Machine-learning methods make it possible to recognize patterns in example data and to classify them, for example into a set of permissible values and a set of impermissible values. Rarely occurring borderline cases are difficult to cover with sample data.
As the number of Internet-connected devices in the energy system grows, the system faces a stronger wave of cyberattacks. Using machine learning to automate threat detection and response can potentially identify threats more efficiently than other software-driven approaches. The communication between automation components can be classified into the set of permissible and the set of impermissible values by means of machine-learning procedures. This classification is learnt from labeled data with selected features. The idea is to regularly collect and process network traffic in a standardized way and then apply classification and clustering algorithms to this data to identify existing attack patterns and network anomalies. However, attack detection based on existing attack patterns only applies to attacks that have already occurred. In contrast, anomaly detection is used to detect new types of attacks. One difficulty with anomaly-based attack detection is that system states in boundary areas that are permissible but rarely occur are difficult to learn correctly. This can lead to an increase in the false positive rate. In addition, attacks cannot always be correctly detected (false negatives).
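The following is an added illustration of this two-stage approach and its two failure modes; it is not code from the original text. The feature records (messages per second, mean payload bytes) for automation-component traffic are constructed, and the k-nearest-neighbour classifier and per-feature z-score anomaly model are assumptions chosen for simplicity.

```python
import math
# Constructed labelled training records: (messages/s, mean payload bytes), label.
# label 0 = permissible traffic, 1 = impermissible (a known flood pattern).
TRAIN = [
    ((10.0, 64.0), 0), ((12.0, 60.0), 0), ((11.0, 70.0), 0),
    ((9.0, 66.0), 0), ((13.0, 62.0), 0), ((10.5, 68.0), 0),
    ((400.0, 30.0), 1), ((380.0, 32.0), 1), ((420.0, 28.0), 1),
]
def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def knn_classify(x, k=3):
    """Known-pattern detection: majority label of the k nearest labelled samples."""
    nearest = sorted(TRAIN, key=lambda s: _dist(s[0], x))[:k]
    return 1 if 2 * sum(label for _, label in nearest) > k else 0

def fit_normal(samples):
    """Anomaly model: per-feature mean and standard deviation of permissible traffic."""
    n, dims = len(samples), len(samples[0])
    means = [sum(s[i] for s in samples) / n for i in range(dims)]
    stds = [math.sqrt(sum((s[i] - means[i]) ** 2 for s in samples) / n) or 1e-9 for i in range(dims)]
    return means, stds
NORMAL_MODEL = fit_normal([f for f, label in TRAIN if label == 0])

def anomaly_score(x, model=NORMAL_MODEL):
    """Largest per-feature z-score relative to the permissible-traffic model."""
    means, stds = model
    return max(abs(x[i] - means[i]) / stds[i] for i in range(len(x)))

def detect(x, threshold=3.0):
    """Two stages: match known attack patterns first, then anomaly-check the rest."""
    if knn_classify(x) == 1:
        return "known_attack"
    return "anomaly" if anomaly_score(x) > threshold else "permissible"

# Constructed evaluation cases; True = the record really is an attack.
CASES = [
    ((410.0, 29.0), True),   # replay of the known flood pattern
    ((11.0, 65.0), False),   # ordinary cyclic traffic
    ((60.0, 200.0), False),  # rare but permissible maintenance burst (boundary state)
    ((12.0, 63.0), True),    # new attack that looks normal on these two features
]
def evaluate(cases=CASES):
    """Return (false_positives, false_negatives) of detect() over labelled cases."""
    fp = fn = 0
    for x, is_attack in cases:
        flagged = detect(x) != "permissible"
        fp += int(flagged and not is_attack)
        fn += int(not flagged and is_attack)
    return fp, fn
```

The rare maintenance burst is never seen in training, so the anomaly stage flags it (a false positive), while the new attack sits inside the learnt permissible region on these two features and passes both stages (a false negative).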