Gamal Elkoumy

Gamal Elkoumy, Alisa Pankova, Marlon Dumas

The applicability of process mining techniques hinges on the availability of event logs capturing the execution of a business process. In some use cases, particularly those involving customer-facing processes, these event logs may contain private information. Data protection regulations restrict the use of such event logs for analysis purposes. One way of circumventing these restrictions is to anonymize the event log to the extent that no individual can be singled out using the anonymized log. This article addresses the problem of anonymizing an event log in order to guarantee that, upon release of the anonymized log, the probability that an attacker may single out any individual represented in the original log does not increase by more than a threshold. The article proposes a differentially private release mechanism, which samples the cases in the log and adds noise to the timestamps to the extent required to achieve the above privacy guarantee. The article reports on an empirical comparison of the proposed approach against the state-of-the-art approaches using 14 real-life event logs in terms of data utility loss and computational efficiency.

Gamal Elkoumy, Stephan A. Fahrenkrog-Petersen, Mohammadreza Fani Sani et al.

Privacy and confidentiality are very important prerequisites for applying process mining in order to comply with regulations and keep company secrets. This paper provides a foundation for future research on privacy-preserving and confidential process mining techniques. Main threats are identified and related to an motivation application scenario in a hospital context as well as to the current body of work on privacy and confidentiality in process mining. A newly developed conceptual model structures the discussion that existing techniques leave room for improvement. This results in a number of important research challenges that should be addressed by future process mining research.

Gamal Elkoumy, Alisa Pankova, Marlon Dumas

The applicability of process mining techniques hinges on the availability of event logs capturing the execution of a business process. In some use cases, particularly those involving customer-facing processes, these event logs may contain private information. Data protection regulations restrict the use of such event logs for analysis purposes. One way of circumventing these restrictions is to anonymize the event log to the extent that no individual can be singled out using the anonymized log. This paper addresses the problem of anonymizing an event log in order to guarantee that, upon disclosure of the anonymized log, the probability that an attacker may single out any individual represented in the original log, does not increase by more than a threshold. The paper proposes a differentially private disclosure mechanism, which oversamples the cases in the log and adds noise to the timestamps to the extent required to achieve the above privacy guarantee. The paper reports on an empirical evaluation of the proposed approach using 14 real-life event logs in terms of data utility loss and computational efficiency.

Gamal Elkoumy, Alisa Pankova, Marlon Dumas

Process mining techniques enable organizations to analyze business process execution traces in order to identify opportunities for improving their operational performance. Oftentimes, such execution traces contain private information. For example, the execution traces of a healthcare process are likely to be privacy-sensitive. In such cases, organizations need to deploy Privacy-Enhancing Technologies (PETs) to strike a balance between the benefits they get from analyzing these data and the requirements imposed onto them by privacy regulations, particularly that of minimizing re-identification risks when data are disclosed to a process analyst. Among many available PETs, differential privacy stands out for its ability to prevent predicate singling out attacks and its composable privacy guarantees. A drawback of differential privacy is the lack of interpretability of the main privacy parameter it relies upon, namely epsilon. This leads to the recurrent question of how much epsilon is enough? This article proposes a method to determine the epsilon value to be used when disclosing the output of a process mining technique in terms of two business-relevant metrics, namely absolute percentage error metrics capturing the loss of accuracy (a.k.a. utility loss) resulting from adding noise to the disclosed data, and guessing advantage, which captures the increase in the probability that an adversary may guess information about an individual as a result of a disclosure. The article specifically studies the problem of protecting the disclosure of the so-called Directly-Follows Graph (DFGs), which is a process mining artifact produced by most process mining tools. The article reports on an empirical evaluation of the utility-risk trade-offs that the proposed approach achieves on a collection of 13 real-life event logs.

Gamal Elkoumy, Stephan A. Fahrenkrog-Petersen, Marlon Dumas et al.

Process mining is a family of techniques for analysing business processes based on event logs extracted from information systems. Mainstream process mining tools are designed for intra-organizational settings, insofar as they assume that an event log is available for processing as a whole. The use of such tools for inter-organizational process analysis is hampered by the fact that such processes involve independent parties who are unwilling to, or sometimes legally prevented from, sharing detailed event logs with each other. In this setting, this paper proposes an approach for constructing and querying a common type of artifact used for process mining, namely the frequency and time-annotated Directly-Follows Graph (DFG), over multiple event logs belonging to different parties, in such a way that the parties do not share the event logs with each other. The proposal leverages an existing platform for secure multi-party computation, namely Sharemind. Since a direct implementation of DFG construction in Sharemind suffers from scalability issues, the paper proposes to rely on vectorization of event logs and to employ a divide-and-conquer scheme for parallel processing of sub-logs. The paper reports on an experimental evaluation that tests the scalability of the approach on real-life logs.