Title :
Conformance checking of electronic business processes to secure distributed transactions
Author :
Talamo, Maurizio ; Arcieri, Franco ; Schunck, Christian H. ; D'Iddio, Andrea Callia
Author_Institution :
Dept. of Bus. Eng., Univ. of Rome Tor Vergata, Rome, Italy
Abstract :
Advances in computer technologies facilitate the implementation of inter-organizational business processes. At the same time, managing the security of these processes is increasingly difficult. Compliance with high-level specifications, like normatives and pre-agreed protocols, rules and requirements, is difficult to validate. Here we discuss how Conformance Checking, a specific area of Process Mining, can be adapted for this purpose. Its role is to verify if an execution of a business process satisfies specifications represented by formal models (e.g. Petri Nets, Transition Systems, structures based on partial orders, etc.). In the process mining literature, few efforts have been dedicated to online checking of business processes and choreographies for security purposes. The main requirement is high precision and reliability of event logs. They should record, precisely and unambiguously, all security-relevant activities of the analyzed process. Maintaining high-level logs becomes difficult with choreographies: log data are distributed, and must be related to events. Important metadata of event logs, like timestamps, can be ambiguous. Moreover, some data cannot be distributed due to security or privacy issues. These problems result in security-relevant ambiguities in event logs. Here we define a framework to create high-level event logs for online inter-organizational compliance checking using a Validation Authority. The system described here has been implemented in the issuing infrastructure for the Italian Electronic Identity card.
Keywords :
business data processing; data mining; distributed processing; security of data; Italian Electronic Identity card; computer technology; conformance checking; distributed transaction security; electronic business process; event logs precision; event logs reliability; process mining; security purpose; validation authority; Automata; Business; Computational modeling; Data mining; Petri nets; Security; Software agents;
Conference_Title :
Security Technology (ICCST), 2013 47th International Carnahan Conference on
Conference_Location :
Medellin
DOI :
10.1109/CCST.2013.6922056