a vector of Boolean variables, e.g. f(x,y,z).
[Figure: decision tree for f(x,y,z): nodes labelled x, y, z, arcs labelled F and T, leaves true and false.]

Slide 23: Model checking (8)
Two reduction rules:
– If two nodes have the same subtree, the subtree is shared
– If the outgoing arcs of a node refer to the same node, the node is skipped
[Figure: the decision tree of f(x,y,z) and the two successively reduced diagrams; nodes x, y, z, arcs F/T, leaves true/false.]

Slide 24: Model checking (9)
Application to model checking: binary coding of states and events, e.g. if there are 2^10 states and 2^8 events we use 10 bits for each state and 8 bits for each event. The transition relation R is a subset of the set of all triples. Each triple has 28 bits, so there are 2^28 triples! To code only the subset R of this set we use a BDD: in fact we define the characteristic function f of the set R, i.e. f(s,a,s') = True iff (s,a,s') ∈ R, where s, a, s' are the encodings of the state s, the event a and the state s'. Function f is optimized by the reduction rules. All kinds of set-theoretic operations can be performed efficiently on the BDDs, e.g.
– The complement of a set is just exchanging True and False in the leaves
– Emptiness test: check whether the tree is reduced to the single node False
– Equality testing is just the comparison of two trees
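An added example for slides 22 to 24, not code from the lecture: a reduced ordered BDD built with the two reduction rules (shared subtrees via a unique table, skipped nodes when both arcs agree), used as the characteristic function of a constructed transition relation over 2-bit states and 1-bit events. Complement, emptiness and equality are the leaf swap, single-leaf and node-identity tests of slide 24; apply() adds union and intersection. The relation, variable names and bit layout are assumptions for this illustration.

```python
# Added example (not from the lecture): a reduced ordered BDD and the set
# operations of slide 24 on the characteristic function of a transition relation.

class BDD:
    FALSE, TRUE = 0, 1                 # the two terminal nodes

    def __init__(self, order):
        self.order = list(order)       # variable order: state bits, event bits, next-state bits
        self.nodes = {}                # node id -> (var_index, low, high)
        self.unique = {}               # (var_index, low, high) -> node id   (rule 1: sharing)

    def mk(self, i, low, high):
        if low == high:                # rule 2: both arcs to the same node -> skip the node
            return low
        key = (i, low, high)
        if key not in self.unique:     # rule 1: an identical subtree exists -> share it
            nid = len(self.nodes) + 2
            self.nodes[nid] = key
            self.unique[key] = nid
        return self.unique[key]

    def build(self, f, i=0, env=None):
        """Shannon expansion along the order, f = x ? f[x:=T] : f[x:=F], reduced on the way up."""
        env = env or {}
        if i == len(self.order):
            return self.TRUE if f(env) else self.FALSE
        x = self.order[i]
        return self.mk(i, self.build(f, i + 1, {**env, x: False}),
                          self.build(f, i + 1, {**env, x: True}))

    def var(self, n):
        return self.nodes[n][0] if n > 1 else len(self.order)

    def apply(self, op, n1, n2):
        """Combine two BDDs with a Boolean operator (set union, intersection, ...)."""
        memo = {}
        def go(a, b):
            if a <= 1 and b <= 1:
                return self.TRUE if op(bool(a), bool(b)) else self.FALSE
            if (a, b) not in memo:
                i = min(self.var(a), self.var(b))
                a_lo, a_hi = self.nodes[a][1:] if self.var(a) == i else (a, a)
                b_lo, b_hi = self.nodes[b][1:] if self.var(b) == i else (b, b)
                memo[(a, b)] = self.mk(i, go(a_lo, b_lo), go(a_hi, b_hi))
            return memo[(a, b)]
        return go(n1, n2)

    def complement(self, n):
        """Exchange True and False in the leaves."""
        memo = {}
        def go(m):
            if m <= 1:
                return 1 - m
            if m not in memo:
                i, lo, hi = self.nodes[m]
                memo[m] = self.mk(i, go(lo), go(hi))
            return memo[m]
        return go(n)

    def is_empty(self, n):
        return n == self.FALSE         # reduced to the single leaf False

    def equal(self, n1, n2):
        return n1 == n2                # canonical form: same set <=> same node

    def size(self, n):
        """Number of elements of the coded set (satisfying assignments)."""
        def count(m, i):
            if m == self.FALSE: return 0
            if m == self.TRUE:  return 2 ** (len(self.order) - i)
            j, lo, hi = self.nodes[m]
            return 2 ** (j - i) * (count(lo, j + 1) + count(hi, j + 1))   # skipped vars are free
        return count(n, 0)


# Constructed relation over 4 states (2 bits) and 2 events (1 bit): (s, a, s') triples.
ORDER = ["s1", "s0", "a", "t1", "t0"]
R = {(0, 0, 1), (1, 0, 2), (1, 1, 3), (2, 1, 0)}

def char_R(env):
    """Characteristic function: True iff the encoded triple is in R."""
    s = 2 * env["s1"] + env["s0"]
    t = 2 * env["t1"] + env["t0"]
    return (s, int(env["a"]), t) in R

def demo():
    bdd = BDD(ORDER)
    r = bdd.build(char_R)
    not_r = bdd.complement(r)
    return {
        "|R|": bdd.size(r),
        "|complement|": bdd.size(not_r),
        "R and not R empty": bdd.is_empty(bdd.apply(lambda x, y: x and y, r, not_r)),
        "R or not R is all": bdd.size(bdd.apply(lambda x, y: x or y, r, not_r)),
        "rebuilt R is same node": bdd.equal(r, bdd.build(char_R)),
        "double complement is R": bdd.equal(bdd.complement(not_r), r),
        "nodes vs full tree": (len(bdd.nodes), 2 ** len(ORDER) - 1),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24s} {v}")
```

Because every node is created through mk(), two constructions of the same function end at the same node id, which is what makes the equality test a pointer comparison and the emptiness test a check against the False leaf.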

Slide 25: Process mining (1): for discovery, conformance and performance

Slide 26: Process mining (2): examples of applications

Slide 27: Process mining (3)
Process mining can be used for:
– Discovery (What is the process?)
– Conformance analysis (Is it doing what was specified?)
– Performance analysis (How can we improve?)

Slide 28: Process mining (4): overview of applications of log mining
1) basic performance metrics
2) process model
3) organizational model
4) social network
5) performance characteristics (if … then …)
6) auditing/security

Slide 29: Process mining (5): the alpha algorithm (Van der Aalst et al.)

Slide 30: Process mining (6): process log
Minimal information in a log: case ids and task ids. Additional information: event type, time, resources and data. In this log there are three possible sequences:
– ABCD
– ACBD
– EF
The log (one event per line, in order of occurrence):
case 1: task A
case 2: task A
case 3: task A
case 3: task B
case 1: task B
case 1: task C
case 2: task C
case 4: task A
case 2: task B
case 2: task D
case 5: task E
case 4: task C
case 1: task D
case 3: task C
case 3: task D
case 4: task B
case 5: task F
case 4: task D

Slide 31: Process mining (7): the >, →, ||, # relations
– Direct succession: x > y iff for some case x is directly followed by y.
– Causality: x → y iff x > y and not y > x.
– Parallel: x || y iff x > y and y > x.
– Choice: x # y iff not x > y and not y > x.
For the log of slide 30 this gives: direct succession A>B, A>C, B>C, B>D, C>B, C>D, E>F; causality A→B, A→C, B→D, C→D, E→F; parallel B||C, C||B.

Slide 32: Process mining (8): basic idea (1)
[Figure: the pattern x → y as a Petri net fragment.]

Slide 33: Process mining (9): basic idea (2)
x → y, x → z, and y || z
[Figure: the corresponding Petri net fragment.]

Slide 34: Process mining (10): basic idea (3)
x → y, x → z, and y # z
[Figure: the corresponding Petri net fragment.]

Slide 35: Process mining (11): basic idea (4)
x → z, y → z, and x || y
[Figure: the corresponding Petri net fragment.]

Slide 36: Process mining (12): basic idea (5)
x → z, y → z, and x # y
[Figure: the corresponding Petri net fragment.]

Slide 37: Process mining (13): it is not that simple: the basic α-algorithm
Let W be a workflow log over T. α(W) is defined as follows.
1. T_W = { t ∈ T | ∃σ ∈ W: t ∈ σ },
2. T_I = { t ∈ T | ∃σ ∈ W: t = first(σ) },
3. T_O = { t ∈ T | ∃σ ∈ W: t = last(σ) },
4. X_W = { (A,B) | A ⊆ T_W ∧ B ⊆ T_W ∧ ∀a ∈ A ∀b ∈ B: a →_W b ∧ ∀a1,a2 ∈ A: a1 #_W a2 ∧ ∀b1,b2 ∈ B: b1 #_W b2 },
5. Y_W = { (A,B) ∈ X_W | ∀(A',B') ∈ X_W: A ⊆ A' ∧ B ⊆ B' ⇒ (A,B) = (A',B') },
6. P_W = { p_(A,B) | (A,B) ∈ Y_W } ∪ { i_W, o_W },
7. F_W = { (a, p_(A,B)) | (A,B) ∈ Y_W ∧ a ∈ A } ∪ { (p_(A,B), b) | (A,B) ∈ Y_W ∧ b ∈ B } ∪ { (i_W, t) | t ∈ T_I } ∪ { (t, o_W) | t ∈ T_O },
and α(W) = (P_W, T_W, F_W).

Slide 38: Process mining (14)
[Figure: the log W of slide 30 and the net α(W) discovered from it.]

Slide 39: Process mining (15): theoretical result (Van der Aalst et al.)
If we start with a process model in a certain class (of Petri nets), and if we assume that the process log is "complete", then it can be proved that the process is exactly reconstructed. However, we are never sure that the process log is complete!

Slide 40: Process mining (16): a simple example
Requirement: it is forbidden that C and D are in the same trace.
Test log:
– A, B, C
– A, B, E
– D, B, E
Footprint of the log (row x, column y; x ← y is written where y → x):
      A   B   C   D   E
  A   -   →   #   #   #
  B   ←   -   →   ←   →
  C   #   ←   -   #   #
  D   #   →   #   -   #
  E   #   ←   #   #   -

Slide 41: Process mining (17): reconstructed process
In this process the following trace occurs:
– D, B, C
This one did not occur in the log! So it is worthwhile to test this trace in the real system. So we can discover potential errors!
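An added example for slides 31, 37, 40 and 41, not code from the lecture or from the ProM project: the footprint relations, the α-algorithm as defined on slide 37, and a token-game replay that shows the trace D, B, C fitting the net discovered from slide 40's log although it breaks the stated requirement. Logs are encoded here as lists of strings, one character per task; the two logs are the ones from slides 30 and 40. A and B in X_W are taken non-empty, which the slide's definition leaves implicit; that choice and the helper names are this example's own.

```python
from itertools import combinations

# Added example (not from the lecture): footprint relations, the alpha-algorithm
# and a replay check of a trace against the discovered Petri net.

def footprint(log):
    """Relations ->, <-, || and # between every pair of tasks, from direct succession >.
    A task paired with itself gives # unless the log contains t > t."""
    tasks = sorted({t for trace in log for t in trace})
    succ = {(x, y) for trace in log for x, y in zip(trace, trace[1:])}    # x > y
    rel = {}
    for x in tasks:
        for y in tasks:
            xy, yx = (x, y) in succ, (y, x) in succ
            rel[(x, y)] = "->" if xy and not yx else "<-" if yx and not xy \
                          else "||" if xy and yx else "#"
    return tasks, rel


def alpha(log):
    """alpha(W) = (P_W, T_W, F_W): places are 'i', 'o' and the (A, B) pairs of Y_W,
    the flow is the arc set F_W of slide 37."""
    T, rel = footprint(log)
    T_I = {trace[0] for trace in log}                  # first(sigma)
    T_O = {trace[-1] for trace in log}                 # last(sigma)
    subsets = [frozenset(c) for k in range(1, len(T) + 1) for c in combinations(T, k)]
    choice = lambda A: all(rel[(a, b)] == "#" for a in A for b in A)
    X = [(A, B) for A in subsets if choice(A) for B in subsets if choice(B)
         and all(rel[(a, b)] == "->" for a in A for b in B)]
    Y = [(A, B) for (A, B) in X                       # keep only the maximal pairs
         if not any(A <= A2 and B <= B2 and (A, B) != (A2, B2) for (A2, B2) in X)]
    places = {"i", "o"} | set(Y)
    flow = {(a, (A, B)) for (A, B) in Y for a in A} | {((A, B), b) for (A, B) in Y for b in B}
    flow |= {("i", t) for t in T_I} | {(t, "o") for t in T_O}
    return places, set(T), flow


def fits(net, trace):
    """Token game: one token in i; each task consumes a token from every input place and
    produces one on every output place; the trace fits iff it ends with one token, in o."""
    places, transitions, flow = net
    marking = {p: 0 for p in places}
    marking["i"] = 1
    for t in trace:
        if t not in transitions:
            return False
        inputs = [p for (p, q) in flow if q == t]
        if any(marking[p] == 0 for p in inputs):
            return False
        for p in inputs:
            marking[p] -= 1
        for (q, p) in flow:
            if q == t:
                marking[p] += 1
    return all(n == (1 if p == "o" else 0) for p, n in marking.items())


LOG_SLIDE30 = ["ABCD", "ACBD", "EF"]        # the three sequences of slide 30's log
LOG_SLIDE40 = ["ABC", "ABE", "DBE"]         # the test log of slide 40

def forbidden(trace):
    """The requirement of slide 40: C and D never in the same trace."""
    return "C" in trace and "D" in trace

if __name__ == "__main__":
    net = alpha(LOG_SLIDE40)
    print("places:", sorted(str(p) for p in net[0]))
    print("D,B,C fits the discovered net:", fits(net, "DBC"),
          "| D,B,C violates the requirement:", forbidden("DBC"))
```

For slide 40's log the maximal pairs are ({A, D}, {B}) and ({B}, {C, E}), so the discovered net has a single place after B from which both C and E can fire regardless of whether the case started with A or D; that is why D, B, C replays without a missing token even though it never occurred.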

Slide 42: Process mining (18): hidden tasks
[Figure.]

Slide 43: Process mining (19): duplicate tasks
[Figure.]

Slide 44: Process mining (20): loops
[Figure.]

Slide 45: Process mining (21): incompleteness
[Figure.]

Slide 46: Process mining (22): process mining – conformance
[Figure: a specification and a log are the inputs of conformance testing.]

Slide 47: Process mining (23): sometimes you get spaghetti!

Slide 48: Tools
– Model checker: SPIN with Promela
– Process mining: ProM