Mining association rules for anomaly detection in dynamic process runtime behavior and explaining the root cause to users
Information Systems (IF 3.7), Pub Date: 2019-09-18, DOI: 10.1016/j.is.2019.101438
Kristof Böhmer, Stefanie Rinderle-Ma

Detecting anomalies in process runtime behavior is crucial: they might reflect, on the one hand, security breaches and fraudulent behavior and, on the other hand, desired deviations due to, for example, exceptional conditions. Both scenarios yield valuable insights for process analysts and owners, but they happen for different reasons and require different treatment. Hence a distinction between malign and benign anomalies is required. Existing anomaly detection approaches typically fall short in supporting experts who need to make this decision. An additional problem is false positives, which could result in selecting incorrect countermeasures. This paper proposes a novel anomaly detection approach based on association rule mining. It fosters the explanation of anomalies and the estimation of their severity. In addition, the approach is able to deal with process change and flexible executions, which potentially lead to false positives. This makes it easier to take the appropriate countermeasure for a malign anomaly and to avoid the possible termination of benign process executions. The feasibility and result quality of the approach are shown by a prototypical implementation and by analyzing real-life logs with injected artificial anomalies. The explanatory power of the presented approach is evaluated through a controlled experiment with users.




Updated: 2019-09-18