Kaspersky Machine Learning for Anomaly Detection
- About Kaspersky Machine Learning for Anomaly Detection
- What's new
- Kaspersky MLAD architecture
- Common deployment scenarios
- Telemetry and event data flow diagram
- Ports used by Kaspersky MLAD
- Installing and removing the application
- Installing the application
- Updating the application
- Checking the integrity of Kaspersky MLAD archive files
- Backing up the application
- Rolling back the application to the previous installed version
- Scenario for restoring Kaspersky MLAD from a backup
- Getting started
- Starting and stopping Kaspersky MLAD
- Switching between Kaspersky MLAD state control modes
- Updating Kaspersky MLAD certificates
- First startup of Kaspersky MLAD
- Removing the application
- Kaspersky MLAD web interface
- Connecting to Kaspersky MLAD and terminating a user session
- Changing a user account password
- Selecting the localization language for the Kaspersky MLAD web interface
- Licensing the application
- About the End User License Agreement
- About the license
- About the license certificate
- About the license key
- About the license key file
- Available functionality of Kaspersky MLAD depending on the specific license
- Adding a license key
- Viewing information about an added license key
- Removing a license key
- Processing and storing data in Kaspersky MLAD
- System administrator tasks
- Managing user accounts
- Manage roles
- Managing incident notifications
- Configuring Kaspersky MLAD
- Configuring the main settings of Kaspersky MLAD
- Configuring the security settings of Kaspersky MLAD
- Configuring the Anomaly Detector service
- Configuring the Keeper service
- Configuring the Mail Notifier service
- Configuring the Similar Anomaly service
- Configuring the Stream Processor service
- Configuring the HTTP Connector
- Configuring the MQTT Connector
- Configuring the AMQP Connector
- Configuring the OPC UA Connector
- Configuring the KICS Connector
- Configuring the CEF Connector
- Configuring the WebSocket Connector
- Configuring the Event Processor service
- Configuring the statuses and causes of incidents
- Configuring logging for Kaspersky MLAD services
- Configuring time intervals for displaying data
- Configuring how the Kaspersky MLAD menu items are displayed
- Export and import of Kaspersky MLAD settings
- Managing assets and tags
- About monitored asset hierarchical structure
- About tags
- Create asset
- Change asset settings
- Create tag
- Adding a tag to an asset
- Editing a tag
- Moving assets and tags
- Deleting an asset or tag
- Checking the current structure of tags
- Uploading tag and asset configuration to the system
- Saving tag and asset configuration to a file
- Working with the main menu
- Scenario: working with Kaspersky MLAD
- Viewing summary data in the Dashboard section
- Viewing incoming data in the Monitoring section
- Viewing data in the History section
- Viewing data in the Time slice section
- Viewing data for a specific preset in the Time slice section
- Selecting a specific element of the ML model in the Time slice section
- Selecting a date and time interval in the Time slice section
- Navigating through time in the Time slice section
- Configuring how graphs are displayed in the Time slice section
- Working with events and patterns
- Working with incidents and groups of incidents
- About incidents
- About incidents detected by a predictive element of an ML model
- About incidents detected by an ML model element based on a diagnostic rule
- About incidents detected by an ML model element based on an elliptic envelope
- About incidents detected by the Limit Detector
- About incidents detected by the Stream Processor service
- About anomalies
- Scenario: analysis of incidents
- Viewing incidents
- Viewing the technical specifications of a registered incident
- Viewing incident groups
- Studying the behavior of the monitored asset at the moment when an incident was detected
- Adding a status, cause, expert opinion or note to an incident or incident group
- Exporting incidents to a file
- About incidents
- Managing ML models
- About ML models
- About statuses and states of ML models and their elements
- About ML model templates
- About markups
- About conditions included in markups and diagnostic rules
- Scenario: working with ML models
- Search and filter objects in the Models section
- Working with markups
- Working with imported ML models
- Working with manually created ML models
- Creating an ML model
- Adding a predictive element to an ML model
- Modifying an ML model predictive element
- Adding an ML model element based on a diagnostic rule
- Changing an ML model element based on a diagnostic rule
- Adding an elliptic envelope-based ML model element
- Editing an elliptic envelope-based ML model element
- Cloning of the ML model element
- Removing an ML model element
- Cloning an ML model
- Working with ML model templates
- Changing the parameters of an ML model
- Training an ML model predictive element
- Training an elliptic envelope-based ML model element
- Viewing the training results of an ML model element
- Starting and stopping ML model inference
- Viewing the data flow graph of an ML model
- Preparing an ML model for publication
- Publishing an ML model
- Removing an ML model
- Managing presets
- Managing services
- Troubleshooting
- When connecting to Kaspersky MLAD, the browser displays a certificate warning
- The hard drive is running out of free space
- The operating system restarted unexpectedly
- Cannot connect to the Kaspersky MLAD web interface
- Data graphs or graphic areas are not displayed in the History and Monitoring sections
- Events are not transmitted between Kaspersky MLAD and external systems
- Cannot load data to view in the Event Processor section
- Data is incorrectly processed in the Event Processor section
- Events are not displayed in the Event Processor section
- Previously created monitors and the specified attention settings are not displayed in the Event Processor section
- A markup result is not displayed
- A Trainer service stopped message is displayed
- Training of an ML model element completed with an error
- Email notifications about incidents are not being received
- You need to change the Help localization language
- Contacting Technical Support
- Limitations
- Appendix
- Settings of a .env configuration file
- Settings and example of the Excel file containing tag and asset configuration
- Settings and an example of JSON file that describes presets
- Settings and an example of JSON file containing a configuration for the Event Processor service
- Viewing the Kaspersky MLAD log
- Special characters of regular expressions
- Cipher suites for secure TLS connection
- Glossary
- Information about third-party code
- Trademark notices
Working with the main menu > Working with incidents and groups of incidents > Viewing the technical specifications of a registered incident
Viewing the technical specifications of a registered incident
Viewing the technical specifications of a registered incident
The functionality is available after a license key is added.
In the Incidents section, you can view the technical specifications of registered incidents. To do so, click the 
button near the relevant incident in the incidents table. The following technical specifications will be displayed for the selected incident:
- Incident is the section containing information about the incident.
- Model name refers to the name of the ML model whose element registered the incident. This is absent if the incident was registered by Stream Processor.
- Model element refers to the name of the ML model element that registered the incident. This is absent if the incident is registered by Limit Detector or Stream Processor.
- Detector refers to the type of the registered incident: Elliptic Envelope, Forecaster, Limit Detector, Rule Detector, or Stream Processor.
- ML model element artifact value refers to deviation of the monitored asset's behavior from normal at the time of incident registration. This is absent if the incident is registered by Limit Detector or Stream Processor.
- Threshold value refers to the specific value at which the ML model element registered the incident. For any incident detected by Limit Detector, the specific threshold (upper or lower) reached by the tag is recorded.
- Top tag is a section that contains information about the tag that had the greatest impact on incident registration.
- Top tag name (top tag ID) is the name and ID of the tag that had the greatest impact on incident registration.
If the incident has been registered by a predictive element of the ML model, the application displays the name of the tag for which the greatest deviation from the forecast was recorded. If the incident is registered by an elliptic envelope, the application displays the name of the tag whose exclusion from the ML model results in the smallest deviation of the observation from the normal state. If the incident is registered by a Limit Detector, the application displays the tag whose value exceeded the blocking threshold defined for this tag.
- Top tag value is the value of the top tag registered when the incident occurred.
- Blocking threshold refers to maximum permissible top tag values.
Limit Detector requires these settings to function correctly. Whenever the tag value reaches its upper or lower blocking threshold, the Limit Detector registers an incident.
- Description refers to a description of the top tag.
- Measurement units refer to the units for measuring the top tag values.
- Top tag name (top tag ID) is the name and ID of the tag that had the greatest impact on incident registration.
- Stream Processor service incident parameters is a section containing information about the parameters of the incident registered by the Stream Processor service. This group of parameters is displayed if the current incident is registered by the Stream Processor service.
- Incident type is the type of incident registered by the Stream Processor service. The Stream Processor service registers incidents when it detects observations that were received too early or too late, or if the incoming data stream from a certain tag is terminated or interrupted.
- Data date and time is the date and time when the observation was generated according to the monitored asset time. This parameter is displayed only for the Late receipt of observation and Clock malfunction incident types.
- Lag / Lead is the amount of time by which the observation generation time lags behind or is ahead of the time the observation was received in Kaspersky MLAD. If data is received too early, the parameter value is displayed with a plus sign (+). If data is received too late, the parameter value is displayed with a minus sign (-). This parameter is displayed only for the Late receipt of observation and Clock malfunction incident types.
- Incident cause is the field for selecting the cause of the incident. This field is completed by an expert (process engineer or ICS specialist). If necessary, the system administrator can create, edit, or delete causes of incidents.
An incident cause can be assigned automatically if a cause is specified in the parameters of the ML model element that registered the incident.
- Expert opinion is the field for adding an expert opinion based on an analysis of the registered incident. This field is completed by an expert (process engineer or ICS specialist).
An expert opinion can be assigned automatically if an opinion is specified in the parameters of the ML model element that registered the incident.
- Note is the field for entering a comment for the selected incident. If necessary, you can provide a comment for the incident.
Article ID: 248091, Last review: Nov 21, 2024