AI for Insider Threat Detection

15/07/2026

Researchers from the Information Processing and Telecommunications Center (IPTC) at the Universidad Politécnica de Madrid have developed a new machine learning approach to improve the detection of insider cyber threats—malicious actions carried out by individuals with legitimate access to an organization’s systems.

Unlike traditional methods that analyze user activity over entire days or weeks, the proposed framework examines each user session (from login to logout), enabling the system to identify suspicious behavior much earlier and with greater precision. The researchers transform raw system logs—including login events, emails, file operations, web activity, and USB device usage—into structured feature vectors that can be analyzed using machine learning algorithms.

The study compares twelve supervised and unsupervised machine learning models using the widely adopted CERT benchmark dataset and validates the best-performing model on the more realistic SPEDIA dataset. Among all evaluated techniques, XGBoost achieved the highest detection performance while maintaining excellent generalization across datasets.

This research contributes to the development of more effective and scalable cybersecurity solutions capable of detecting insider threats before significant damage occurs. The proposed methodology is particularly suitable for integration into Security Operations Centers (SOCs) and enterprise monitoring platforms.

This research has potential applications in sectors where protecting sensitive information is essential, including critical infrastructure, public administration, finance, and healthcare. The proposed approach can help organizations identify suspicious user activity, such as unauthorized access to data, information theft, or sabotage at an earlier stage. By improving the speed and accuracy of threat detection, it enables security teams to respond more effectively and strengthen the overall resilience of their digital infrastructures.

Bibliographic reference:

Mateo-Muñoz, A., Larriva-Novo, X., Sánchez-Zas, C., Álvarez-Campana, M. & Villagra, V.A. A session-based insider threat detection approach leveraging the CERT and SPEDIA datasets in Machine Learning with Applications, 25, 100946, 12 pp. https://doi.org/10.1016/j.mlwa.2026.100946

Xavier Larriva Novo: GS / ORCID / LinkedIn

Carmen Sánchez Zas: GS / ORCID / LinkedIn

Manuel Álvarez-Campana: GS / ORCID / LinkedIn

Víctor Abraham Villagrá González: GS / ORCID / LinkedIn


LinkedIn: https://www.linkedin.com/company/iptc-upm/

For more information: www.iptc.upm.es

Share this: