The document discusses a method for creating differentially private event logs to protect individuals' privacy in process mining, focusing on the risks posed by identifying individuals through event traces. It proposes a mechanism that anonymizes event logs by applying grouping, timestamp noise injection, and careful estimation of privacy parameters to limit the likelihood of an attacker singling out an individual. The authors outline empirical evaluations and future research directions, including addressing challenges with unique traces and broadening the anonymization to other log components.

1. Mine Me but Don’t
Single Me out:
Differentially
Private Event Logs
for Process Mining
Gamal Elkoumy, Alisa Pankova, Marlon Dumas
University of Tartu and Cybernetica
Estonia

2. Event Log

3. Privacy
Threats
John Doe checked-in at 8:33 AM
and had a surgery from 8:35 AM to
9:25 AM.
On average, the activity "surgery"
happens between 8 AM and 10
AM with an execution time
between 30 minutes and 2 hours.

4. GDPR

5. Motivation
• Masking (pseudonymization)
is not enough.
• An attacker can use prefixes
or suffixes of the John’s trace
to identify him.
• Also, the attacker can use
the event timestamp to
identify John.

6. Attack Model
The attacker has a goal ℎ 𝐿 that captures their
interest in an event log 𝐿. We specifically
consider the following attacker’s goals:
• ℎ1: Has the individual been through a specific
sub-trace (prefix or suffix)? The output is a
bit with a value ϵ 0, 1 that represents yes or
no.
• ℎ2 : What is the execution time of a
particular activity that has been executed for
the individual? The output is a real value to
be guessed with precision.

7. Motivation
• We do not want the attacker to guess John Doe after
releasing the event log.
• We do not want that guessing probability to increase by a
certain amount after the event log release.
• We use this guessing advantage probability (δ) to
anonymize event logs.

8. Problem Statement
• Given an event log L, and given a
maximum level of acceptable guessing
advantage δ , generate an anonymized
event log L' such that the probability of
singling out an individual after
publishing L' does not increase by more
than δ .

9. Differential Privacy
ε

10. Approach

11. Approach – DAFSA
• Group events that go through the same prefixes/suffixes.
• Minimal Grouping shared prefixes/suffixes.
• Lossless representation of event log.
• Oversampling size estimation.
• Timestamp anonymization
Annotate
Event Log with
DAFSA states
ε estimation
for relative
time
ε estimation
for trace
variants
Oversampling
Cases
Noise Injection
to Timestamps

12. Approach – Event Log Annotation
Annotate
Event Log with
DAFSA states
ε estimation
for relative
time
ε estimation
for trace
variants
Oversampling
Cases
Noise Injection
to Timestamps

13. Approach – ε estimation
• The effect of ε differs based on the range of values
• Two ε values:
• ε for trace variants anonymization.
• ε for timestamp anonymization.
• We estimate different ε for each event based on the
distribution of values.
Annotate
Event Log with
DAFSA states
ε estimation
for relative
time
ε estimation
for trace
variants
Oversampling
Cases
Noise Injection
to Timestamps

14. ε estimation – Personalized Differential Privacy
Input: δ=0.2
Annotate
Event Log with
DAFSA states
ε estimation
for relative
time
ε estimation
for trace
variants
Oversampling
Cases
Noise Injection
to Timestamps

15. ε estimation – Personalized Differential Privacy
ε= 0.81 for δ=0.2
Annotate
Event Log with
DAFSA states
ε estimation
for relative
time
ε estimation
for trace
variants
Oversampling
Cases
Noise Injection
to Timestamps

16. Approach - Oversampling
• The set of case variants is the main input used by process
mining techniques, e.g., conformance checking.
• In this setting, having the same set of case variants is
critical.
• Adding new case variants increases the false positives.
• Removing existing case variants increases the false
negatives.
• We adopt Oversampling over the DAFSA transition to
prevent singling out an individual using their prefix/suffix.
Annotate
Event Log with
DAFSA states
ε estimation
for relative
time
ε estimation
for trace
variants
Oversampling
Cases
Noise Injection
to Timestamps

17. Approach - Oversampling
Annotate
Event Log with
DAFSA states
ε estimation
for relative
time
ε estimation
for trace
variants
Oversampling
Cases
Noise Injection
to Timestamps

18. Approach – Time Noise Injection
Annotate
Event Log with
DAFSA states
ε estimation
for relative
time
ε estimation
for trace
variants
Oversampling
Cases
Noise Injection
to Timestamps

19. Anonymized Log

20. Empirical
Evaluation
We selected 14 publicly available event
logs.
What is the effect of choosing a privacy
level δ on the time dilation of the
anonymized event log?
What is the effect of choosing a privacy
level σ on the case variant distribution
of the anonymized event log?

21. Empirical Evaluation

22. Empirical Evaluation

23. • We proposed a concept of differentially private
event log and a mechanism to compute such logs.
• A differentially private event log limits the increase
in the probability that an attacker may single out
an individual based on the prefixes or suffixes of
the traces in the log and the timestamps of each
event.
Conclusion
and Future
Work

24. Conclusion
and Future
Work
A limitation is that the proposed method
introduces high levels of noise in the presence of
unique traces or temporal outliers. We plan to
investigate an approach where high-risk traces
are suppressed so that the amount of injected
noise into the remaining traces is lower.
A second future research avenue is to consider
anonymizing other columns in the event log, e.g.,
resources.

25. Questions