About anomalies
An anomaly is any deviation in a monitored asset's behavior that is abnormal: it is not provided for by the current operating procedure and is not normally caused by the industrial process itself.
Kaspersky MLAD registers incidents, not anomalies. A specific incident can be identified as an anomaly only by an ICS specialist after analyzing the incidents registered by the application. An incident analysis may result in one of the following conclusions:
- The incident is an anomaly that requires certain actions from a responding ICS specialist.
- The incident is not actually an anomaly, but instead was a false positive by the ML model.
If an ML model consistently produces false positive results, you need to find out what is causing the decline in performance, adjust the settings of the ML model and/or its elements, or further train the elements.
- The ML model worked correctly, but the incident is not an anomaly.
The incident was a result of temporarily switching the monitored asset to a non-standard operating mode (preventative maintenance or testing) or was caused by short-term impacts from non-standard external factors (unusual weather conditions or startup of a neighboring unit). The ICS operator does not need to take any response action.
Incidents are analyzed and assessed by a subject-matter expert. In some cases, like when registering incidents detected by diagnostic rules or incidents that occur repeatedly, similar incidents can be automatically grouped and assessed.
The ML model might miss a real anomaly. In this case, the anomaly will not be correlated to any registered incidents and will not be reflected in the Kaspersky MLAD history. If observations from an expert, an ICS operator, or external sources reveal repeated instances of an ML model failing to activate, you need to identify the cause of the decline in performance, adjust the settings of the ML model and/or its elements, and further train the elements of the ML model.
New events, patterns, and values of event parameters detected by the Event Processor service in the stream of incoming events can also indicate an anomaly in the operation of a monitored asset. When new events, patterns, or values of event parameters are detected, the Event Processor service does not register incidents. To view new detections in the Event Processor section, you can view the history of registered patterns, filtering them by the New type. You can also create a monitor for tracking new events, patterns, or values of event parameters. The Event Processor service activates the monitor when it detects events, patterns, or event parameter values that match the specified search criteria. When the specified threshold for the number of monitor activations in a sliding window is reached, the Event Processor service sends an alert about the monitor activation to the external system using the CEF Connector.
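The monitor logic described above (match detections against search criteria, count activations in a sliding time window, and emit a CEF alert once a threshold is reached) is illustrated by the following added example. It is not Kaspersky MLAD's code and does not reproduce the application's internal behavior: the detection stream, the monitor fields (`kinds`, `value_prefix`, `threshold`, `window_seconds`), the vendor and product strings in the CEF header, and the decision to clear the window after each alert are all assumptions made for the example. The CEF header layout and escaping rules follow the public CEF format (`CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension`).

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed sample stream of "new" detections (timestamp in seconds,
# detection kind, detected value). Not real Event Processor output.
SAMPLE_DETECTIONS = [
    (0,   "event",   "valve_open"),
    (10,  "pattern", "P-17"),
    (20,  "event",   "valve_open"),   # second match within 60 s -> alert
    (25,  "event",   "pump_start"),   # does not match the criterion
    (100, "event",   "valve_open"),   # earlier matches have aged out
    (130, "event",   "valve_open"),   # second match within 60 s -> alert
]


@dataclass
class Monitor:
    """Hypothetical monitor: search criteria plus a sliding-window threshold."""
    name: str
    kinds: set                 # detection kinds the monitor watches
    value_prefix: str          # hypothetical search criterion on the value
    threshold: int             # activations needed inside the window
    window_seconds: int        # sliding window length
    activations: deque = field(default_factory=deque)

    def matches(self, kind, value):
        return kind in self.kinds and value.startswith(self.value_prefix)

    def record(self, ts):
        """Record an activation at time ts; return the activation count if
        the threshold is reached within the window, otherwise 0.
        Assumption: the window is cleared after an alert so that each
        threshold crossing produces exactly one alert."""
        self.activations.append(ts)
        # Drop activations older than the window.
        while self.activations and ts - self.activations[0] > self.window_seconds:
            self.activations.popleft()
        if len(self.activations) >= self.threshold:
            count = len(self.activations)
            self.activations.clear()
            return count
        return 0


def cef_escape_header(text):
    # In CEF header fields, backslash and pipe must be escaped.
    return text.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_extension(text):
    # In CEF extension values, backslash and equals sign must be escaped.
    return text.replace("\\", "\\\\").replace("=", "\\=")


def build_cef(monitor, ts, count):
    """Build a CEF:0 message for a monitor activation (vendor/product are assumptions)."""
    header_fields = [
        "CEF:0", "ExampleVendor", "ExampleProduct", "1.0",
        "monitor_activation", f"Monitor {monitor.name} activated", "5",
    ]
    header = "|".join(cef_escape_header(f) for f in header_fields)
    extension = (
        f"rt={ts * 1000} cnt={count} "
        f"cs1Label=monitor cs1={cef_escape_extension(monitor.name)}"
    )
    return header + "|" + extension


def run_monitor(monitor, detections):
    """Feed detections through the monitor; return the CEF alerts it raises."""
    alerts = []
    for ts, kind, value in detections:
        if not monitor.matches(kind, value):
            continue
        count = monitor.record(ts)
        if count:
            alerts.append(build_cef(monitor, ts, count))
    return alerts


def demo():
    monitor = Monitor(name="new_valve_events", kinds={"event"},
                      value_prefix="valve", threshold=2, window_seconds=60)
    return run_monitor(monitor, SAMPLE_DETECTIONS)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

With the constructed stream, the monitor raises two alerts: one at t=20 s (two matching detections inside the 60 s window) and one at t=130 s; the single match at t=100 s does not alert because the earlier matches have aged out of the window. Clearing the window after an alert is a choice made here to avoid re-alerting on every subsequent match; a different policy (keep the window and alert on every match while the count stays above threshold) would be equally valid.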