Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Challenges of Anomaly Detection in the Object-Centric Setting: Dimensions and the Role of Domain Knowledge

Alessandro Berti, Urszula Jessen, Wil M. P. van der Aalst, Dirk Fahland

TL;DR

This work tackles anomaly detection in object-centric event logs (OCELs) where multiple object types and their interactions complicate traditional process mining. It introduces three methodologies—AF1 (oracle-based feature anomalies), AF2 (object-level anomaly scoring), and AF3 (feature-level anomaly aggregation with propagation)—built on object-centric feature maps and optional feature propagation. A real-life P2P case study demonstrates that combining domain knowledge with data-driven detectors (e.g., FastMap for dimensionality reduction, Isolation Forests, and LOF) can reveal non-compliance patterns such as maverick buying and post-mortem requisition changes, while feature propagation uncovers root causes across related objects. Large Language Models can supplement domain knowledge to interpret results but face limitations like context-window constraints, inconsistencies, and hallucinations, necessitating careful, ensemble use. Overall, the framework highlights how domain-informed, OC-aware anomaly detection can deliver actionable insights, though practical adoption requires mindful integration of LLMs and robust feature propagation techniques to manage high dimensionality and interpretability challenges.

Abstract

Object-centric event logs, allowing events related to different objects of different object types, represent naturally the execution of business processes, such as ERP (O2C and P2P) and CRM. However, modeling such complex information requires novel process mining techniques and might result in complex sets of constraints. Object-centric anomaly detection exploits both the lifecycle and the interactions between the different objects. Therefore, anomalous patterns are proposed to the user without requiring the definition of object-centric process models. This paper proposes different methodologies for object-centric anomaly detection and discusses the role of domain knowledge for these methodologies. We discuss the advantages and limitations of Large Language Models (LLMs) in the provision of such domain knowledge. Following our experience in a real-life P2P process, we also discuss the role of algorithms (dimensionality reduction+anomaly detection), suggest some pre-processing steps, and discuss the role of feature propagation.

Challenges of Anomaly Detection in the Object-Centric Setting: Dimensions and the Role of Domain Knowledge

TL;DR

This work tackles anomaly detection in object-centric event logs (OCELs) where multiple object types and their interactions complicate traditional process mining. It introduces three methodologies—AF1 (oracle-based feature anomalies), AF2 (object-level anomaly scoring), and AF3 (feature-level anomaly aggregation with propagation)—built on object-centric feature maps and optional feature propagation. A real-life P2P case study demonstrates that combining domain knowledge with data-driven detectors (e.g., FastMap for dimensionality reduction, Isolation Forests, and LOF) can reveal non-compliance patterns such as maverick buying and post-mortem requisition changes, while feature propagation uncovers root causes across related objects. Large Language Models can supplement domain knowledge to interpret results but face limitations like context-window constraints, inconsistencies, and hallucinations, necessitating careful, ensemble use. Overall, the framework highlights how domain-informed, OC-aware anomaly detection can deliver actionable insights, though practical adoption requires mindful integration of LLMs and robust feature propagation techniques to manage high dimensionality and interpretability challenges.

Abstract

Object-centric event logs, allowing events related to different objects of different object types, represent naturally the execution of business processes, such as ERP (O2C and P2P) and CRM. However, modeling such complex information requires novel process mining techniques and might result in complex sets of constraints. Object-centric anomaly detection exploits both the lifecycle and the interactions between the different objects. Therefore, anomalous patterns are proposed to the user without requiring the definition of object-centric process models. This paper proposes different methodologies for object-centric anomaly detection and discusses the role of domain knowledge for these methodologies. We discuss the advantages and limitations of Large Language Models (LLMs) in the provision of such domain knowledge. Following our experience in a real-life P2P process, we also discuss the role of algorithms (dimensionality reduction+anomaly detection), suggest some pre-processing steps, and discuss the role of feature propagation.
Paper Structure (16 sections, 2 equations, 3 figures, 2 tables)

This paper contains 16 sections, 2 equations, 3 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Preliminaries
  4. Object-Centric Event Logs
  5. Object-Centric Feature Maps
  6. Approach
  7. Anomalous Features Identification through Oracles (AF1)
  8. Scoring the Anomalousness of an Object (AF2)
  9. Anomalous Features Identification aggregating Anomaly Scores
  10. Case Study
  11. Context
  12. Methodologies and Algorithms
  13. Refinement of the Analysis
  14. Main Results
  15. Limitations of LLMs as Domain Knowledge Providers
  16. ...and 1 more sections

Figures (3)

  • Figure 1: Outline of the contributions proposed in the paper. The approaches highlighted with "DK" require domain knowledge.
  • Figure 1: Anomaly scores for some purchase orders of the considered log.
  • Figure 2: Interaction between maintenance contracts with several positions and invoices.

Theorems & Definitions (11)

  • definition thmcounterdefinition: Universes
  • definition thmcounterdefinition: Object-Centric Event Log
  • definition thmcounterdefinition: Auxiliary Object-Centric Definitions
  • definition thmcounterdefinition: Object-Centric Feature Map
  • definition thmcounterdefinition: Example of Object-Centric Feature Map
  • definition thmcounterdefinition: Feature Propagation
  • definition thmcounterdefinition: Features' Oracle
  • definition thmcounterdefinition: Objects' Score Function
  • definition thmcounterdefinition: Objects' Score Rank Function
  • definition thmcounterdefinition: Normalization of a Feature Map
  • ...and 1 more