About ML models
An ML model is an algorithm based on machine learning methods tasked with analyzing the telemetry of the monitored asset and detecting anomalies.
An ML model is created for a specific monitored asset while taking into account the specifications of the asset and the characteristics of telemetry data. The general structure of the algorithm (architecture) is formed during creation of the ML model. Then the ML model is trained based on historical telemetry data and is thereby adjusted to the behavior of a specific object.
An ML model consists of one or more elements, with each separately analyzing telemetry data to detect anomalies. Normally, the more complex the industrial processes of the monitored asset are, the more elements the ML model will contain. An ML model can include the following elements operating in parallel:
Predictive elements and elements based on elliptic envelopes need to be trained on a dataset. The training process for a predictive element may consist of one or several epochs. An epoch is a cycle during which an element is trained on the entire training dataset. The number of training epochs is specified in the element training settings. Elements based on a diagnostic rule do not need to be trained, so they are considered to be pretrained.
The process of using an ML model to analyze telemetry data and detect anomalies is known as inference. In Kaspersky MLAD, ML model inference can be performed on historical data (historical inference) and on telemetry data received in real time (streaming inference). If historical inference is started for multiple ML models, Kaspersky MLAD runs the inference of these ML models in the order of their startup queue. The duration of historical inference is determined by the time interval of the data analyzed by the ML model. If streaming inference is started for multiple ML models, Kaspersky MLAD runs the inference of these ML models simultaneously. Historical inference and streaming inference run in parallel and independently of each other. During the inference process, the ML model registers incidents that can be viewed in the Incidents section.
In addition to incidents, an ML model inference process also generates artifacts. An artifact is a time series of numerical data. An ML model can generate the following artifacts:
- Artifacts associated with tags. An ML model element generates these artifacts for each of its output tags. These artifacts are generated only by the predictive elements of the ML model and represent a predicted tag value and prediction error.
- Artifacts of ML model elements. Each ML model element generates this type of artifact as its primary output. The mathematical nature of an artifact is determined by the analytical algorithms employed by the element. In this context, an artifact for an ML model of any type is uniformly interpreted as the degree to which the behavior of the monitored asset deviates from the expected (normal) behavior. Every artifact has a critical threshold. If this threshold is reached, an incident is recorded.
Any user can view generated artifacts under Monitoring and History.
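The relationship between an element's artifact, its critical threshold and a recorded incident, sketched for an element based on an elliptic envelope. This is an added example, not Kaspersky MLAD code: the function names, the two-tag telemetry and the threshold value are assumptions constructed for illustration, and using the squared Mahalanobis distance as the artifact is one common way to realize an elliptic envelope rather than the product's documented algorithm.

```python
# Added illustration; not Kaspersky MLAD code. All names and data are constructed.
TRAIN = [(50.0, 20.1), (51.0, 20.4), (49.0, 19.6), (52.0, 21.1), (48.0, 18.9),
         (50.5, 20.2), (49.5, 19.9), (51.5, 20.6), (48.5, 19.4), (50.0, 19.8)]
LIVE = [(50.5, 20.3), (49.0, 19.5), (51.0, 19.4), (51.5, 19.2), (50.0, 20.0), (48.5, 19.3)]
THRESHOLD = 9.21  # assumed critical threshold (chi-square, 2 degrees of freedom, 99%)

def train_envelope(rows):
    """Fit the mean and inverse covariance of two tags on historical telemetry."""
    n = len(rows)
    mx = sum(r[0] for r in rows) / n
    my = sum(r[1] for r in rows) / n
    sxx = sum((r[0] - mx) ** 2 for r in rows) / (n - 1)
    syy = sum((r[1] - my) ** 2 for r in rows) / (n - 1)
    sxy = sum((r[0] - mx) * (r[1] - my) for r in rows) / (n - 1)
    det = sxx * syy - sxy * sxy
    if det <= 0:  # constant or perfectly correlated tags give no usable envelope
        raise ValueError("degenerate training data")
    return (mx, my), (syy / det, -sxy / det, sxx / det)

def artifact(model, rows):
    """Element artifact: squared Mahalanobis distance per sample (a time series)."""
    (mx, my), (a, b, c) = model
    out = []
    for x, y in rows:
        dx, dy = x - mx, y - my
        out.append(a * dx * dx + 2 * b * dx * dy + c * dy * dy)
    return out

def incidents(series, threshold):
    """Record one incident per contiguous run of samples at or above the threshold."""
    found, start = [], None
    for i, value in enumerate(series):
        if value >= threshold and start is None:
            start = i
        elif value < threshold and start is not None:
            found.append((start, i - 1))
            start = None
    if start is not None:
        found.append((start, len(series) - 1))
    return found

if __name__ == "__main__":
    model = train_envelope(TRAIN)
    series = artifact(model, LIVE)
    print([round(v, 2) for v in series], incidents(series, THRESHOLD))
```

Samples 2 and 3 of the constructed data keep each tag inside the range seen in training but break the correlation between the two tags, which a fixed per-tag limit would not flag.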
ML models can be created by Kaspersky specialists or by a certified integrator as part of the Kaspersky MLAD Model-building and Deployment Service. To use such ML models, you must import them to Kaspersky MLAD. You can also create ML models independently and add the necessary elements to them using the model builder.