Threat-driven security testing and proactive DEFense identification for EDGE-cloud systems

WP5 - ML- and CTI-based attack generation

WP5 has a threefold objective: (i) to transform raw data into suitable representations and to address the gap between ML development and operation for security testing; (ii) to improve the detection of anomalies through the convergence of different learning approaches and explainability; (iii) to support security testing by means of ML-based attacks in order to validate defenses and countermeasures.

  • T5.1 Data transformation (M1-M6): Data transformation methods, extraction of metrics and augmentation of conventional security data sources; methods to deal with the issues of ML, from imperfect labeling to feature selection and hyperparameters.
  • T5.2 Anomaly/attack detection (M1-M6): Methods to minimize false positives/negatives, to gain insight into the runtime and to drive the generation of effective attacks for security testing.
  • T5.3 ML-based attack generation (M6-M18): ML-based approaches to generate attack cases for security testing based on CTI, IoC and direct insights from runtime monitors and anomaly detectors; integration of the results of this task within the Threat-Attack-Asset knowledge base.