ML models

An ML model is an algorithm based on machine learning methods tasked with analyzing the telemetry of the monitored asset and detecting anomalies.

An ML model is created for a specific monitored asset while taking into account the specifications of the asset and the characteristics of telemetry data. The general structure of the algorithm (architecture) is formed during creation of the ML model. Then the ML model is trained based on historical telemetry data and is thereby adjusted to the behavior of a specific object.

An ML model consists of one or several elements, each of which is an independent ML model. The overall result of the Anomaly Detector service is formed by combining the results of the ML model elements inference. Normally, the more complex the industrial processes of the monitored asset are, the more elements the ML model will contain.

Inference is the process of running telemetry data in an ML model to identify anomalous behavior. In Kaspersky MLAD, ML model inference can be performed on historical data (historical inference) and on telemetry data received in real time (streaming inference). If historical inference is started for multiple ML models, Kaspersky MLAD runs the inference of these ML models in the order of their startup queue. The duration of historical inference is determined by the time interval of the data analyzed by the ML model. If streaming inference is started for multiple ML models, Kaspersky MLAD runs the inference of these ML models simultaneously. Historical inference and streaming inference run in parallel and independently of each other.

During the inference process, the ML model registers incidents that can be viewed in the Incidents section.

ML models can be created by Kaspersky specialists or by a certified integrator as part of the Kaspersky MLAD Model-building and Deployment Service. To use such ML models, you must download them to Kaspersky MLAD. You can also create ML models independently and add the necessary elements to them using the model builder.

An ML model can include the following elements operating in parallel:

• Element based on a neural network
• Element based on a diagnostic rule

In Kaspersky MLAD, a ML model can be assigned one of the following statuses:

• Not activated: the ML model is imported but is not activated.
• Draft: the ML model is activated, or the ML model is created manually and contains untrained neural network elements.
• Trained: all the elements in the ML model are trained. Inference can be run on a trained ML model.
• Ready for publication: the ML model is prepared for publication and cannot be modified.
• Published: the ML model has been published. Inference can be run on a published ML model.

Element of an ML model based on a neural network

The most common type of ML model is a neural network, which predicts the behavior of an object based on data from its behavior in the recent past. This ML model is based on the Forecaster detector.

If the difference between the model prediction and the actual observed values exceeds a certain threshold, the Forecaster detector detects an anomaly in the monitored asset behavior and registers an incident. The cumulative indicator of the difference between the predicted values and the actual values (cumulative prediction error) is referred to as the MSE (mean squared error) in the user interface.

The MSE values graph and the MSE threshold which, when exceeded, causes the Forecaster to detect an incident, are displayed in the Monitoring and History sections under the tag graphs. If an ML model contains multiple elements, you can select a model element to view the MSE values calculated by that element.

Kaspersky MLAD model builder supports the following neural network architectures for elements of an ML model:

• Dense. Element of an ML model with a fully connected architecture. When creating an ML model element, you must specify the multipliers for calculating the number of neurons on inner layers and the activation functions on them.
• TCN. Element of an ML model with a hierarchical time-based convolutional architecture. When creating an ML model element, you must specify the activation function, filter size, extensions on layers, and the number of encoders.
• CNN. Element of an ML model with a convolutional architecture. When creating an ML model element, you must specify the number of convolutional layers, the size and number of filters on layers, and the size of the maximum sampling window (MaxPooling).
• RNN. Element of an ML model with a recurrent architecture. When creating an ML model element, you must specify the number of GRU neurons on layers and the number of time-distributed neurons on the layers of the decoder.
• Transformer. Element of an ML model with a transformer architecture. When creating an element of the ML model, the number of attention heads and the number of transformer encoders are specified.

Element of an ML model based on a diagnostic rule

Diagnostic rules describe previously known behavioral traits of the monitored asset that are considered anomalies. Diagnostic rules must be formalized and calculated based on available telemetry data for the object. Diagnostic rules are based on the Rule Detector.

Diagnostic rules are formulated by subject-area experts and are implemented by Kaspersky experts or a certified integrator as a JSON file in a serialized rule structure format. You can also formulate diagnostic rules on your own using the model builder.

Examples of diagnostic rules:

• The value of tag A does not change over the course of one minute.
• Over the past 12 hours, tag B has trended upward, tag C has trended downward, and tag D has not shown any clear dynamics.
• The value of tag X fell below 2800 after it previously rose higher than 2900.