Kaspersky Machine Learning for Anomaly Detection

Managing ML models

This section provides instructions on working with ML models, ML model templates and markups.

ML models, templates of ML models and markups are functional elements of the monitored asset hierarchical structure. The hierarchical structure is displayed as an asset tree.

In Kaspersky MLAD, ML models can be imported, created manually, copied, or created based on a template. After adding and training an ML model in Kaspersky MLAD, you can publish it. You can also run a historical or stream inference for the trained or published ML model, and view the data flow graph in the ML model.

In the Models section, you can create markups for generating learning indicators or inference indicators. If necessary, you can edit or delete markups.

In this section

Scenario: working with ML models

Working with markups

Working with imported ML models

Working with manually created ML models

Cloning an ML model

Working with ML model templates

Changing the parameters of an ML model

Training a neural network element of an ML model

Viewing the training results of an ML model element

Preparing an ML model for publication

Publishing an ML model

Starting and stopping ML model inference

Viewing the data flow graph of an ML model

Removing an ML model


Scenario: working with ML models

This section describes the sequence of actions required to work with ML models.

The scenario for working with ML models consists of the following steps:

  1. Adding an ML model

    You can add an ML model to Kaspersky MLAD in one of the following ways:

  2. Adding markups

    If you need to define specific time intervals for the data that an ML model can use for training or inference, create markups. To generate an inference indicator, specify the created markup in the settings of the corresponding ML model.

  3. Training ML model elements

    The ML model needs to be trained before you can run inference on it. To do this, all neural network elements within the ML model need to be pretrained. ML model elements based on diagnostic rules are considered to be already trained.

    An ML model uploaded to Kaspersky MLAD has been previously trained by Kaspersky Lab experts or a certified integrator. ML models that are created from a template of an imported ML model or by cloning an imported ML model are also considered to be already trained. If necessary, you can change their training parameters and retrain the neural network elements.

    To generate a learning indicator, specify the created markup in the learning parameters of the neural network element.

  4. Preparing an ML model for publication

    After its training is finished, prepare the ML model for publication. An ML model ready for publishing cannot be modified.

  5. Publishing an ML model

    After preparing the ML model for publication, notify the officer responsible for publishing the ML model that the ML model is ready, or publish the ML model if you have the required permissions. If necessary, the system administrator can create a role that has the right to publish ML models and assign this role to the relevant employee.

  6. Starting ML model inference

    Start inference of the ML model. During the inference process, the ML model analyzes telemetry data and registers incidents.

    ML model inference can be run on a published ML model as well as on a trained ML model.


Working with markups

This section provides information on working with markups.

In the Models section, you can create, modify, and delete markups. If required, you can view the graph to see the data time intervals that the ML model will use for training and/or inference.

Markups are used as training or inference indicators to point to data time intervals that the ML model can use for training or inference. To generate an inference indicator, you can select previously created markups when creating or modifying ML model settings. To generate a learning indicator, you can select previously created markups when configuring the training settings of neural network elements of the ML model.

In this section

Creating markup

Viewing the markup chart

Modifying the markup

Removing markup


Creating markup

You can use markup to generate learning indicators or inference indicators for the ML model.

To create markup:

  1. In the main menu, select the Models section.
  2. In the asset tree, next to the name of the asset for which you want to create a markup, open the vertical menu and select Create markup.

    A list of options appears on the right.

  3. Specify the name of the markup in the Name field.
  4. Enter a description for the markup in the Description field.
  5. In the Grid step (sec) field, specify a UTG period for markup in seconds expressed as a decimal.
  6. In the Markup color field, select a color that will be used to highlight data intervals selected by the markup.
  7. If necessary, use the toggle switch to turn on the Treat inconclusive result as positive option.

    If Kaspersky MLAD cannot unequivocally evaluate the fulfillment of criteria specified in the Time filter and Tag conditions settings blocks, for example, due to the absence of observations for tags, the application will consider specified criteria to be fulfilled when this option is enabled.

  8. In the Time filter settings block, do the following:
    1. Click the Add interval button.
    2. In the Interval type drop-down list, select one of the following time interval types:
      • Fixed. If you select this type of interval, specify the days of the week and the time interval during which the input data must be validated according to the specified criteria.

        You can specify only the beginning or the end of a single interval.

      • Recurrent. If you select this type of interval, specify the years, dates, days of the week, and daily time interval for periodically validating input data according to the specified criteria.

    You can add one or more time intervals.

  9. To add tag behavior criteria, do the following:
    1. In the Tag conditions settings block, click the Condition button.

    2. In the Tag drop-down list, select the tag for which to add a tag behavior criterion.

      If you want to exclude the selected criterion from the condition block that you are adding, click NOT to the left of the selected tag. The NOT caption in the button will be highlighted in bold.

      For example, click NOT to add a condition that contains no steps with the specified settings.

    3. In the Behavior drop-down list, select one of the following tag behaviors that must be tracked:
      • Over: the tag value exceeds the specified threshold.
      • Below: the tag value falls below the specified threshold.
      • Rising: the trendline of tag values is increasing.
      • Falling: the trendline of tag values is decreasing.
      • Level: there are no pronounced changes in the trendline of tag values.
      • Step change: the trendline of the selected tag is displaying abrupt upward or downward shifts.
      • Flat: the selected tag is transmitting the same value.
      • Spread: abrupt changes in the spread of values are being observed around the trendline of the selected tag.
    4. In the Window field, specify an interval for analyzing the behavior of tags in the UTG steps.
    5. Depending on the value selected for Behavior, do one of the following:
      • If you selected Over or Below, use the Threshold field to specify the tag threshold value, and specify the minimum number of times the threshold value can be breached in a separate window in the Minimum violations field.
      • If you selected Rising, Falling, or Level, use the Threshold slope field to specify the trend slope percentage value that must be exceeded for the trend to be considered as growing or falling, and specify the time interval between adjacent trend estimates in the Evaluation period field.

        By default, the Threshold slope setting is not defined. If the setting is not defined, Kaspersky MLAD will determine the trend direction automatically.

        By default, the Evaluation period setting has a value of 1. With this value, the trend is estimated at each UTG node.

      • If you selected Step change, use the Minimum change field to specify the minimum shift value for the tag trendline, and select one of the following tag value change directions from the Direction drop-down list: Any, Up or Down.

        By default, the Minimum change setting is not defined. If the setting is not defined, Kaspersky MLAD will determine it automatically.

      • If you selected Flat, use the Value field to specify the value that the tag should transmit, and specify the maximum tag value spread in the Spread field.

        By default, the Value setting is not defined. If the setting is not defined, any repeating tag value triggers the criterion.

      • If you selected Spread, use the Minimum change field to specify the minimum value by which the tag value spread around the trendline can change, and select one of the following spread change directions in the Direction drop-down list: Any, Flare, or Shrink.

        By default, the Minimum change setting is not defined. If the setting is not defined, Kaspersky MLAD will determine it automatically.

        The tag behavior criterion is met when the tag spread around the trendline increases and/or decreases.

    6. To add a tag behavior criterion to a condition block, click the plus sign at the bottom of the condition block and repeat sub-steps 2 through 5 of step 9.
    7. If the block contains more than one tag behavior criterion, select one of the following logical operators between the criterion rows:
      • AND if you need to track both criteria in the markup.
      • OR if you need to track one of the defined criteria in the markup.

  10. If you need to check whether the fulfillment of a pre-condition triggered the fulfillment of a post-condition, do the following:
    1. Add one of the following temporal operators:
      • Wait if you need to generate the result of the criteria check in the last node of the maximum waiting interval.
      • If ahead if you need to generate the result of the criteria check at the time of a pre-condition check.

      The Wait and If ahead buttons are available after adding at least one condition.

      A precondition is a block of conditions preceding the temporal operator. A postcondition is a block of conditions following a temporal operator.

      The precondition block is checked in the current UTG node.

      Markup with an If ahead temporal operator can be used in learning indicators only.

    2. In the Recess (steps) field, specify the following time intervals:
      • from: the interval between the current UTG node and the first future UTG node, in which the post-condition block is checked (minimum waiting interval).
      • to: the interval between the current UTG node and the last future UTG node, in which the post-condition block is checked (maximum waiting interval).

      The post-condition block is checked in the UTG nodes between the minimum and maximum waiting intervals.

    3. In the Check drop-down list, select one of the following group operators:
      • To check the fulfillment of tag behavior criteria from the post-conditions block in all UTG nodes between the minimum and maximum waiting intervals, select the All steps group operator.
      • To check the fulfillment of tag behavior criteria from the post-conditions block in at least one UTG node between the minimum and maximum waiting intervals, select the Any step group operator.

      If the Wait temporal operator is added, the criteria check result is determined in the last node of the maximum waiting interval. If the check of the precondition block in the current UTG node gave a negative result (FALSE) or an undefined result (UNDEFINED), the same value will be the result of the check of the post-condition block. If the check of the precondition block in the current UTG node gave a positive result (TRUE), then the check of the post-condition block is performed in each UTG node between the minimum and maximum waiting interval. The result of the check is determined by the fulfillment of the condition depending on the selected group operator: All steps or Any step. If more than one condition check is performed using the Wait temporal operator, the result of the previous temporal condition check is the precondition for each subsequent check of the Wait temporal condition.

      If the If ahead temporal operator is added, the criteria check result is generated at the time of the precondition check.

  11. Select one of the following logical operators between markup blocks:
    • AND if you need to track the tag behavior criteria in both blocks of conditions.
    • OR if you need to track the tag behavior criteria in only one of the blocks of conditions.
  12. In the upper-right corner of the window, click the Save button.

The new markup will be displayed in the Markups group of the asset tree. The Markups group is created automatically and displayed as part of the selected section of the asset tree.


Viewing the markup chart

After creating markup, you can view data time intervals selected by the markup on the graph.

To view the markup chart:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the markup whose chart you want to view.

    A list of options appears on the right.

  3. Click the On graph button.

    A panel with the markup chart appears on the right.

  4. Select the relevant preset from the Preset drop-down list.
  5. If necessary, in the Markups field, select the markups for displaying data intervals.
  6. If you need to select a date and time for displaying the data, do one of the following:
    • In the Graph center field, select the date and time for which you want to display data in the chart.

      The vertical black dotted line will indicate the selected date and time (in the center of the chart).

    • Click the New graph center icon, which is located to the left of the time axis, and select the necessary point on the time axis.

      The selected point will become the new center of the graph. The vertical black dashed line will indicate the new date and time.

  7. If you need to select a time interval for displaying data on the chart, do one of the following:
    • If you need to display data for a fixed time interval, select the relevant time interval from the Scale drop-down list. The following time intervals are available by default:
      • 1, 5, 10, 15, and 30 minutes
      • 1, 3, 6, and 12 hours
      • 1, 2, 15, and 30 days
      • 3 and 6 months
      • 1, 2, and 3 years

      If necessary, the system administrator can create, edit, or delete time intervals.

    • To display data for a custom time interval, click the New interval icon to the left of the time axis, select the required interval on the time axis, and click the Apply button. If you need to change the scale again, repeat this step.

The chart will show the data intervals in the colors specified for the selected markups.


Modifying the markup

You can edit the markup settings.

To edit markup:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the markup that you want to edit.

    A list of options appears on the right.

  3. Click the Edit button.
  4. In the Name field, specify a new name for the markup.
  5. Enter a new description for the markup in the Description field.
  6. In the Grid step (sec) field, specify a UTG period for markup in seconds expressed as a decimal.
  7. In the Markup color field, select a color that will be used to highlight data intervals selected by the markup.
  8. If necessary, use the toggle switch to turn on the Treat inconclusive result as positive option.

    If Kaspersky MLAD cannot unequivocally evaluate the fulfillment of criteria specified in the Time filter and Tag conditions settings blocks, for example, due to the absence of observations for tags, the application will consider specified criteria to be fulfilled when this option is enabled.

  9. If you want to edit the markup time intervals in the Time filter settings block, do the following:
    1. In the Interval type drop-down list, select one of the following time interval types:
      • Fixed. If you select this type of interval, specify the days of the week and the time interval during which the input data must be validated according to the specified criteria.

        You can specify only the beginning or the end of a single interval.

      • Recurrent. If you select this type of interval, specify the years, dates, days of the week, and daily time interval for periodically validating input data according to the specified criteria.
    2. If you want to add an interval, click the Add interval button and complete sub-step 1 of step 9.
    3. If you want to delete an interval, move the mouse cursor over the row with the required interval and click the Delete interval icon.

    You can add one or more time intervals.

  10. To edit a tag behavior condition, do the following:
    1. In the Tag drop-down list, select the tag for which to add a tag behavior criterion.

      If you want to exclude the selected criterion from the condition block that you are adding, click NOT to the left of the selected tag. The NOT caption in the button will be highlighted in bold.

      For example, click NOT to add a condition that contains no steps with the specified settings.

    2. In the Behavior drop-down list, select one of the following tag behaviors that must be tracked:
      • Over: the tag value exceeds the specified threshold.
      • Below: the tag value falls below the specified threshold.
      • Rising: the trendline of tag values is increasing.
      • Falling: the trendline of tag values is decreasing.
      • Level: there are no pronounced changes in the trendline of tag values.
      • Step change: the trendline of the selected tag is displaying abrupt upward or downward shifts.
      • Flat: the selected tag is transmitting the same value.
      • Spread: abrupt changes in the spread of values are being observed around the trendline of the selected tag.
    3. In the Window field, specify the number of UTG steps.
    4. Depending on the value selected for Behavior, do one of the following:
      • If you selected Over or Below, use the Threshold field to specify the tag threshold value, and specify the minimum number of times the threshold value can be breached in a separate window in the Minimum violations field.
      • If you selected Rising, Falling, or Level, use the Threshold slope field to specify the trend slope percentage value that must be exceeded for the trend to be considered as growing or falling, and specify the time interval between adjacent trend estimates in the Evaluation period field.

        By default, the Threshold slope setting is not defined. If the setting is not defined, Kaspersky MLAD will determine the trend direction automatically.

        By default, the Evaluation period setting has a value of 1. With this value, the trend is estimated at each UTG node.

      • If you selected Step change, use the Minimum change field to specify the minimum shift value for the tag trendline, and select one of the following tag value change directions from the Direction drop-down list: Any, Up or Down.

        By default, the Minimum change setting is not defined. If the setting is not defined, Kaspersky MLAD will determine it automatically.

      • If you selected Flat, use the Value field to specify the value that the tag should transmit, and specify the maximum tag value spread in the Spread field.

        By default, the Value setting is not defined. If the setting is not defined, any repeating tag value triggers the criterion.

      • If you selected Spread, use the Minimum change field to specify the minimum value by which the tag value spread around the trendline can change, and select one of the following spread change directions in the Direction drop-down list: Any, Flare, or Shrink.

        By default, the Minimum change setting is not defined. If the setting is not defined, Kaspersky MLAD will determine it automatically.

        The tag behavior criterion is met when the tag spread around the trendline increases and/or decreases.

    5. To add a tag behavior criterion to a condition block, click the plus sign at the bottom of the condition block and repeat sub-steps 1 through 4 of step 10.
    6. If the block contains more than one tag behavior criterion, select one of the following logical operators between the criterion rows:
      • AND if you need to track both criteria in the markup.
      • OR if you need to track one of the defined criteria in the markup.
    7. To delete a tag behavior criterion from a condition block, hover over the row with the required condition and click the cross icon.

  11. If you want to edit the conditions of the temporal operator Wait and/or If ahead, do the following:
    1. In the Recess (steps) field, specify the following time intervals:
      • from: the interval between the current UTG node and the first future UTG node, in which the post-condition block is checked (minimum waiting interval).
      • to: the interval between the current UTG node and the last future UTG node, in which the post-condition block is checked (maximum waiting interval).

      The post-condition block is checked in the UTG nodes between the minimum and maximum waiting intervals.

    2. In the Check drop-down list, select one of the following group operators:
      • To check the fulfillment of tag behavior criteria from the post-conditions block in all UTG nodes between the minimum and maximum waiting intervals, select the All steps group operator.
      • To check the fulfillment of tag behavior criteria from the post-conditions block in at least one UTG node between the minimum and maximum waiting intervals, select the Any step group operator.

      If the Wait temporal operator is added, the criteria check result is determined in the last node of the maximum waiting interval. If the check of the precondition block in the current UTG node gave a negative result (FALSE) or an undefined result (UNDEFINED), the same value will be the result of the check of the post-condition block. If the check of the precondition block in the current UTG node gave a positive result (TRUE), then the check of the post-condition block is performed in each UTG node between the minimum and maximum waiting interval. The result of the check is determined by the fulfillment of the condition depending on the selected group operator: All steps or Any step. If more than one condition check is performed using the Wait temporal operator, the result of the previous temporal condition check is the precondition for each subsequent check of the Wait temporal condition.

      If the If ahead temporal operator is added, the criteria check result is generated at the time of the precondition check.

  12. Select one of the following logical operators between markup blocks:
    • AND if you need to track the tag behavior criteria in both blocks of conditions.
    • OR if you need to track the tag behavior criteria in only one of the blocks of conditions.
  13. In the upper-right corner of the window, click the Save button.
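
The Wait and If ahead evaluation described in the Creating markup and Modifying the markup procedures above, worked through as an added example (this is not Kaspersky MLAD code). The function names, the use of None for UNDEFINED, the look-back window for Over, and the handling of nodes without data as UNDEFINED are assumptions; the tag series are constructed.

```python
from typing import List, Optional, Sequence

Tri = Optional[bool]  # True / False / None, where None stands for UNDEFINED


def over(values: Sequence[Optional[float]], node: int, window: int,
         threshold: float, min_violations: int) -> Tri:
    """'Over' criterion at one UTG node. Assumption: the window covers the
    last `window` nodes ending at the current node; None is a missing value."""
    span = [values[k] if k >= 0 else None
            for k in range(node - window + 1, node + 1)]
    hits = sum(1 for v in span if v is not None and v > threshold)
    missing = sum(1 for v in span if v is None)
    if hits >= min_violations:
        return True
    # Too few confirmed breaches: the missing samples could have been breaches,
    # so the result is UNDEFINED if they could have made up the difference.
    return None if hits + missing >= min_violations else False


def group(results: Sequence[Tri], check: str) -> Tri:
    """Three-valued 'All steps' / 'Any step' over the post-condition nodes."""
    if check == "all":
        if any(r is False for r in results):
            return False
        return None if any(r is None for r in results) else True
    if check == "any":
        if any(r is True for r in results):
            return True
        return None if any(r is None for r in results) else False
    raise ValueError("check must be 'all' or 'any'")


def temporal(pre: Sequence[Tri], post: Sequence[Tri], recess_from: int,
             recess_to: int, check: str, operator: str = "wait") -> List[Tri]:
    """Combine a precondition and a post-condition block per UTG node.

    'wait' reports the result in the last node of the maximum waiting
    interval; 'if_ahead' reports it at the precondition node, which needs
    future data and is why it fits learning indicators only.
    """
    if not 0 <= recess_from <= recess_to:
        raise ValueError("expected 0 <= from <= to")
    if operator not in ("wait", "if_ahead"):
        raise ValueError("operator must be 'wait' or 'if_ahead'")
    n = len(pre)
    out: List[Tri] = [None] * n  # nodes that never receive a result stay UNDEFINED
    for i in range(n):
        if pre[i] is True:
            nodes = range(i + recess_from, i + recess_to + 1)
            result = group([post[k] if k < n else None for k in nodes], check)
        else:
            result = pre[i]  # FALSE or UNDEFINED is passed through unchanged
        at = i + recess_to if operator == "wait" else i
        if at < n:
            out[at] = result
    return out


def selected(results: Sequence[Tri], inconclusive_as_positive: bool = False) -> List[int]:
    """Nodes the markup selects; the flag models 'Treat inconclusive result as positive'."""
    return [k for k, r in enumerate(results)
            if r is True or (r is None and inconclusive_as_positive)]


# Constructed telemetry: tag A spikes at nodes 2 and 5 and has a gap at node 6;
# tag B spikes once at node 4.
TAG_A = [1, 1, 9, 1, 1, 9, None, 1, 1, 1]
TAG_B = [0, 0, 0, 0, 7, 0, 0, 0, 0, 0]
PRE = [over(TAG_A, k, window=1, threshold=5.0, min_violations=1) for k in range(len(TAG_A))]
POST = [over(TAG_B, k, window=1, threshold=5.0, min_violations=1) for k in range(len(TAG_B))]

if __name__ == "__main__":
    for op in ("wait", "if_ahead"):
        res = temporal(PRE, POST, recess_from=1, recess_to=3, check="any", operator=op)
        print(op, res, selected(res), selected(res, inconclusive_as_positive=True))
```

With the option enabled, every UNDEFINED node is selected, including those caused by the telemetry gap, so review the markup chart before using such a markup as a learning indicator.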

Removing markup

You can delete markup if it is not used for training or inference of any ML model.

To delete markup:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the markup that you want to delete.

    A list of options appears on the right.

  3. In the upper-right corner of the window, click the trash bin icon.
  4. In the window that opens, confirm the deletion of the markup.

Working with imported ML models

This section provides information about working with imported ML models and their elements.

ML models can be provided by Kaspersky specialists or certified integrators within the Kaspersky MLAD Model-building and Deployment Service. Such ML models must be uploaded to Kaspersky MLAD and activated. You cannot create new elements for an imported ML model, or delete existing elements.

When it is uploaded into Kaspersky MLAD, the ML model is already trained. If necessary, you can additionally train the neural network elements of the uploaded ML model before publishing it and/or running its inference.

In this section

Uploading an ML model

Activating an imported ML model

Changing the parameters of an element of an imported ML model


Uploading an ML model

If the ML model was created by Kaspersky specialists or a certified integrator, you can load this ML model into Kaspersky MLAD.

Kaspersky MLAD may slow down its operation when uploading an ML model whose size exceeds 1 GB.

System administrators and users who have the Upload models permission from the Manage ML models group of rights can upload ML models.

To upload an ML model:

  1. In the main menu, select the Models section.
  2. In the asset tree, next to the name of the asset for which the ML model is to be imported, open the vertical menu and select Import model.
  3. In the opened window, select the ML model file.

    An ML model file is provided as a TAR archive with a maximum size of 1.5 GB.

The ML model will be uploaded to Kaspersky MLAD. The new ML model is displayed in the Models group of the asset tree. The Models group is created automatically and displayed as part of the selected section of the asset tree. The Models group contains the Neural networks and Rules subgroups for storing ML model elements based on neural networks and diagnostic rules.

After being uploaded, the ML model is assigned the Not activated status. The ML model must be activated. If you upload an ML model that was previously activated and then deleted, you do not need to reactivate the ML model.


Activating an imported ML model

After an ML model prepared by Kaspersky specialists or a certified integrator has been uploaded into Kaspersky MLAD, it must be activated.

If the ML model activation code is lost, send a request to Kaspersky to receive a new code.

System administrators and users who have the Activate models permission from the Manage ML models group of rights can activate imported ML models.

To activate an imported ML model:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the imported ML model.

    The details area appears on the right.

  3. In the Model activation code field, enter the code received from Kaspersky personnel, and click the Activate button in the upper right part of the window.

The ML model is activated and assigned the Trained status. You can start ML model inference to begin the analysis of telemetry data received from the monitored asset.


Changing the parameters of an element of an imported ML model

You can change some parameters of an element of an imported ML model.

System administrators and users who have the Edit model drafts permission from the Manage ML models group of rights can edit the settings of elements of imported ML models.

To change the parameters of an imported ML model element:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the ML model element that you want to change.

    A list of options appears on the right.

  3. In the upper-right corner of the window, click the Edit button.
  4. In the Name field, specify the name of the ML model element.
  5. Enter a description for the ML model element in the Description field.
  6. If necessary, in the General element settings settings block, do the following:
    1. In the Reminder period (sec) field, specify the period in seconds, upon reaching which the ML model will generate a repeated incident if anomalous behavior is retained in each UTG node.

      The default value of this setting is 0, which corresponds to no reminders.

    2. In the Period of recurring alert suppression (sec) field, specify the period in seconds during which the ML model does not log repeated incidents for the same element.

      The default value of this setting is 0 (repeat incidents not suppressed).

    3. In the Incident status drop-down list, select a status to be automatically assigned to incidents logged by the ML model element.
    4. In the Incident cause drop-down list, select the cause to be automatically set for incidents logged by the ML model element.
    5. In the Color of incident dot indicators field, select the color of the indicator points of the incidents logged by the ML model element on the graphs in the Monitoring and History sections.
    6. In the Detection threshold field, specify a prediction error threshold value upon reaching which an incident is logged.

      The detection threshold value was set after training an element of the imported ML model. Modifying this setting changes detector sensitivity.

    7. In the Expert opinion field, specify the expert opinion to be automatically created for incidents logged by the ML model element.
  7. In the upper-right corner of the window, click the Save button.


Working with manually created ML models

This section provides information about working with manually created ML models and their elements.

If you create an ML model manually, you can add elements of ML models based on neural networks and/or diagnostic rules, modify or delete them.

The ML model needs to be trained before you can run inference on it. To do this, all neural network elements within the ML model need to be pretrained. If necessary, you can view the training results of the neural network elements. Elements based on diagnostic rules are considered as trained.

You can also start inference after publishing the ML model. After inference is started, Kaspersky MLAD will register incidents.

In this section

Creating an ML model

Adding a neural network element to an ML model

Modifying a neural network element of the ML model

Adding an ML model element based on a diagnostic rule

Changing an ML model element based on a diagnostic rule

Removing an ML model element


Creating an ML model

System administrators and users who have the Create models permission from the Manage ML models group of rights can create ML models.

To create an ML model:

  1. In the main menu, select the Models section.
  2. In the asset tree, next to the name of the asset for which you want to create an ML model, open the vertical menu and select Create model.

    A list of options appears on the right.

  3. In the Name field, specify the ML model name.

    The ML model name must not be longer than 100 characters.

  4. In the Description field, specify the ML model description.
  5. If you need to apply markups when selecting data for ML model inference, select the required markups under Inference indicator.
  6. To view the data that will be selected by the markups, click On graph.

    Markups are displayed in the colors selected when they were created.

  7. In the upper-right corner of the window, click the Save button.

The new ML model is displayed in the Models group of the asset tree. The Models group is created automatically and displayed as part of the selected section of the asset tree. The Models group contains the Neural networks and Rules subgroups for storing ML model elements based on neural networks and diagnostic rules.

The ML model is assigned the Draft status.


Adding a neural network element to an ML model

System administrators and users who have the Create models permission from the Manage ML models group of rights can add ML model elements.

To add a neural network element to an ML model:

  1. In the main menu, select the Models section.
  2. In the asset tree, next to the Neural networks group within the ML model to which you want to add a neural network element, open the vertical menu and select Create element.

    A list of options appears on the right.

  3. In the Name field, specify the name of the ML model element.
  4. Enter a description for the ML model element in the Description field.
  5. In the General element settings settings block, do the following:
    1. In the Reminder period (sec) field, specify the period in seconds after which the ML model generates a repeated incident if the anomalous behavior persists in each UTG node.

      The default value of this setting is 0, which corresponds to no reminders.

    2. In the Period of recurring alert suppression (sec) field, specify the period in seconds during which the ML model does not log repeated incidents for the same element.

      The default value of this setting is 0 (repeat incidents not suppressed).

    3. In the Grid step (sec) field, specify the element's UTG period in seconds expressed as a decimal.
    4. In the Incident status drop-down list, select a status to be automatically assigned to incidents logged by the ML model element.
    5. In the Incident cause drop-down list, select the cause to be automatically set for incidents logged by the ML model element.
    6. In the Color of incident dot indicators field, select the color of the indicator points of the incidents logged by the ML model element on the graphs in the Monitoring and History sections.
    7. In the Detection threshold field, specify a prediction error threshold value upon reaching which an incident is logged.
    8. In the Expert opinion field, specify the expert opinion to be automatically created for incidents logged by the ML model element.
  6. Select one of the following ML model neural network element architectures: Dense, RNN, CNN, TCN, or Transformer.
  7. If you need to specify the architecture parameters of a neural network element and the power exponent and smoothing value of the cumulative prediction error, use the toggle switch to enable Advanced neural network settings.
  8. In the Main settings block, do the following:
    1. In the Input tags drop-down list, select one or more tags that serve as the source data for predicting the values of the output tags.

    2. In the Output tags drop-down list, select one or several tags whose behavior is predicted by the model element.

    3. If extended setup mode is enabled, use the MSE power exponent field to specify the cumulative prediction error power exponent in decimal format.
    4. If extended setup mode is enabled, use the Smoothing factor field to specify the cumulative prediction error smoothing value in decimal format.
  9. In the Window settings settings block, do the following:
    1. In the Input window (steps) field, specify the size of the input value window, from which the ML model element predicts the output values.
    2. In the Output window offset field, specify the number of steps by which the beginning of the output window will be shifted relative to the beginning of the input window.
    3. In the Output window (steps) field, specify an output tag prediction length calculated from the input tags on the input window.
  10. If you are adding a neural network element with a dense architecture, do the following:
    1. In the Multipliers for calculating number of neurons per layer field, provide the factors, separated by a comma without spaces, by which to multiply the number of input tags to calculate the number of neurons per layer of the ML model element.
    2. In the Activation function per layer field, specify one of the following activation functions on each layer of an ML model element separated by a comma without spaces:
      • relu: A non-linear activation function that converts an input value to a value between 0 and positive infinity.
      • selu: A monotonically increasing function that enables normalization based on the central limit theorem.
      • linear: A linear function that is a straight line proportional to the input data.
      • sigmoid: A non-linear function that converts input values to values between 0 and 1.
      • tanh: A hyperbolic tangent function that converts input values to values between -1 and 1.
      • softmax: A function that converts a vector of values to a probability distribution that adds up to 1.

      The default value of this setting is relu,relu,relu.

  11. If you are adding a neural network element with an RNN architecture, do the following:
    1. In the GRU neurons per layer field, specify the number of GRU neurons on layers separated by a comma without spaces.

      The default value of this parameter is 40,40.

    2. In the Number of neurons in TimeDistributed layer field, specify the number of neurons distributed in time on the layers of the decoder separated by a comma without spaces.

      The default value of this parameter is 40,20.

  12. If you are adding a neural network element with a CNN architecture, do the following:
    1. In the Filter size per layer field, specify the size of the filters for each layer of the element separated by a comma without spaces.

      The default value of this parameter is 2,2,2.

    2. In the Filters per layer field, specify the number of filters for each layer of the ML model element separated by a comma without spaces.

      The default value of this parameter is 50,50,50.

    3. In the MaxPooling window size per layer field, specify the maximum sampling window size on each layer separated by a comma without spaces.

      The default value of this parameter is 2,2,2.

    4. In the Number of neurons in decoder field, specify the number of neurons on the layers of the decoder.

  13. If you are adding a neural network element with a TCN architecture, do the following:
    1. In the Regularization field, specify the regularization coefficient in decimal format to prevent overfitting of the ML model element.

      The default value of this parameter is 0.1.

    2. In the Size of filters field, specify the size of the filters for the ML model element.

      The default value of this parameter is 2.

    3. In the Dilation per layer field, specify the exponential expansion values of the output data on the layers as a comma-separated list.

      The default value of this parameter is 1,2,4.

    4. In the Activation function drop-down list, select one of the following activation functions:
      • linear: A linear activation function whose result is proportional to the input value.
      • relu: A non-linear activation function that converts an input value to a value between zero and positive infinity. If the input value is less than or equal to zero, the function returns a value of zero; otherwise, the function returns the input value.

      The default value of this parameter is linear.

    5. In the Number of stacks of residual blocks field, specify the number of encoders.

      The default value of this parameter is 1.

    6. In the Decoder layer type field, select one of the following types of layer to precede the output layer:
      • TimeDistributedDense (default): A fully connected architecture layer.
      • GRU: A layer with a recurrent architecture.
  14. If you are adding a neural network element with a transformer architecture, do the following:
    1. In the Encoder regularization field, specify the regularization coefficient in the encoder in decimal format.

      The default value of this parameter is 0.01.

    2. In the Number of attention heads field, specify the number of attention heads.

      The default value of this parameter is 1.

    3. In the Number of encoders field, specify the number of encoders.

      The default value of this parameter is 1.

    4. In the Multipliers for calculating number of neurons per layer field, provide the factors, separated by a comma without spaces, by which to multiply the number of input tags to calculate the number of neurons in the decoding layers.

  15. In the upper-right corner of the window, click the Save button.

The new ML model element will be displayed in the Neural networks group within the selected ML model in the asset tree.

The ML model is assigned the Draft status. Before running inference of an ML model, you must train all of its neural network elements.
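
The following Python sketch is an added example, not Kaspersky MLAD code. It models how the Detection threshold, Reminder period (sec) and Period of recurring alert suppression (sec) settings could shape the incidents logged by one element, so that candidate values can be tried on a historical prediction-error series. The onset rule, the reminder timer and the way suppression applies to reminders are assumptions of this example, and the error values are constructed.

```python
"""Added example: how threshold, reminder and suppression settings shape incidents."""

# Constructed prediction-error series for one element, one value per UTG node.
ERRORS = [0.1, 0.2, 0.9, 1.1, 1.2, 1.0, 0.9, 0.95, 0.3, 0.2,
          0.9, 0.1, 0.1, 0.1, 0.1, 1.5, 1.4, 0.2, 0.1, 0.1]


def register_incidents(errors, grid_step, threshold, reminder=0.0, suppression=0.0):
    """Return (logged, dropped) lists of (time_sec, kind) tuples.

    Assumed semantics (not taken from the product):
      * a node is anomalous when its error reaches the threshold (error >= threshold);
      * the first anomalous node of a run is an "onset" incident;
      * while the run continues, a "reminder" incident is due every `reminder`
        seconds after the previous onset or reminder (0 disables reminders);
      * an incident that falls less than `suppression` seconds after the last
        logged incident of this element is dropped (0 disables suppression).
    """
    if grid_step <= 0 or reminder < 0 or suppression < 0:
        raise ValueError("grid_step must be positive, periods must not be negative")
    logged, dropped = [], []
    run_ref = None  # time of the last onset or reminder in the current anomalous run
    for i, err in enumerate(errors):
        t = i * grid_step
        if err is None or err < threshold:
            run_ref = None  # anomaly ended (or no prediction available)
            continue
        if run_ref is None:
            kind = "onset"
        elif reminder > 0 and t - run_ref >= reminder:
            kind = "reminder"
        else:
            continue  # still anomalous, but no new incident is due yet
        run_ref = t
        if suppression > 0 and logged and t - logged[-1][0] < suppression:
            dropped.append((t, kind))
        else:
            logged.append((t, kind))
    return logged, dropped


if __name__ == "__main__":
    for reminder, suppression in [(0, 0), (3, 0), (3, 6)]:
        logged, dropped = register_incidents(ERRORS, 1.0, 0.8, reminder, suppression)
        print(f"reminder={reminder}s suppression={suppression}s")
        print("  logged :", logged)
        print("  dropped:", dropped)
```

With a suppression period of 6 seconds the separate anomaly that starts at 15 seconds is dropped, so a long suppression period trades alert volume for visibility of closely spaced events.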

[Topic 256033]

Modifying a neural network element of the ML model

You can edit the settings of a neural network element of the ML model.

System administrators and users who have the Edit model drafts permission from the Manage ML models group of rights can edit elements of ML models.

To edit a neural network element of an ML model:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the neural network element that you want to edit.

    A list of options appears on the right.

  3. In the upper-right corner of the window, click the Edit button.
  4. In the Name field, specify a new name for the ML model element.
  5. In the Description field, specify a new description for the ML model.
  6. If necessary, in the General element settings settings block, do the following:
    1. In the Reminder period (sec) field, specify the period in seconds after which the ML model generates a repeated incident if the anomalous behavior persists in each UTG node.

      The default value of this setting is 0, which corresponds to no reminders.

    2. In the Period of recurring alert suppression (sec) field, specify the period in seconds during which the ML model does not log repeated incidents for the same element.

      The default value of this setting is 0 (repeat incidents not suppressed).

    3. In the Grid step (sec) field, specify the element's UTG period in seconds expressed as a decimal.
    4. In the Incident status drop-down list, select a status to be automatically assigned to incidents logged by the ML model element.
    5. In the Incident cause drop-down list, select the cause to be automatically set for incidents logged by the ML model element.
    6. In the Color of incident dot indicators field, select the color of the indicator points of the incidents logged by the ML model element on the graphs in the Monitoring and History sections.
    7. In the Detection threshold field, specify a prediction error threshold value upon reaching which an incident is logged.
    8. In the Expert opinion field, specify the expert opinion to be automatically created for incidents logged by the ML model element.
  7. If necessary, edit the architecture of the neural network element.

    Kaspersky MLAD supports the following ML model neural network element architectures: Dense, RNN, CNN, TCN, and Transformer.

  8. If you need to change the architecture parameters of a neural network element and the power exponent and smoothing value of the cumulative prediction error, use the toggle switch to enable Advanced neural network settings.
  9. If necessary, in the Main settings settings block, do the following:
    1. In the Input tags drop-down list, select one or more tags that serve as the source data for predicting the values of the output tags.

    2. In the Output tags drop-down list, select one or several tags whose behavior is predicted by the model element.

    3. If extended setup mode is enabled, use the MSE power exponent field to specify the cumulative prediction error power exponent in decimal format.
    4. If extended setup mode is enabled, use the Smoothing factor field to specify the cumulative prediction error smoothing value in decimal format.
  10. If necessary, in the Window settings settings block, do the following:
    1. In the Input window (steps) field, specify the size of the input value window, from which the ML model element predicts the output values.
    2. In the Output window offset field, specify the number of steps by which the beginning of the output window will be shifted relative to the beginning of the input window.
    3. In the Output window (steps) field, specify an output tag prediction length calculated from the input tags on the input window.
  11. If you have selected a neural network element with a dense architecture, do the following:
    1. In the Multipliers for calculating number of neurons per layer field, provide the multipliers, separated by a comma without spaces, by which to multiply the number of input tags to calculate the number of neurons in the ML model element layers.
    2. In the Activation function per layer field, specify one of the following activation functions on each layer of an ML model element separated by a comma without spaces:
      • relu: A non-linear activation function that converts an input value to a value between 0 and positive infinity.
      • selu: A monotonically increasing function that enables normalization based on the central limit theorem.
      • linear: A linear function that is a straight line proportional to the input data.
      • sigmoid: A non-linear function that converts input values to values between 0 and 1.
      • tanh: A hyperbolic tangent function that converts input values to values between -1 and 1.
      • softmax: A function that converts a vector of values to a probability distribution that adds up to 1.

      The default value of this setting is relu,relu,relu.

  12. If you have selected a neural network element with an RNN architecture, do the following:
    1. In the GRU neurons per layer field, specify the number of GRU neurons on layers separated by a comma without spaces.

      The default value of this parameter is 40,40.

    2. In the Number of neurons in TimeDistributed layer field, specify the number of neurons distributed in time on the layers of the decoder separated by a comma without spaces.

      The default value of this parameter is 40,20.

  13. If you have selected a neural network element with a CNN architecture, do the following in the CNN architecture settings settings block:
    1. In the Filter size per layer field, specify the size of the filters for each layer of the element separated by a comma without spaces.

      The default value of this parameter is 2,2,2.

    2. In the Filters per layer field, specify the number of filters for each layer of the ML model element separated by a comma without spaces.

      The default value of this parameter is 50,50,50.

    3. In the MaxPooling window size per layer field, specify the maximum sampling window size values separated by a comma without spaces.

      The default value of this parameter is 2,2,2.

    4. In the Number of neurons in decoder field, specify the number of neurons on the layers of the decoder.

  14. If you have selected a neural network element with a TCN architecture, do the following:
    1. In the Regularization field, specify the regularization coefficient in decimal format to prevent overfitting of the ML model element.

      The default value of this parameter is 0.1.

    2. In the Size of filters field, specify the sizes of the filters for the ML model element.

      The default value of this parameter is 2.

    3. In the Dilation per layer field, specify the exponential expansion values of the output data on the layers separated by a comma without spaces.

      The default value of this parameter is 1,2,4.

    4. In the Activation function drop-down list, select one of the following activation functions:
      • linear: A linear activation function whose result is proportional to the input value.
      • relu: A non-linear activation function that converts an input value to a value between zero and positive infinity. If the input value is less than or equal to zero, the function returns a value of zero; otherwise, the function returns the input value.

      The default value of this parameter is linear.

    5. In the Number of stacks of residual blocks field, specify the number of encoders.

      The default value of this parameter is 1.

    6. In the Decoder layer type field, select one of the following types of layer to precede the output layer:
      • TimeDistributedDense (default): A fully connected architecture layer.
      • GRU: A layer with a recurrent architecture.
  15. If you have selected a neural network element with a transformer architecture, do the following:
    1. In the Encoder regularization field, specify the regularization coefficient in the encoder in decimal format.

      The default value of this parameter is 0.01.

    2. In the Number of attention heads field, specify the number of attention heads.

      The default value of this parameter is 1.

    3. In the Number of encoders field, specify the number of encoders.

      The default value of this parameter is 1.

    4. In the Multipliers for calculating number of neurons per layer field, provide the factors, separated by a comma without spaces, by which to multiply the number of input tags to calculate the number of neurons in the decoding layers.

  16. In the upper-right corner of the window, click the Save button.
[Topic 256426]

Adding an ML model element based on a diagnostic rule

System administrators and users who have the Create models permission from the Manage ML models group of rights can add ML model elements.

To add an ML model element based on a diagnostic rule:

  1. In the main menu, select the Models section.
  2. In the asset tree, next to the Rules group within an ML model to which you want to add a diagnostic rule, open the vertical menu and select Create element.

    A list of options appears on the right.

  3. In the Name field, specify a name for the diagnostic rule.
  4. In the Description field, specify the diagnostic rule description.
  5. In the General element settings settings block, do the following:
    1. In the Reminder period (sec) field, specify the period in seconds after which the ML model generates a repeated incident if the anomalous behavior persists in each UTG node.

      The default value of this setting is 0, which corresponds to no reminders.

    2. In the Period of recurring alert suppression (sec) field, specify the period in seconds during which the ML model does not log repeated incidents for the same element.

      The default value of this setting is 0 (repeat incidents not suppressed).

    3. In the Grid step (sec) field, specify the element's UTG period in seconds expressed as a decimal.
    4. In the Incident status drop-down list, select a status to be automatically assigned to incidents logged by the ML model element.
    5. In the Incident cause drop-down list, select the cause to be automatically set for incidents logged by the ML model element.
    6. In the Color of incident dot indicators field, select the color of the indicator points of the incidents logged by the ML model element on the graphs in the Monitoring and History sections.
    7. In the Expert opinion field, specify the expert opinion to be automatically created for incidents logged by the ML model element.
  6. If necessary, use the toggle switch to turn on the Treat inconclusive result as positive option.

    If Kaspersky MLAD cannot unequivocally evaluate the fulfillment of criteria specified in the Time filter and Tag conditions settings blocks, for example, due to the absence of observations for tags, the application will consider a rule to be triggered when this option is enabled.

  7. In the Time filter settings block, do the following:
    1. Click the Add interval button.
    2. In the Interval type drop-down list, select one of the following time interval types:
      • Fixed. If you select this type of interval, specify the days of the week and the time interval during which the input data must be validated according to the specified criteria.

        You can specify only the beginning or the end of a single interval.

      • Recurrent. If you select this type of interval, specify the years, dates, days of the week, and daily time interval for periodically validating input data according to the specified criteria.
    3. If you want to add one more interval, click the Add interval button and complete step 7b.
    4. If you want to delete an interval, move the mouse cursor over the row with the required interval and click the Delete interval icon.

    You can add one or more time intervals. If no time interval is specified, the diagnostic rule is applied in each UTG node.

  8. To add tag behavior criteria, do the following:
    1. In the Tag conditions settings block, click the Condition button.

    2. In the Tag drop-down list, select the tag for which to add a tag behavior criterion.

      If you want to exclude the selected criterion from the condition block that you are adding, click NOT to the left of the selected tag. The NOT caption in the button will be highlighted in bold.

      For example, click NOT to add a condition that contains no steps with the specified settings.

    3. In the Behavior drop-down list, select one of the following tag behaviors that must be tracked:
      • Over: the tag value exceeds the specified threshold.
      • Below: the tag value falls below the specified threshold.
      • Rising: the trendline of tag values is increasing.
      • Falling: the trendline of tag values is decreasing.
      • Level: there are no pronounced changes in the trendline of tag values.
      • Step change: the trendline of the selected tag is displaying abrupt upward or downward shifts.
      • Flat: the selected tag is transmitting the same value.
      • Spread: abrupt changes in the spread of values are being observed around the trendline of the selected tag.
    4. In the Window field, specify the number of UTG steps.
    5. Depending on the value selected for Behavior, do one of the following:
      • If you selected Over or Below, use the Threshold field to specify the tag threshold value, and specify the minimum number of times the threshold value can be breached in a separate window in the Minimum violations field.
      • If you selected Rising, Falling, or Level, use the Threshold slope field to specify the trend slope percentage value that must be exceeded for the trend to be considered as growing or falling, and specify the time interval between adjacent trend estimates in the Evaluation period field.

        By default, the Threshold slope setting is not defined. If the setting is not defined, Kaspersky MLAD will determine the trend direction automatically.

        By default, the Evaluation period setting has a value of 1. With this value, the trend is estimated at each UTG node.

      • If you selected Step change, use the Minimum change field to specify the minimum shift value for the tag trendline, and select one of the following tag value change directions from the Direction drop-down list: Any, Up or Down.

        By default, the Minimum change setting is not defined. If the setting is not defined, Kaspersky MLAD will determine it automatically.

      • If you selected Flat, use the Value field to specify the value that the tag should transmit, and specify the maximum tag value spread in the Spread field.

        By default, the Value setting is not defined. If the setting is not defined, any repeating tag value triggers the criterion.

      • If you selected Spread, use the Minimum change field to specify the minimum value by which the tag value spread around the trendline can change, and select one of the following spread change directions in the Direction drop-down list: Any, Flare, or Shrink.

        By default, the Minimum change setting is not defined. If the setting is not defined, Kaspersky MLAD will determine it automatically.

        The tag behavior criterion is met when the tag spread around the trendline increases and/or decreases.

    6. To add a tag behavior criterion to a condition block, click the plus sign at the bottom of the condition block and repeat steps 8b through 8e.
    7. If the block contains more than one tag behavior criterion, select one of the following logical operators between the criterion rows:
      • AND if you need to track both criteria while a diagnostic rule is active.
      • OR if you need to track one of the defined criteria while a diagnostic rule is active.

  9. If you need to check whether the fulfillment of a pre-condition caused the fulfillment of a post-condition in a future UTG node, add a temporal operator:
    1. In the Tag conditions settings block, click the Wait button.

      The Wait button is available after at least one condition has been added.

      A precondition is a block of conditions preceding the temporal operator. A postcondition is a block of conditions following a temporal operator.

      The precondition block is checked in the current UTG node.

    2. In the Recess (steps) field, specify the following time intervals:
      • from: the interval between the current UTG node and the first future UTG node, in which the post-condition block is checked (minimum waiting interval).
      • to: the interval between the current UTG node and the last future UTG node, in which the post-condition block is checked (maximum waiting interval).

      The post-condition block is checked in the UTG nodes between the minimum and maximum waiting intervals.

    3. In the Check drop-down list, select one of the following group operators:
      • To check the fulfillment of tag behavior criteria from the post-conditions block in all UTG nodes between the minimum and maximum waiting intervals, select the All steps group operator.
      • To check the fulfillment of tag behavior criteria from the post-conditions block in at least one UTG node between the minimum and maximum waiting intervals, select the Any step group operator.

      The criteria check result is determined in the last node of the maximum waiting interval. If the check of the precondition block in the current UTG node gave a negative result (FALSE) or an undefined result (UNDEFINED), the same value will be the result of the check of the post-condition block.

      If the check of the precondition block in the current UTG node gave a positive result (TRUE), then the check of the post-condition block is performed in each UTG node between the minimum and maximum waiting interval. The result of the check is determined by the fulfillment of the condition depending on the selected group operator: All steps or Any step.

      If more than one condition check is performed using the temporal operator, then the result of the check of the previous temporal condition is a precondition for each subsequent check of the temporal condition.

  10. Select one of the following logical operators between rule blocks:
    • AND if you need to track tag behavior criteria in both blocks while a diagnostic rule is active.
    • OR if you need to track tag behavior criteria in one of the blocks while a diagnostic rule is active.
  11. In the upper-right corner of the window, click the Save button.

The new ML model element will be displayed in the Rules group within the selected ML model in the asset tree.

If an ML model contains only elements based on diagnostic rules, the model is assigned the Trained status. You can start inference for such an ML model. If the ML model contains untrained neural network elements, they must be trained before starting inference.
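
An added Python example (not Kaspersky MLAD code) of the Wait operator from step 9, evaluated with three-valued results. The page defines how a FALSE or UNDEFINED precondition propagates and what All steps and Any step check. The handling of UNDEFINED inside the waiting interval (Kleene logic), the trailing-window form of the Over criterion, and the pump and flow tags with their values are assumptions of this example.

```python
"""Added example: three-valued evaluation of a rule with a Wait operator."""
from enum import IntEnum


class Tri(IntEnum):
    FALSE = 0
    UNDEFINED = 1
    TRUE = 2


def tri_not(value):
    """NOT button: TRUE and FALSE swap, UNDEFINED stays UNDEFINED."""
    return Tri(2 - value)


def over(series, node, threshold, window=1, min_violations=1):
    """Over criterion on the `window` UTG nodes ending at `node` (assumed alignment).

    Missing observations (None, or nodes outside the series) make the result
    UNDEFINED only when they could still change the outcome.
    """
    start = max(0, node - window + 1)
    values = series[start:node + 1]
    missing = window - len(values) + sum(v is None for v in values)
    hits = sum(v is not None and v > threshold for v in values)
    if hits >= min_violations:
        return Tri.TRUE
    if hits + missing >= min_violations:
        return Tri.UNDEFINED
    return Tri.FALSE


def wait(pre, post_at, node, wait_from, wait_to, check="all"):
    """Wait operator: `pre` is the precondition result in the current node.

    A FALSE or UNDEFINED precondition is returned unchanged. Otherwise the
    postcondition is checked in nodes node+wait_from .. node+wait_to, so the
    verdict is only known once data for node+wait_to has arrived.
    """
    if not 0 <= wait_from <= wait_to:
        raise ValueError("expected 0 <= from <= to")
    if check not in ("all", "any"):
        raise ValueError("check must be 'all' (All steps) or 'any' (Any step)")
    if pre != Tri.TRUE:
        return pre
    results = [post_at(k) for k in range(node + wait_from, node + wait_to + 1)]
    # Assumption: Kleene logic, All steps = minimum, Any step = maximum.
    return Tri(min(results)) if check == "all" else Tri(max(results))


def is_triggered(result, treat_inconclusive_as_positive=False):
    """Apply the 'Treat inconclusive result as positive' toggle."""
    if result == Tri.UNDEFINED:
        return treat_inconclusive_as_positive
    return result == Tri.TRUE


# Constructed tag values, one per UTG node (hypothetical pump and flow tags).
PUMP = [0, 0, 1, 1, 1, 1, 1, 1]
FLOW_OK = [0, 0, 0, 4, 12, 13, 12, 12]
FLOW_STUCK = [0, 0, 0, 1, 1, 2, 1, 1]
FLOW_GAP = [0, 0, 0, 1, None, None, 1, 1]


def pump_without_flow(pump, flow, node, check="all"):
    """Rule: pump Over 0.5, then Wait 2..4 steps, then NOT (flow Over 10)."""
    pre = over(pump, node, threshold=0.5)
    return wait(pre, lambda k: tri_not(over(flow, k, threshold=10.0)),
                node, wait_from=2, wait_to=4, check=check)


if __name__ == "__main__":
    for name, flow in [("ok", FLOW_OK), ("stuck", FLOW_STUCK), ("gap", FLOW_GAP)]:
        result = pump_without_flow(PUMP, flow, node=2)
        print(name, result.name,
              "triggered:", is_triggered(result),
              "| with toggle:", is_triggered(result, True))
```

The series with missing flow observations yields UNDEFINED under All steps, so whether it raises an incident depends entirely on the Treat inconclusive result as positive toggle.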

[Topic 256047]

Changing an ML model element based on a diagnostic rule

You can change the settings of an ML model element based on a diagnostic rule.

System administrators and users who have the Edit model drafts permission from the Manage ML models group of rights can edit elements of ML models.

To change an element of an ML model based on a diagnostic rule:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the element based on a diagnostic rule that you want to edit.

    A list of options appears on the right.

  3. In the upper-right corner of the window, click the Edit button.
  4. In the Name field, specify a new name for the diagnostic rule.
  5. In the Description field, specify a new description for the diagnostic rule.
  6. If necessary, in the General element settings settings block, do the following:
    1. In the Reminder period (sec) field, specify the period in seconds after which the ML model generates a repeated incident if the anomalous behavior persists in each UTG node.

      The default value of this setting is 0, which corresponds to no reminders.

    2. In the Period of recurring alert suppression (sec) field, specify the period in seconds during which the ML model does not log repeated incidents for the same element.

      The default value of this setting is 0 (repeat incidents not suppressed).

    3. In the Grid step (sec) field, specify the UTG period for the element in seconds.
    4. In the Incident status drop-down list, select a status to be automatically assigned to incidents logged by the ML model element.
    5. In the Incident cause drop-down list, select the cause to be automatically set for incidents logged by the ML model element.
    6. In the Color of incident dot indicators field, select the color of the indicator points of the incidents logged by the ML model element on the graphs in the Monitoring and History sections.
    7. In the Expert opinion field, specify the expert opinion to be automatically created for incidents logged by the ML model element.
  7. If necessary, use the toggle switch to turn on the Treat inconclusive result as positive option.

    If Kaspersky MLAD cannot unequivocally evaluate the fulfillment of criteria specified in the Time filter and Tag conditions settings blocks, for example, due to the absence of observations for tags, the application will consider a rule to be triggered when this option is enabled.

  8. If necessary, do the following in the Time filter settings block:
    1. In the Interval type drop-down list, select one of the following time interval types:
      • Fixed. If you select this type of interval, specify the days of the week and the time interval during which the input data must be validated according to the specified criteria.

        You can specify only the beginning or the end of a single interval.

      • Recurrent. If you select this type of interval, specify the years, dates, days of the week, and daily time interval for periodically validating input data according to the specified criteria.
    2. If you want to add one more interval, click the Add interval button and complete step 8a.
    3. If you want to delete an interval, move the mouse cursor over the row with the required interval and click the Delete interval icon.

    You can add one or more time intervals. If no time interval is specified, the diagnostic rule is applied in each UTG node.

  9. To edit a tag behavior condition, do the following:
    1. In the Tag drop-down list, select the tag for which to add a tag behavior criterion.

      If you want to exclude the selected criterion from the condition block that you are adding, click NOT to the left of the selected tag. The NOT caption in the button will be highlighted in bold.

      For example, click NOT to add a condition that contains no steps with the specified settings.

    2. In the Behavior drop-down list, select one of the following tag behaviors that must be tracked:
      • Over: the tag value exceeds the specified threshold.
      • Below: the tag value falls below the specified threshold.
      • Rising: the trendline of tag values is increasing.
      • Falling: the trendline of tag values is decreasing.
      • Level: there are no pronounced changes in the trendline of tag values.
      • Step change: the trendline of the selected tag is displaying abrupt upward or downward shifts.
      • Flat: the selected tag is transmitting the same value.
      • Spread: abrupt changes in the spread of values are being observed around the trendline of the selected tag.
    3. In the Window field, specify the number of UTG steps.
    4. Depending on the value selected for Behavior, do one of the following:
      • If you selected Over or Below, use the Threshold field to specify the tag threshold value, and specify the minimum number of times the threshold value can be breached in a separate window in the Minimum violations field.
      • If you selected Rising, Falling, or Level, use the Threshold slope field to specify the trend slope percentage value that must be exceeded for the trend to be considered as growing or falling, and specify the time interval between adjacent trend estimates in the Evaluation period field.

        By default, the Threshold slope setting is not defined. If the setting is not defined, Kaspersky MLAD will determine the trend direction automatically.

        By default, the Evaluation period setting has a value of 1. With this value, the trend is estimated at each UTG node.

      • If you selected Step change, use the Minimum change field to specify the minimum shift value for the tag trendline, and select one of the following tag value change directions from the Direction drop-down list: Any, Up or Down.

        By default, the Minimum change setting is not defined. If the setting is not defined, Kaspersky MLAD will determine it automatically.

      • If you selected Flat, use the Value field to specify the value that the tag should transmit, and specify the maximum tag value spread in the Spread field.

        By default, the Value setting is not defined. If the setting is not defined, any repeating tag value triggers the criterion.

      • If you selected Spread, use the Minimum change field to specify the minimum value by which the tag value spread around the trendline can change, and select one of the following spread change directions in the Direction drop-down list: Any, Flare, or Shrink.

        By default, the Minimum change setting is not defined. If the setting is not defined, Kaspersky MLAD will determine it automatically.

        The tag behavior criterion is met when the tag spread around the trendline increases and/or decreases.

    5. To add a tag behavior criterion to a condition block, click the plus sign at the bottom of the condition block and repeat steps 9a through 9d.
    6. If the block contains more than one tag behavior criterion, select one of the following logical operators between the criterion rows:
      • AND if you need to track both criteria while a diagnostic rule is active.
      • OR if you need to track one of the defined criteria while a diagnostic rule is active.

  10. If you need to edit the temporal operator:
    1. In the Recess (steps) field, specify the following time intervals:
      • from: the interval between the current UTG node and the first future UTG node, in which the post-condition block is checked (minimum waiting interval).
      • to: the interval between the current UTG node and the last future UTG node, in which the post-condition block is checked (maximum waiting interval).

      The post-condition block is checked in the UTG nodes between the minimum and maximum waiting intervals.

    2. In the Check drop-down list, select one of the following group operators:
      • To check the fulfillment of tag behavior criteria from the post-conditions block in all UTG nodes between the minimum and maximum waiting intervals, select the All steps group operator.
      • To check the fulfillment of tag behavior criteria from the post-conditions block in at least one UTG node between the minimum and maximum waiting intervals, select the Any step group operator.

      The criteria check result is determined in the last node of the maximum waiting interval. If the check of the precondition block in the current UTG node gave a negative result (FALSE) or an undefined result (UNDEFINED), the same value will be the result of the check of the post-condition block.

      If the check of the precondition block in the current UTG node gave a positive result (TRUE), then the check of the post-condition block is performed in each UTG node between the minimum and maximum waiting interval. The result of the check is determined by the fulfillment of the condition depending on the selected group operator: All steps or Any step.

      If more than one condition check is performed using the temporal operator, then the result of the check of the previous temporal condition is a precondition for each subsequent check of the temporal condition.

  11. Select one of the following logical operators between rule blocks:
    • AND if you need to track tag behavior criteria in both blocks while a diagnostic rule is active.
    • OR if you need to track tag behavior criteria in one of the blocks while a diagnostic rule is active.
  12. In the upper-right corner of the window, click the Save button.
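
The three-valued evaluation described in steps 9 and 10, together with the option that treats an undefined result as triggered, is sketched below as an added Python example; it is not Kaspersky MLAD code. The function names, the constructed tag series, and the rule that missing observations make an Over or Below criterion UNDEFINED whenever they could still change the outcome are assumptions.

```python
from typing import List, Optional, Sequence

Tri = Optional[bool]  # True, False, or None standing for UNDEFINED


def kleene_all(values: Sequence[Tri]) -> Tri:
    """'All steps' operator: FALSE wins, then UNDEFINED, otherwise TRUE."""
    if any(v is False for v in values):
        return False
    return None if any(v is None for v in values) else True


def kleene_any(values: Sequence[Tri]) -> Tri:
    """'Any step' operator: TRUE wins, then UNDEFINED, otherwise FALSE."""
    if any(v is True for v in values):
        return True
    return None if any(v is None for v in values) else False


def threshold_criterion(series: List[Optional[float]], behavior: str,
                        threshold: float, window: int,
                        min_violations: int) -> List[Tri]:
    """Over/Below criterion evaluated at every UTG node.

    Assumption: a missing observation (None, or a node before the series
    starts) makes the result UNDEFINED if it could still decide the outcome.
    """
    if behavior not in ("Over", "Below"):
        raise ValueError("only Over and Below are modelled here")
    out: List[Tri] = []
    for i in range(len(series)):
        start = i - window + 1
        win = [None] * max(0, -start) + list(series[max(0, start):i + 1])
        missing = sum(v is None for v in win)
        if behavior == "Over":
            hits = sum(v is not None and v > threshold for v in win)
        else:
            hits = sum(v is not None and v < threshold for v in win)
        if hits >= min_violations:
            out.append(True)
        elif hits + missing >= min_violations:
            out.append(None)
        else:
            out.append(False)
    return out


def temporal_operator(pre: List[Tri], post: List[Tri], recess_from: int,
                      recess_to: int, check: str) -> List[Tri]:
    """Verdict per anchor node t; it becomes known at node t + recess_to."""
    if not 0 <= recess_from <= recess_to:
        raise ValueError("expected 0 <= from <= to")
    combine = {"All steps": kleene_all, "Any step": kleene_any}[check]
    verdicts: List[Tri] = []
    for t in range(len(pre) - recess_to):
        if pre[t] is not True:
            # FALSE or UNDEFINED precondition is passed through unchanged.
            verdicts.append(pre[t])
        else:
            verdicts.append(combine(post[t + recess_from:t + recess_to + 1]))
    return verdicts


def is_triggered(verdict: Tri, undefined_triggers: bool) -> bool:
    """Final decision; undefined_triggers models the option described above."""
    return verdict is True or (verdict is None and undefined_triggers)


# Constructed sample telemetry, one value per UTG node (None = no observation).
PRESSURE = [8, 9, 8, 11, 12, 9, None, 13, 12, 8]
FLOW = [7, 7, 6, 6, 6, 4, 6, None, 6, 6]

# Precondition: pressure Over 10, Window 3, Minimum violations 2.
PRE = threshold_criterion(PRESSURE, "Over", 10, window=3, min_violations=2)
# Post-condition: flow Below 5, Window 1, Minimum violations 1.
POST = threshold_criterion(FLOW, "Below", 5, window=1, min_violations=1)

if __name__ == "__main__":
    for check in ("Any step", "All steps"):
        verdicts = temporal_operator(PRE, POST, 1, 2, check)
        print(check, verdicts,
              [is_triggered(v, undefined_triggers=True) for v in verdicts])
```

With the constructed series, a single gap in either tag turns several verdicts UNDEFINED, so enabling the option changes how many nodes trigger the rule.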

Removing an ML model element

When removing an ML model element, Kaspersky MLAD also deletes the results of the work of the selected element of the ML model.

System administrators and users who have the Remove models permission from the Manage ML models group of rights can remove elements of ML models.

To remove an ML model element:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the ML model element that you want to delete.

    A list of options appears on the right.

  3. In the upper-right corner of the window, click the trash bin icon.
  4. In the window that opens, confirm the deletion of the ML model element.

Cloning an ML model

System administrators and users who have the Copy models permission from the Manage ML models group of rights can clone ML models.

You can create an ML model by cloning a previously added ML model. When cloning, a new ML model is created. The new ML model contains the same elements, the same parameters of the ML model and its elements, and the same training state of the neural network elements that the ML model being cloned had at the time of cloning.

When cloning an ML model that was created manually or from a template based on a manually created ML model, you can add neural network elements and/or the elements based on diagnostic rules to the cloned ML model, as well as modify or delete them.

When cloning an ML model that was imported into the application or created using a template based on an imported ML model, you cannot change the set of elements of the cloned ML model.

Before running inference, you can change the training settings and retrain the neural network elements of the copied ML model. You can also start inference after the ML model has been published.

To clone an ML model:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the ML model that you want to copy.

    A list of options appears on the right.

  3. In the upper-right corner of the window, click the Copy model icon.

    The Model copying pane appears on the right.

  4. In the Name field, specify the ML model name.

    The ML model name must not be longer than 100 characters.

    By default, an ML model is assigned a name in the following format: <name of the original ML model>_Cloned_<date and time of cloning>.

  5. In the Asset drop-down list, select the asset to which you want to assign the new ML model.
  6. Click the Save button.

The new ML model displays in the Models group of the asset tree. The Models group is created automatically and displayed as part of the selected section of the asset tree. The Models group contains the Neural networks and Rules subgroups for storing ML model elements based on neural networks and diagnostic rules.


Working with ML model templates

This section provides instructions on working with ML model templates.

You can create a template of an existing ML model to reuse its algorithm structure, set of elements, and training state at the time of the template creation. You can use a created template to add new ML models.

If the original ML model used as a template was created manually, you can add neural network elements and/or elements based on diagnostic rules to the ML model created based on such template, as well as modify or delete them.

If the original ML model used to create a template was imported to Kaspersky MLAD, the set of elements of the ML model created based on such a template cannot be changed.

Before inference, all neural network elements of the ML model must be trained. You can also start inference if the ML model has been published.

In this section

Creating a template based on an ML model

Editing an ML model template

Creating an ML model based on a template

Removing an ML model template


Creating a template based on an ML model

System administrators and users who have the Create model templates permission from the Manage ML models group of rights can create templates based on ML models.

You can create an ML model template based on a previously added ML model. The created templates retain the algorithm structure, set of elements, tag composition, and the training state of the source ML model.

You can create a template based on a previously added ML model if this ML model includes a neural network element for which input and output tags are defined, and/or an element based on a diagnostic rule for which rule conditions have been created.

To create a template based on an ML model:

  1. In the main menu, select the Models section.
  2. In the asset tree, next to the name of the ML model based on which you want to create a template, open the vertical menu and select Create template.

    A list of options appears on the right.

  3. Enter the template name in the Name field.

    You can enter up to 100 characters.

    By default, a template is assigned a name in the format Template_<ML model name>_<date and time of template creation>.

  4. To change the names of the template tags, in the Template tag name column specify the new names for the relevant tags.

    If the tags used in the ML model you are using to create the template were loaded or created in the Assets section of the administrator menu, their names are automatically assigned to the tags in the template. If a tag used in the ML model was not detected in Kaspersky MLAD, this tag will be assigned the default name in the format Tag <Model tag ID>.

    You can specify a template tag name different from the tag names in the Assets section of the administrator menu. Template tags and tags in the Assets section are mapped based on the IDs of the ML model tags, which you can specify when creating an ML model from a template.

  5. Click the Save button.

The new ML model template appears in the Templates group of the asset tree. The Templates group is created automatically and displayed as part of the selected section of the asset tree.


Editing an ML model template

You can edit the settings of a created ML model template.

System administrators and users who have the Edit model templates permission from the Manage ML models group of rights can edit ML model templates.

To edit an ML model template:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the template that you want to edit.

    A list of options appears on the right.

  3. In the upper-right corner of the window, click the Edit button.
  4. In the Name field, enter the new template name.

    You can enter up to 100 characters.

    By default, a template is assigned a name in the format Template_<ML model name>_<date and time of template creation>.

  5. To change the names of the template tags, in the Template tag name column specify the new names for the relevant tags.

    You can specify a template tag name different from the tag names in the Assets section of the administrator menu. Template tags and tags in the Assets section are mapped based on the IDs of the ML model tags, which you can specify when creating an ML model from a template.

  6. Click the Save button.

Creating an ML model based on a template

System administrators and users who have the Create models permission from the Manage ML models group of rights can create ML models based on templates.

You can create a new ML model based on available templates. When creating an ML model, you can specify the IDs of tags that should be used in the new ML model.

To create an ML model based on a template:

  1. In the main menu, select the Models section.
  2. In the asset tree, next to the name of the template that you want to use to create an ML model, open the vertical menu and select Create model.

    The Creating a model pane opens on the right.

  3. Enter a name for the new ML model in the Model name field.

    The ML model name must not be longer than 100 characters.

  4. In the Model tag name column, select the tag names for each tag of the created ML model.

    Template tags and tags in the Assets section in the administrator menu are mapped based on the names of the ML model tags.

  5. Click the Save button.

The new ML model displays in the Models group of the asset tree. The Models group is created automatically and displayed as part of the selected section of the asset tree. The Models group contains the Neural networks and Rules subgroups for storing ML model elements based on neural networks and diagnostic rules.

The state of the created ML model will match the training state of the source ML model when the template was created.


Removing an ML model template

System administrators and users who have the Delete model templates permission from the Manage ML models group of rights can remove ML model templates.

You can remove an ML model template from Kaspersky MLAD. Deleting a template does not remove ML models based on this template.

To remove an ML model template:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the ML model template that you want to delete.

    A list of options appears on the right.

  3. In the upper-right corner of the window, click the trash bin icon.
  4. Confirm deletion of the ML model template.

The selected ML model template will be removed from Kaspersky MLAD.


Changing the parameters of an ML model

You can change the settings of an ML model that was created manually, imported into Kaspersky MLAD, created from a template, or copied.

System administrators and users who have the Edit model drafts permission from the Manage ML models group of rights can edit the settings of ML model elements.

To change the parameters of an ML model:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the ML model whose settings you want to edit.

    A list of options appears on the right.

  3. In the upper-right corner of the window, click the Edit button.
  4. In the Name field, specify the ML model name.

    The ML model name must not be longer than 100 characters.

  5. In the Description field, specify the ML model description.
  6. If the ML model was not imported into the application or was created on the basis of an imported ML model, in the Inference indicator settings block, select the markups for conducting inference.
  7. To view the data selected by the markups, click On graph.

    Markups are displayed in the colors selected when they were created.

  8. In the upper-right corner of the window, click the Save button.

Training a neural network element of an ML model

With Kaspersky MLAD, you can train a neural network element for an ML model that was created manually, imported into Kaspersky MLAD, created from a template, or copied.

System administrators and users who have the Train models permission from the Manage ML models group of rights can train elements of ML models.

To train an ML model element:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the neural network element that you want to train.

    A list of options appears on the right.

  3. Open the Training tab and click the Edit button in the upper-right corner of the window.
  4. In the Data selection interval field, specify the data time interval on which you want to train the ML model.
  5. To apply markups when selecting data for training the ML model within a selected interval, select one or several markups in the Markups field.

    The selected markups will form a learning indicator.

  6. To view the data that will be selected by the markups, click On graph.

    Markups are displayed in the colors that were specified when they were created.

  7. If necessary, enable Advanced training settings and do the following:
    1. In the Maximum training duration (sec) field, specify a maximum time in seconds that the Kaspersky MLAD server can spend for training an ML model.
    2. In the Validation split field, use a decimal value to specify the share of the validation sample as a percentage of the entire dataset used to train the ML model.

      You can specify a value in the range of 0 to 1.

      The default value of this parameter is 0.2.

    3. In the Maximum epoch count field, specify the maximum number of epochs for training the ML model.

      The default value of this parameter is 500.

    4. In the Patience field, specify the number of epochs with no improvement in training quality to wait before stopping the ML model training process early.

      Stopping the ML model training early avoids overfitting of the model. Training in this case is considered to be completed successfully.

      The default value of this parameter is 15.

    5. In the Resolution of training results graphs field, use a decimal value to specify the graph resolution for displaying training results on the Training results tab.

      You can specify a value in the range of 0 to 1.

    6. In the Batch size field, specify the number of selection items that must be sent for training within the iteration.

      The default value of this parameter is 16.

    7. In the Block count field, specify the number of blocks into which you want to split the dataset for training the ML model.

      The default value of this parameter is 4.

    8. In the Inference mode drop-down list, select one of the following values:
      • If you want to load all batches into RAM, select Fast inference.

        This inference mode allows you to perform inference faster.

      • If you want to load data batches into RAM one at a time, select Memory saving mode.

        This inference mode allows inference to be performed with minimal expenditure of RAM, but it will take place slower than in Fast inference mode.

      The selected inference mode is applied only while training a neural network element of an ML model.

    9. In the Training mode drop-down list, select one of the following values:
      • If you want to load the entire dataset for training the model into RAM, select Load whole dataset to RAM.
      • If you want to load one data block at a time into RAM and generate validation blocks from the end of the dataset, select Validate at the end of the dataset.
      • If you want to load one data block at a time into RAM without generating validation blocks, select Run validation in each training data block.

        Validation data is generated from each training data block.

    10. In the Memory allocation mode drop-down list, select one of the following settings:
      • Reserve minimum amount of free RAM. If this setting is selected, the Trainer service will make sure that the minimum amount of memory specified in the Amount of RAM, MB field remains free when training the ML model.
      • Reserve maximum available amount of RAM for model training. If this setting is selected, the Trainer service will use the maximum amount of RAM specified in the Amount of RAM, MB field when training the ML model.
    11. To consider previous training results while training an ML model on new data, enable the option to Initialize model weights with values from previous training results.
    12. If you want to shuffle the data to improve the quality of ML model training, enable the Shuffle data option.
  8. In the upper-right corner of the window, click the Save button.
  9. In the information block located above the training settings, click the Train element button.

The information block will show the number of the current training epoch of the ML model element. After the training is complete, you can view the training results of an ML model element in the Training results tab.

After training all the neural network elements within an ML model, the model is assigned the Trained status. If required, you can retrain the ML model element by clicking Restart training.


Viewing the training results of an ML model element

You can view the results of training the neural network elements of an ML model.

System administrators and users who have the Train models permission from the Manage ML models group of rights can view the results of training ML model elements.

To view the training results of an ML model element:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the ML model element whose training result you want to view.

    A panel with the settings of the selected element will appear on the right.

  3. Select the Training results tab.

If the ML model element has been successfully trained, the following information about the training results is displayed in the Training results tab:

  • Message about successful completion of training of an ML model element.

    If you want to view the training settings for an element that were specified during its creation, click the Training settings link.

  • User: The name of the user who started training the ML model element.
  • Training interval: The time spent by the Kaspersky MLAD server for training the ML model element.
  • Start of training: The date and time when the Trainer service began training the ML model element.
  • End of training: The date and time that training of the ML model element finished. ML model element weights have been updated by the Trainer service.
  • Total training duration: The duration of data time intervals considering the markups in the training dataset.
  • Number of UTG nodes: The number of UTG nodes included in the training set.
  • Training and validation errors: A graph showing the training and validation errors for each training epoch.
  • Model prediction: Graphs showing model predictions for the output tags and the overall prediction error.

Preparing an ML model for publication

After training the ML model, you can prepare it for publication. An ML model ready for publishing cannot be modified.

System administrators and users who have the Edit model drafts permission from the Manage ML models group of rights can prepare an ML model for publication.

To prepare an ML model for publication:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the ML model you want to prepare for publication.

    A list of options appears on the right.

  3. Click the Prepare to publish button.

The ML model is assigned the Ready for publication status. Notify the officer responsible for publishing the ML model that it is ready, or, if you have the required permissions, publish the ML model.

To make changes to the ML model before publishing, click the Back to edit mode button. The ML model will revert to a status of Trained.


Publishing an ML model

You can publish an ML model for logging incidents based on the operational data from the monitored asset.

System administrators and users who have the Edit model drafts permission from the Manage ML models group of rights can publish ML models.

To publish an ML model:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the ML model that you want to publish.

    A list of options appears on the right.

  3. Click Publish.

The ML model is assigned the Published status.

When the inference is started, the ML model will log incidents.


Starting and stopping ML model inference

You can start or stop the inference of an ML model with a status of Trained or Published on historical or newly received telemetry data.

To start the ML model inference:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the ML model whose inference you want to run.

    A list of options appears on the right.

  3. Select the Inference tab.
  4. In the Inference type drop-down list, select one of the following values:
    • Historical to run ML model inference on historical telemetry data. If you select this value, specify the data time interval for running the ML model.
    • Real-time to run ML model inference on telemetry data that is being received in real time.
  5. Click the Start button.

If historical inference was started, Kaspersky MLAD will add the ML model to the inference queue.

To stop the ML model inference:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the ML model whose inference you want to stop.

    A list of options appears on the right.

  3. Select the Inference tab.
  4. Click the Stop button.

Kaspersky MLAD will stop inference for the selected ML model.


Viewing the data flow graph of an ML model

You can view the data flow graph in ML models.

To view the data flow graph in an ML model:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the neural network element whose data flow graph you want to view.

    A list of options appears on the right.

  3. Select the Data flow graph tab.

    The ML model data flow graph is displayed on the right.

  4. If you need to view the settings of an ML model, move the mouse cursor over it.

    A window listing the values of settings of the selected element will be displayed.

    The diagram shows the data flow between the elements of an ML model.

    ML model data flow graph


Removing an ML model

You can remove one or more ML models from Kaspersky MLAD.

After the ML model is removed, its artifacts, such as predictions, individual errors, prediction errors, or rule progress indicators, as well as incidents registered by the ML model, will be deleted.

System administrators and users who have the Remove models permission from the Manage ML models group of rights can remove ML models.

To remove an ML model:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the ML model to be deleted.

    A list of options appears on the right.

  3. In the upper-right corner of the window, click the trash bin icon.
  4. Confirm deletion of the ML model.

The selected ML model will be removed from Kaspersky MLAD.
