Kaspersky Machine Learning for Anomaly Detection
4.0
English

Contents

[Topic 248123]

Settings of a .env configuration file

The settings of the configuration file can be changed only by a qualified technical specialist of the Customer, a Kaspersky employee, or a certified integrator.

The .env configuration file is filled in to configure the CEF Connector and has the settings described in the table below.

Settings of a .env configuration file

Setting

Description

CEF_CONNECTOR_INCOMING_IP

IP address used to connect an external event source to the CEF Connector.

CEF_INCOMING_PORT

Port number used to connect an external event source to the CEF Connector.

To apply changes to the configuration file, restart Kaspersky MLAD.

Page top
[Topic 248124]

Settings and example of the Excel file containing tag and asset configuration

The configuration file is created by a qualified technical specialist of the Customer, a Kaspersky employee or a certified integrator. The system administrator loads the configuration of assets and tags into a hierarchical structure in the Assets section in the administrator menu.

The configuration file contains the following tabs:

  • readme: A tab containing general information about the configuration file.
  • directory_types: A tab that describes the hierarchical structure asset types using the following settings:
    • directory_type_id: The asset type ID. The ID is assigned automatically when exporting the asset tree.
    • directory_type: A unique name for the asset type.
    • parameter<parameter number>_label: Names of special parameters, where <parameter number> corresponds to a value in the range from 1 to 5. If an asset of a given type does not have any special parameter, leave the corresponding field in the configuration file blank.
    • description: The description of the asset type. This field is optional.
  • directories: A tab that describes assets of the hierarchical structure using the following settings:
    • directory_id: The asset ID. The ID is assigned automatically when exporting the asset tree.
    • directory_type: The type of asset. The type is selected from the asset types specified on the directory_types tab.
    • directory_type row: The number of the row on the directory_types tab that describes the selected asset type. The field is filled in automatically.
    • directory_name: The unique name of an asset within its parent asset.
    • directory_info: The description of the asset. This field is optional.
    • parent: The parent asset. If the imported asset is at the top level of the asset hierarchy, leave the parent field blank.
    • parent row: The number of the row on which the selected parent asset is described. The field is filled in automatically.
    • parent_id: The ID of the parent asset. The ID is assigned automatically when exporting the asset tree.
    • parameter<parameter number>: Names of special parameters, where <parameter number> corresponds to a value in the range from 1 to 5. Names of special parameters are filled in automatically if special parameters are defined for the selected asset type.
    • value <parameter number>: Values of special parameters, where <parameter number> corresponds to a value in the range from 1 to 5. If an asset does not have a special parameter, leave the field for entering the corresponding value blank.
  • tags: A tab that describes tags of the hierarchical structure using the following parameters:
    • tag_id refers to the tag ID. The ID is assigned automatically when exporting primary elements of the hierarchical structure.
    • tag_name is the unique name of the tag.
    • alternate_name: A unique alternative name for the tag. This field is optional.
    • tag_description refers to a description of the tag.
    • parent: The parent asset to which the tag belongs. If the head element of the hierarchical structure is the tag imported by the parent element, leave the parent field blank.
    • parent_row: The number of the row on the directories tab that describes the selected parent asset. The field is filled in automatically.
    • parent_id: The ID of the parent asset. The ID is assigned automatically when exporting the asset tree.
    • tag_type: Type of tag. This field is optional.
      • PV: To designate measurements or observed values of physical parameters.
      • CV: To designate calculated values of physical parameters.
      • IV: To designate tags that are independent of other tags.
      • SV: To designate a setpoint.
      • MV: To designate the controlled values of physical parameters.
      • B: To designate tags in bit format.
      • X: To designate cases that are not tagged.

      If you are finding it difficult to determine the tag type, you can use a question mark (?) as the tag type instead.

    • tag_units: The unit of measure for the tag.
    • red_min: Lower blocking threshold, upon reaching which it is necessary for the ICS to take emergency response measures. This field is optional.
    • red_max: Upper blocking threshold, upon reaching which it is necessary for the ICS to take emergency response measures. This field is optional.
    • yellow_min: Lower signaling threshold, upon reaching which the operator should pay attention to the tag behavior. This field is optional.
    • yellow_max: Upper signaling threshold, upon reaching which the operator should pay attention to the tag behavior. This field is optional.
    • validity_min: The lower threshold for physically possible tag values. This field is optional.
    • validity_max: The upper threshold for physically possible tag values. This field is optional.
    • display_min: The lower boundary for displaying tag values on graphs. This field is optional.
    • display_max: The upper boundary for displaying tag values on graphs. This field is optional.
    • scale: The expression used to calculate the tag value from the value passed to Kaspersky MLAD. Instead of an expression, you can specify a specific number by which the value of the transmitted tag is to be multiplied. If the tag value does not need to be recalculated, leave this field blank.
    • comment: A comment relating to the tag.
    • X is the coordinate of the monitored asset's sensor location. This field is optional.
    • Y is the Y coordinate of the monitored asset's sensor location. This field is optional.
    • Z is the Z coordinate of the monitored asset's sensor location. This field is optional.

Below is an example of a XLSX file containing descriptions of assets and tags and their configuration.

Directory_types tab

directory_type_id

directory_type

parameter1_label

parameter2_label

parameter3_label

parameter4_label

parameter5_label

description

 

Factory

Process

Region

 

 

 

Separate production unit

 

Unit

Vendor

Model

Year of manufacture

Responsible

 

Industrial installation

 

Setpoints

 

 

 

 

 

Set of setpoints

Directories tab

directory_id

directory_type

directory_type row

directory_name

directory_info

parent

parent row

parent_id

parameter1

value1

parameter2

value2

parameter3

value3

parameter4

value4

parameter5

value5

 

Factory

2

Chemical plant

Tennessee Eastman Process

 

 

 

Process=

TEP

Region=

United States

 

 

 

 

 

 

 

Unit

3

Reactor

Chemical reactor

Chemical plant

2

 

Vendor=

Chemical Machines

Model=

R1/12-13

Year of manufacture=

2001

Responsible=I.I.Ivanov

 

 

 

 

Setpoints

4

Setpoints

Reactor setpoints

Chemical plant; Reactor

3

 

 

 

 

 

 

 

 

 

 

 

tags tab

tag_id

tag_name

alternate_tag_name

tag_description

parent

parent_row

parent_id

tag_type

tag_units

red_min

red_max

yellow_min

yellow_max

validate_min

validate_max

display_min

display_max

scale

comment

X

Y

Z

 

Reactor_pressure_setpoint

 

Reactor pressure setpoint

Chemical plant; Reactor; Setpoints

4

 

SV

kPa

 

 

 

 

 

 

 

 

 

 

 

 

 

 

A_feed_stream1

 

Reagent consumption A

Chemical plant; Reactor

3

 

PV

thousand cubic meters/h

 

0.6

 

 

 

 

 

 

 

 

 

 

 

 

No reactor temperature response

 

Rule

Chemical plant

2

 

PV

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Page top
[Topic 248125]

Example JSON file containing a preset configuration

Below is an example of a JSON file containing descriptions of presets.

Only a qualified Kaspersky employee can create a configuration file. Preset configuration is uploaded by the user in the Presets section.

{

"presets": [

{

"name": "Product",

"tag_list": [

51,

52,

53,

49,

50

],

"evaluations": {

"axis_x_name": "",

"evaluations": []

},

"css_class": null,

"icon": "logout-signout"

},

...

{

"name": "Cooler",

"tag_list": [

64

],

"evaluations": {

"axis_x_name": "",

"evaluations": []

},

"css_class": null,

"icon": "graph"

}

]

}

Page top
[Topic 256180]

Example JSON file containing a configuration for the Event Processor service

Below is an example of a JSON file containing a configuration for the Event Processor service. The file contains a description of the event parameters for the Event Processor.

Only a Kaspersky employee can create a configuration file. The system administrator uploads the Event Processor configuration file when configuring the Event Processor service settings.

{

"timestamp_field": "TimeStamp",

"timestamp_scale": "ms",

"fields": [

"User_Host",

"User_Name",

"Destination_Host",

"Access_Result"

],

"groupBy": [

"User_Host",

"User_Name",

"Destination_Host",

"Access_Result"

],

"nodes": [

{

"name": "User_Name",

"depth": 0,

"tooltip": {

"templates": [

"User: {{User_Name}}"

]

}

},

{

"name": "User_Host",

"depth": 1,

"tooltip": {

"templates": [

"User host: {{User_Host}}"

]

}

},

{

"name": "Destination_Host",

"depth": 2,

"tooltip": {

"templates": [

"Destination: {{Destination_Host}}"

]

}

}

],

"links": [

{

"source": "User_Name",

"target": "User_Host",

"value": "interval_count",

"tooltip": {

"templates": [

"{{User_Name}} » {{User_Host}}",

"Count: {{interval_count}}"

]

},

"isGraphGroup": true

}, {

"source": "User_Host",

"target": "Destination_Host",

"value": "interval_count",

"tooltip": {

"templates": [

"{{User_Host}} » {{Destination_Host}}",

"DeviceEventClassID: {{Access_Result}}",

"Count: {{interval_count}}"

]

}

}

]

}

 

Page top
[Topic 248126]

Viewing the Kaspersky MLAD log

Kaspersky MLAD uses the Grafana logging system to monitor the state of application services and to track information security events.

Tracking information security events of Kaspersky MLAD in the logging subsystem

The table below shows the types of information security events that are tracked in Kaspersky MLAD.

Types of information security events

Information security event ID in the logging system

Information security event type

login

Connecting and attempting to connect users to Kaspersky MLAD

access_control

Verifying user rights when performing actions in the Kaspersky MLAD web interface

logout

Terminating a Kaspersky MLAD user connection

service_control

Starting, stopping, and restarting Kaspersky MLAD services

user_control

Editing user accounts

system_settings_control

Changing Kaspersky MLAD settings

model_control

Creating, modifying, and deleting models

tag_control

Importing, creating, modifying, and deleting tags

log_control

Deleting information security event logs from the Kaspersky MLAD database when the log storage volume is exceeded or when their storage term expires

Each entry about an information security event contains the following parameters:

  • event_id is the ID of the information security event.
  • timestamp is the date and time of the information security event.
  • event_type is the ID of the information security event type.
  • sub_type specifies the type of information security event.
  • severity is the importance of the information security event. Kaspersky MLAD provides the following severity levels for information security events:
    • 1 (low).

      These information security events include entries involving users being granted access to perform a specific action in the web interface, and regarding the successful completion of any user actions.

    • 5 (medium).

      These information security events include entries involving user actions in the web interface for managing ML models, tags, user accounts and passwords, and entries regarding exceeded thresholds for storage time and volume of information security event logs.

    • 8 (high).

      These information security events include entries involving users entering an incorrect login and/or password when connecting to the web interface of the application, and entries regarding unsuccessful attempts to change a password.

    • 10 (highest).

      These information security events include entries involving attempts to connect to the application web interface using a system account or a blocked account, and entries regarding attempts to perform specific actions in the application without the appropriate access rights.

  • username is the name of the user whose actions resulted in the information security event entry.
  • ip_address is the IP address of the computer from which the user performed the action logged into the information security event log.
  • outcome is the result of an information security event. The OK result corresponds to successful completion of the operation by the user. The FAIL result corresponds to failure of the user to perform the operation.
  • msg is a brief summary of the information security event.
  • info is a detailed description of the information security event.

Tracking the state of Kaspersky MLAD services in the logging subsystem

Kaspersky MLAD services whose states are monitored in the logging subsystem are identified based on the names of their corresponding containers or images in Docker. In most cases, the abbreviated name of the service is used as the name of the image. The container name is formed according to the following template:

<application directory>-<image name>-#,

where # is the number of the Docker container.

By default, Kaspersky MLAD uses the mlad-release-4.0.2-<installation build number> directory.

The Kaspersky MLAD log stores entries about the state of application services only for the last 48 hours.

The table below presents the correspondence between Kaspersky MLAD services and the names of Docker containers and images.

Correspondence between Kaspersky MLAD services and the names of Docker containers and images

Kaspersky MLAD service

Image name

Container name

Anomaly Detector

anomaly_detector

mlad-release-4.0.2-<installation build number>-anomaly_detector-1

Time Series Database

influxdb

mlad-release-4.0.2-<installation build number>-influxdb-1

Message Broker

kafka

mlad-release-4.0.2-<installation build number>-kafka-1

Keeper

keeper

mlad-release-4.0.2-<installation build number>-keeper-1

Logger

logger

mlad-release-4.0.2-<installation build number>-logger-1

Database

postgres

mlad-release-4.0.2-<installation build number>-postgres-1

Similar Anomaly

similar_anomaly

mlad-release-4.0.2-<installation build number>-similar_anomaly-1

Event Processor

event-processor

mlad-release-4.0.2-<installation build number>-event-processor-1

Stream Processor

stream-processor

mlad-release-4.0.2-<installation build number>-stream-processor-1

Trainer

trainer

mlad-release-4.0.2-<installation build number>-trainer-1

Web Server

nginx-ui

mlad-release-4.0.2-<installation build number>-nginx-ui-1

API Server

web-server

mlad-release-4.0.2-<installation build number>-web-server-1

Mail Notifier

postman

mlad-release-4.0.2-<installation build number>-postman-1

OPC UA Connector

opcua-connector

mlad-release-4.0.2-<installation build number>-opcua-connector-1

MQTT Connector

mqtt-connector

mlad-release-4.0.2-<installation build number>-mqtt-connector-1

AMQP Connector

amqp-connector

mlad-release-4.0.2-<installation build number>-amqp-connector-1

HTTP Connector

gate

mlad-release-4.0.2-<installation build number>-gate-1

KICS Connector

kics3-connector

mlad-release-4.0.2-<installation build number>-kics3-connector-1

CEF Connector

cef-connector

mlad-release-4.0.2-<installation build number>-cef-connector-1

WebSocket Connector

ws-connector

mlad-release-4.0.2-<installation build number>-ws-connector-1

 

webstatic

mlad-release-4.0.2-<installation build number>-webstatic-1

 

migrations

mlad-release-4.0.2-<installation build number>-migrations-1

The Info logging level is used for the Time Series Database, Message Broker, Logger, Database and Web Server services, and for webstatic and migrations images. The logging levels for all other Kaspersky MLAD services are defined by the system administrator when configuring the application settings.

Page top
[Topic 248127]

Scenario: viewing information security event logs

Before starting to work with the logging subsystem, it is recommended to read the Grafana User Guide.

The maximum volume and storage time for information security event entries are defined when configuring the security settings.

Information security event logs are written to the Kaspersky MLAD database automatically. If necessary, the system administrator can specify the settings of an external system to which the information security event logs should be sent.

The scenario for viewing information security event logs consists of the following steps:

  1. Navigating to the logging subsystem

    Navigate to the logging system by clicking the button Kaspersky MLAD logs can be viewed in another application.

    Available only to the system administrators and users with the Working with application logs permission.

  2. Navigating to the section containing information security event logs

    Go to the Security audit section.

  3. Analyzing information security event logs

    Analyze the information security event log entries for the selected period. You can filter them based on parameters of the information security event logs. To do so, click the filtering icon () in the column containing the relevant log parameter, select the check boxes next to the necessary filtering criteria, and click OK. To reset the filtering criteria, clear the relevant check boxes and click OK.

  4. Exporting information security event logs

    To export the information security event logs for the selected period to a text file, in the Security audit section, use the Security audit drop-down list above the information security event log table to select InspectData, and click the Download CSV button in the opened pane.

Page top
[Topic 248128]

Scenario: assessing the main metrics of Kaspersky MLAD

Before starting to work with the logging subsystem, it is recommended to read the Grafana User Guide.

When connecting to the logging subsystem for the first time, you must change the default password.

This subsection provides a sequence of actions that must be performed to assess the health and general state of Kaspersky MLAD.

The scenario for assessing the health and general state of Kaspersky MLAD consists of the following steps:

  1. Navigating to the logging subsystem

    Navigate to the logging system by clicking the button Kaspersky MLAD logs can be viewed in another application.

    Available only to the system administrators and users with the Working with application logs permission.

  2. Analyzing the main metrics of Kaspersky MLAD

    In the Summary docker metrics section, analyze the graphs of the main Kaspersky MLAD metrics for the selected period.

    The following metrics are displayed for each container of Kaspersky MLAD services:

    • CPU usage – history of central processor workload caused by the container. This is measured as a percentage.
    • RAM usage – history of the container's RAM usage. This is measured in bytes.
    • Disk usage – history of the container's load on the disk subsystem (read/write operations). This is measured in bytes.
    • Network usage – history of the container's use of network resources. This is measured in bytes per second.
Page top
[Topic 248129]

Scenario: viewing container logs and metrics

Before starting to work with the logging subsystem, it is recommended to read the Grafana User Guide.

The Kaspersky MLAD log stores entries only for the last 48 hours.

This subsection provides steps for assessing the performance and viewing the logs of a specific container from the Kaspersky MLAD distribution kit.

The scenario for assessing the performance and viewing the logs of a specific container consists of the following steps:

  1. Navigating to the logging subsystem

    Navigate to the logging system by clicking the button Kaspersky MLAD logs can be viewed in another application.

    Available only to the system administrators and users with the Working with application logs permission.

  2. Navigating to the section with container logs and metrics

    Go to the Service detailed monitoring section and select the relevant container from the Container drop-down list.

  3. Analyzing container metrics

    In the Service detailed monitoring section, analyze the graphs of Kaspersky MLAD metrics for the selected container during the relevant period.

    The Service detailed monitoring section provides the following metrics:

    • Memory – history of the container's RAM usage. This is measured in bytes.
    • CPU – history of central processor workload caused by the container. This is measured as a percentage.
    • File system – history of the container's load on the disk subsystem (read/write operations). This is measured in bytes.
    • Network – history of the container's use of network resources. This is measured in bytes per second.
  4. Analyzing container logs

    Analyze the container log records for the selected period, which are displayed under the metrics dashboard. You can search the container log records. To do so, enter a search query in the Log search field and press the ENTER key. To reset the search results, clear the Log search field and press the ENTER key.

  5. Exporting container logs

    To export container logs for the selected period to a text file, in the Service detailed monitoring section, select InspectData from the Service log drop-down list and click Download CSV in the opened pane.

Page top
[Topic 248130]

Special characters of regular expressions

You can use regular expressions to search for events, patterns and values of event parameters in the Event Processor section. Kaspersky MLAD supports use of the following special characters in regular expressions:

  • ^ – Corresponds to the start of the parameter value. For example, ^A means that the event parameter search will look for values beginning with the letter A.
  • $ – Corresponds to the end of the parameter value. For example, A$ means that the event parameter search will look for values ending with the letter A.
  • . – Corresponds to any single character.
  • | – Splits permissible options for characters or a set of characters in a parameter value. For example, c(o|a)t matches both the cot and cat values.
  • \ – Indicates that the next character is an ordinary character (not a special character) in the parameter value. You can use the \ character to search for special characters in a parameter value. For example, \. describes a dot in the parameter value, while \\ describes a backslash.
  • [] – Corresponds to any character from the set of permissible characters. For example, [abc] matches the occurrence of any one of the three specified characters.

    To search for a range of values, you can use the - character. To find the characters that are not within the specified range, you can use the ^ character in the square brackets. For example, [^0-9] means any character except numerals can be present.

You can use the following special characters to indicate the necessary number of repetitions of an expression in the values of event parameters:

  • ? – Character indicating that the preceding expression may occur zero or one time in a parameter value.
  • * – Character indicating that the preceding expression may occur zero or more times in a parameter value.
  • + – Character indicating that the preceding expression may occur one or more times in a parameter value.
  • {} – Character class that lets you indicate the necessary number of repetitions of the preceding expression. You can specify the repetition count in one of the following ways:
    • {n} – The expression preceding the curly brackets occurs in the parameter value exactly n times.
    • {m,n} – The expression preceding the curly brackets occurs in the parameter value from m to n times inclusive.
    • {m,} – The expression preceding the curly brackets occurs in the parameter value at least m times.
    • {,n} – The expression preceding the curly brackets occurs in the parameter value no more than n times.

You can also use parentheses () to group elements of an expression. For example,(c[oa]t){2} matches cotcot, catcat, cotcat, and catcot.

Page top
[Topic 248131]

Cipher suites for secure TLS connection

It is recommended to use the following cipher suite for a secure TLS connection via the TLS-1.2 protocol:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384;
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256;
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256;
  • TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256;
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384.

It is recommended to use the following cipher suite for a secure TLS connection via the TLS-1.3 protocol:

  • TLS_AES_128_GCM_SHA256;
  • TLS_AES_256_GCM_SHA384;
  • TLS_CHACHA20_POLY1305_SHA256;
  • TLS_AES_128_CCM_SHA256.
Page top
[Topic 260272]