Kaspersky Machine Learning for Anomaly Detection

Installing the application

This section contains a step-by-step description of Kaspersky MLAD installation. During installation, Kaspersky MLAD creates the first application user with the system administrator role.

Installation of Kaspersky MLAD is performed by a qualified technical specialist of the Customer, a Kaspersky employee, or a certified integrator.

Only the software specified in the hardware and software requirements should be installed on the Kaspersky MLAD server.

Kaspersky MLAD is installed according to the described procedure for application installation. Installation and use of Kaspersky MLAD is possible only on one server. Installation and use of different services and connectors on multiple servers is not possible.

To install Kaspersky MLAD:

  1. Unpack the archive named Kaspersky_MLAD_4.0.2.-<build number>_ru-RU_en-US.tar.xz that is included in the distribution kit:

    tar xf Kaspersky_MLAD_4.0.2.<build number>_ru-RU_en-US.tar.xz

  2. Navigate to the directory named mlad-release-4.0.2-<build number>:

    cd mlad-release-4.0.2-<build number>

  3. Run the setup.sh installation script:

    sudo ./setup.sh

  4. Follow the instructions of the Application Setup Wizard.

    Using the Application Setup Wizard, you can change the name and password of the first application user with the system administrator role.

To install Kaspersky MLAD in non-interactive mode:

  1. Unpack the archive named Kaspersky_MLAD_4.0.2.-<build number>_ru-RU_en-US.tar.xz that is included in the distribution kit:

    tar xf Kaspersky_MLAD_4.0.2.<build number>_ru-RU_en-US.tar.xz

  2. Navigate to the directory named mlad-release-4.0.2-<build number>:

    cd mlad-release-4.0.2-<build number>

  3. Run the setup.sh installation script with the following switches:

    sudo ./setup.sh -q -e accept

    where:

    -q means that the application is installed in non-interactive mode. When installing the application in non-interactive mode, Kaspersky MLAD creates the first application user with the system administrator role and assigns it a default user name and password. To obtain the default user name and password, contact a qualified technical specialist of the Customer, a Kaspersky employee, or a certified integrator.

    -e accept means that you accept the terms of the End User License Agreement. You must accept the terms of the End User License Agreement to install the application. If you do not add the -e accept switch, installation of the application will not continue.

    You can read the text of the End User License Agreement in the text file named license_en.txt located in the 'legal' directory.

The application will be installed on the computer. After installing the application, start it.


Updating the application

This section contains a step-by-step description of the Kaspersky MLAD update procedure.

Updating Kaspersky MLAD is possible starting with application version 4.0.1-001. When Kaspersky MLAD is updated, all of the following data that was uploaded, received, or processed by the previous version of Kaspersky MLAD will be saved: tag configurations, presets, ML models, and settings of Kaspersky MLAD.

Only the software specified in the hardware and software requirements should be installed on the Kaspersky MLAD server.

Kaspersky MLAD is updated to fix security flaws and application vulnerabilities or when new versions of the application are released under the current Technical Support Agreement. The application update is performed by a qualified technical specialist of the Customer, a Kaspersky employee, or a certified integrator.

To update Kaspersky MLAD from the command line:

  1. Unpack the archive named mlad-4.0.2-<new build number>.tar.xz that is included in the distribution kit:

    tar xf mlad-4.0.2-<new build number>.tar.xz

  2. Navigate to the directory where you unpacked Kaspersky MLAD:

    cd mlad-4.0.2-<new build number>

  3. Run the application update script named upgrade.sh:

    sudo ./upgrade.sh -u -f <full path to the release.txt file of the application assembly being updated>

    You can run the upgrade.sh script with the -h switch to display help for the Kaspersky MLAD update interface:

    sudo ./upgrade.sh -h

  4. Follow the instructions of the Application Upgrade Wizard.

Kaspersky MLAD will be updated to the version specified in the build number. All application files are located in the directory where Kaspersky MLAD is installed (mlad-release-4.0.2-<installation build number> by default). A directory named upgrade_backup-4.0.2-<previous build number> will also be created there and will contain a backup copy of the previous version of Kaspersky MLAD.

You can move the directory containing the backup copy of the application to another storage location in accordance with your company regulations.


Backing up the application

You can back up the application in accordance with your company regulations. Kaspersky MLAD also automatically creates a backup copy when the application is updated.

The application is backed up using the upgrade.sh upgrade script.

Kaspersky MLAD backup capabilities are available starting with application version 4.0.1-001. The Kaspersky MLAD backup procedure saves all of the following data that was uploaded, received, or processed by Kaspersky MLAD: tag configurations, presets, ML models, and settings of Kaspersky MLAD.

To back up Kaspersky MLAD from the command line:

  1. Go to the directory where Kaspersky MLAD is installed:

    cd mlad-release-4.0.2-<build number>

  2. To back up the application, run the upgrade.sh upgrade script with the -b switch:

    sudo ./upgrade.sh -b

This script creates a directory named backup-4.0.2-<date and time of backup> for storing all application backup files within the Kaspersky MLAD installation directory (mlad-release-4.0.2-<build number> by default).

You can move the directory containing the backup copy of the application to another storage location in accordance with your company regulations.


Rolling back the application to the previous installed version

This section contains a step-by-step description of the procedure for rolling back the application to the previous installed version using the upgrade.sh script.

Kaspersky MLAD rollback capabilities are available starting with application version 4.0.1-001.

When rolling back Kaspersky MLAD to the previous installed version, all data received and processed by Kaspersky MLAD from the moment the application was upgraded to the moment of the rollback to the previous version will be lost. You are advised to verify that you have a full backup copy of all Kaspersky MLAD data.

To roll back Kaspersky MLAD to the previous installed version:

  1. Go to one of the following directories containing the relevant backup copy of Kaspersky MLAD that the application rollback should restore:
    • upgrade_backup-4.0.2-<previous build number> – directory storing the application version created automatically during an application upgrade. To go to the directory, run the following command:

      cd upgrade_backup-4.0.2-<previous build number>

    • backup-4.0.2-<date and time of backup> – directory storing the application version created when the application was backed up. To go to the directory, run the following command:

      cd backup-4.0.2-<date and time of backup>

      When rolling back the application to the previous version, the backup-4.0.2-<date and time of backup> directory must be located in the directory where Kaspersky MLAD is installed (mlad-release-4.0.2-<build number> by default).

  2. To roll back the application to the previous version, run the application upgrade script named upgrade.sh with the -r switch:

    sudo ./upgrade.sh -r

  3. Follow the instructions of the Application Upgrade Wizard.

Kaspersky MLAD will be rolled back to the previous installed version.


Scenario for restoring Kaspersky MLAD from a backup

If the server hosting Kaspersky MLAD malfunctions, you can restore the application on another server from a backup copy of Kaspersky MLAD using the upgrade.sh script.

The scenario for restoring the application from a backup copy consists of the following steps:

  1. Installing Kaspersky MLAD

    On the server, install the same version of Kaspersky MLAD that was used to create the backup.

  2. Moving a backup copy of the application to the Kaspersky MLAD server

    Move the directory containing the application backup to the directory where Kaspersky MLAD is installed (mlad-release-4.0.2-<installation build number> by default).

  3. Restoring Kaspersky MLAD

    Go to the directory containing the backup copy of Kaspersky MLAD by running the following command:

    cd <directory containing the application backup copy>

    To restore the application from a backup copy, run the application upgrade script named upgrade.sh with the -r switch:

    sudo ./upgrade.sh -r

    Follow the instructions of the Application Upgrade Wizard.


Getting started

Before starting to work with Kaspersky MLAD, you must make sure that the following conditions are fulfilled:

  1. The telemetry data source is enabled and configured to send data to Kaspersky MLAD.
  2. The data transfer network is prepared to deliver telemetry data from the data source to the Kaspersky MLAD server, the network equipment is properly configured, and data transfer is allowed.
  3. Configuration settings and/or configuration files are prepared for the connector that will be used in Kaspersky MLAD to receive telemetry data or events from external systems. The connector must be configured and activated after Kaspersky MLAD is started.
  4. Descriptions of tags of received telemetry and assets of the hierarchical structure are prepared as an XLSX file to be imported into Kaspersky MLAD. A description of the presets is supplied in the form of a file in JSON format. The files are created by a qualified technical specialist of the Customer, a Kaspersky specialist or a certified integrator.
  5. One or more ML models have been created, trained on historical telemetry data. The ML models are prepared for import into Kaspersky MLAD as TAR files if the files were created by a Kaspersky specialist or a certified integrator within the scope of the Kaspersky MLAD Model-building and Deployment Service.
  6. The Kaspersky MLAD system administrator has been sent the codes for activating ML models. The ML model activation codes are stored in a secure storage location.

Starting and stopping Kaspersky MLAD

To start the application after it has been stopped:

  1. Go to the directory where Kaspersky MLAD is installed (mlad-release-4.0.2-<installation build number> by default).
  2. In the command line, run the following command:

    ./mlad-start.sh

Kaspersky MLAD will be started.

To stop the application:

  1. Go to the directory where Kaspersky MLAD is installed (mlad-release-4.0.2-<installation build number> by default).
  2. In the command line, run the following command:

    ./mlad-stop.sh

Kaspersky MLAD will be stopped.


Updating Kaspersky MLAD certificates

The following certificates are used in Kaspersky MLAD:

  • Certificates for connecting to Kaspersky MLAD using the web interface.
  • Certificates for connecting connectors and services.

It is recommended to update certificates in the following cases:

  • Current certificates have been compromised.
  • Certificates have expired.
  • Certificates need to be updated in accordance with the enterprise information security requirements.

Updating a certificate for connecting to Kaspersky MLAD using the web interface

By default, Kaspersky MLAD uses a self-signed certificate that is automatically generated during the application installation to connect to the web interface. When using a self-signed certificate to connect to the Kaspersky MLAD web interface, the browser displays a warning that the security certificate or the established connection is not trusted.

To use trusted certificates to connect to the Kaspersky MLAD web interface, you can replace the self-signed certificate with a certificate received from a recognized certification authority or with a custom certificate that complies with the security standards of your organization.

By default, Kaspersky MLAD uses the mlad-4.0.2-<installation build number>/ssl/nginx/ directory to store certificates for connecting to the web interface.

The certificate for connecting to Kaspersky MLAD using the web interface can be updated by a qualified technical specialist of the Customer, a Kaspersky employee or a certified integrator.

To update certificates for connecting to Kaspersky MLAD using the web interface:

  1. Obtain a trusted certificate and a key for this certificate to connect to the Kaspersky MLAD web interface.

    A certificate must be received for the IP address and domain name of the server on which Kaspersky MLAD is installed.

  2. Go to the directory containing the trusted certificate and the key to this certificate.
  3. In the command line, run the following commands:

    sudo chown root:root <new certificate.crt> <new certificate key.key>
    sudo chmod 640 <new certificate.crt> <new certificate key.key>
    sudo cp <new certificate.crt> mlad-4.0.2-<installation build number>/ssl/nginx/mlad_nginx.crt
    sudo cp <new certificate key.key> mlad-4.0.2-<installation build number>/ssl/nginx/mlad_nginx.key

    The new certificate and its key are saved in the mlad-4.0.2-<installation build number>/ssl/nginx/ directory as the mlad_nginx.crt and mlad_nginx.key files, respectively.

  4. Restart Kaspersky MLAD by executing the following commands in the command line:

    mlad-4.0.2-<installation build number>/mlad-stop.sh
    mlad-4.0.2-<installation build number>/mlad-start.sh

After restarting, Kaspersky MLAD uses the new certificate to connect to the web interface.
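
The following added example (not part of the Kaspersky documentation) is a pre-flight check to run before the copy commands in step 3. It confirms that the key belongs to the certificate, that the certificate is not close to expiry, and that it covers the server's domain name and IP address. The function names and the 30-day margin are assumptions; only standard openssl commands are used.

```shell
#!/bin/sh
# Added example: pre-flight checks for a replacement web-interface certificate.
# Function names and the default 30-day margin are illustrative assumptions.

# Succeeds when the private key ($2) belongs to the certificate ($1).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate ($1) is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Succeeds when the certificate ($1) covers both the domain name ($2)
# and the IP address ($3) of the Kaspersky MLAD server.
cert_covers_server() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 |
        grep -q 'does match certificate' &&
    openssl x509 -in "$1" -noout -checkip "$3" 2>&1 |
        grep -q 'does match certificate'
}

# Runs every check and reports the first failure.
# usage: preflight <certificate> <key> <domain name> <IP address> [min days]
preflight() {
    cert_matches_key "$1" "$2" || {
        echo "FAIL: key does not belong to certificate" >&2; return 1; }
    cert_valid_for_days "$1" "${5:-30}" || {
        echo "FAIL: certificate expired or expires within ${5:-30} days" >&2
        return 2; }
    cert_covers_server "$1" "$3" "$4" || {
        echo "FAIL: certificate does not cover $3 and $4" >&2; return 3; }
    echo "OK: certificate and key can be installed"
}

# Run directly: ./preflight.sh new.crt new.key <domain name> <IP address>
if [ "$#" -ge 4 ]; then preflight "$@"; fi
```

A non-zero exit status identifies the failed check: 1 for a key mismatch, 2 for expiry, 3 for missing name or IP coverage.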

Updating a certificate for connecting connectors and services

In Kaspersky MLAD, you can use a secure connection for MQTT Connector, AMQP Connector, WebSocket Connector, and the Mail Notifier service. You can update certificates for connecting these connectors and the Mail Notifier service using a secure connection in the System parameters section of the administrator menu.

To connect the MQTT Connector, AMQP Connector, and WebSocket Connector as well as the Mail Notifier service over a secure connection, it is recommended to use certificates created according to the X.509 standard with a certificate key length of at least 4,096 bits.

The certificate for connecting the KICS Connector is contained in the communication data package, which you can update in Kaspersky Industrial CyberSecurity for Networks. You can upload the updated communication data package to Kaspersky MLAD when configuring the KICS Connector. For detailed information about creating a communication data package, please refer to the Kaspersky Industrial CyberSecurity for Networks Help Guide.

Kaspersky Machine Learning for Anomaly Detection is compatible with Kaspersky Industrial CyberSecurity for Networks version 4.0 and later.


First startup of Kaspersky MLAD

This section describes the sequence of application configuration steps that must be performed by the system administrator when Kaspersky MLAD is started for the first time.

The first startup of Kaspersky MLAD consists of the following steps:

  1. Starting Kaspersky MLAD

    Start Kaspersky MLAD. The following services required for Kaspersky MLAD operation will be started:

    • API Server.
    • Web Server.
    • Message Broker.
    • Keeper.
    • Time Series Database.
    • Database.
    • Logger.

  2. Connecting to the Kaspersky MLAD web interface

    Open the application web interface in a supported browser and enter the user name and password of the first Kaspersky MLAD user with the system administrator role defined during installation of the application. Change the password for your user account. For a secure connection to the Kaspersky MLAD web interface, install a trusted certificate.

  3. Configuring services

    In the System parameters section of the administrator menu, configure the services that you need to use for your monitored asset. In the Services section, check the statuses of the services and start them, if necessary. For example, the Anomaly Detector service must be running for correct anomaly detection.

  4. Uploading a configuration of tags and assets of the hierarchical structure to Kaspersky MLAD and creating presets

    Configuration of tags, assets and presets is created by a Kaspersky expert or integrator while deploying the application and building an ML model. Tag and asset configuration is described in an XLSX file. A preset configuration is described in a JSON file. For examples of descriptions of the configuration of tags and assets, as well as preset configuration, see the Appendix.

    For subsequent operation, upload tag and asset configuration to Kaspersky MLAD. Download preset configuration or create new presets from tags.

  5. Uploading and creating ML models

    An ML model is not included in the application distribution kit but is provided as part of the Kaspersky MLAD Model-building and Deployment Service.

    Upload the ML model, if it was provided as part of the Kaspersky MLAD Model-building and Deployment Service, or create it yourself using the Model Builder. Activate the uploaded ML model. To activate the ML model, you must enter a model activation code.

  6. Configuring connectors

    To work with data, configure the connectors used at your monitored asset. You can configure the following connectors:

  7. Connecting to a data source

    When the above connectors are configured, start the connectors used for your monitored asset. Go to the Dashboard section and make sure that data is being received by Kaspersky MLAD in online mode.

  8. Configuring attention

    To work with events and patterns, configure attention settings and display of event parameters. The Event Processor service detects events and patterns only for the attention directions defined in the attention settings.

  9. Creating user accounts

    Create accounts for users of the application and assign the necessary roles to them. Configure incident notifications for users.

Kaspersky Machine Learning for Anomaly Detection is prepared for operation, and the application is receiving and processing data.

Users can start working with Kaspersky MLAD using the web interface.


Removing the application

Removal of Kaspersky MLAD must be performed by a qualified technical specialist of the Customer, a Kaspersky employee, or a certified integrator.

When Kaspersky MLAD is removed, all Kaspersky MLAD data that was received, uploaded, and processed since the application was installed will be lost. You are advised to verify that you have a full backup copy of all Kaspersky MLAD data. When you update the application, Kaspersky MLAD automatically creates a backup copy of the previous application version. You can also manually back up the application.

To remove Kaspersky MLAD:

  1. Go to the directory where Kaspersky MLAD is installed (mlad-release-4.0.2-<installation build number> by default):

    cd mlad-release-4.0.2-<build number>

  2. Run the setup.sh installation script with the -u switch:

    sudo ./setup.sh -u

  3. Confirm removal of Kaspersky MLAD services.

Kaspersky MLAD will be removed.
