Embed Size (px)
Citation preview
Institut fur Computergraphik undAlgorithmen
Technische Universitat WienKarlsplatz 13/186/2
A-1040 WienAUSTRIA
Tel: +43 (1) 58801-18601Fax: +43 (1) 58801-18698
Institute of Computer Graphics andAlgorithms
Vienna University of Technologyemail:
other services:http://www.cg.tuwien.ac.at/ftp://ftp.cg.tuwien.ac.at/
TECHNICAL REPORT
The Event Tunnel: Interactive Visualization of ComplexEvent Streams for Business Process Pattern Analysis
Martin SuntingerSENACTIVE IT-Dienstleistungs GmbH
Hannes ObwegerSENACTIVE IT-Dienstleistungs GmbH
Josef SchieferInstitute for Software Technology and Interactive Systems, Vienna University of Technology
M. Eduard GrollerInstitute of Computer Graphics and Algorithms, Vienna University of Technology
TR-186-2-07-07May 2007
The Event Tunnel: Interactive Visualization of Complex EventStreams for Business Process Pattern Analysis
Martin Suntinger∗
SENACTIVE IT-Dienstleistungs GmbH
Hannes Obweger†
SENACTIVE IT-Dienstleistungs GmbH
Josef Schiefer‡
Institute for Software Technology and Interactive Systems, Vienna University of Technology
M. Eduard Groller§
Institute of Computer Graphics and Algorithms, Vienna University of Technology
May 14, 2007
Abstract
Event-based systems are gaining increasing popularityfor building loosely coupled and distributed systems.Since business processes are becoming more intercon-nected and event-driven, event-based systems fit well forsupporting and monitoring business processes. In thispaper, we present an event-based business intelligencetool, the Event Tunnel framework. It provides an in-teractive visualization of event streams to support busi-ness analysts in exploring business cases and businessprocesses. The visualization is based on the metaphorof considering the event stream as a cylindrical tunnel,which is presented to the user from multiple perspec-tives. In the Event Tunnel, relevant business events arelaid out and depicted for analysts. The information ofsingle events is encoded in event glyphs that allow fora selective mapping of event attributes to colors, sizeand position. Different policies for the placement of theevents in the tunnel as well as a clustering mechanismgenerate various views on historical event data. Theevent tunnel is able to display the relationships betweenevents. This facilitates users to discover root causes andcausal dependencies of event patterns. Our frameworkcouples the event-tunnel visualization with query toolsthat allow users to search for relevant events within adata repository. Using query, filter and highlighting op-erations the analyst can navigate through the Event Tun-nel until the required information or event patterns be-
∗e-mail: [email protected]†e-mail: [email protected]‡e-mail: [email protected]§e-mail: [email protected]
come visible. We demonstrate our approach with usecases from the fraud management and logistics domain.Keywords:Business process visualization, complexevent processing, query-driven visualization.
1 Introduction
Today’s networked business environment requires sys-tems which are adaptive and easy to integrate. Event-based systems have been developed and used to con-trol business processes with loosely coupled systems.One of the most promising concepts for gaining insightinto business processes in order to support closed loopdecision-making on an operative level is Complex EventProcessing (CEP) [6]. CEP includes a set of technolo-gies to process large amounts of events, utilizing them tomonitor, steer and optimize the business processes withminimal latency. Typical application areas of CEP re-quire fast decision cycles [8] based on a large numberof observable business events which can be used to dis-cover exceptional situations or business opportunities.Typically, these are areas like financial market analysis,trading, security, fraud detection, logistics like trackingshipments, compliance checks, and customer relation-ship management.The success of event-driven business solutions dependson an ongoing learning process. It is an iterative cycleincluding the analysis and interpretation of past pro-cessing results and the conversion of these results intothe event-processing logic. Analysis tools are requiredwhich are tailored to the characteristics of event datato answer questions like: Where did irregularities occur
1
2 2 RELATED WORK
in my business? Did processes change over time? Doesmy business slow down, or can certain processes be ex-ecuted more effectively? Which of different executionpaths of a process is most effective? Which contribu-tors to my business process are most valuable? Uponwhich data were past, automated decisions made? Diderrors occur in the automated decision process? Whathappened at a certain point in time at a certain locationand who was involved? To answer these questions, thebusiness analyst has to be equipped with extensive re-trieval tools to extract required data sets. Also expressivevisualizations are necessary to navigate through eventdata and recognize recurring patterns and irregularitiesthat influence the business performance. In the follow-ing, we present an approach for visualizing event data,the Event Tunnel. It is based on the metaphor of consid-ering the continuous stream of events as a tunnel, whichwe show from a top and a side view. Around this core vi-sualization, we have built an analysis workspace whichwe will also briefly discuss in this paper.
The paper is structured as follows: In Section 2, we re-flect on related work on event-based visualization ap-proaches and discuss our contribution. Section 3 de-scribes event spaces which are the data foundationfor our visualization. Section 4 describes the visualmetaphor of the Event Tunnel and its major componentssuch as its views, the glyph-based event representationand the cluster display. In Section 5, we show how theevent tunnel visualization is embedded in an analysisframework and discuss related implementation issues.In Section 6, we present evaluation results with respectto two use-case scenarios and, finally, with Section 7,we conclude our paper and provide an outlook for fu-ture work.
2 Related work
Currently, event-based systems and applications aregaining increasing maturity and are starting to be em-ployed in industrial settings. Event-data specific visual-ization and analysis tools on the other hand are still intheir infancy. In the domain of business intelligence andanalysis, many approaches exist, from online-analytical-processing (OLAP) to data mining techniques. Thesetechnologies are applicable for the analysis of event-based operational business data as well, but they do nottake into consideration the nature and special charac-teristics of events. Techapichetvanich and Datta [12]and Maniatis [7] describe visualization approaches forOLAP, which allow users to explore and analyze data
cubes and data warehouses without generating sophis-ticated queries. Users can gain both overviews and re-fine views on any particular areas of interest through thecombination of interactive tools and navigational func-tions (i.e., drill-down, roll-up, and slicing). In compari-son to OLAP analysis, our approach consciously omitsan abstraction of the data into a set of multidimensionalkey figures and focuses instead on the events as the datapoints for the visual data representations. High-levelviews on the data are provided by visual patterns andclusters, and drill-down operations are possible down tothe level of a single event.Hao et al. [4] presented VisImpact, an approach to re-duce the complexity of business data by extracting im-pact factors that identify either single nodes or groups ofnodes from business flow diagrams that influence busi-ness operations. VisImpact is able to find relationshipsamong the most important impact factors and supportsan immediate identification of anomalies. Our approachis not dependent on process models and is able to visual-ize process-behavior patterns based on events generatedfrom IT-systems. It does not reduce the complexity ofthe data, but allows investigating causal dependenciesof events in a business environment. By extracting andvisualizing manageable data sets, a user is able to dis-cover (hidden) relationships between events as well asimpact factors for business operations.Kapoor et al. [5] proposed OPAL, which uses clas-sical visualization techniques (charts, time tables, his-tograms, scatter plots) for operational, multidimensionaldata about business operations. OPAL helps users inmaking faster and more well-informed decisions in or-der to respond to irregular process patterns.Rudensteiner et al. [10] implemented the XmdvToolfor multivariate data visualization that allows users toview data from different perspectives. The XmdvToolsupports a variety of advanced visual interaction tech-niques, including brushing in screen space, data space,and structure space, panning, zooming and distortion.We extended this approach by a visualization techniqueand show events without further abstraction in the con-text of their occurrence. Condition-based mappings en-able the encoding of various event-data aspects in therendering.The event-tunnel visualization is designed to displaysearch results from event-data queries. Rosznyai et al.[9] proposed the search-engine Event Cloud for analyz-ing business events based on event queries. The systemcorrelates and indexes the events in a data staging pro-cess and enables users to search in large sets of historicalevents. Event Cloud allows to flexibly retrieve histori-cal event data and uses a text-based view for displaying
3
the search results. This is supported by the work of Se-brechts et al. [11], who showed that locating a searchtarget is fastest in text-based views. We hypothesize thatfor event data, a visual representation of query resultsis more valuable for answering questions of a businessuser, since it shows the user multiple perspectives of asearch result and allows at the same time to graphicallydisplay the relationships of the retrieved events.In the domain of information visualization, different ap-proaches exist to display the time dimension for data.Carlis and Konstan [2] and Weber et al. [13] proposeda time spiral, aiming on temporal patterns in periodicdata. Arranging data in a spiral, their approaches pro-vide the user with easy visual cues to both serial and pe-riodic aspects of the data, along with interactions, suchas the change in period over time. Yee et al. [14] showa visualization approach which uses a radial tree lay-out method for supporting the interactive exploration ofgraphs. In our approach, we combine and extend thesetechniques for displaying networks of correlated eventswhich occur over a certain period of time.
3 The event space
Continuous capturing and processing of events producesvast amounts of data. Event-based business processanalysis relies on these data. An efficient mass storage isrequired to store all events and prepare the data for laterretrieval. Throughout this paper, we refer to this massstorage as the event space. During the processing of theevents in the event-based system, they are captured byan auditing service and stored in a data repository. Fur-thermore, the events are indexed for quick retrieval ofcorrelated events and metrics are pre-calculated. Figure1 illustrates this process.For the purpose of maintaining information about busi-ness activities, events capture attributes about the con-text when the event occurred. Event attributes are itemssuch as the agents, resources, and data associated withan event, the tangible result of an action (e.g., the place-ment of an order by a customer), or any other informa-tion that gives character to the specific occurrence ofthat type of event. For example, a typical order eventcould have the following attributes as context informa-tion:
• Customer Name (string data attribute)
• Order ID (string data attribute)
• Product ID (string data attribute)
• Price (numeric data attribute)
Event-basedsystem
Auditing service
Business environment
Interfaces to the businessenvironment
Events
Event-space data-repository
Figure 1: The event-space backend system contains pro-cessed events for analysis and retrieval.
This template of attributes defines the structure of a cer-tain class of events and is called event type. It indicatesthe underlying type of state change in a business processthat is reflected by the event.
To back-trace and analyze the events of a business pro-cess, it is important to correlate temporally and semanti-cally related events. Elements of an event context can beused to define a relationship between events. Chains ofcorrelated events reflect instances of a business process(see figure 2).
Event-spacedata-repository
Time
Order Placed Transport Start Transport End Order Received
Order ID: 1234Customer Name:John Q. PublicProduct ID: 5678Price: 3000
Order ID: 1234Transport ID:XYZ-123456Duration est.: 3dDate 01/01/2000Carrier CarryMe
Order ID: 1234Transport ID:XYZ-123456Date 03/01/2000
Order ID: 1234Date: 03/01/2000Accepted: True
Event tunnel
Figure 2: A business process instance is given as a set ofcorrelated events. The semantic correlation is based onthe event attribute order ID.
The event-tunnel visualization follows a query-drivenapproach. A business analyst can define queries for ex-
4 4 THE EVENT-TUNNEL VISUALIZATION
tracting data from the event-space data repository in or-der to retrieve and prepare data sets for the visualization.We have unified the access to event data by specifyingevent filters and patterns with a so-called event-accessexpression language. This language allows to easily ac-cess event attributes and supports the modeling of com-plex conditions including calculations and aggregations.A typical search query is a set of conditions which isused to filter the events from the event space. A simpleexample of an EA expression is: Order.Price BETWEEN100 AND 200 AND OrderDelivered.Status = ’Delayed’.As the example shows, the query model allows defin-ing a search scope for retrieving correlated events thatmatch a set of conditions. Throughout this paper, wewill demonstrate that our query model is applied formultiple purposes. Conditions separate the event datainto (eventually overlapping) groups. Condition-basedcoherences can then be visually mapped to color, spatialproximity and other characteristics of a visualization.
4 The Event-Tunnel Visualization
In the previous section, we presented the event spaceas a queryable data repository for historical events. Inthis section, we propose a visualization technique calledevent tunnel to produce a highly interactive, visual de-piction of this data. The event-tunnel visualization isbased on the metaphor of seeing the past stream ofevents as a 3D cylinder and providing two views ontothis cylinder: a top view that looks into the stream ofevents along the time-axis, and a side view plotting theevents in temporal order (see figure 3).
Time
Time
Unassigned
Unassigned
Time
Unassigned
Event-tunnelSide-view
Event-tunnelTop-view
(a) (b)
Event tunnel
Figure 3: The event-tunnel visualization: Side view andtop view onto the stream of events.
Following the metaphor of an event-stream cylinder,one axis is determined and occupied unambiguouslyby time, whereas the remaining axis is assignable by aplacement policy. For the top view and the side view, wewill show placement policies that either aim on efficientspace filling or try to encode data attributes in the spatialarrangement.
4.1 Event-Tunnel Top-View
The event-tunnel top-view maps the 3D view into theevent-stream cylinder to a radial 2D rendering (see fig-ure 3b). Events on the inner circles of the tunnel are dis-played smaller to simulate perspective projection. Themotivation behind this technique is an observation wemade early in the planning phase: During the analysisof historical event data we found out that the entropyand business value of the most recent events are usu-ally higher in comparison to similar but older events.This tendency results from the fact that the most recentevents are more relevant for a business analyst as well asthe final events of a business process generally charac-terize best the outcome of a business case. The perspec-tive projection in the event-tunnel top-view reflects thisrequirement to emphasize recent events. In the tunnel,the latest events appear larger at the outer rings and arewell visible.
4.1.1 Placement policies
Following the underlying metaphor of the event tunnel,the distance from the center of the top view is defined bythe dimension mapped to the cylinder axis, i.e., usuallytime. Another parameter, the angular position of eachevent, is not implicitly defined and can be controlled bythe business analyst with placement policies.The strategies for effectively placing the events on theconcentric rings of the tunnel depend on the objectivesof the business analyst. Possible objectives might be:
• Avoid overlapping events
• Display correlated events close to each other
• Keep sequences of events on nearly straight linesto be able to easily recognize process behavior pat-terns
It is hard to find a single strategy that fits all require-ments at the same time. However, it is possible to definespecialized policies that concentrate on certain aspectsand try to optimize the output with respect to these as-pects. Ultimately, the user can switch between the place-ment strategies to find the output that is most effective
4.2 Event-Tunnel Side-View 5
for his/her purposes. In the following, several placementpolicies are proposed, and their results are discussed.
4.1.2 Sector placement-policy
The sector placement-policy focuses on distributionsof events. Events are placed in non-overlapping, an-gular sectors, depending on their particular attributes.The overall appearance of the outcome resembles well-known pie charts. Conditions are used to define sector-memberships, though restrictions must be introducedto avoid multi-set memberships. When using numericevent attributes for the sector distribution instead of hav-ing discrete sector conditions, additional expressivenesscan be achieved. In this case the events are arrangedaround the tunnel surface by performing a linear map-ping of the event attributes to the position.
In many cases, the sector placement policy shows ex-pressive results on medium to large event sets (fromseveral hundreds up to 40,000 events). Accumulations,missing events over time, as well as single, isolated out-liers become visible. Combined with adequate color andsize configurations, patterns can be discovered acrossthe sectors.
4.1.3 Centric event-sequence placement-policy
The centric event-sequence placement-policy (CESPpolicy) is focused on sequences of correlated events,such as the events of a business process instance. A posi-tion of an event depends solely upon its membership in agroup of correlated events. The CESP algorithm followsevent sequences and plots them in coherent chains.
Algorithm4.1: CESPLACEMENT(events)
comment: Plot events according to the CESP
ORDERBYTIME(events)for i← 0 to events.length
do
if i = 0then PLOTEVENT(events[i])
else
events[i].Angle← events[i−1].Angleif OVERLAP(events[i],events[i−1])
then SHIFTCLOCKWISE(events[i]) (i)PLOTEVENT(events[i])
Algorithm 4.1 avoids overlapping of events by clock-wise shifts: on line (i), the event’s representation is
(a)
(b)
(c)
(d)(e)
(f )
Figure 4: Examples of characteristic business-processpatterns in the CESP policy. Refer to table 1 for an ex-planation of the individual patterns.
moved clockwise as far as not to overlap its predeces-sor. The algorithm results in specific patterns, being ab-stract representations of underlying business process in-stances. As regular instances of a business process pro-ceed more or less according to a template, characteris-tic patterns emerge. This enables the analyst to derivefuzzy, visual template representations for certain busi-ness processes. Anomalies can then be assessed by com-paring the resulting pattern with the expected template.Therefore, the CESP policy is well suited for the analy-sis of smaller data sets to detect fine-grained causal re-lationships. Although most of the emerging patterns areapplication and data specific, several basic, high-levelpatterns can be characterized. Figure 4 schematicallyshows these patterns. Table 1 lists how these patternscan be interpreted.
4.2 Event-Tunnel Side-View
Some of the event-tunnel top-view’s most valuable char-acteristics result from the perspective projection. Onthe other hand, the perspective projection results in anon-linear transformation from time to distance, whichmakes it difficult to estimate absolute time values. Insome cases, an adequate representation of the eventspace’s temporal relationships is indispensable to a de-tailed analysis process. Therefore, we provide an addi-tional view of the event tunnel, the side view (figure 3a).
6 4 THE EVENT-TUNNEL VISUALIZATION
Table 1: Interpretation of business-process patterns inthe CESP policy.
Pattern InterpretationStair pattern (a) Represents a business process whose exec-
ution is characterized by several idletimes (potentially exceptional delays).
Non-interfering chain (b) A long-running process, whose stages arepassed straight forward in regular timesteps.
Parallel chain (c) A fast-executing process (probably auto-mated or machine controlled) without idletimes.
Acceleration worm (d) Represents a process whose execution acc-elerated continuously.
Deceleration worm (e) Represents a process whose execution de-celerated continuously.
Rattlesnake (f) Reflects one extreme delay in the executionof a process.
It is intended as an extension to the event-tunnel top-view that accurately presents temporal coherences.
For the event-tunnel side-view, the question arises againhow to utilize the unassigned axis of the tunnel. Wedecided to exclusively focus on temporal relationshipsbetween correlated event sequences and plot these se-quences on horizontal lines in temporal order. Event se-quences (which reflect business process instances) ap-pear as continuous bars surrounding the single eventscontained in the sequence. The result closely resemblesprocess charts such as GANTT diagrams without the de-piction of dependencies.
4.3 Mapping data to event glyphs
The placement policies described above work on the ba-sis of events’ characteristics either attribute values orcorrelation-group memberships. Hence, placement poli-cies perform a mapping of data attributes to position.Another possibility to visually encode event attributesis the shape of a single event itself. An event is rep-resented by a spherical event glyph (see figure 5). Theevent glyph consists of a sphere surrounded by an outerring. The size and color of these elements do encodeevent attributes. The sphere surface and the surface ofthe outer ring may be subdivided into more than onesector to simultaneously encode several attributes.
4.3.1 Size
By its nature, coding the size parameters of the eventglyphs is suitable for the mapping of continuous at-tributes. Per event type, separate mappings can be de-fined for the sphere diameter and the diameter of theouter ring.
Time
Outer ringdiameter
Spherediameter
Outer ringcolor
Spherecolor
Figure 5: Event attributes can be mapped to colors andsizes of event glyph parameters.
4.3.2 Color
In contrast to size coding, the color parameters of theevent glyph can be utilized to visualize arbitrary eventattributes. Anyhow, the complexity of analysis tasks re-quires a flexible and powerful approach far beyond thebasic mapping of single, discrete attributes to color.Therefore, the application enables the user to defineconditions, each associated with a customizable color.In case of an event fulfilling a condition, the event’s bul-let area is filled with the respective color. As describedin section 3, conditions may lead to multi-set member-ships. This is incorporated by subdividing the event-glyph sphere into differently colored sectors of equalsize.
4.4 Displaying event correlations
So far, in the event-tunnel side-view correlations be-tween events are naturally encoded and visually de-picted. In the event-tunnel top-view the only techniqueavailable to visualize correlations is via the spatial ar-rangement (CESP policy). In the course of this work,we elaborated an additional technique to visualize eventcorrelations in the top view. The approach simply con-nects related events on demand. The connections aredrawn as semi-transparent bands. Each band reachesfrom one event to the next, in temporal order. The thick-ness of the band is continuously adjusted to the events’sizes.
4.5 Drawing clusters
The techniques presented so far are suitable for smalland medium sized data sets of up to 10,000 events.
7
A distribution analysis in the sector placement-policycan also be performed with data sets of up to 40,000events. To cope with result sets that are larger than that,we implemented a clustering mechanism that aggregatesgroups of events into single data points. The implemen-tation supports the formation of clusters based on cor-relations, equality of event types and arbitrary event-access expression conditions. Each cluster possesses ananchor event (see figure 6a): The temporal occurrence ofthis event determines the plotting position of the clusterin the event tunnel. A cluster can be collapsed or ex-panded. In the collapsed state, its appearance resemblesa single event node, in the expanded state, the eventscontained in the cluster are plotted on a resizable cir-cle. The metric determining the events’ distance fromthe center of this circle is customizable (figure 6b). Ex-panded clusters can be dragged around by the user: athin line indicates the connection to the anchor event.Clustering does not only aim at a sparse visual repre-
Figure 6: A cluster of transport events. The anchor event(a) indicates a demand; the events in the cluster aretransports available to fulfill the demand. Distance met-ric in the cluster (b): estimated transport costs.
sentation of large result sets. The organization of eventsin clusters additionally allows a distribution analysis anda direct comparison of distinct event groups. For exam-ple, having grouped the events from business process Ain cluster 1 and the events from business process B incluster 2, the analyst can bring the clusters to an equalsize and compare them to each other. For the generationof clusters, we support both automatic clustering of thecomplete result set or selective clustering of a selectionof events. To cluster the complete result set, the user candefine so-called clustering rules. These rules configure
the event aggregation (e.g., generate one cluster for eachcorrelation chain) and the selection of the anchor eventin each cluster.
The representation of clusters that are in the collapsedstate is similar to an event glyph. This again offers sev-eral parameters (colors and sizes) to map data. In thisway, the mapping characterizes the aggregated group ofevents. For example, if a cluster aggregates the eventsof one correlation, the metrics defined for this correla-tion can be mapped to the cluster glyph. In the simpletransport chain correlation introduced in figure 2, possi-ble metrics to map could be transport duration, transportcosts, satisfaction status, shipment delay and order vol-ume.
5 The Analysis Framework
The event-tunnel top and side view visualizations gen-erate interactive views on the event data. We have em-bedded these views into a configurable workspace forevent analysis and mining purposes. It is designed as anextendable framework offering the possibility to plug-in customized event-data visualizations without havingto implement basic functionalities. Besides the event-tunnel views, the analysis workspace includes facilitiesfor querying and retrieving event-data from the event-space data-repository, selective filter operations, dis-playing metrics and the content of events, discoveringsimilarities of correlated event sequences, and managinganalysis results. All visualizations are linked together.Highlighting an event in one of the views highlights itin all other views. Figure 7 provides a screenshot of theanalysis workspace.
Besides the event-tunnel top-view (a) and the event-tunnel side-view (b), the analysis framework currentlyconsists of a text view (c) that generates a text-basedoutput of an event query result, a metric charting view(d) that plots calculated metrics for selected businessprocesses, a text box (e) that displays information on thecurrent selection in the visualizations, a graphical querybuilder (f), a filter manager (g), a management consolefor clustering (h), a configuration manager to control themapping of data attributes, select placement strategiesand configure a condition-based highlighting (i) and asnapshot management console (j) to capture the currentview state and configuration and restore past analysisresults. The analysis framework targets business ana-lysts and developers of business logic which is basedon company-specific event processing. The goal is toaccomplish back-tracing tasks, draw conclusions on the
8 6 APPLICATIONS AND RESULTS
Figure 7: The analysis workspace: event-tunnel top-view (a), event-tunnel side-view (b), text view (c), metriccharting view (d), text box (e), graphical query builder (f), filter manager (g), clustering management console (h),configuration manager (i), snapshot management console (j).
business performance and discover undetected correla-tions and patterns. These findings can then be employedin the automated event processing.The analysis framework has been written in C#. For en-abling simple plug-in integration, it is built upon theCastle Project’s Windsor IoC container for managingmodules and components. We tried to keep the visu-alizations as slim as possible. Therefore, we provide arange of interfaces, each with a certain limited scope. Avisualization module can be notified of event selections,and it can support clustering, each through implement-ing the respective interface.The introduced views on the event tunnel combine anextensive graphical rendering with a rich user interac-tion model. Therefore, we made use of the Piccolo.NETframework [1], a graphical toolkit that supports zoom-ing and panning as well as object-level event handling.Due to the high computational effort of transformationoperations, we decided to reduce rendering details to anabsolute minimum during zooming and panning.
6 Applications and Results
To evaluate the above-presented visualization tech-niques, we have applied the analysis framework for twoselected business applications: automated fraud detec-tion in online betting platforms and real-time monitor-ing of logistics and transportation processes. We experi-enced that a typical analysis task can be split up into:
• data tracing
• anomalies discovery
• pattern characterization
Data tracing means the process of a step-wise repro-duction of recent, influential occurrences. Typically, thisstep is triggered by some clue that serves as the startingpoint for further investigation efforts. The framework’squery-driven visualization-approach complies well withdata tracing tasks: The initial clue can be translated to aquery in order to extract a limited dataset for the visual-ization. The analyst can subsequently narrow or broadenthe search scope to the required granularity level.The discovery of anomalies in data sets was the subjectof many recent research efforts [3] [4]. Our approachis currently limited to a manual anomaly-discovery pro-cess supported by the following techniques: Outlier de-tection in the sector placement policy, accentuation ofoutliers in event clusters, pattern comparison in theCESP policy, highlighting of abnormal event attributevalues by color and size coding and interpretation oftemporal accumulations in the event-tunnel top-viewand the event-tunnel side-view.After a data tracing step, information on anomalies andconspicuous occurrences is available. However, in orderto exploit this information, in most cases a generaliza-tion and characterization of the discovered patterns isessential. The characterization of a pattern includes in-fluential factors (i.e., key figures and threshold levels) as
6.1 Automated Fraud Detection and Prevention 9
well as behavioral patterns in event sequences, whosecombination makes up a reference pattern. This refer-ence pattern can be used by event-based systems for dis-covering similar cases. Tools that support the character-ization of reference patterns are the event tunnel itself,the text view and the metrics view. From the event tun-nel, the analyst can extract a sequence pattern of eventsand generalize it to an event sequence model. The met-rics view shows the temporal evolution of key figureswhich helps to assess threshold levels. Finally, from thetext view the events’ exact data values can be extracted.
6.1 Automated Fraud Detection and Pre-vention
Fraud detection and prevention is a major issue intechnology-driven business domains relying on onlinepayment solutions and web-based customer interac-tions. A market that has been heavily affected by fraudcases recently is online betting and gambling. Vari-ous forms of fraud have been reported, reaching fromphysical attacks by hackers over money laundering tothe abuse of insider information about sport events.With event-based systems, fraud cannot only be de-tected, but proactively prevented in near real-time bya continuous rule-based evaluation of customer inter-actions. An automated intervention is then possible incase of a conceived suspicion [8]. To implement an ef-ficient fraud detection and prevention system, exhaus-tive knowledge on the underlying business processesand occurring fraud patterns is a prerequisite. Contin-uous learning and the knowledge of chain fraud patternsare necessary to keep an event-based system up-to-date[3]. We propose the event-tunnel analysis-framework toattain this knowledge and evaluated it with an event-based fraud detection and prevention system for onlinebetting providers. The data in the following exampleswere generated using a simulation model that emprisesknown user-behavior patterns in the simulated events.For the evaluation, we simulated ordinary bet placing,cash-in and cash-out events and randomly added aboutthree percent fraud cases from several available fraudtemplates. The templates were parameterized to vary instructure and degree of conspicuity.
6.1.1 Tracing of Customer Activities
In a requirements study for an online betting providerwe observed that a complete department was concernedwith data tracing. For fraud investigations, security an-alysts had to regularly back-trace customer actions incase of system alerts. Fraud investigations target single
users or groups of users or the analysis of complete mar-kets and leagues. In addition, automated system inter-ventions are regularly investigated. In the following, weassume that an event-driven fraud-detection system au-tomatically generates alerts for users with suspicious be-havior. The security analysts regularly receive clues (theaccount IDs of users with fraudulent behavior) that serveas starting points for a data-tracing analysis step. In fig-ure 8 an excerpt of a step-wise tracing and discoveryprocess is shown. It is based on an illustrative case dis-covered by a test-user in the simulated data set. Figure 8shows the historical events of two user accounts that areto be investigated. Both users triggered an alert for thesame sport event and bet type. The plot shows that theyfailed to place a bet because the system recognized themas officials. It is further visible that the sequence of ac-tions of both users strongly correlates. The bet placingfailed for both users nearly concurrently. Mapping theevent attribute bet type to color reveals that both usersexclusively place bets of type free throws.
The graphical rendering of events together with the den-sity of coded information allows security analysts a fastreconstruction of recent incidents. In addition, the twouser profiles can directly be compared: Concurrent ac-cumulations of bets or similar behavioral patterns be-come visible and may expose networks of fraudulentactors. The efficiency of the event-tunnel visualizationin comparison to a text-based output of the sequence ofuser events results from the ability to display multidi-mensional information in one view: While a text-basedlist of events provides one degree of freedom (the se-quential order), the event-tunnel visualization provides atime-based display, two size dimensions (sphere diam-eter and outer-ring diameter) and several color dimen-sions. The advantage over a text-based view becomesmore obvious in the analysis of multiple account pro-files: The exact temporal order of all users’ events is re-flected in the visualization and temporal coherences areimmediately visible.
6.1.2 Discovering Anomalies in Betting Behavior
Data tracing activities focus on a very specific businessentity, e.g., a user, and track the events related to thisentity. A more general approach is to start at a highergranularity level and drill down to more detailed datafor discovering different types of anomalies. The pre-vious example showed bet placing failures in the pro-file of two users. The bet type in the example was freethrows. Having this information available, the analystcan broaden the search scope to all recent bets of thetype free throws in a certain market. Figure 8b shows
10 6 APPLICATIONS AND RESULTS
Figure 8: Example of a step-wise investigation of online-betting data. Account histories of two users (a), bet amountdistribution for a selected sport event (b), suspicious occurrences at a certain point in time (c), a putter-on accountprofile (d), cluster of high-stake bets with abnormal outlier (e).
a plot of bet events with the sector placement policy.The bets scatter around the tunnel according to the betamount. The bet placing failure events detected in theprevious step appear in the bulk of average bet amounts.The plot exposes one salient outlier temporally relatedto the detected bet placing failure events. For the furtheranalysis steps, this data point presents a valuable link toconspicuous data. In figure 8c the account history eventsof the user who placed this bet are plotted in relation tothe already detected suspicious account profiles. Fromthe color and size mapping the analyst can concludethat the third user successfully placed a high stake betequivalent to the bet that failed for the two other users.One possible interpretation could be that user three isa so-called ”putter-on” who placed bets for people thatare prohibited to bet, i.e., officials and players. This hy-pothesis is supported by the account profile of user threeplotted in figure 8d. The marked areas represent a recur-ring sequence of bet placing, bet won and immediatecash-out. This sequence characterizes the putter-on pat-tern. One strength of the event-tunnel analysis methodbecomes visible in the example: A single visual clue in
a plot can immediately be exploited to navigate to for-merly unconsidered data. We experienced that in prac-tice such navigation chains can be followed by analystsover more than 10 steps before performing a completelynew query. For example could step 8(d) lead to a fur-ther broadening of the search scope to investigate if thehigh-stake bet of user three should have been prohibitedby the system. Figure 8e plots recent high-stake bets ina cluster. The plot shows that one bet is an outlier andtherefore abnormal. This could be a data error or a fail-ure of the event-processing system.The above example demonstrated that anomaly discov-ery is currently supported by the event-tunnel analysis-framework in the sense of checking and exploring inter-esting or exceptional situations. When discovering out-liers, a user can continuously detect anchor points inthe navigation chain. One major advantage over clas-sical methods like histograms or scatter plots is that thelevel of abstraction in the output does not have to bechanged. In a cluster, the scattered data points are stillsingle events embedded in their context. The techniquesfor size mapping and color coding can be applied in
6.2 Real-Time Logistics and Resource Planning 11
the same way as with other placement techniques. Onetrade-off is the difficulty of labeling. In comparison to adiagram, reading the exact data values from the visual-ization is hardly possible. We tried to alleviate this prob-lem by showing tool tips with event data informationand metrics to the user when hovering with the mouseover an event.
6.2 Real-Time Logistics and ResourcePlanning
Transportation and logistics service providers are find-ing themselves confronted with increasing cost pres-sures. Many organizations have already introducedlarge-scale IT systems to increase the efficiency in lo-gistics management. The goal is to improve and shortensupply chains to provide just-in-time deliveries.
In the area of analysis and visualization approaches inthe supply chain domain, two types of systems are rel-evant to logistics applications: Geographical trackingsystems like popular parcel trackers and business intel-ligence tools that are able to extract and analyze key fig-ures on the organization’s performance. A combinationof these techniques covers the current scope of logisticsmanagement systems. But with the integration of mar-ket and production planning into one homogeneous sys-tem, supply-chain tracking exceeds the potential of cur-rent visualizations when the analyst is concerned withan in-depth analysis of causal and temporal dependen-cies of incidents. In an event-driven approach, all therequired information from the production systems overthe transport chain to the market is incorporated and uni-fied in the captured events. In the following, we presenttypical analysis tasks that can be accomplished with theevent-tunnel analysis-framework. The results are basedon long-term tests of an event-driven logistics applica-tion with simulated data.
6.2.1 Supply-Chain Tracing
Questions like: ”What delayed the delivery of order12345?”, ”Why are the transports of carrier A slowerthan those of carrier B” or ”Why is the current de-mand in Madrid not covered and the stock level con-tinuously increases?” arise regularly in the daily busi-ness of logistics managers. All these questions containa valuable clue, an order ID, a carrier name or a loca-tion, that allows querying the event space for events re-lated to these entities. An immediate reconstruction ofrelated occurrences is possible. Figure 9a shows a plotof logistics supply chains related to a selected location.
The sequence of occurrences can be interpreted as fol-lows: After a demand is detected (demand event, figure9a.1), available transports are proposed by the system(multiple available transport events, figure 9a.2). Af-ter a transport is chosen, the shipment is created andthe transport starts (transport start event, figure 9a.3).Concurrently, several internal checks are performed, re-flected in a set of simultaneous events (figure 9a.4). Af-ter the transport is completed, a final fulfillment check isperformed (fulfillment checked event, figure 9a.5). Thissequence of activities presents a template of the com-pany’s supply-chain processes. If a process strongly di-verges from this template, an abnormal process execu-tion can be assessed.
Figure 9: Supply chains in an event-driven logistics ap-plication (a); available transports and their decision-relevant parameters (b)
6.2.2 Evaluation of Automated System Regulations
By tracing supply chains, the analyst is able to per-form root cause and cause-effect analyses. Especiallywhen systems automatically carry out decisions madein the planning process (e.g., automated reorganizationof transports, reordering of products for stock level reg-ulation), it is crucial to monitor these decisions and toperform regular checks. Knowing the parameters that in-fluence automatic decision processes, the event-tunnelanalysis-framework helps to evaluate the system be-havior. Figure 9b illustrates this process: As describedabove, transports are automatically scheduled by the
12 REFERENCES
system if a demand notification is received. The sys-tem assesses all available transportation entities (carri-ers) and supply locations in real-time according to thefollowing parameters: current stock level at the supply-ing location, transport costs, transport duration and re-cent carrier reliability. We have configured a relativemapping of these four parameters to sphere colors: Thebest values in the result set map to white, the worst toblack. The six available transport events shown in figure9b do provide varying quality of service (with respect tothe current demand). In this case, the system has cho-sen the transport from London (red location mapping)to fulfill a demand in Madrid. The transport results ina negative fulfillment check (see highlighted fulfillmentchecked event in figure 9a). One interpretation could bethat the system omits decisive parameters. In this case,the spatial proximity of the demand and available trans-port location was not taken into consideration.
7 Conclusion and future work
In this paper, we presented the event-tunnel visualiza-tion, an interactive view into a stream of complex busi-ness events. We demonstrated the integration of theevent tunnel into a complete analysis workspace cou-pled with query mechanisms and various configurationoptions. The possibility to encode multiple data dimen-sions in colors and sizes and to configure placementpolicies enables precise investigations and allows totrack and pinpoint specific occurrences and coherences.We intentionally chose a simple metaphor for our time-centered event visualization, i.e., a cylindrical tunnelwhich we show from a top and a side view. Early userfeedback on the system confirms that this metaphor isunderstood quickly and eases the analysis work. Eventclustering enables the handling of large data sets by pro-viding an in-place drill-down exploration mechanism.It supports the analysis of value distributions amonggroups of correlated events.
We set our focus on data navigation which is reflectedin the evaluation results. The integration with query andfilter mechanisms allows for a continuous oscillation be-tween overview and detail, from detected outliers andvisually depicted conspicuities to event-level traces. Weconsider the presented implementation as a solid ba-sis that will be extended by future projects. For exam-ple, condition-based operations (i.e., coloring, filtering,querying) are limited to absolute matching of event dataattributes. Semantic similarity operations would enrichthe power of these retrieval and highlighting mecha-nisms. The characterization of event-sequence patterns
is one of the strengths of the event-tunnel visualization.Mechanisms to extract data that follow a given visualreference pattern would be a logical extension to the cur-rent query engine.
AcknowledgementsThe authors thank the development team at SENAC-TIVE IT-Dienstleistungs GesmbH for their outstandingsupport throughout the implementation of the analysisframework.
References[1] B. B. Bederson, J. Meyer, and L. Good. Jazz: an
extensible zoomable user interface graphics toolkitin Java. In UIST ’00: Proceedings of the 13th an-nual ACM symposium on User interface softwareand technology, pages 171–180, New York, NY,USA, 2000. ACM Press.
[2] J. V. Carlis and J. A. Konstan. Interactive visual-ization of serial periodic data. In UIST ’98: Pro-ceedings of the 11th annual ACM symposium onUser interface software and technology, pages 29–38, New York, NY, USA, 1998. ACM Press.
[3] T. Fawcett and F. Provost. Adaptive fraud de-tection. Data Mining and Knowledge Discovery,1(3):291–316, 1997.
[4] M. C. Hao, D. A. Keim, U. Dayal, and J. Schnei-dewind. Business process impact visualizationand anomaly detection. Information Visualization,5(1):15–27, 2006.
[5] S. Kapoor, D. L. Gresh, J. Schiefer, P. Chowd-hary, and S. Buckley. Visual analysis fora sense-and-respond enterprise. In IASTEDConf. on Software Engineering, pages 136–141.IASTED/ACTA Press, 2004.
[6] D. C. Luckham. The Power of Events: An In-troduction to Complex Event Processing in Dis-tributed Enterprise Systems. Addison-WesleyLongman Publishing Co., Inc., Boston, MA, USA,2001.
[7] A. S. Maniatis, P. Vassiliadis, S. Skiadopoulos, andY. Vassiliou. Advanced visualization for olap. InDOLAP ’03: Proceedings of the 6th ACM interna-tional workshop on Data warehousing and OLAP,pages 9–16, New York, NY, USA, 2003. ACMPress.
REFERENCES 13
[8] T. M. Nguyen, J. Schiefer, and A. M. Tjoa. Sense& response service architecture (SARESA): an ap-proach towards a real-time business intelligencesolution and its use for a fraud detection applica-tion. In DOLAP ’05: Proceedings of the 8th ACMinternational workshop on Data warehousing andOLAP, pages 77–86, New York, NY, USA, 2005.ACM Press.
[9] S. Rozsnyai, R. Vecera, J. Schiefer, and A. Schat-ten. Event cloud - searching for correlated busi-ness events. To appear in The 4th IEEE Inter-national Conference on Enterprise Computing, E-Commerce, and E-Services, 2007.
[10] E. A. Rundensteiner, M. O. Ward, J. Yang, andP. R. Doshi. XmdvTool: visual interactive data ex-ploration and trend discovery of high-dimensionaldata sets. In SIGMOD ’02: Proceedings of the2002 ACM SIGMOD international conference onManagement of data, pages 631–631, New York,NY, USA, 2002. ACM Press.
[11] M. M. Sebrechts, J. V. Cugini, S. J. Laskowski,J. Vasilakis, and M. S. Miller. Visualization ofsearch results: a comparative evaluation of text,2D, and 3D interfaces. In SIGIR ’99: Proceedingsof the 22nd annual international ACM SIGIR con-ference on Research and development in informa-tion retrieval, pages 3–10, New York, NY, USA,1999. ACM Press.
[12] K. Techapichetvanich and A. Datta. Interactive vi-sualization for olap. In Proceedings of the Interna-tional Conference on Computational Science andits Applications, pages 206–214, 2005.
[13] M. Weber, M. Alexa, and W. Muller. Visualiz-ing time-series on spirals. In INFOVIS ’01: Pro-ceedings of the IEEE Symposium on InformationVisualization 2001, pages 7–14, Washington, DC,USA, 2001. IEEE Computer Society.
[14] K.-P. Yee, D. Fisher, R. Dhamija, and M. Hearst.Animated exploration of dynamic graphs with ra-dial layout. In INFOVIS ’01: Proceedings ofthe IEEE Symposium on Information Visualization2001, pages 43–51, Washington, DC, USA, 2001.IEEE Computer Society.
