Differentially Private Inductive Miner

TL;DR

This paper introduces a differentially private version of the Inductive Miner for process mining, which effectively protects personal data in event traces while maintaining high fidelity in the resulting process models.

Contribution

It presents the first differentially private approximation of the Inductive Miner, enabling privacy-preserving process discovery with minimal utility loss.

Findings

DPIM protects personal data effectively.

DPIM produces process trees similar to the original.

Utility metrics show minimal loss compared to standard Inductive Miner.

Abstract

Protecting personal data about individuals, such as event traces in process mining, is an inherently difficult task since an event trace leaks information about the path in a process model that an individual has triggered. Yet, prior anonymization methods of event traces like k-anonymity or event log sanitization struggled to protect against such leakage, in particular against adversaries with sufficient background knowledge. In this work, we provide a method that tackles the challenge of summarizing sensitive event traces by learning the underlying process tree in a privacy-preserving manner. We prove via the so-called Differential Privacy (DP) property that from the resulting summaries no useful inference can be drawn about any personal data in an event trace. On the technical side, we introduce a differentially private approximation (DPIM) of the Inductive Miner. Experimentally, we compare our DPIM with the Inductive Miner on 14 real-world event traces by evaluating well-known metrics: fitness, precision, simplicity, and generalization. The experiments show that our DPIM not only protects personal data but also generates faithful process trees that exhibit little utility loss above the Inductive Miner.