Kaspersky Machine Learning for Anomaly Detection
4.0
English

Contents

Working with manually created ML models

This section provides information about working with manually created ML models and their elements.

If you create an ML model manually, you can add elements of ML models based on neural networks and/or diagnostic rules, modify or delete them.

The ML model needs to be trained before you can run inference on it. To do this, all neural network elements within the ML model need to be pretrained. If necessary, you can view the training results of the neural network elements. Elements based on diagnostic rules are considered as trained.

You can also start inference after publishing the ML model. After inference is started, Kaspersky MLAD will register incidents.

In this section

Creating an ML model

Adding a neural network element to an ML model

Modifying a neural network element of the ML model

Adding an ML model element based on a diagnostic rule

Changing an ML model element based on a diagnostic rule

Removing an ML model element
Page top
[Topic 262147]

Creating an ML model

System administrators and users who have the Create models permission from the Manage ML models group of rights can create ML models.

To create an ML model:

  1. In the main menu, select the Models section.
  2. In the asset tree, next to the name of the asset for which you want to create an ML model, open the vertical menu and select Create model.

    A list of options appears on the right.

  3. In the Name field, specify the ML model name.

    The ML model name must not be longer than 100 characters.

  4. In the Description field, specify the ML model description.
  5. If you need to apply markups when selecting data for ML model inference, select the required markups under Inference indicator.
  6. To view the data that will be selected by the markups, click On graph.

    Markups are displayed in the colors selected when they were created.

  7. In the upper-right corner of the window, click the Save button.

The new ML model displays in the Models group of the asset tree. The Models group is created automatically and displayed as part of the selected section of the asset tree. The Models group contains the Neural networks and Rules subgroups for storing ML model elements based on neural networks and diagnostic rules.

The ML model is assigned the Draft status.

Page top
[Topic 255991]

Adding a neural network element to an ML model

System administrators and users who have the Create models permission from the Manage ML models group of rights can add ML model elements.

To add a neural network element to an ML model:

  1. In the main menu, select the Models section.
  2. In the asset tree, next to the Neural networks group within the ML model to which you want to add a neural network element, open the vertical menu and select Create element.

    A list of options appears on the right.

  3. In the Name field, specify the name of the ML model element.
  4. Enter a description for the ML model element in the Description field.
  5. In the General element settings settings block, do the following:
    1. In the Reminder period (sec) field, specify the period in seconds, upon reaching which the ML model will generate a repeated incident if anomalous behavior is retained in each UTG node.

      The default value of this setting is 0, which corresponds to no reminders.

    2. In the Period of recurring alert suppression (sec) field, specify the period in seconds during which the ML model does not log repeated incidents for the same element.

      The default value of this setting is 0 (repeat incidents not suppressed).

    3. In the Grid step (sec) field, specify the element's UTG period in seconds expressed as a decimal.
    4. In the Incident status drop-down list, select a status to be automatically assigned to incidents logged by the ML model element.
    5. In the Incident cause drop-down list, select the cause to be automatically set for incidents logged by the ML model element.
    6. In the Color of incident dot indicators field, select the color of the indicator points of the incidents logged by the ML model element on the graphs in the Monitoring and History sections.
    7. In the Detection threshold field, specify a prediction error threshold value upon reaching which an incident is logged.
    8. In the Expert opinion field, specify the expert opinion to be automatically created for incidents logged by the ML model element.
  6. Select one of the following ML model neural network element architectures: Dense, RNN, CNN, TCN, or Transformer.
  7. If you need to specify the architecture parameters of a neural network element and the power exponent and smoothing value of the cumulative prediction error, use the toggle switch to enable Advanced neural network settings.
  8. In the Main settings block, do the following:
    1. In the Input tags drop-down list, select one or more tags that serve as the source data for predicting the values of the output tags.

    2. In the Output tags drop-down list, select one or several tags whose behavior is predicted by the model element.

    3. If extended setup mode is enabled, use the MSE power exponent field to specify the cumulative prediction error power exponent in decimal format.
    4. If extended setup mode is enabled, use the Smoothing factor field to specify the cumulative prediction error smoothing value in decimal format.
  9. In the Window settings settings block, do the following:
    1. In the Input window (steps) field, specify the size of the input value window, from which the ML model element predicts the output values.
    2. In the Output window offset field, specify the number of steps by which the beginning of the output window will be shifted relative to the beginning of the input window.
    3. In the Output window (steps) field, specify an output tag prediction length calculated from the input tags on the input window.
  10. If you are adding a neural network element with a dense architecture, do the following:
    1. In the Multipliers for calculating number of neurons per layer field, provide the factors, separated by a comma without spaces, by which to multiply the number of input tags to calculate the number of neurons per layer of the ML model element.
    2. In the Activation function per layer field, specify one of the following activation functions on each layer of an ML model element separated by a comma without spaces:
      • relu: A non-linear activation function that converts an input value to a value between 0 and positive infinity.
      • selu: A monotonically increasing function that enables normalization based on the central limit theorem.
      • linear: A linear function that is a straight line proportional to the input data.
      • sigmoid: A non-linear function that converts input values to values between 0 and 1.
      • tanh: A hyperbolic tangent function that converts input values to values between -1 and 1.
      • softmax: A function that converts a vector of values to a probability distribution that adds up to 1.

      The default value of this setting is relu,relu,relu.

  11. If you are adding a neural network element with an RNN architecture, do the following:
    1. In the GRU neurons per layer field, specify the number of GRU neurons on layers separated by a comma without spaces.

      The default value of this parameter is 40,40.

    2. In the Number of neurons in TimeDistributed layer field, specify the number of neurons distributed in time on the layers of the decoder separated by a comma without spaces.

      The default value of this parameter is 40,20.

  12. If you are adding a neural network element with an CNN architecture, do the following:
    1. In the Filter size per layer field, specify the size of the filters for each layer of the element separated by a comma without spaces.

      The default value of this parameter is 2,2,2.

    2. In the Filters per layer field, specify the number of filters for each layer of the ML model element separated by a comma without spaces.

      The default value of this parameter is 50,50,50.

    3. In the MaxPooling window size per layer field, specify the maximum sampling window size on each layer separated by a comma without spaces.

      The default value of this parameter is 2,2,2.

    4. In the Number of neurons in decoder field, specify the number of neurons on the layers of the decoder.

  13. If you are adding a neural network element with an TCN architecture, do the following:
    1. In the Regularization field, specify the regularization coefficient in decimal format to prevent overfitting of the ML model element.

      The default value of this parameter is 0.1.

    2. In the Size of filters field, specify the size of the filters for the ML model element.

      The default value of this parameter is 2.

    3. In the Dilation per layer field, specify the exponential expansion values of the output data on the layers as a comma-separated list.

      The default value of this parameter is 1,2,4.

    4. In the Activation function drop-down list, select one of the following activation functions:
      • linear: A linear activation function whose result is proportional to the input value.
      • relu: A non-linear activation function that converts an input value to a value between zero and positive infinity. If the input value is less than or equal to zero, the function returns a value of zero; otherwise, the function returns the input value.

      The default value of this parameter is linear.

    5. In the Number of stacks of residual blocks field, specify the number of encoders.

      The default value of this parameter is 1.

    6. In the Decoder layer type field, select one of the following types of layer to precede the output layer:
      • TimeDistributedDense (default): A fully connected architecture layer.
      • GRU: A layer with a recurrent architecture.
  14. If you are adding a neural network element with a transformer architecture, do the following:
    1. In the Encoder regularization field, specify the regularization coefficient in the encoder in decimal format.

      The default value of this parameter is 0.01.

    2. In the Number of attention heads field, specify the number of attention heads.

      The default value of this parameter is 1.

    3. In the Number of encoders field, specify the number of encoders.

      The default value of this parameter is 1.

    4. In the Multipliers for calculating number of neurons per layer field, provide the factors, separated by a comma without spaces, by which to multiply the number of input tags to calculate the number of neurons in the decoding layers.

  15. In the upper-right corner of the window, click the Save button.

The new ML model element will be displayed in the Neural networks group within the selected ML model in the asset tree.

The ML model is assigned the Draft status. Before running inference of an ML model, you must train all of its neural network elements.

Page top
[Topic 256033]

Modifying a neural network element of the ML model

You can edit the settings of a neural network element of the ML model.

System administrators and users who have the Edit model drafts permission from the Manage ML models group of rights can edit elements of ML models.

To edit a neural network element of an ML model:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the neural network element that you want to edit.

    A list of options appears on the right.

  3. In the upper-right corner of the window, click the Edit button.
  4. In the Name field, specify a new name for the ML model element.
  5. In the Description field, specify a new description for the ML model.
  6. If necessary, in the General element settings settings block, do the following:
    1. In the Reminder period (sec) field, specify the period in seconds, upon reaching which the ML model will generate a repeated incident if anomalous behavior is retained in each UTG node.

      The default value of this setting is 0, which corresponds to no reminders.

    2. In the Period of recurring alert suppression (sec) field, specify the period in seconds during which the ML model does not log repeated incidents for the same element.

      The default value of this setting is 0 (repeat incidents not suppressed).

    3. In the Grid step (sec) field, specify the element's UTG period in seconds expressed as a decimal.
    4. In the Incident status drop-down list, select a status to be automatically assigned to incidents logged by the ML model element.
    5. In the Incident cause drop-down list, select the cause to be automatically set for incidents logged by the ML model element.
    6. In the Color of incident dot indicators field, select the color of the indicator points of the incidents logged by the ML model element on the graphs in the Monitoring and History sections.
    7. In the Detection threshold field, specify a prediction error threshold value upon reaching which an incident is logged.
    8. In the Expert opinion field, specify the expert opinion to be automatically created for incidents logged by the ML model element.
  7. If necessary, edit the architecture of the neural network element.

    Kaspersky MLAD supports the following ML model neural network element architectures: Dense, RNN, CNN, TCN, or Transformer.

  8. If you need to change the architecture parameters of a neural network element and the power exponent and smoothing value of the cumulative prediction error, use the toggle switch to enable Advanced neural network settings.
  9. If necessary, in the Main settings settings block, do the following:
    1. In the Input tags drop-down list, select one or more tags that serve as the source data for predicting the values of the output tags.

    2. In the Output tags drop-down list, select one or several tags whose behavior is predicted by the model element.

    3. If extended setup mode is enabled, use the MSE power exponent field to specify the cumulative prediction error power exponent in decimal format.
    4. If extended setup mode is enabled, use the Smoothing factor field to specify the cumulative prediction error smoothing value in decimal format.
  10. If necessary, in the Window settings settings block, do the following:
    1. In the Input window (steps) field, specify the size of the input value window, from which the ML model element predicts the output values.
    2. In the Output window offset field, specify the number of steps by which the beginning of the output window will be shifted relative to the beginning of the input window.
    3. In the Output window (steps) field, specify an output tag prediction length calculated from the input tags on the input window.
  11. If you have selected a neural network element with a dense architecture, do the following:
    1. In the Multipliers for calculating number of neurons per layer field, provide the multipliers, separated by a comma without spaces, by which to multiply the number of input tags to calculate the number of neurons in the ML model element layers.
    2. In the Activation function per layer field, specify one of the following activation functions on each layer of an ML model element separated by a comma without spaces:
      • relu: A non-linear activation function that converts an input value to a value between 0 and positive infinity.
      • selu: A monotonically increasing function that enables normalization based on the central limit theorem.
      • linear: A linear function that is a straight line proportional to the input data.
      • sigmoid: A non-linear function that converts input values to values between 0 and 1.
      • tanh: A hyperbolic tangent function that converts input values to values between -1 and 1.
      • softmax: A function that converts a vector of values to a probability distribution that adds up to 1.

      The default value of this setting is relu,relu,relu.

  12. If you are adding a neural network element with an RNN architecture, do the following:
    1. In the GRU neurons per layer field, specify the number of GRU neurons on layers separated by a comma without spaces.

      The default value of this parameter is 40,40.

    2. In the Number of neurons in TimeDistributed layer field, specify the number of neurons distributed in time on the layers of the decoder separated by a comma without spaces.

      The default value of this parameter is 40,20.

  13. If you have selected a neural network element with a CNN architecture, do the following in the CNN architecture settings settings block:
    1. In the Filter size per layer field, specify the size of the filters for each layer of the element separated by a comma without spaces.

      The default value of this parameter is 2,2,2.

    2. In the Filters per layer field, specify the number of filters for each layer of the ML model element separated by a comma without spaces.

      The default value of this parameter is 50,50,50.

    3. In the MaxPooling window size per layer field, specify the maximum sampling window size values separated by a comma without spaces.

      The default value of this parameter is 2,2,2.

    4. In the Number of neurons in decoder field, specify the number of neurons on the layers of the decoder.

  14. If you have selected a neural network element with a TCN architecture, do the following:
    1. In the Regularization field, specify the regularization coefficient in decimal format to prevent overfitting of the ML model element.

      The default value of this parameter is 0.1.

    2. In the Size of filters field, specify the sizes of the filters for the ML model element.

      The default value of this parameter is 2.

    3. In the Dilation per layer field, specify the exponential expansion values of the output data on the layers separated by a comma without spaces.

      The default value of this parameter is 1,2,4.

    4. In the Activation function drop-down list, select one of the following activation functions:
      • linear: A linear activation function whose result is proportional to the input value.
      • relu: A non-linear activation function that converts an input value to a value between zero and positive infinity. If the input value is less than or equal to zero, the function returns a value of zero; otherwise, the function returns the input value.

      The default value of this parameter is linear.

    5. In the Number of stacks of residual blocks field, specify the number of encoders.

      The default value of this parameter is 1.

    6. In the Decoder layer type field, select one of the following types of layer to precede the output layer:
      • TimeDistributedDense (default): A fully connected architecture layer.
      • GRU: A layer with a recurrent architecture.
  15. If you have selected a neural network element with a transformer architecture, do the following:
    1. In the Encoder regularization field, specify the regularization coefficient in the encoder in decimal format.

      The default value of this parameter is 0.01.

    2. In the Number of attention heads field, specify the number of attention heads.

      The default value of this parameter is 1.

    3. In the Number of encoders field, specify the number of encoders.

      The default value of this parameter is 1.

    4. In the Multipliers for calculating number of neurons per layer field, provide the factors, separated by a comma without spaces, by which to multiply the number of input tags to calculate the number of neurons in the decoding layers.

  16. In the upper-right corner of the window, click the Save button.
Page top
[Topic 256426]

Adding an ML model element based on a diagnostic rule

System administrators and users who have the Create models permission from the Manage ML models group of rights can add ML model elements.

To add an ML model element based on a diagnostic rule:

  1. In the main menu, select the Models section.
  2. In the asset tree, next to the Rules group within an ML model to which you want to add a diagnostic rule, open the vertical menu and select Create element.

    A list of options appears on the right.

  3. In the Name field, specify a name for the diagnostic rule.
  4. In the Description field, specify the diagnostic rule description.
  5. In the General element settings settings block, do the following:
    1. In the Reminder period (sec) field, specify the period in seconds, upon reaching which the ML model will generate a repeated incident if anomalous behavior is retained in each UTG node.

      The default value of this setting is 0, which corresponds to no reminders.

    2. In the Period of recurring alert suppression (sec) field, specify the period in seconds during which the ML model does not log repeated incidents for the same element.

      The default value of this setting is 0 (repeat incidents not suppressed).

    3. In the Grid step (sec) field, specify the element's UTG period in seconds expressed as a decimal.
    4. In the Incident status drop-down list, select a status to be automatically assigned to incidents logged by the ML model element.
    5. In the Incident cause drop-down list, select the cause to be automatically set for incidents logged by the ML model element.
    6. In the Color of incident dot indicators field, select the color of the indicator points of the incidents logged by the ML model element on the graphs in the Monitoring and History sections.
    7. In the Expert opinion field, specify the expert opinion to be automatically created for incidents logged by the ML model element.
  6. If necessary, use the toggle switch to turn on the Treat inconclusive result as positive option.

    If Kaspersky MLAD cannot unequivocally evaluate the fulfillment of criteria specified in the Time filter and Tag conditions settings blocks, for example, due to the absence of observations for tags, the application will consider a rule to be triggered when this option is enabled.

  7. In the Time filter settings block, do the following:
    1. Click the Add interval button.
    2. In the Interval type drop-down list, select one of the following time interval types:
      • Fixed. If you select this type of interval, specify the days of the week and the time interval during which the input data must be validated according to the specified criteria.

        You can specify only the beginning or the end of a single interval.

      • Recurrent. If you select this type of interval, specify the years, dates, days of the week, and daily time interval for periodically validating input data according to the specified criteria.
    3. If you want to add one more interval, click the Add interval button and complete step 7b.
    4. If you want to delete an interval, move the mouse cursor over the row with the required interval and click the Delete interval (  ) icon.

    You can add one or more time intervals. If no time interval is specified, the diagnostic rule is applied in each UTG node.

  8. To add tag behavior criteria, do the following:
    1. In the Tag conditions settings block, click the Condition button.

    2. In the Tag drop-down list, select the tag for which to add a tag behavior criterion.

      If you want to exclude the selected criterion from the condition block that you are adding, click NOT to the left of the selected tag. The NOT caption in the button will be highlighted in bold.

      For example, click NOT to add a condition that contains no steps with the specified settings.

    3. In the Behavior drop-down list, select one of the following tag behaviors that must be tracked:
      • Over: the tag value exceeds the specified threshold.
      • Below: the tag value falls below the specified threshold.
      • Rising: the trendline of tag values is increasing.
      • Falling: the trendline of tag values is decreasing.
      • Level: there are no pronounced changes in the trendline of tag values.
      • Step change: the trendline of the selected tag is displaying abrupt upward or downward shifts.
      • Flat: the selected tag is transmitting the same value.
      • Spread: abrupt changes in the spread of values are being observed around the trendline of the selected tag.
    4. In the Window field, specify the number of UTG steps.
    5. Depending on the value selected for Behavior, do one of the following:
      • If you selected Over or Below, use the Threshold field to specify the tag threshold value, and specify the minimum number of times the threshold value can be breached in a separate window in the Minimum violations field.
      • If you selected Rising, Falling, or Level, use the Threshold slope field to specify the trend slope percentage value that must be exceeded for the trend to be considered as growing or falling, and specify the time interval between adjacent trend estimates in the Evaluation period field.

        By default, the Threshold slope setting is not defined. If the setting is not defined, Kaspersky MLAD will determine the trend direction automatically.

        By default, the Evaluation period setting has a value of 1. With this value, the trend is estimated at each UTG node.

      • If you selected Step change, use the Minimum change field to specify the minimum shift value for the tag trendline, and select one of the following tag value change directions from the Direction drop-down list: Any, Up or Down.

        By default, the Minimum change setting is not defined. If the setting is not defined, Kaspersky MLAD will determine it automatically.

      • If you selected Flat, use the Value field to specify the value that the tag should transmit, and specify the maximum tag value spread in the Spread field.

        By default, the Value setting is not defined. If the setting is not defined, any repeating tag value triggers the criterion.

      • If you selected Spread, use the Minimum change field to specify the minimum value by which the tag value spread around the trendline can change, and select one of the following spread change directions in the Direction drop-down list: Any, Flare, or Shrink.

        By default, the Minimum change setting is not defined. If the setting is not defined, Kaspersky MLAD will determine it automatically.

        The tag behavior criterion is met when the tag spread around the trendline increases and/or decreases.

    6. To add a tag behavior criterion to a condition block, click the plus sign at the bottom of the condition block and repeat steps 8b through 8e.
    7. If the block contains more than one tag behavior criterion, select one of the following logical operators between the criterion rows:
      • AND if you need to track both criteria while a diagnostic rule is active.
      • OR if you need to track one of the defined criteria while a diagnostic rule is active.

  9. If you need to check whether the fulfillment of a pre-condition caused the fulfillment of a post-condition in a future UTG node, add a temporal operator:
    1. In the Tag conditions settings block, click the Wait button.

      The Wait button is available after at least one condition has been added.

      A precondition is a block of conditions preceding the temporal operator. A postcondition is a block of conditions following a temporal operator.

      The precondition block is checked in the current UTG node.

    2. In the Recess (steps) field, specify the following time intervals:
      • from: the interval between the current UTG node and the first future UTG node, in which the post-condition block is checked (minimum waiting interval).
      • to: the interval between the current UTG node and the last future UTG node, in which the post-condition block is checked (maximum waiting interval).

      The post-condition block is checked in the UTG nodes between the minimum and maximum waiting intervals.

    3. In the Check drop-down list, select one of the following group operators:
      • To check the fulfillment of tag behavior criteria from the post-conditions block in all UTG nodes between the minimum and maximum waiting intervals, select the All steps group operator.
      • To check the fulfillment of tag behavior criteria from the post-conditions block in at least one UTG node between the minimum and maximum waiting intervals, select the Any step group operator.

      The criteria check result is determined in the last node of the maximum waiting interval. If the check of the precondition block in the current UTG node gave a negative result (FALSE) or an undefined result (UNDEFINED), the same value will be the result of the check of the post-condition block.

      If the check of the precondition block in the current UTG node gave a positive result (TRUE), then the check of the post-condition block is performed in each UTG node between the minimum and maximum waiting interval. The result of the check is determined by the fulfillment of the condition depending on the selected group operator: All steps or Any step.

      If more than one condition check is performed using the temporal operator, then the result of the check of the previous temporal condition is a precondition for each subsequent check of the temporal condition.

  10. Select one of the following logical operators between rule blocks:
    • AND if you need to track tag behavior criteria in both blocks while a diagnostic rule is active.
    • OR if you need to track tag behavior criteria in one of the blocks while a diagnostic rule is active.
  11. In the upper-right corner of the window, click the Save button.

The new ML model element will be displayed in the Rules group within the selected ML model in the asset tree.

If an ML model contains only elements based on diagnostic rules, the model is assigned the Trained status. You can start inference for such an ML model. If the ML model contains untrained neural network elements, they must be trained before starting inference.

Page top
[Topic 256047]

Changing an ML model element based on a diagnostic rule

You can change the settings of an ML model element based on a diagnostic rule.

System administrators and users who have the Edit model drafts permission from the Manage ML models group of rights can edit elements of ML models.

To change an element of an ML model based on a diagnostic rule:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the element based on a diagnostic rule that you want to edit.

    A list of options appears on the right.

  3. In the upper-right corner of the window, click the Edit button.
  4. In the Name field, specify a new name for the diagnostic rule.
  5. In the Description field, specify a new description for the diagnostic rule.
  6. If necessary, in the General element settings settings block, do the following:
    1. In the Reminder period (sec) field, specify the period in seconds, upon reaching which the ML model will generate a repeated incident if anomalous behavior is retained in each UTG node.

      The default value of this setting is 0, which corresponds to no reminders.

    2. In the Period of recurring alert suppression (sec) field, specify the period in seconds during which the ML model does not log repeated incidents for the same element.

      The default value of this setting is 0 (repeat incidents not suppressed).

    3. In the Grid step (sec) field, specify the UTG period for the element in seconds.
    4. In the Incident status drop-down list, select a status to be automatically assigned to incidents logged by the ML model element.
    5. In the Incident cause drop-down list, select the cause to be automatically set for incidents logged by the ML model element.
    6. In the Color of incident dot indicators field, select the color of the indicator points of the incidents logged by the ML model element on the graphs in the Monitoring and History sections.
    7. In the Expert opinion field, specify the expert opinion to be automatically created for incidents logged by the ML model element.
  7. If necessary, use the toggle switch to turn on the Treat inconclusive result as positive option.

    If Kaspersky MLAD cannot unequivocally evaluate the fulfillment of criteria specified in the Time filter and Tag conditions settings blocks, for example, due to the absence of observations for tags, the application will consider a rule to be triggered when this option is enabled.

  8. If necessary, do the following in the Time filter settings block:
    1. In the Interval type drop-down list, select one of the following time interval types:
      • Fixed. If you select this type of interval, specify the days of the week and the time interval during which the input data must be validated according to the specified criteria.

        You can specify only the beginning or the end of a single interval.

      • Recurrent. If you select this type of interval, specify the years, dates, days of the week, and daily time interval for periodically validating input data according to the specified criteria.
    2. If you want to add one more interval, click the Add interval button and complete step 8a.
    3. If you want to delete an interval, move the mouse cursor over the row with the required interval and click the Delete interval (  ) icon.

    You can add one or more time intervals. If no time interval is specified, the diagnostic rule is applied in each UTG node.

  9. To edit a tag behavior condition, do the following:
    1. In the Tag drop-down list, select the tag for which to add a tag behavior criterion.

      If you want to exclude the selected criterion from the condition block that you are adding, click NOT to the left of the selected tag. The NOT caption in the button will be highlighted in bold.

      For example, click NOT to add a condition that contains no steps with the specified settings.

    2. In the Behavior drop-down list, select one of the following tag behaviors that must be tracked:
      • Over: the tag value exceeds the specified threshold.
      • Below: the tag value falls below the specified threshold.
      • Rising: the trendline of tag values is increasing.
      • Falling: the trendline of tag values is decreasing.
      • Level: there are no pronounced changes in the trendline of tag values.
      • Step change: the trendline of the selected tag is displaying abrupt upward or downward shifts.
      • Flat: the selected tag is transmitting the same value.
      • Spread: abrupt changes in the spread of values are being observed around the trendline of the selected tag.
    3. In the Window field, specify the number of UTG steps.
    4. Depending on the value selected for Behavior, do one of the following:
      • If you selected Over or Below, use the Threshold field to specify the tag threshold value, and specify the minimum number of times the threshold value can be breached in a separate window in the Minimum violations field.
      • If you selected Rising, Falling, or Level, use the Threshold slope field to specify the trend slope percentage value that must be exceeded for the trend to be considered as growing or falling, and specify the time interval between adjacent trend estimates in the Evaluation period field.

        By default, the Threshold slope setting is not defined. If the setting is not defined, Kaspersky MLAD will determine the trend direction automatically.

        By default, the Evaluation period setting has a value of 1. With this value, the trend is estimated at each UTG node.

      • If you selected Step change, use the Minimum change field to specify the minimum shift value for the tag trendline, and select one of the following tag value change directions from the Direction drop-down list: Any, Up or Down.

        By default, the Minimum change setting is not defined. If the setting is not defined, Kaspersky MLAD will determine it automatically.

      • If you selected Flat, use the Value field to specify the value that the tag should transmit, and specify the maximum tag value spread in the Spread field.

        By default, the Value setting is not defined. If the setting is not defined, any repeating tag value triggers the criterion.

      • If you selected Spread, use the Minimum change field to specify the minimum value by which the tag value spread around the trendline can change, and select one of the following spread change directions in the Direction drop-down list: Any, Flare, or Shrink.

        By default, the Minimum change setting is not defined. If the setting is not defined, Kaspersky MLAD will determine it automatically.

        The tag behavior criterion is met when the tag spread around the trendline increases and/or decreases.

    5. To add a tag behavior criterion to a condition block, click the plus sign at the bottom of the condition block and repeat steps 9a through 9d.
    6. If the block contains more than one tag behavior criterion, select one of the following logical operators between the criterion rows:
      • AND if you need to track both criteria while a diagnostic rule is active.
      • OR if you need to track one of the defined criteria while a diagnostic rule is active.

  10. If you need to edit the temporal operator:
    1. In the Recess (steps) field, specify the following time intervals:
      • from: the interval between the current UTG node and the first future UTG node, in which the post-condition block is checked (minimum waiting interval).
      • to: the interval between the current UTG node and the last future UTG node, in which the post-condition block is checked (maximum waiting interval).

      The post-condition block is checked in the UTG nodes between the minimum and maximum waiting intervals.

    2. In the Check drop-down list, select one of the following group operators:
      • To check the fulfillment of tag behavior criteria from the post-conditions block in all UTG nodes between the minimum and maximum waiting intervals, select the All steps group operator.
      • To check the fulfillment of tag behavior criteria from the post-conditions block in at least one UTG node between the minimum and maximum waiting intervals, select the Any step group operator.

      The criteria check result is determined in the last node of the maximum waiting interval. If the check of the precondition block in the current UTG node gave a negative result (FALSE) or an undefined result (UNDEFINED), the same value will be the result of the check of the post-condition block.

      If the check of the precondition block in the current UTG node gave a positive result (TRUE), then the check of the post-condition block is performed in each UTG node between the minimum and maximum waiting interval. The result of the check is determined by the fulfillment of the condition depending on the selected group operator: All steps or Any step.

      If more than one condition check is performed using the temporal operator, then the result of the check of the previous temporal condition is a precondition for each subsequent check of the temporal condition.

  11. Select one of the following logical operators between rule blocks:
    • AND if you need to track tag behavior criteria in both blocks while a diagnostic rule is active.
    • OR if you need to track tag behavior criteria in one of the blocks while a diagnostic rule is active.
  12. In the upper-right corner of the window, click the Save button.
Page top
[Topic 256428]

Removing an ML model element

When removing an ML model element, Kaspersky MLAD also deletes the results of the work of the selected element of the ML model.

System administrators and users who have the Remove models permission from the Manage ML models group of rights can remove elements of ML models.

To remove an ML model element:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the ML model element that you want to delete.

    A list of options appears on the right.

  3. In the upper-right corner of the window, click the trash bin icon ().
  4. In the window that opens, confirm the deletion of the ML model element.
Page top
[Topic 256432]