Proactive detection of cyber-physical grid attacks: A pre-attack phase identification and analysis using anomaly-based machine learning models
Shaharier Kabir, Nasif Hannan, Abu Shufian, Md Saniat Rahman Zishan
Array, Volume 27, Article 100441. DOI: 10.1016/j.array.2025.100441. Published 2025-06-30. https://www.sciencedirect.com/science/article/pii/S2590005625000682
Cyber-physical power systems (CPPS), such as smart grids, are essential to modern infrastructure but are increasingly vulnerable to sophisticated cyber-attacks. Traditional security approaches often detect threats only after damage occurs, underscoring the need for proactive solutions. This research introduces a proactive anomaly detection framework that focuses on identifying pre-attack behaviors—an underexplored area in current literature. We investigate the effectiveness of machine learning models for early detection of cyber-attacks in smart grids, emphasizing the identification of pre-attack phases. Several unsupervised learning algorithms were applied to time series data simulating normal operations and attack scenarios. Models include Isolation Forest, K-Means Clustering, DBSCAN, and One-Class SVM. Among them, Isolation Forest outperformed others, achieving 100 % accuracy, 100 % sensitivity, and an AUC of 1.0. DBSCAN followed with an AUC of 0.79 and 97.3 % accuracy but showed a higher false positive rate. A key contribution of this study is the use of anomaly scores from Isolation Forest to detect subtle deviations before full-scale attacks. A threshold of 0.3 effectively balanced detection and false positives, capturing multiple pre-attack phases. A higher threshold (0.97) reduced false positives but missed early warning signs, indicating that some attacks may begin abruptly. These findings demonstrate the potential of machine learning, particularly Isolation Forest, in enhancing CPPS security by enabling early warnings and minimizing cyber-attack impact. The proposed framework lays the foundation for proactive threat detection strategies in smart grids and other critical infrastructure systems.