Method for detection of anomolous operation of a system

What is claimed is: 1 . A computer-implemented method of detecting with a computer system an anomalous user action associated with a physical system, the method comprising: developing, by a computing device a plurality of vectors, each vector of the plurality of vectors indicative of an event that occurred at a specific time within the system; combining, with the computing device each vector that occurred within a predefined time duration into one of a plurality of master vectors; performing, with the computing device a cluster analysis to group each master vector of the plurality of master vectors into one of a plurality of states; determining, with the computing device a real-time master vector based at least in part on one or more events that occur within the predefined time duration; classifying, with the computing device the real-time master vector as a real-time state; indicating that the real-time state is anomalous when the real-time state does not match one of the plurality of states. 2 . The computer-implemented method of claim 1 , wherein each event is one of an operating condition, a status, an alarm condition, network data, and process data. 3 . The computer-implemented method of claim 1 , further comprising converting data associated with an event to a vector using a natural language process. 4 . The computer-implemented method of claim 1 , further comprising using log data from prior system operation to develop the plurality of states. 5 . The computer-implemented method of claim 1 , wherein the predetermined predefined time duration is less than five minutes. 6 . The computer-implemented method of claim 1 , wherein the associated user actions include a probability of transitioning from one state to another state. 7 . The computer-implemented method of claim 1 , further comprising: associating an associated user action with each state of the plurality of states; comparing a real-time user action to the associated user action that is associated with the real-time state; and indicating that an anomalous user action has occurred when the real-time user action does not match the associated user action. 8 . The computer-implemented method of claim 7 , wherein the associated user actions include probabilities of two different specific actions for at least one state. 9 . A computer-implemented method of detecting with an engine control system an anomalous user action associated with an engine, the method comprising: developing, by a computing device a plurality of vectors, each vector of the plurality of vectors indicative of one of an operating condition, a status, an alarm condition, network data, and process data that occurred at a specific time within the engine; combining, with the computing device each vector that occurred within a predefined time duration into one of a plurality of master vectors; performing, with the computing device a cluster analysis to group each master vector of the plurality of master vectors into one of a plurality of states; determining, using the computing device a real-time master vector based at least in part on one or more events that occur within the predefined time duration; classifying, using the computing device the real-time master vector as a real-time state; and indicating that the real-time state is anomalous when the real-time state does not match one of the plurality of states. 10 . The computer-implemented method of claim 9 , wherein the engine is a turbogenerator operable to generate electrical power. 11 . The computer-implemented method of claim 9 , further comprising converting data associated with an event to a vector using a natural language process. 12 . The computer-implemented method of claim 9 , further comprising using log data from prior system operation to develop the plurality of states. 13 . The computer-implemented method of claim 9 , wherein the predetermined predefined time duration is less than one minute. 14 . The computer-implemented method of claim 9 , wherein the associated user actions include probabilities of two different specific actions for at least one state. 15 . The computer-implemented method of claim 9 , wherein the associated user actions include a probability of transitioning from one state to another state. 16 . The computer-implemented method of claim 9 , further comprising: associating an associated user action with each state of the plurality of states; comparing a real-time user action to the associated user action that is associated with the real-time state; and indicating that an anomalous user action has occurred when the real-time user action does not match the associated user action. 17 . A computing apparatus comprising: a processor; and a memory storing instructions that, when executed by the processor, configure the apparatus to: develop a plurality of vectors, each vector of the plurality of vectors indicative of an event that occurred at a specific time within the system; combine each vector that occurred within a predefined time duration into one of a plurality of master vectors; perform a cluster analysis to group each master vector of the plurality of master vectors into one of a plurality of states; associate an associated user action with each state of the plurality of states; determine a real-time master vector based at least in part on one or more events that occur within the predefined time duration; classify the real-time master vector as a real-time state which is selected from the plurality of states; compare a real-time user action to the associated user action that is associated with the real-time state; and indicate that an anomalous user action has occurred when the real-time user action does not match the associated user action. 18 . The computing apparatus of claim 17 , wherein each event is one of an operating condition, a status, an alarm condition, network data, and process data. 19 . The computing apparatus of claim 17 , wherein the instructions further configure the apparatus to convert data associated with an event to a vector using a natural language process. 20 . The computing apparatus of claim 17 , wherein the predetermined predefined time duration is less than thirty seconds. 21 . The computing apparatus of claim 17 , wherein the associated user actions include probabilities of two different specific actions for at least one state. 22 . The computing apparatus of claim 17 , wherein the associated user actions include a probability of transitioning from one state to another state.