Dataset: Behavior of Participants in Hands-on Cybersecurity Training Suitable for Process Mining

This repository contains supplementary materials for the following journal paper: Radek Ošlejšek, Martin Macák, Karolína Dočkalová Burská.Hands-on cybersecurity training behavior data for process mining.In Elsevier Data in Brief. 2023.Available as open-access article on https://doi.org/10.1016/j.dib.2023.109956 Contents Datasets store event logs of trainees participating in hands-on cybersecurity exercises organized in the KYPO Cyber Range. The data includes training scenarios (expected behavior), raw event logs in the JSON format, and aggregated behavioral data suitable for process mining analysis. Data1: A dataset of 52 trainees participating in the Locust 3302 exercise adapted an insider attack scenario. No time restrictions were posed on playtime. The data file is structured as follows: training_definition.json: The exercise content – cybersecurity tasks and hints. The training is based on the Locust 3302 game adapted to an insider attack scenario. training_events: Recorded progress of trainees within the exercise, i.e., the status of completing tasks. command_histories: Recorded commands executed on network hosts. process_mining.csv: Complete PM-ready dataset suitable for process discovery or conformance analysis. process_mining_simplified.csv : Reduced PM-ready dataset with semantically identical events being removed. Data2: A dataset of 48 trainees participating in the original Locust 3302 exercise. Three supervised training sessions were restricted to two hours of playtime. The structure follows the structure of Data1. Tool: A Java application used to aggregate raw JSON data and transform them into a CSV format suitable for process mining techniques. How to cite If you use or build upon the materials, please use the BibTeX entry below to cite the original work. @article{Oslejsek2023dataset,     author = {Radek O\v{s}lej\v{s}ek and Martin Mac\'{a}k and Karol\'{i}na {Do\v{c}kalov\'{a} Bursk\'{a}}},     title = {Hands-on cybersecurity training behavior data for process mining},     journal = {{Data in Brief}}, publisher = {Elsevier}, issn = {2352-3409}, year = {2023}, volume = {52}, doi = {10.1016/j.dib.2023.109956}, url = {https://www.sciencedirect.com/science/article/pii/S2352340923009873} }

本仓库收录了下述期刊论文的补充材料： Radek Ošlejšek、Martin Macák、Karolína Dočkalová Burská. 用于流程挖掘（process mining）的实操网络安全培训行为数据集. 发表于Elsevier旗下《Data in Brief》，2023年。该论文为开源获取文章，访问链接：https://doi.org/10.1016/j.dib.2023.109956 数据集内容 本仓库存储了参与KYPO网络靶场（KYPO Cyber Range）组织的实操网络安全演练的受训者事件日志。数据涵盖训练场景（预期行为）、JSON格式的原始事件日志，以及适用于流程挖掘分析的聚合行为数据。 Data1：包含52名受训者参与适配内网攻击场景的Locust 3302演练的相关数据，本次演练未设置演练时长限制。数据文件结构如下： 1. training_definition.json：演练内容，包含网络安全任务与提示信息。本次训练基于改编为内网攻击场景的Locust 3302游戏开发。 2. training_events：记录受训者在演练中的进展情况，即任务完成状态。 3. command_histories：记录在网络主机上执行的命令历史。 4. process_mining.csv：适用于流程发现或一致性分析的完整流程挖掘就绪数据集。 5. process_mining_simplified.csv：精简版流程挖掘就绪数据集，已移除语义重复的事件。 Data2：包含48名受训者参与原始Locust 3302演练的相关数据。本次演练设置了3次监督式培训环节，且单次演练时长限制为2小时。其文件结构与数据集1一致。 工具说明 工具：一款Java应用程序，用于聚合原始JSON数据并将其转换为适用于流程挖掘技术的CSV格式。 引用指南 若您使用或基于本材料开展二次开发，请使用下述BibTeX条目引用原论文： @article{Oslejsek2023dataset, author = {Radek Ošlejšek and Martin Macák and Karolína {Dočkalová Burská}}, title = {Hands-on cybersecurity training behavior data for process mining}, journal = {{Data in Brief}}, publisher = {Elsevier}, issn = {2352-3409}, year = {2023}, volume = {52}, doi = {10.1016/j.dib.2023.109956}, url = {https://www.sciencedirect.com/science/article/pii/S2352340923009873} }