To address runtime control-flow anomalies in ERTMS/ETCS Level 2 systems—arising from increased complexity, residual faults, environmental evolution, and emerging cyber threats—this paper proposes an online resilience-enhancement method synergizing process mining and unsupervised learning. The approach automatically infers an accurate, lightweight control-flow model from system execution traces, enabling real-time conformance checking and interpretable anomaly detection with precise component-level localization. Its key innovations include dynamic control-flow modeling, instantaneous deviation identification, and label-free anomaly localization. Evaluated on critical RBC–RBC handover scenarios, the method achieves high detection accuracy, low false-positive rates, and robust adaptability to environmental changes. It significantly improves operational resilience and autonomous response capability of railway signaling systems.

Ensuring the resilience of computer-based railways is increasingly crucial to account for uncertainties and changes due to the growing complexity and criticality of those systems. Although their software relies on strict verification and validation processes following well-established best-practices and certification standards, anomalies can still occur at run-time due to residual faults, system and environmental modifications that were unknown at design-time, or other emergent cyber-threat scenarios. This paper explores run-time control-flow anomaly detection using process mining to enhance the resilience of ERTMS/ETCS L2 (European Rail Traffic Management System / European Train Control System Level 2). Process mining allows learning the actual control flow of the system from its execution traces, thus enabling run-time monitoring through online conformance checking. In addition, anomaly localization is performed through unsupervised machine learning to link relevant deviations to critical system components. We test our approach on a reference ERTMS/ETCS L2 scenario, namely the RBC/RBC Handover, to show its capability to detect and localize anomalies with high accuracy, efficiency, and explainability.