Kaspersky Machine Learning for Anomaly Detection

Adding an ML model element based on a diagnostic rule

System administrators and users who have the Create models permission from the Manage ML models group of rights can add ML model elements. The functionality is available after a license key is added.

To add an ML model element based on a diagnostic rule:

  1. In the main menu, select the Models section.
  2. To add a diagnostic rule, do the following:
    1. In the asset tree, next to the name of the ML model to which you want to add a diagnostic rule, open the vertical menu (the three-dot icon) and select Create element.
    2. In the window that opens, select the Rule element type.
    3. Click the Create button.

    A list of options appears on the right.

  3. In the Name field, specify a name for the diagnostic rule.
  4. In the Description field, specify the diagnostic rule description.
  5. In the General element settings block, do the following:
    1. In the Reminder period (sec) field, specify the period in seconds after which the ML model element generates a repeated incident if the anomalous behavior persists from one UTG (unified time grid) node to the next.

      The default value of this setting is 0, which corresponds to no reminders.

    2. In the Period of recurring alert suppression (sec) field, specify the period in seconds during which the ML model does not log repeated incidents for the same element.

      The default value of this setting is 0 (repeat incidents not suppressed).

    3. In the Anomaly observation interval (sec) field, enter the period (in seconds) over which the anomalous behavior of the tag is observed before the element decides whether to register an incident.
    4. In the Anomaly duration share in interval field, enter, as a decimal fraction, the share of the Anomaly observation interval (sec) during which the behavior must be anomalous for the ML model element to register an incident.

      You can specify a value in the range of 0 to 1. For example, with a 60-second observation interval and a share of 0.5, the behavior must be anomalous for at least 30 seconds of the interval.

    5. In the Color of incident dot indicators field, select the color of the indicator points of the incidents logged by the ML model element on the graphs in the Monitoring and History sections. This color will also be used to display the graph of the artifact generated by this element.
    6. If necessary, in the Incident status drop-down list, select a status to be automatically assigned to incidents logged by the ML model element.
    7. If necessary, in the Incident cause drop-down list, select the cause to be automatically set for incidents logged by the ML model element if this cause is known in advance.
    8. If required, in the Expert opinion field, specify the expert opinion that will be automatically generated for incidents registered by the ML model element if the contents of this opinion are known in advance.
  6. In the Rule settings block, do the following:
    1. In the Grid step (sec) field, specify the step of the element's UTG (unified time grid) in seconds, as an integer or a decimal number.
    2. If necessary, turn on the Treat inconclusive result as positive toggle switch.

      If Kaspersky MLAD cannot unequivocally evaluate the fulfillment of the criteria specified in the Time filter and Tag conditions settings blocks, for example because there are no observations for the tags, the application considers the rule triggered when this option is enabled. Keep in mind that gaps in telemetry will then register incidents.

  7. In the Time filter settings block, do the following:
    1. Click the Add interval button.
    2. In the Interval type drop-down list, select one of the following time interval types:
      • Fixed. If you select this type of interval, specify the days of the week and the time interval during which the input data is checked against the specified criteria.

      • Recurrent. If you select this type of interval, specify the years, dates, days of the week, and daily time interval for periodically checking the input data against the specified criteria.
    3. If you want to add one more interval, click the Add interval button and complete step 7b.
    4. To delete an interval, click the cross-shaped icon to the right of the interval.

    You can add one or more time intervals. If no time interval is specified, the diagnostic rule is applied in each UTG node.

  8. To add tag behavior criteria, do the following:
    1. In the Tag conditions settings block, click the Condition button.

    2. In the Tag drop-down list, select the tag for which to add a tag behavior criterion.

      To check for the opposite of the selected behavior criterion, click the NOT button to the left of the selected tag. The NOT caption on the button is then shown in bold.

      For example, apply NOT to a Flat criterion to add a criterion that is met only when the tag value changes within the window.

    3. In the Behavior drop-down list, select one of the following tag behaviors that must be tracked:
      • Over: the tag value exceeds the specified threshold.
      • Below: the tag value falls below the specified threshold.
      • Rising: the trendline of tag values is increasing.
      • Falling: the trendline of tag values is decreasing.
      • Level: there are no pronounced changes in the trendline of tag values.
      • Step change: the trendline of the selected tag is displaying abrupt upward or downward shifts.
      • Flat: the selected tag is transmitting the same value.
      • Spread: abrupt changes in the spread of values are being observed around the trendline of the selected tag.
    4. In the Window field, specify the width of the window in which the behavior is evaluated, as a number of UTG steps.
    5. Depending on the value selected for Behavior, do one of the following:
      • If you selected Over or Below, specify the tag threshold value in the Threshold field, and in the Minimum violations field specify the minimum number of times the threshold must be breached within the window for the criterion to be met.
      • If you selected Rising, Falling, or Level, use the Threshold slope field to specify the trend slope percentage value that must be exceeded for the trend to be considered as growing or falling, and specify the time interval between adjacent trend estimates in the Evaluation period field.

        By default, the Threshold slope setting is not defined. If the setting is not defined, Kaspersky MLAD will determine the trend direction automatically.

        By default, the Evaluation period setting has a value of 1. With this value, the trend is estimated at each UTG node.

      • If you selected Spread, use the Minimum change field to specify the minimum value by which the tag value spread around the trendline can change, and select one of the following spread change directions in the Direction drop-down list: Any, Flare, or Shrink.

        By default, the Minimum change setting is not defined. If the setting is not defined, Kaspersky MLAD will determine it automatically.

        With the Any direction, the tag behavior criterion is met whether the spread around the trendline widens (Flare) or narrows (Shrink).

      • If you selected Step change, use the Minimum change field to specify the minimum shift value for the tag trendline, and select one of the following tag value change directions from the Direction drop-down list: Any, Up or Down.

        By default, the Minimum change setting is not defined. If the setting is not defined, Kaspersky MLAD will determine it automatically.

      • If you selected Flat, use the Value field to specify the value that the tag should transmit, and specify the maximum tag value spread in the Spread field.

        The Spread parameter is set to zero by default. With this value, any repeating tag value triggers the criterion.

    6. To add a tag behavior criterion to a condition block, click the plus sign at the bottom of the condition block and repeat steps 8b through 8e.
    7. If the block contains more than one tag behavior criterion, select one of the following logical operators between the criterion rows by clicking the logical operator button:
      • AND if you require all of the block criteria to be fulfilled at the same time.
      • OR if at least one of the block criteria must be fulfilled.

  9. To check whether the fulfillment of a pre-condition is followed by the fulfillment of a post-condition in a later UTG node, add a temporal operator:
    1. In the Tag conditions settings block, click the Wait button.

      The Wait button is available after at least one condition has been added.

    2. In the Recess (steps) field, specify the following time intervals:
      • from is the interval between the pre-condition check node and the UTG node where the post-condition check will start (minimum waiting interval).
      • to is the interval between the pre-condition check node and the UTG node where the post-condition check will finish (maximum waiting interval).

      The post-condition is checked in the UTG nodes between the minimum and maximum waiting intervals.

    3. In the Check drop-down list, select one of the following group operators:
      • If you require fulfillment of tag behavior criteria from the post-conditions in all UTG nodes between the minimum and maximum waiting intervals, select the All steps group operator.
      • To require fulfillment of tag behavior criteria from the post-conditions in at least one UTG node between the minimum and maximum waiting intervals, select the Any step group operator.

      The criteria check result is determined in the last node of the maximum waiting interval.

      If several checks are chained with the temporal operator, the result of the previous temporal condition serves as the pre-condition for the next one.

  10. Select one of the following logical operators between rule blocks by clicking the logical operator button:
    • AND if you require the criteria of both condition blocks to be fulfilled.
    • OR if the criterion of at least one of the condition blocks must be fulfilled.
  11. In the upper-right corner of the window, click the Save button.
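The following is an added illustration of how the settings from steps 5 to 10 compose, written for this page; it is not Kaspersky MLAD code and does not reproduce how the application evaluates rules internally. It models the Over, Below and Flat behaviors with a Window of UTG steps, the NOT button, AND/OR inside a condition block, the Treat inconclusive result as positive toggle, the Wait temporal operator with its from..to recess and All steps / Any step group operators, and incident registration by Anomaly duration share. The tag names (pump_current, valve_state), thresholds and sample series are constructed; the trend-based behaviors are left out because the page does not describe how the trend is estimated.

```python
"""Toy evaluator for the diagnostic-rule semantics described on this page.
Added illustration, not Kaspersky MLAD code: tag series on a unified time
grid (UTG), Over/Below/Flat criteria with a Window of UTG steps, NOT, AND/OR
in a block, the "Treat inconclusive result as positive" toggle, the Wait
temporal operator and incident registration by Anomaly duration share.
Trend-based behaviors (Rising, Falling, Level, Step change, Spread) are
omitted: how their trend is estimated is not described on the page."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# tag name -> value at each UTG node; None models a missing observation
Series = Dict[str, List[Optional[float]]]


@dataclass
class Criterion:
    tag: str
    behavior: str                  # "Over", "Below" or "Flat"
    window: int                    # UTG steps ending at the checked node
    threshold: float = 0.0         # Over / Below
    min_violations: int = 1        # Over / Below: breaches needed in the window
    value: Optional[float] = None  # Flat: expected value (None = any repeated value)
    spread: float = 0.0            # Flat: max deviation; 0 = exact repeats only
    negate: bool = False           # the NOT button

    def check(self, series: Series, node: int) -> Optional[bool]:
        """True/False at `node`; None (inconclusive) if the window holds no observations."""
        start = max(0, node - self.window + 1)  # a short history is evaluated on what exists
        vals = [v for v in series[self.tag][start:node + 1] if v is not None]
        if not vals:
            return None
        if self.behavior == "Over":
            hit = sum(v > self.threshold for v in vals) >= self.min_violations
        elif self.behavior == "Below":
            hit = sum(v < self.threshold for v in vals) >= self.min_violations
        elif self.behavior == "Flat":
            ref = vals[0] if self.value is None else self.value
            hit = all(abs(v - ref) <= self.spread for v in vals)
        else:
            raise ValueError(f"unsupported behavior {self.behavior!r}")
        return (not hit) if self.negate else hit


@dataclass
class Block:
    """Condition block: criteria joined by AND or OR."""
    criteria: List[Criterion]
    op: str = "AND"

    def check(self, series: Series, node: int, inconclusive_positive: bool = False) -> bool:
        results = [c.check(series, node) for c in self.criteria]
        # the toggle decides what an inconclusive (None) criterion counts as
        resolved = [inconclusive_positive if r is None else r for r in results]
        return all(resolved) if self.op == "AND" else any(resolved)


@dataclass
class Wait:
    """Temporal operator: if `pre` holds at node k, `post` is checked at nodes
    k+recess_from .. k+recess_to; the result is attributed to node k+recess_to."""
    pre: Block
    post: Block
    recess_from: int
    recess_to: int
    group: str = "All steps"       # or "Any step"

    def check(self, series: Series, node: int, inconclusive_positive: bool = False) -> bool:
        k = node - self.recess_to
        if k < 0 or not self.pre.check(series, k, inconclusive_positive):
            return False
        post = [self.post.check(series, n, inconclusive_positive)
                for n in range(k + self.recess_from, k + self.recess_to + 1)]
        return all(post) if self.group == "All steps" else any(post)


def trigger_flags(rule, series: Series, inconclusive_positive: bool = False) -> List[bool]:
    """Rule result at every UTG node of the series."""
    n_nodes = len(next(iter(series.values())))
    return [rule.check(series, n, inconclusive_positive) for n in range(n_nodes)]


def incident_nodes(flags: List[bool], interval_steps: int, share: float) -> List[int]:
    """Register an incident at a node when the rule was triggered in at least
    `share` of the last `interval_steps` nodes (interval_steps = Anomaly
    observation interval in seconds / Grid step)."""
    return [i for i in range(interval_steps - 1, len(flags))
            if sum(flags[i - interval_steps + 1:i + 1]) / interval_steps >= share]


# Hypothetical rule (constructed names, thresholds and process): pump current above
# 8.0 in at least 2 of the last 3 nodes, and the discharge valve still reporting
# 0 (closed) at every node 1..3 steps later.
PUMP_WITHOUT_FLOW = Wait(
    pre=Block([Criterion("pump_current", "Over", window=3, threshold=8.0, min_violations=2)]),
    post=Block([Criterion("valve_state", "Flat", window=1, value=0.0, spread=0.0)]),
    recess_from=1, recess_to=3, group="All steps",
)
PUMP = [5.0, 5.0, 9.0, 9.5, 9.0, 6.0, 5.0, 5.0]          # constructed sample, 8 UTG nodes
NORMAL = {"pump_current": PUMP, "valve_state": [0, 0, 0, 0, 1, 1, 1, 1]}  # valve opens
STUCK = {"pump_current": PUMP, "valve_state": [0] * 8}                    # valve never opens
GAPPY = {"pump_current": PUMP, "valve_state": [0, 0, 0, 0, None, None, None, 0]}  # telemetry gap

if __name__ == "__main__":
    for name, s in ("NORMAL", NORMAL), ("STUCK", STUCK), ("GAPPY", GAPPY):
        flags = trigger_flags(PUMP_WITHOUT_FLOW, s)
        print(name, [i for i, f in enumerate(flags) if f], incident_nodes(flags, 3, 0.6))
```

In the STUCK series the rule is triggered at nodes 6 and 7, but with a three-step observation interval and a share of 0.6 an incident is registered only at node 7, once two of the last three nodes are anomalous; lowering the share to 0.3 registers it at node 6 as well. The GAPPY series triggers nothing by default, because the missing valve readings make the post-condition inconclusive, and triggers at nodes 6 and 7 once inconclusive results are treated as positive, which is the trade-off behind the toggle in step 6b.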

When the first ML model element is created, a Rules group will be automatically created in the asset tree. The newly created element appears in this group.

If an ML model contains only elements based on diagnostic rules, the model is assigned the Trained status. You can start inference for such an ML model. If the ML model contains untrained predictive elements and/or elliptic envelope-based elements, these must be trained before starting the inference.