{"id":"https://openalex.org/W4416191319","doi":"https://doi.org/10.1016/j.cose.2025.104743","title":"Design and generation of a dataset for training insider threat prevention and detection models: The SPEDIA dataset","display_name":"Design and generation of a dataset for training insider threat prevention and detection models: The SPEDIA dataset","publication_year":2025,"publication_date":"2025-11-13","ids":{"openalex":"https://openalex.org/W4416191319","doi":"https://doi.org/10.1016/j.cose.2025.104743"},"language":"en","primary_location":{"id":"doi:10.1016/j.cose.2025.104743","is_oa":true,"landing_page_url":"https://doi.org/10.1016/j.cose.2025.104743","pdf_url":null,"source":{"id":"https://openalex.org/S12529635","display_name":"Computers & Security","issn_l":"0167-4048","issn":["0167-4048","1872-6208"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320990","host_organization_name":"Elsevier BV","host_organization_lineage":["https://openalex.org/P4310320990"],"host_organization_lineage_names":["Elsevier BV"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Computers &amp; Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://doi.org/10.1016/j.cose.2025.104743","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5119676835","display_name":"David \u00c1lvarez Mu\u00f1iz","orcid":"https://orcid.org/0000-0003-1985-4930"},"institutions":[{"id":"https://openalex.org/I88060688","display_name":"Universidad Polit\u00e9cnica de Madrid","ror":"https://ror.org/03n6nwv02","country_code":"ES","type":"education","lineage":["https://openalex.org/I88060688"]}],"countries":["ES"],"is_corresponding":true,"raw_author_name":"David \u00c1lvarez Mu\u00f1iz","raw_affiliation_strings":["ETSI Telecomunicaci\u00f3n, Universidad Polit\u00e9cnica de Madrid (UPM), Av. Complutense, 30 28040, Madrid, Spain"],"raw_orcid":"https://orcid.org/0000-0003-1985-4930","affiliations":[{"raw_affiliation_string":"ETSI Telecomunicaci\u00f3n, Universidad Polit\u00e9cnica de Madrid (UPM), Av. Complutense, 30 28040, Madrid, Spain","institution_ids":["https://openalex.org/I88060688"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5092632782","display_name":"Lu\u00eds Miguel","orcid":"https://orcid.org/0000-0002-8216-8039"},"institutions":[{"id":"https://openalex.org/I88060688","display_name":"Universidad Polit\u00e9cnica de Madrid","ror":"https://ror.org/03n6nwv02","country_code":"ES","type":"education","lineage":["https://openalex.org/I88060688"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"Luis Perez Miguel","raw_affiliation_strings":["ETSI Telecomunicaci\u00f3n, Universidad Polit\u00e9cnica de Madrid (UPM), Av. Complutense, 30 28040, Madrid, Spain"],"raw_orcid":"https://orcid.org/0000-0002-8216-8039","affiliations":[{"raw_affiliation_string":"ETSI Telecomunicaci\u00f3n, Universidad Polit\u00e9cnica de Madrid (UPM), Av. Complutense, 30 28040, Madrid, Spain","institution_ids":["https://openalex.org/I88060688"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5102393861","display_name":"Miguel","orcid":"https://orcid.org/0000-0003-4575-698X"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Miguel","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":null,"display_name":"Alberto Mateo Mu\u00f1oz","orcid":null},"institutions":[{"id":"https://openalex.org/I88060688","display_name":"Universidad Polit\u00e9cnica de Madrid","ror":"https://ror.org/03n6nwv02","country_code":"ES","type":"education","lineage":["https://openalex.org/I88060688"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"Alberto Mateo Mu\u00f1oz","raw_affiliation_strings":["ETSI Telecomunicaci\u00f3n, Universidad Polit\u00e9cnica de Madrid (UPM), Av. Complutense, 30 28040, Madrid, Spain"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"ETSI Telecomunicaci\u00f3n, Universidad Polit\u00e9cnica de Madrid (UPM), Av. Complutense, 30 28040, Madrid, Spain","institution_ids":["https://openalex.org/I88060688"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5081908281","display_name":"Xavier Larriva-Novo","orcid":"https://orcid.org/0000-0001-5335-5698"},"institutions":[{"id":"https://openalex.org/I88060688","display_name":"Universidad Polit\u00e9cnica de Madrid","ror":"https://ror.org/03n6nwv02","country_code":"ES","type":"education","lineage":["https://openalex.org/I88060688"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"Xavier Larriva-Novo","raw_affiliation_strings":["ETSI Telecomunicaci\u00f3n, Universidad Polit\u00e9cnica de Madrid (UPM), Av. Complutense, 30 28040, Madrid, Spain"],"raw_orcid":"https://orcid.org/0000-0001-5335-5698","affiliations":[{"raw_affiliation_string":"ETSI Telecomunicaci\u00f3n, Universidad Polit\u00e9cnica de Madrid (UPM), Av. Complutense, 30 28040, Madrid, Spain","institution_ids":["https://openalex.org/I88060688"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5069287431","display_name":"Manuel \u00c1lvarez-Campana","orcid":"https://orcid.org/0000-0003-2747-9798"},"institutions":[{"id":"https://openalex.org/I88060688","display_name":"Universidad Polit\u00e9cnica de Madrid","ror":"https://ror.org/03n6nwv02","country_code":"ES","type":"education","lineage":["https://openalex.org/I88060688"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"Manuel Alvarez-Campana","raw_affiliation_strings":["ETSI Telecomunicaci\u00f3n, Universidad Polit\u00e9cnica de Madrid (UPM), Av. Complutense, 30 28040, Madrid, Spain"],"raw_orcid":"https://orcid.org/0000-0003-2747-9798","affiliations":[{"raw_affiliation_string":"ETSI Telecomunicaci\u00f3n, Universidad Polit\u00e9cnica de Madrid (UPM), Av. Complutense, 30 28040, Madrid, Spain","institution_ids":["https://openalex.org/I88060688"]}]},{"author_position":"last","author":{"id":null,"display_name":"Diego Rivera","orcid":"https://orcid.org/0000-0002-7076-9048"},"institutions":[{"id":"https://openalex.org/I88060688","display_name":"Universidad Polit\u00e9cnica de Madrid","ror":"https://ror.org/03n6nwv02","country_code":"ES","type":"education","lineage":["https://openalex.org/I88060688"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"Diego Rivera","raw_affiliation_strings":["ETSI Telecomunicaci\u00f3n, Universidad Polit\u00e9cnica de Madrid (UPM), Av. Complutense, 30 28040, Madrid, Spain"],"raw_orcid":"https://orcid.org/0000-0002-7076-9048","affiliations":[{"raw_affiliation_string":"ETSI Telecomunicaci\u00f3n, Universidad Polit\u00e9cnica de Madrid (UPM), Av. Complutense, 30 28040, Madrid, Spain","institution_ids":["https://openalex.org/I88060688"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":7,"corresponding_author_ids":["https://openalex.org/A5119676835"],"corresponding_institution_ids":["https://openalex.org/I88060688"],"apc_list":{"value":3190,"currency":"USD","value_usd":3190},"apc_paid":{"value":3190,"currency":"USD","value_usd":3190},"fwci":2.9051,"has_fulltext":false,"cited_by_count":1,"citation_normalized_percentile":{"value":0.93697548,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":96,"max":98},"biblio":{"volume":"161","issue":null,"first_page":"104743","last_page":"104743"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.6078000068664551,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.6078000068664551,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.20980000495910645,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12519","display_name":"Cybercrime and Law Enforcement Studies","score":0.032999999821186066,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/insider-threat","display_name":"Insider threat","score":0.9681000113487244},{"id":"https://openalex.org/keywords/insider","display_name":"Insider","score":0.8201000094413757},{"id":"https://openalex.org/keywords/class","display_name":"Class (philosophy)","score":0.36239999532699585},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.33180001378059387},{"id":"https://openalex.org/keywords/network-security","display_name":"Network security","score":0.31189998984336853},{"id":"https://openalex.org/keywords/work","display_name":"Work (physics)","score":0.3000999987125397},{"id":"https://openalex.org/keywords/service","display_name":"Service (business)","score":0.2750000059604645}],"concepts":[{"id":"https://openalex.org/C2776633304","wikidata":"https://www.wikidata.org/wiki/Q6038026","display_name":"Insider threat","level":3,"score":0.9681000113487244},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8679999709129333},{"id":"https://openalex.org/C2778971194","wikidata":"https://www.wikidata.org/wiki/Q1664551","display_name":"Insider","level":2,"score":0.8201000094413757},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.531499981880188},{"id":"https://openalex.org/C2777212361","wikidata":"https://www.wikidata.org/wiki/Q5127848","display_name":"Class (philosophy)","level":2,"score":0.36239999532699585},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.3416999876499176},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.33180001378059387},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.32659998536109924},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.31470000743865967},{"id":"https://openalex.org/C182590292","wikidata":"https://www.wikidata.org/wiki/Q989632","display_name":"Network security","level":2,"score":0.31189998984336853},{"id":"https://openalex.org/C18762648","wikidata":"https://www.wikidata.org/wiki/Q42213","display_name":"Work (physics)","level":2,"score":0.3000999987125397},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.28450000286102295},{"id":"https://openalex.org/C2780378061","wikidata":"https://www.wikidata.org/wiki/Q25351891","display_name":"Service (business)","level":2,"score":0.2750000059604645},{"id":"https://openalex.org/C51632099","wikidata":"https://www.wikidata.org/wiki/Q3985153","display_name":"Training set","level":2,"score":0.2727000117301941},{"id":"https://openalex.org/C16910744","wikidata":"https://www.wikidata.org/wiki/Q7705759","display_name":"Test data","level":2,"score":0.2720000147819519},{"id":"https://openalex.org/C67186912","wikidata":"https://www.wikidata.org/wiki/Q367664","display_name":"Data modeling","level":2,"score":0.2669999897480011},{"id":"https://openalex.org/C136389625","wikidata":"https://www.wikidata.org/wiki/Q334384","display_name":"Supervised learning","level":3,"score":0.26190000772476196},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.257099986076355},{"id":"https://openalex.org/C2777211547","wikidata":"https://www.wikidata.org/wiki/Q17141490","display_name":"Training (meteorology)","level":2,"score":0.2508000135421753}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1016/j.cose.2025.104743","is_oa":true,"landing_page_url":"https://doi.org/10.1016/j.cose.2025.104743","pdf_url":null,"source":{"id":"https://openalex.org/S12529635","display_name":"Computers & Security","issn_l":"0167-4048","issn":["0167-4048","1872-6208"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320990","host_organization_name":"Elsevier BV","host_organization_lineage":["https://openalex.org/P4310320990"],"host_organization_lineage_names":["Elsevier BV"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Computers &amp; Security","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.1016/j.cose.2025.104743","is_oa":true,"landing_page_url":"https://doi.org/10.1016/j.cose.2025.104743","pdf_url":null,"source":{"id":"https://openalex.org/S12529635","display_name":"Computers & Security","issn_l":"0167-4048","issn":["0167-4048","1872-6208"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320990","host_organization_name":"Elsevier BV","host_organization_lineage":["https://openalex.org/P4310320990"],"host_organization_lineage_names":["Elsevier BV"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Computers &amp; Security","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G6464336390","display_name":null,"funder_award_id":"PE_123/23","funder_id":"https://openalex.org/F4320327970","funder_display_name":"Instituto Nacional de Ciberseguridad"}],"funders":[{"id":"https://openalex.org/F4320320300","display_name":"European Commission","ror":"https://ror.org/00k4n6c32"},{"id":"https://openalex.org/F4320322138","display_name":"Universidad Polit\u00e9cnica de Madrid","ror":"https://ror.org/03n6nwv02"},{"id":"https://openalex.org/F4320327970","display_name":"Instituto Nacional de Ciberseguridad","ror":null}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":21,"referenced_works":["https://openalex.org/W2025519999","https://openalex.org/W2043690777","https://openalex.org/W2901922477","https://openalex.org/W2976051608","https://openalex.org/W3045880080","https://openalex.org/W3130625521","https://openalex.org/W3153493802","https://openalex.org/W3202733154","https://openalex.org/W3216334198","https://openalex.org/W4246793006","https://openalex.org/W4288083473","https://openalex.org/W4313245390","https://openalex.org/W4385819961","https://openalex.org/W4390343272","https://openalex.org/W4390871511","https://openalex.org/W4391285268","https://openalex.org/W4392151675","https://openalex.org/W4392405523","https://openalex.org/W4401887212","https://openalex.org/W4410842987","https://openalex.org/W4411460686"],"related_works":[],"abstract_inverted_index":{"\u2022":[0,14,29,41,54],"Hybrid":[1],"methodology":[2,106],"for":[3,25,57,80,86,107,169,219,229],"insider":[4,58,74,111,171,238],"threat":[5,59,112,239],"dataset":[6,174],"generation":[7,109],"combining":[8],"real,":[9],"simulated,":[10],"and":[11,34,51,63,67,140,163,190,200,213,242],"synthetic":[12,142],"data.":[13,53],"Realistic":[15],"cyber":[16,129],"exercise":[17],"scenario":[18],"aligned":[19],"with":[20,193],"the":[21,108,115,146,155,161,235,243],"MITRE":[22,197],"ATT&CK":[23,198],"framework":[24,228],"dynamic":[26],"attack":[27],"simulation.":[28],"Balanced":[30],"distribution":[31,210],"of":[32,73,110,117,165,179,211,237,245],"malicious":[33,212],"non-malicious":[35,214],"events":[36],"to":[37,159,196,234],"facilitate":[38],"supervised":[39,220],"learning.":[40,221],"Rich":[42],"event-level":[43,177],"logging":[44],"including":[45],"commands,":[46],"file":[47,184],"actions,":[48],"network":[49,191],"activity,":[50,181],"email":[52],"Enhanced":[55],"support":[56,160],"detection":[60,88,240],"model":[61],"training":[62,87],"validation":[64],"in":[65],"academic":[66],"research":[68,241],"settings.":[69],"The":[70,152,173],"increasing":[71],"complexity":[72],"threats":[75],"poses":[76],"a":[77,104,127,207,226],"critical":[78],"challenge":[79],"modern":[81],"cybersecurity.":[82],"Existing":[83],"datasets":[84,113],"used":[85],"systems":[89],"often":[90],"lack":[91],"realism,":[92],"suffer":[93],"from":[94,145],"severe":[95],"class":[96],"imbalance,":[97],"or":[98],"are":[99],"outdated.":[100],"This":[101,222],"paper":[102],"presents":[103],"novel":[105],"through":[114],"integration":[116],"three":[118],"data":[119,143],"sources:":[120],"(1)":[121],"real":[122],"user":[123,133,180],"behavior":[124],"collected":[125],"during":[126],"controlled":[128],"exercise,":[130],"(2)":[131],"simulated":[132],"activity":[134],"modeled":[135],"on":[136],"realistic":[137],"work":[138,223],"roles,":[139],"(3)":[141],"derived":[144],"CERT":[147],"Insider":[148],"Threat":[149],"Test":[150],"dataset.":[151],"result":[153],"is":[154],"SPEDIA":[156,205],"dataset,":[157],"designed":[158],"development":[162,244],"evaluation":[164],"machine":[166],"learning":[167],"models":[168],"detecting":[170],"threats.":[172],"includes":[175],"detailed":[176],"logs":[178],"such":[182],"as":[183],"manipulation,":[185],"command":[186],"execution,":[187],"service":[188],"usage,":[189],"behavior,":[192],"annotations":[194],"mapped":[195],"tactics":[199],"techniques.":[201],"Unlike":[202],"previous":[203],"datasets,":[204,232],"achieves":[206],"more":[208],"balanced":[209],"events,":[215],"enhancing":[216],"its":[217],"suitability":[218],"also":[224],"provides":[225],"replicable":[227],"generating":[230],"similar":[231],"contributing":[233],"advancement":[236],"robust,":[246],"real-world":[247],"mitigation":[248],"strategies.":[249]},"counts_by_year":[{"year":2026,"cited_by_count":1}],"updated_date":"2026-01-20T17:24:06.736184","created_date":"2025-11-13T00:00:00"}