REDUCTION OF CYBERSECURITY RISK VIA EVALUATING USERS' BEHAVIOUR

Since the 1990s, process analysis has held a fundamental position among business management approaches. With the gradual development and expansion of digitalization in businesses that began to use advanced information systems, a demand also arose to survey the processes within companies, including retrospectively from the digital records of information systems. This requirement laid the foundation for the scientific discipline known today as Process Mining. In this article, we introduce its basic concepts and point out the possibility of using them for security analysis of the log of a general system, i.e. any system that creates digital records of its operation (a so-called journal or log). The result of applying Process Mining methods is the identification of unrecorded processes running in a system and of various deviations from the expected system operation, which may signal security threats to the system itself or its operator. In the battle against hybrid threats, many resources are explicitly devoted to protecting cyberspace. The approach proposed in this article allows a system to be analysed as a whole, identifying patterns of behaviour whose individual steps would not arouse suspicion but which, as a sequence of separate steps (processes), do not fall into the expected pattern of system behaviour. This can serve as a long-term sustainable concept in the fight against hybrid threats. An analysis of a system's behaviour can be built on continuous "learning" by labelling newly discovered processes as safe or unsafe, ensuring the long-term sustainability of this approach. The main advantage of the proposed analyses is that they run as oversight of the system itself, analysing it solely on the basis of records from its event log. Therefore, no interventions in the architecture or source code of the analysed system are needed, and the analyses do not affect its operation or data.


Introduction
In an era characterized by rapid technological advancement and interconnectedness, global security dynamics have undergone a profound transformation. With the development of the digital environment, security systems in organizations have also developed remarkably in recent years. Various types of security systems, such as cameras, attendance trackers, security guards, and others, can now be integrated into a unified system that facilitates communication with each of them. Several solutions of this kind are currently available on the market. Their primary objective is to collect data from the individual systems, often from different manufacturers, aggregate this data in one centralized location, and monitor and control the individual systems from a central console. The advantage of consolidating data from multiple systems is a more comprehensive view of the collected data and a more straightforward analysis.
The systems themselves have also evolved. Camera systems now commonly incorporate elements of artificial intelligence that can recognize people and objects in recorded images. Monitoring systems for communication networks continually "learn" from regular operation, enhancing their ability to identify non-standard behaviour on a network and detect potential threats more accurately. Nevertheless, it remains true that the overall analysis of all systems is conducted by an operator who assesses stimuli from the individual systems within the broader context of the organization's operation.
A typical example of a threat that only an operator can evaluate within the context of reports from all security systems is a user's login using correct but stolen login data. Such an event may go unnoticed by network monitoring, as it does not appear suspicious. However, if the operator can identify that the user in question did not pass through the attendance system and that the camera system in the parking lot did not record the arrival of a car with the corresponding number plate, the successful login with the data of a user who likely did not come to the workplace takes on a completely different dimension.
In this article, we delve into available solutions that could assist in identifying security incidents based on system behaviour described by events from various sources. Events can originate, for instance, in a computer's operating system, an information system, or the monitoring of the communication network. Most companies utilize tools of this nature, allowing the monitoring of events in security systems, communication networks, information systems, individual workstations and hardware devices. This abundance of information provides insight into the company's activities, and through the analysis of these events we indirectly scrutinize the company's functioning. This article aims to highlight the potential of utilizing concepts from process analysis and process mining in the realm of security to identify non-standard behaviour within a monitored system.

Literature overview
The rationale for selecting and analysing processes using methods from the field of process mining lies in their applicability to a broad spectrum of systems. Managing businesses on the basis of processes dates back to the 1990s (Hammer, 1994). It gradually gained popularity, and as companies underwent computerization, questions emerged regarding the automated identification of processes within a company. This was done to optimize costs, enhance output quality, or accelerate production. Once an organization's processes were delineated, a need arose to verify the actual execution of business operations against the formally described processes. Formal business process descriptions often use tools such as BPMN diagrams. These two basic questions, identifying the processes in a running system and verifying the real processes in the system against the designed ones, laid the foundation for research in the field of Process Mining (Van der Aalst, 2016). Process mining falls into the field of data science and connects the fields of process modelling and business intelligence. The basic concept used in process mining is the event. Process mining methods assume the availability of a record detailing the system's behaviour in the form of events. An event is characterized by a few fundamental attributes: time, event type, and case. While the context remains focused on company processes, the abstraction provided by viewing them through events allows the analysis of any system. This approach enables the examination of any system whose operation can be monitored as a sequence of events occurring within it. Therefore, in this article we also focus on process mining methods in the context of general systems, and mainly on cyberspace: computers, networks, information systems, and applications.
The frequency of cyberattacks has recently increased (Plėta et al., 2020). Information of dubious origin is spreading within the unregulated social media environment, contributing to societal polarisation. This phenomenon is not solely associated with the conflict in Ukraine. Cyberattacks and the spread of disinformation both fall under the umbrella term hybrid threats. The term hybrid threat refers to an activity carried out by state or non-state entities aiming to harm the target by influencing its local, regional, state, or institutional decision-making (NBÚ, 2024; Kovács, 2022).
We aim to highlight the potential applications of process analysis of system behaviour and insights from process mining in combating hybrid threats. We place particular emphasis on the long-term sustainability of the proposed procedures. We assume that the investigated system generates structured information about the events that occur during its activity. The advantage of our proposed procedures is that they require no interventions in the monitored system and do not affect its operation.
As business environments become increasingly dynamic and complex (Sliwa, Krzos & Piwoni-Krzeszowska, 2021), it becomes indispensable for organizations to objectively analyse business processes, monitor existing and potential operational frictions, and take proactive action to mitigate risks and improve performance. Process mining provides techniques to extract insightful knowledge about business processes from event data collected during the execution of the processes. In addition, various approaches have been suggested to support the real-time (predictive) monitoring of process-related problems. However, the link between the insights from continuous monitoring and specific management actions for actual process improvement still needs to be established. Action-oriented process mining aims to connect the knowledge extracted from event data to actions (Park & Van der Aalst, 2022). Process mining is an approach that can discover and improve business processes by extracting knowledge from event logs created in an information system. Typically, the recording of process execution data as events is supported by an information system and technology. Moreover, organizations perform various business processes to serve their clients. Process mining employs an event log to determine and control the flow and processing of information and the performance of resources. Precise prediction helps a manager deal with undesired situations with more control; thus, future losses can be controlled (Neerumalla & Parvathy, 2022).
Historical data on the execution of processes stored in information systems provide a valuable source of knowledge for improving processes inside organizations. Running business processes consist of different events that make up the event data. Process mining is a set of data-driven techniques for unlocking the power of event data within organizations (Van der Aalst, 2016). It provides a variety of insights into processes, such as discovering process models, determining whether the discovered models and the event data are aligned (Carmona et al., 2018), and revealing performance and bottleneck analysis (Van der Aalst, Adriansyah & van Dongen, 2012; van Dongen, 2018). These process reviews in different aspects should be put into action, i.e., the discovered status of a process and its problems should be addressed with regard to process improvement.
Process mining has demonstrated its ability to deliver backward-looking insights, but there is a growing demand for forward-looking insights that can be used to change processes. All techniques in process mining that intend to undertake future analysis are referred to as forward-looking techniques. We divide them into two categories: simulation and prediction techniques. The mainstream forward-looking techniques in process mining also operate at a detailed level, e.g., predicting the remaining time of a case using machine learning techniques (Tax et al., 2017) or simulating processes in detail (Rozinat et al., 2009). Simulation techniques are well-known forward-looking techniques introduced into the process mining field 15 years ago (Van Der Aalst, 2009). Discrete Event Simulation (DES) is a commonly used approach to play out process models at a detailed level (Rozinat et al., 2009). Simulation models and outcomes are improved using process mining approaches, such as in (Camargo, Dumas & González-Rojas, 2020). However, at detailed levels, some process aspects remain concealed and can only be captured at a higher level of aggregation. The impact of strategic and high-level decisions and of external factors such as resource expertise is, for example, overlooked (Van Der Aalst, 2015).
In contrast to discrete event simulation or other detailed modelling techniques based on individual entities, system dynamics techniques are based on aggregation, e.g., the number of people or products per day (Brailsford, Churilov & Dangerfield, 2014). These techniques can cover various effects, including human factors, and model nonlinear relations at an aggregated level (Sterman, 2002). System dynamics tends to describe and capture a system using its variables and the underlying effects among them. Such approaches seek to provide a holistic system model that incorporates all possible effective variables in the system over time intervals (Pourbafrani & Van der Aalst, 2021; Berti & Herforth et al., 2023). However, most simulation-based approaches, including system dynamics, rely heavily on users and their understanding of the system. Each level can be used for a different simulation technique, as proposed in (Pourbafrani & Van der Aalst, 2022a), where the results of coarse-grained simulations are used to update processes at detailed levels and the DES models are later simulated at operational levels.
Process mining techniques can describe and model real processes using historical event data from organisations' information systems. These insights are later used for process improvement. For instance, Discrete Event Simulation (DES) uses process models that can mimic real-world events. However, the aggregated performance status of processes over time reveals various hidden relationships between process variables. Coarse-grained process logs are sets of performance variables over time intervals, generated from the event data of processes. Coarse-grained process logs describe processes at higher levels. System Dynamics complements process mining by capturing the relationships between various process variables at a higher level of abstraction. In their paper, the authors propose a new framework for capturing conceptual models of processes using transformed event data. The main idea is to discover the underlying relations automatically as equations. This allows system dynamics simulations of processes to be generated, employing various statistical and machine learning techniques to find the hidden relationships between process variables. The framework supports the simulation modelling task in the context of system dynamics simulations. Experiments using real event logs demonstrate that this approach can generate valid models and capture the underlying relationships (Pourbafrani & Van Der Aalst, 2022b; Berti & Jessen et al., 2023).
Process mining techniques help practitioners optimize the execution of P2P processes by analysing the execution data and providing valuable insights. However, existing techniques may produce misleading insights due to many-to-many relationships between business objects, e.g., between orders and invoices in the P2P process. Recently, object-centric process mining techniques have been proposed to avoid the limitations of traditional process mining techniques (Bouricha, Hsairi & Ghédira, 2023).
Process mining that focuses only on activity-oriented processes and neglects the users' behaviour behind the activities overlooks the reality it sets out to capture. Recognizing the users' underlying intentions can improve guidance and offer better recommendations. As a result, an area of study known as Intention Mining has emerged. It aims to discover users' behaviour using an event log. Intention is frequently used in computer science research, including requirements definition, business processes, and method engineering for context adaptation. The authors reviewed Intention-Oriented Process Mining based on event logs in the field of information systems engineering. The objective is to identify the different models, methodologies, and algorithms proposed, the tools used, and the various challenges in these fields, based on a four-step selection process for the review: identification, followed by screening, eligibility, and inclusion. For the first time, the focus is on process mining and intention mining based on log files and their relationship, to get an idea about the area of intention mining (Qafari & Van Der Aalst, 2022).
Process mining techniques can help organizations improve their operational processes. Organizations can benefit from process mining techniques in finding and amending the root causes of performance or compliance problems. Considering the volume of data and the number of features captured by the information systems of today's companies, discovering the features that should be considered in causal analysis can be quite involved (Elkoumy et al., 2022).
Privacy and confidentiality are crucial prerequisites for process mining, to ensure compliance with regulations and safeguard company secrets. The authors of the article provide a foundation for future research on privacy-preserving and confidential process mining techniques. The main threats are identified and related to a motivating application scenario in a security context and to the current body of work on privacy and confidentiality in process mining. A newly developed conceptual model structures the discussion and shows that existing techniques leave room for improvement. This leads to several significant research challenges that need to be addressed in future process mining studies (Macak, Oslejsek & Buhnova, 2022).
Process mining techniques can help organizations improve their operational processes. Organizations can benefit from process mining by finding and amending the root causes of performance or compliance problems. Considering the volume of data and the number of features captured by the information systems of today's companies, discovering the set of features that should be considered in causal analysis can be quite involved. In their paper, the authors propose a method for finding the set of (aggregated) features that could possibly have a causal effect on the problem. The causal analysis task is usually done by applying a machine learning technique to the data gathered from the information system supporting the processes. To avoid confusing correlation with causation, which may happen when the findings of machine learning techniques are interpreted as causal, the authors propose a method for building a structural equation model of the process that can be used for causal analysis (Keršanskas & Deterence, 2020).
The quality of hands-on cybersecurity training is crucial for effectively mitigating cyber threats and attacks. However, practical cybersecurity training is strongly process-oriented, making post-training analysis difficult. In their paper, the authors present process mining methods applied to the learning analytics workflow. They introduce a unified approach to reconstructing behavioural graphs from sparse event logs of cyber ranges. Furthermore, they discuss significant data features that affect their practical usability for educational process mining. Based on that, methods of dealing with the complexity of process graphs are presented, taking advantage of the puzzle-based gamification of in-class training sessions (Macak et al., 2022).

Hybrid threats
Hybrid threats, in general, represent a combination of threats in the real world and in cyberspace. In recent years, the fight against hybrid threats has intensified (Korauš et al., 2023). The methods of combating hybrid threats can be divided into preventive and responsive, with the preventive approach focusing on deterring attackers and increasing the costs of their attacks (Keršanskas & Deterence, 2020). Responsive approaches focus on reacting to an action already in progress or, based on an identified action, on preventing future actions.
The fight against threats in cyberspace stemming from the dissemination of fake news and radicalizing posts involves analysing the content of posts on websites and social networks to automatically identify suspicious posts and their authors. Sophisticated algorithms for lexical analysis using artificial intelligence, which can identify a post's sentiment (Wankhade et al., 2022) or categorize its content, are used for this purpose.
In information security protection, the foundation is the security of networks and of all devices communicating within a given network against intrusions, misuse, and theft of sensitive data. A broad spectrum of resources can be used here, which can be divided into hardware and software. Hardware resources are devices used for scanning a system or monitoring network traffic; typical examples are hardware firewalls and proxy servers. Software tools ensure the monitoring of running applications, communication, and the availability of services. The following review highlights the most commonly used ones (Keary, 2023).
In this article, we propose using process analysis of the monitored system to identify non-standard behaviour in the system. The proposed method of analysing a system is dynamic: it learns continuously by allowing discovered deviations from the system's expected behaviour to be classified either as standard (the system changes over time, and the newly discovered change is in line with its new processes) or as incidents. In our proposal, the model of the system's standard behaviour is stored as a continuously updated footprint matrix and/or as a list of permitted processes in the form of BPMN diagrams. The dynamic approach thus ensures the long-term sustainability of the proposed approach in detecting security incidents in the system, which in general may consist of several individually permitted steps whose sequence as a process in the system is nevertheless suspicious. The monitored system, in our case, is any system that creates a log of its operation, so the proposed approach applies to a wide range of systems, particularly in cyberspace, and can thus significantly help in the fight against hybrid threats (Korauš et al., 2024).

Basic concepts
In the following sections, we will introduce the basic concepts with which we will continue to work.

Processes
In general, a process is a naturally occurring or artificially created sequence of changes in the properties of an object or system. If we focus on processes within an organization, we can define a business process as an objectively natural sequence of activities to achieve a given goal under objectively given conditions (Řepa, 2012). In this article, we deal with processes that can be identified in systems but are not necessarily explicitly described. We are also interested in processes that are part of the system's normal functioning but may not be directly associated with fulfilling its goals, such as production or the provision of a service.

Events
As we mentioned in the introduction, we assume that the examined system keeps a record of the changes that occur during its activity. In IT solutions, records of a system's operation are kept in a log. This common practice gives us information about what happened in a system, when, and who caused the event. It cannot be expected, however, that system runtime logs will look the same in different systems or be available in the same form or structure. For a rigorous analysis of data from a system's operation, it is therefore necessary to create a basic definition that determines the minimum information a system operation log must contain in order to be analysable further. The basic concept we continue to work with is the concept of an event.
Definition. An event is a change of properties or attributes in a system, described by the time of its occurrence, its case, and its type.
By the term case we understand, for example, the instance of the process in which the given event occurred, or the instance of the process performed by a specific user or for a particular customer. Along with the other necessary properties listed, an event may contain additional information that can be used for more accurate processing in a specific application. In general, however, we expect an event to tell us what kind of event it is, when it occurred, and the case in which it occurred.
A system log, in general, may also contain much other information relating to the system's state at a given moment. Therefore, it is very often necessary to process the log in some way so that the result of the processing is only the set of events relevant to the purposes of the selected analysis.

Log processing
The issue of collecting events from different sources and in various formats, unifying them and gathering them in one place is familiar in IT solutions. In the everyday operation of systems, it is very often necessary to have log entries available in a uniform format in one place for rapid and more accessible analysis of events in the individual systems. For this purpose, tools convert log entries from different sources into a uniform format. Every technology currently used to develop IT systems includes support for creating logs. The conventions used in practice mean that conversion to other formats is a simple task. Most of these conversions are handled by log processing tools, and if a tool does not support a given format, it provides the option of implementing one's own converter. The purpose of this article is not to analyse these tools; still, we can recommend to the reader, for example, the overview of freely available tools for log processing at (Ankush 10 Open Source Log Collectors for Centralized Logging, 2023). Figure 1 schematically depicts the processing of logs from different sources. Log processing tools support several log formats and sources, and can automatically process, filter, and convert the data into the desired output format. If the system creates a log whose format is not supported by the log processing tool, a custom converter must be written to convert the log from its original format into one understood by the log processing tool. After filtering unnecessary entries out of the log and converting the log data into the format given by the event definition, we obtain a unified structure of events stored in a database. This further allows us to process events in time slices and contexts.
After unifying the event records, some applications may face the problem of uniform user identification across several systems. In one source of events a user may be identified, for example, by a username, while in another source the same user may have a different username or only a personnel number. When analysing events in a system, we usually need to trace one user's activity through multiple sources of events. Therefore, when processing logs it is necessary to consider not only the unification of formats but also the mapping of user identifiers: the various user identifiers in the individual event sources are replaced by a single identifier, so that events from different sources can be attributed to a specific user.
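The log processing and user-identifier mapping described above, as an added example that is not code from the article: two constructed log sources (a VPN access log keyed by username and a server OS log keyed by personnel number) are filtered, converted to the event structure (time, case, type, source), mapped onto one user identifier and ordered chronologically. The log formats, the identity table and the year assumed for syslog lines are all illustrative assumptions.

```python
"""Added example (not code from the article): unify two constructed
log sources into events (time, case, type, source), map per-source user
identifiers onto one identifier, and order everything chronologically.
The log formats, the year for syslog lines and the identity table are
assumptions made for illustration."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample lines. The "VPN Access Log" names the user by username,
# the "Server OS Log" knows only a personnel number; one cron line is noise.
VPN_LOG = """\
2024-03-04T08:02:11Z vpn01 user=jnovak action=connect src=203.0.113.7
2024-03-04T08:40:59Z vpn01 user=jnovak action=disconnect
2024-03-04T08:05:42Z vpn01 user=mhorak action=connect src=198.51.100.23
"""
OS_LOG = """\
Mar  4 08:03:05 db-srv sshd[2211]: Accepted publickey for emp4471 from 10.0.5.12
Mar  4 08:10:00 db-srv CRON[3001]: (root) CMD (run-parts /etc/cron.hourly)
Mar  4 08:39:48 db-srv sshd[2211]: Disconnected from user emp4471 10.0.5.12
"""
# Assumed identity table: (source, identifier in that source) -> unified id.
IDENTITY_MAP = {
    ("vpn", "jnovak"): "U001",
    ("os", "emp4471"): "U001",   # same person as jnovak
    ("vpn", "mhorak"): "U002",
}


@dataclass(frozen=True, order=True)
class Event:
    """The minimum an event must carry (time, case, type) plus its source."""
    time: datetime
    case: str        # here: the unified user identifier
    type: str
    source: str


VPN_RE = re.compile(r"^(\S+) \S+ user=(\S+) action=(\S+)")
SYSLOG_TS = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
OS_LOGIN_RE = re.compile(SYSLOG_TS + r"sshd\[\d+\]: Accepted \S+ for (\S+) from")
OS_LOGOUT_RE = re.compile(SYSLOG_TS + r"sshd\[\d+\]: Disconnected from user (\S+)")


def unify_user(source, ident):
    """Replace a per-source identifier by the unified one; keep unknowns visible."""
    return IDENTITY_MAP.get((source, ident), f"UNMAPPED:{source}:{ident}")


def parse_vpn(text):
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if not m:                      # filter out lines that are not events
            continue
        ts, user, action = m.groups()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, unify_user("vpn", user), "vpn_" + action, "vpn"))
    return events


def parse_os(text, year=2024):
    """Syslog lines carry no year; the caller supplies it (assumed 2024, UTC)."""
    events = []
    for line in text.splitlines():
        for pattern, etype in ((OS_LOGIN_RE, "server_login"), (OS_LOGOUT_RE, "server_logout")):
            m = pattern.match(line)
            if m:
                ts, user = m.groups()
                when = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year, tzinfo=timezone.utc)
                events.append(Event(when, unify_user("os", user), etype, "os"))
                break
    return events


def unified_log(vpn_text=VPN_LOG, os_text=OS_LOG):
    """All sources merged and sorted chronologically (Event orders by time first)."""
    return sorted(parse_vpn(vpn_text) + parse_os(os_text))


def trace(events, case):
    """The sequence of event types of one case, i.e. one user's activity across sources."""
    return [e.type for e in events if e.case == case]


if __name__ == "__main__":
    for e in unified_log():
        print(e.time.isoformat(), e.case, e.type, e.source)
```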

BPMN diagrams
Business Process Model and Notation (BPMN) diagrams make it possible to represent processes graphically in a standardized way. Figure 2 shows a sample BPMN diagram describing the process of gaining access to a customer's VPN network so that a vendor can perform an intervention in a database containing sensitive data. The process begins with the vendor's employee, labelled "Vendor", at the top of the diagram. The beginning of the process is marked "Start". The vendor requests access by emailing the customer's IT administrator. The IT administrator who processes the request first verifies whether the vendor has approved access to the required resources in the "Approved Requests" database. If the required access is approved for the vendor, the IT administrator grants access for a limited time. If such access is not shown as approved for the vendor, the IT administrator sends an access denial email, does not allow access, and also reports an incident of a request for unauthorized access to the internal incident recording system. In the case of denied access, the process ends on the vendor's side at the point "End" after the vendor receives the information about the denial. If the vendor's request for access is justified, the IT administrator allows access, and the process continues on the vendor's side by performing the intervention on the database itself. In practice, this may mean the sequential execution of steps on the vendor's side: logging into the customer's VPN network, then logging into the server on which the intervention will be performed, performing the intervention in the database, and then logging out of the server and finally out of the customer's VPN network, at which point the process ends. We explicitly indicated in the process diagram that all process activities are written to the respective logs: "VPN Access Log", "Server OS Log" and "Database System Log". Thus, the IT administrator can monitor all vendor activities during the whole process. We point indirectly to the usual state of such solutions, in which each system element creates its own log, and when an incident is investigated it becomes necessary to search several logs in several formats and in several places. It is also necessary to obtain the event records from the individual logs in chronological order to create an overall picture of the sequence of activities performed in the system by one user.
The advantage of BPMN diagrams lies mainly in the fact that they are clear and use a relatively small number of elements to represent processes, which makes them easy to learn and understand. Therefore, both business representatives and technical staff understand them.

Petri nets
Petri nets are used for formally exact mathematical modelling of distributed and parallel systems.
Definition. A Petri net comprises places, transitions, and the arcs (edges) that connect them. Places may contain tokens, which represent the state of the system. Transitions create and consume tokens and represent events or actions in the modelled system. The places in the diagram, marked P1, P2, ... P10, represent positions at which tokens may occur at some point during the entire process. The individual activities of the process are represented as transitions in the Petri net. A transition (activity) can fire only if all of its input places contain a token. Firing consumes one token from each input place and creates one token in each of its output places. A transition may keep firing as long as all of its input places hold tokens; it stops as soon as at least one input place no longer contains a token.
Petri nets are used in process mining algorithms. As we show in the following sections, they serve as both inputs and outputs of the process mining methods we present.
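The token-game semantics of the definition above, as an added example that is not code from the article: a minimal Petri net class (enabled only when every input place holds a token; firing consumes one token per input place and produces one per output place), a net modelling the vendor VPN access process of Figure 2 including the grant/deny choice, and a token replay that checks whether a recorded trace fits the net. Place and transition names are illustrative assumptions.

```python
"""Added example (not code from the article): a small Petri net with the
token-game semantics of the definition above, modelling the vendor VPN
access process of Figure 2, and a token replay of event traces on it.
Place and transition names are assumptions made for illustration."""
from collections import Counter


class PetriNet:
    def __init__(self):
        self.transitions = {}   # name -> (input places, output places)

    def add(self, name, inputs, outputs):
        self.transitions[name] = (tuple(inputs), tuple(outputs))

    def enabled(self, marking, name):
        """Enabled only if every input place holds at least one token."""
        inputs, _ = self.transitions[name]
        return all(marking.get(p, 0) >= 1 for p in inputs)

    def enabled_set(self, marking):
        return {t for t in self.transitions if self.enabled(marking, t)}

    def fire(self, marking, name):
        """Consume one token from each input place, produce one in each output place."""
        if not self.enabled(marking, name):
            raise ValueError(f"transition {name!r} is not enabled")
        inputs, outputs = self.transitions[name]
        new = Counter(marking)
        for p in inputs:
            new[p] -= 1
        for p in outputs:
            new[p] += 1
        return +new   # unary plus drops places whose count fell to zero


def vpn_access_net():
    """Transitions are the activities of Figure 2; places are the states between them."""
    net = PetriNet()
    net.add("request_access",  ["start"],      ["requested"])
    net.add("check_approval",  ["requested"],  ["decided"])
    net.add("grant_access",    ["decided"],    ["granted"])   # choice: one token in
    net.add("deny_access",     ["decided"],    ["denied"])    # "decided" enables both
    net.add("receive_denial",  ["denied"],     ["end"])
    net.add("vpn_login",       ["granted"],    ["in_vpn"])
    net.add("server_login",    ["in_vpn"],     ["on_server"])
    net.add("db_intervention", ["on_server"],  ["done"])
    net.add("server_logout",   ["done"],       ["out_server"])
    net.add("vpn_logout",      ["out_server"], ["end"])
    return net


def replay(net, trace, initial=("start",), final="end"):
    """Token replay of one case. Returns (fits, steps_replayed): the trace fits
    when every event fires in order and exactly one token ends in `final`."""
    marking = Counter(initial)
    for i, name in enumerate(trace):
        if name not in net.transitions or not net.enabled(marking, name):
            return False, i          # i = index of the event that could not fire
        marking = net.fire(marking, name)
    return marking == Counter({final: 1}), len(trace)


if __name__ == "__main__":
    net = vpn_access_net()
    print(replay(net, ["request_access", "check_approval", "grant_access", "vpn_login",
                       "server_login", "db_intervention", "server_logout", "vpn_logout"]))
    print(replay(net, ["request_access", "grant_access"]))   # skipped the approval check
```

A trace that fails to replay, such as a server login recorded before the VPN login or access granted without the approval check, is exactly the kind of individually permitted steps in a suspicious order that the article proposes to flag.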

System processes
Information systems and a high level of digitalization and automation are now an integral part of business management. A typical business operates thanks to one or several information systems that ensure quick access to information where it is needed. Along with information systems, companies usually have various other systems that take care of security (cameras, a security system), control of employee attendance (time and attendance system), and other possible functions. All such systems have one basic concept in common: events occur in them, the systems process these events in some way, and, importantly for us, record them.
For the analyses used in this article, data on the functioning of a business (and of a system in general) are needed in a digitally processable and structured form. This automatically orients us towards the records of events in information and other systems, through which we can monitor what happens, whether in the company that uses them or in some other system, such as a social network or a banking system. As we mentioned in the section on log processing, the problem of unifying log entries from different sources is technically solvable. Henceforth, we assume that we have chronologically ordered logs collected from all sources of the investigated system. At the same time, each event record also identifies the source system in which the event occurred.
As soon as we have an overview of the events in the system, obtained from various sources and sorted chronologically, we have the basis for analysing the events in the system. We can start searching for similar sequences of events, events that occur frequently or only exceptionally, and attempt to identify the standard and non-standard behaviour of the entire system. The answers to these and other questions are provided by process mining techniques, which we describe in the next section.

Process mining
In practice, process mining is used primarily when the description of a system's processes is insufficient or cannot be obtained in any other way. In our use of process mining methods, we have three goals:
1. To obtain a description of the behaviour of the monitored system.
2. To identify deviations from the system's normal behaviour.
3. To verify whether the explicitly described processes run in the system according to their description.
In analysing system behaviour with process mining methods, we will not focus on optimizing existing processes, which is the primary goal of process mining, but rather on identifying relationships between events in the system, acquiring an overview of how the system functions, and detecting non-standard behaviour within it. Process mining methods cover two main areas:
1. Searching for processes in the system (process discovery).
2. Verifying processes in the system against their formal designs (conformance checking).
The class of algorithms that deals with discovering processes in a system will help us fulfil the first goal, acquiring a description of the observed system. We describe them in more detail in the next subsection. To demonstrate specific outputs, we use the ProM application (Lohman, Verbeek, Dijkman 2009) to process and analyse the logs; ProM is a basic research tool for process mining, implementing many of the algorithms used in research in this area.

Process discovery
Searching for, or discovering, processes is the first step in process mining. Its main objective is to transform an event log into a process model. The basic algorithm for gaining insight into the causality of individual events in the log is the Alpha algorithm, which builds from the events in the log a Petri net representing the succession of individual events. It distinguishes the following relationships between events:
1. Direct succession, denoted X > Y. It holds that X > Y if and only if event Y directly follows event X somewhere in the log.
2. Causality, denoted X -> Y. It holds that X -> Y if and only if X > Y but not Y > X. In other words, in the event log, event X is followed by event Y, but never vice versa.
3. Parallel events, denoted X || Y. It holds that X || Y if and only if X > Y and at the same time Y > X.
4. Choice, denoted X # Y. It holds that X # Y if and only if (X > Y)' and (Y > X)', where the symbol ' denotes negation of the statement.
Based on these definitions, we can identify different patterns in the sequence of events in the logs. In Figure 4, the direct succession of events X and Y is shown on the left, and on the right the exclusive choice for which X -> Y, X -> Z and Y # Z hold. Figure 5 shows the pattern in which Y and Z are parallel events.
The data analysed in the example below are records of changes in the state of individual sensors in a private house. Upon a change of state, each sensor reported an event, the event time and the sensor status (input open/closed); the sample table of this data lists several such records. Its columns mean (in the following order): record id, event occurrence time, sensor label, sensor status (true = closed), serial number of the day of the year (doy), serial number of the day of the week (dow), year, time of day (tod).
The ProM tool takes as input for its algorithms files in the .xes format (XES, eXtensible Event Stream), an XML-based format for describing event logs. In most applications the event file is in a different format, so conversion to .xes is required; ProM provides direct conversion of several commonly used formats to .xes.
For the analysis in ProM, when converting the source data from the .csv format to the .xes format, we chose the combination of the sensor name and its status as the activity identifier. Using the algorithm for identifying local process models (mine local process models), we obtained several sequences of events. Figure 6 shows a preview of one of them. The depicted sequence means that the events occurred in this order 13 times in the observed period. The order of events is:
• Opening of the balcony door.
• Opening of the entrance to the terrace.
• Opening of the outer door to the terrace (sensor labelled Fiona).
Opening of the balcony door occurred in this sequence 14 times out of a total of 53 occurrences of that event, opening of the terrace entrance 13 times out of 60, and opening of the exterior terrace door 13 times out of 28 in the data sample. It is worth noting that the data come from a private house in which several household members lived, including three cats. The algorithm found several sequences, most of which were hard to interpret as the movement of a single inhabitant through the building. The sequence in Figure 6 was one of the few in which a logical sequence of events could be read; in this case it was probably a person leaving the house through the balcony and the terrace. Although the data also contained many events that were unrelated to each other, because their temporal order was disrupted by events originating from different sensors triggered by different residents of the house, the process mining method nevertheless allowed us to identify, among the sequences found, the recurring habits of the house's residents.
With this kind of approach we can map the behaviour of a system, find repeating sequences that identify common processes in it, and subsequently monitor the system, evaluating at regular intervals whether it still behaves normally. With this example we wanted to show that process mining methods can analyse not only information systems but also, for instance, events generated by an independent group of primitive sensors.
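The CSV-to-XES conversion described above, as an added example that is not the article's own code and not part of ProM: a small converter that writes the minimal XES (Concept and Time extensions) that ProM reads, using sensor name plus status as the activity identifier. The CSV sample is constructed to follow the column layout the text describes (record id, time, sensor label, status, doy, dow, year, tod); the sensor names, times, the UTC time zone and the choice of one trace per calendar day are assumptions, since the article does not say how cases were formed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List
from xml.etree import ElementTree as ET

XES_NS = "http://www.xes-standard.org/"

# Constructed sample in the column layout described in the article.
# status: true = closed, so rows with "false" are door/window openings.
SAMPLE_CSV = """id,time,sensor,status,doy,dow,year,tod
1,2024-03-02 07:41:05,Balcony door,false,62,6,2024,07:41:05
2,2024-03-02 07:41:40,Terrace entrance,false,62,6,2024,07:41:40
3,2024-03-02 07:42:02,Fiona,false,62,6,2024,07:42:02
4,2024-03-02 07:55:10,Fiona,true,62,6,2024,07:55:10
5,2024-03-03 18:02:33,Balcony door,false,63,7,2024,18:02:33
6,2024-03-03 18:03:01,Balcony door,true,63,7,2024,18:03:01
"""


def activity(row: Dict[str, str]) -> str:
    """Activity identifier = sensor name + status, as chosen in the article."""
    return f"{row['sensor']}:{row['status']}"


def group_cases(rows: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Assumption: one trace (case) per calendar day, keyed by year and doy.
    Events inside a case are ordered by their timestamp, not by record id."""
    cases: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for row in rows:
        cases[f"{row['year']}-{int(row['doy']):03d}"].append(row)
    for events in cases.values():
        events.sort(key=lambda r: r["time"])
    return cases


def csv_to_xes(text: str) -> str:
    """Serialise the CSV log as an XES document (timestamps assumed to be UTC)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    log = ET.Element("log", {"xes.version": "1.0", "xmlns": XES_NS})
    for name, prefix in (("Concept", "concept"), ("Time", "time")):
        ET.SubElement(log, "extension", {"name": name, "prefix": prefix,
                                         "uri": f"{XES_NS}{prefix}.xesext"})
    for case_id, events in sorted(group_cases(rows).items()):
        trace = ET.SubElement(log, "trace")
        ET.SubElement(trace, "string", {"key": "concept:name", "value": case_id})
        for row in events:
            ev = ET.SubElement(trace, "event")
            ET.SubElement(ev, "string", {"key": "concept:name", "value": activity(row)})
            ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            ET.SubElement(ev, "date", {"key": "time:timestamp",
                                       "value": ts.strftime("%Y-%m-%dT%H:%M:%S.000+00:00")})
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(log, encoding="unicode")


def traces_of(xes_text: str) -> List[List[str]]:
    """Read the activity sequence of every trace back out of an XES string."""
    root = ET.fromstring(xes_text)
    result = []
    for trace in root.findall(f"{{{XES_NS}}}trace"):
        result.append([ev.find(f"{{{XES_NS}}}string").get("value")
                       for ev in trace.findall(f"{{{XES_NS}}}event")])
    return result


if __name__ == "__main__":
    xes = csv_to_xes(SAMPLE_CSV)
    print(xes)
    print(traces_of(xes))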

Conformance checking
In this section, we will verify the explicitly described processes in the system that we have available while adhering to the processes in the real operation of the system.The main motivation for this type of control is to verify whether actual processes carried out in the system comply with the rules stipulated by management, the government, or other interested entities.This is an audit of the system's functioning, and its result may be the uncovering of embezzlement, security incidents, or misuse of a system.The analysis will once again be based on the availability of a log containing events from the actual operation of the system and BPMN models of the processes intended for examination in the real system operation.The outcome of such monitoring should indicate the current process's conformity with its design in the BPMN diagram.This encapsulates the fundamental concept of conformance checking, which will be employed in our analyses.
The BPMN diagram is used as an input because, in practice, it is the most used way of recording processes in both business and technical environments.Its basic problem is that it cannot be formalised, which is why Petri nets are used in the analyses, which have formal semantics, and the models they described can be formally verified.The conversion of a BPMN diagram to a Petri net can be done using various procedures (Frank Front Door Motion & Brightness 2024).Among the basic methods for conformance checking are: • Comparing the footprint matrix of the log and the model.
• The token-replay algorithm in the Petri net corresponding to the model.
Our goal differs from the purpose of using a conformity test.Although it is interesting for us to know how exactly the agreed processes are followed in practice, we are mainly interested in situations when the real process in the system does not go according to design.All three algorithms, however, analyse the event logs using individual identified sequences, so it is not a problem to modify the algorithms so that the sequences of events from the log that do not correspond to the designed process are flagged in some suitable way.We will discuss individual algorithms in more detail.

Comparing the footprint matrices
The algorithm's operation principle lies in the fact that it creates a footprint matrix for a given log, which represents the dependence of two events on each other.In the same way, it creates a footprint matrix for the process model against which the log will be compared.We use the definitions of relationships between events from the Process discovery section to create a footprint matrix.Let us assume we have identified the following sequence of events in the event log: {<A,B>, <A,C,D>}.We create a footprint matrix from them: Source: own processing Table 3. Sample footprint matrix for the log From the footprint matrix of the model, we see that the sequence of events (A, D) is also enabled in the model, but it does not appear in the log.This creates for us a difference between the matrices.The relation determines the similarity (fitness) of the matrices (Van der Aalst 2016).
To identify suspicious behaviour in the system, the similarity value is indeed interesting, but to determine whether this is some kind of incident in the system, we need to analyse the differences.However, we can get them very easily when we compare the matrices.Specifically, in this case, when examining the log, the absence of a sequence of events (A, D) that the model permits but which did not occur in real operation should be analysed.The sequences that occurred in the log are equally interesting, but the model does not allow for them.
Another option for using footprint matrices is to compare two logs obtained from different periods of system operation.The procedure could be such that we declare the log obtained for a specific period as the standard and, monitor the following periods and compare them with the standard.We then analyse the individual differences in the sequence of events in both compared logs in more detailif it is an expected or "secure" sequence, we adjust the standard by supplementing this sequence of events.We will thereby gradually build a model of the system's standard behaviour as described by the footprint matrix, against which we can then continuously compare the real operation of the system and thus identify potential incidents.

Token-replay algorithm
The algorithm's main idea is to replay the running of one sequence of events on a model, represented by a Petri net.Replaying a sequence in a Petri net takes place according to the definition of a Petri net, with the difference that if an event from the sequence cannot be played because it does not have the necessary tokens at the input places, we create the missing tokens and count them in the missing tokens counter.Likewise, if any tokens in the Petri net remain unconsumed after the sequence is played, we count them in the remaining tokens counter.Overall, we define 4 counters that maintain counts for: 1. created tokens (p), 2. consumed tokens (c),  2. The first step in the sequence is Access Granted.However, we cannot perform this step in the Petri net because there is no token at the input place to this transition (place P2).We produce a token on it and add 1 to the counter of missing tokens (Figure 11): 3.In this Petri net configuration, we can now perform the transition.So, the Access Granted thus consumes a token at the input place and creates a token at the output place, which in this case is location P4 (Figure 12): The verified sequence has no further steps, so the final configuration of the Petri net will look like this (Figure 13): We add the consumed token from P4 to the counter c, and we have an unconsumed token left at place P1, which we add to the counter of remaining tokens r.The final state of the counters is as follows: p=2, c=2, m=1, r=1.The similarity of the verified sequence with the process model is then given.
Thus, the verified sequence only partially matches the model.As a secondary output of the Petri net marking process, we will use the residual tokens, which indicate which activities of the model did not run well in reality.We can, therefore, analyse them in more detail in terms of the severity of non-conformity with the prescribed process or from the point of view of the occurrence of a possible incident.

Alignment algorithm
The token-replay algorithm is efficient and easy to understand but has shortcomings.With a more complicated Petri net, it may not follow the most appropriate path given by events from the log.The alignment algorithm aims to systematically search the Petri net and find the most accurate matches between the verified sequences of events and the corresponding paths in the Petri net.However, this approach is computationally demanding (Frank Front Door Motion & Brightness 2023).It is unsuitable for analysing events in more complex systems, especially if we wish to analyse events in the system in (almost) real time.

Conclusions
In this article, we have taken a closer look at process mining and the possible use of its methods in the field of system monitoring to reveal non-standard behaviour in a system.In our analyses, the operation of a system was described only by a log of events that occurred in a system.The events were represented with only a few basic attributes, such as the time, originator, and event type.With a little work, creating such a log from ordinary log records of information systems and using the process mining method to analyse them is possible.
We demonstrated the process of analysis to detect processes in the system by simply logging events generated by the motion sensors of a private house.By doing this, we pointed out that even though we are dealing with systems, we can also apply the used methods to a group of primitive sensors, each of which independently generates events, and from an analysis of them, we are able to estimate the behaviour of the residents of the house.Suppose we have data obtained in this way.In that case, we can monitor the system in real-time or at time intervals and detect deviations in its behaviour that may represent a security risk.
The second main direction of research in process mining is testing the conformity of the actual operation of the system to the process model.We presented two methods: the comparison of footprint matrices and the tokenreplay algorithm on a Petri net constructed from a process model.In both cases, we proposed simple modifications of the algorithms, the purpose of which is to point out the differences in the system's behaviour compared to the model to identify potential incidents in the system's operation.
The application of the mentioned processes in combatting hybrid threats primarily covers cyberspace.Because we can assume the analysis of events, the system must somehow generate themwhich automatically brings into information technology.We can thus identify deviations in the behavior of the information systems of companies of interest and thus identify attempts at hacking, attacks in cyberspace, or industrial espionage.The use of methods from the field of process mining has the advantage that many companies (and thus also the information systems they use) have their internal processes described to a greater or lesser extent.To increase security and protection, other processes can be defined so that their subsequent monitoring is beneficial for the system's overall security.
In conclusion, this scientific exploration of process analysis as a long-term sustainable concept in combating hybrid threats underscores the importance of dynamic and adaptive strategies in our evolving security landscape.As we continue to witness the proliferation and sophistication of hybrid threats, it is clear that traditional, static security measures are insufficient.
Our findings emphasise that process analysis offers a valuable framework for organisations and governments alike to develop comprehensive and resilient approaches to threat mitigation.By continually assessing and improving their processes, entities can enhance their ability to detect, respond to, and recover from hybrid threats effectively.
Moreover, this research highlights the need for a holistic perspective on security, one that transcends traditional silos and embraces cross-functional collaboration.Stakeholders across sectors must collaborate, sharing insights, best practices, and threat intelligence to strengthen our defences collectively.
As demonstrated in this study, process analysis is not a one-size-fits-all solution.Instead, it is a dynamic and iterative approach that requires ongoing commitment and investment.However, its potential to enhance an organisation's resilience against hybrid threats cannot be overstated.
In an era where the threat landscape is constantly evolving, process analysis provides a forward-looking strategy that aligns with the principles of adaptability and continuous improvement.It empowers organisations to stay ahead of emerging threats and to develop sustainable, long-term security practices.
In conclusion, process analysis offers a promising path forward as hybrid threats continue to challenge our security paradigms.By integrating this approach into our security strategies and fostering collaboration across disciplines and sectors, we can collectively work toward a safer and more resilient future in the face of evolving threats.

Figure 1 .
Figure 1.Processing of logs from different sources Source: own processing

Figure 2 .
Figure 2. Example of BPMN diagram Source: own processing

Figure 2 .
Figure 2. Example of a Petri net Source: own processing

3 .
Parallel events, referred to as X II Y.It is true that X II Y, if and only if X>Y and at the same time Y<X. 4. A choice, denoted as X # Y.It is true that X # Y if and only if (X>Y)' and (Y>X)', where the symbol ' indicates the negation of the statement.

Figure 3 .
Figure 3. Patterns of event sequences: on the left, direct succession, on the right, exclusive selection Source: own processing

Figure 5 .
Figure 5. Patterns of event sequences, Y and Z parallel events Source: own processing

Figure 1 .
Figure 1.Example of a sequence of events found through the ProM tool Source: own processing

Figure 10 .
Figure 10.Petri net with a token in P1 place Source: own processing

Figure 11 .
Figure 11.Petri net with a token in P1 place and a missing token in P2 place Source: own processing p=1, c=0, m=1, r=0.

Figure 12 .
Figure 12.Petri net with tokens in places P1 and P4 Source: own processing

Figure 13 .
Figure 13.Petri net with remaining token in place P1 Source: own processing /doi.org/10.9770/jesi.2024.11.3(27)of individual sensors.Upon a change of state, each sensor reported an event, event time and sensor status (input open/closed).The following table contains a sample of the data.
).These are records of changes in the state

Table 2 .
Sample footprint matrix for the log