Kaspersky Machine Learning for Anomaly Detection

Limitations

Kaspersky MLAD has the following limitations, none of which is critical for application operation:

  • Alerts about the activation of the Event Processor service monitors are sent to external systems only using the CEF connector. Sending alerts by email is not available.
  • Alerts about the activation of the Event Processor service monitors are not saved in the Kaspersky MLAD database.
  • The Event Processor service processes only categorical data. All event parameter values are stored as strings or converted to strings. Although the set of string values for each event parameter can be very large (up to tens of thousands of values), it is finite.
  • The current version of the Event Processor processes about 5,000 events per second; throughput decreases as the number of attention heads and monitors grows. Working with a large event stream requires a significant amount of RAM. The required amount depends on the event rate, the variety of events in the stream, and the attention and monitor configuration settings.
  • The Event Processor service is sensitive to its configuration. Incorrectly defined event parameters, episode size and creation time, or attention settings can significantly reduce the efficiency and performance of the service.
  • It is recommended to save the state of the Event Processor service to a database table. If the state is instead saved to a file in bit format, Kaspersky MLAD saves it at the backup creation frequency specified for the service. Saving and restoring the state can take some time (up to several minutes for a large volume of processed data), and restarting the service loses everything processed since the state was last saved to the file.
  • Kaspersky MLAD is compatible with Kaspersky Industrial CyberSecurity for Networks version 4.0 and later.
  • Kaspersky MLAD is designed to work with a tag stream whose rate does not exceed 10000 tags per second (short-term bursts of no more than 20% are permissible). If the tag stream rate exceeds the specified value, there may be delays in tag processing, prediction, and anomaly detection.
  • Computers with Kaspersky MLAD and Kaspersky Industrial CyberSecurity for Networks installed must belong to the same network.
  • Data can be preserved during an application update only when updating from Kaspersky MLAD 5.0.0-001 or later. To migrate from Kaspersky MLAD 4.0.0 to Kaspersky MLAD 5.0.0 or later, you must perform a new installation of Kaspersky MLAD and manually import the data from the previously installed Kaspersky MLAD 4.0.0. For details on this migration, contact Kaspersky Technical Support.
  • Rollback to the previously installed version is supported only for Kaspersky MLAD 5.0.0-001 or later.
  • There is no capability to use model elements based on the XGBoost detector.
  • In the asset tree, the Assets section does not display the icon that is selected when you create or edit tags or assets.
  • In the Incidents section, in the period selection window, when you move right along the time axis, the start-of-period and end-of-period selection blocks show the year of the start of the defined period.
  • After loading the configuration of assets and tags, the markups that were previously created for the loaded assets are not displayed in the Models section.
  • In the Monitoring and History sections, the vertical axis shown when you hover the mouse over the graph of an ML model element artifact at the bottom of the page does not match the vertical axis shown in the graph areas at the top of the page.
  • In the Presets section, when you search the asset tree by the name of a tag that is included in a preset, the tag's check box is displayed cleared. Selecting it makes the Save selection button available even though the preset's tags have not actually changed. When you select a tag within an asset that has a large number of tags, the list of tags matching the search query scrolls down.
  • In the Models section, clicking the Import model button in the vertical menu of the selected asset sometimes has no effect. To work around this, move the mouse cursor over the right side of the button and click there.
  • In the Models section, you cannot preview a markup if you have selected at least one of its tags for which no observations have been received by Kaspersky MLAD.
  • In the Models section, the markup used in the imported ML model is displayed after re-importing the ML model, and a copy of the markup is created.
  • In the Assets section, new assets and tags cannot be created after the root element of the hierarchical structure (Root) has been deleted.
  • In the History section, deleted ML model elements are still displayed in the drop-down list for selecting ML model elements.
  • The Similar Anomaly service stops working when historical inference is restarted. Disable the Similar Anomaly service before restarting historical inference.
  • In the Models section, when you zoom in on a markup, the horizontal scroll bar is not displayed while the markup is being viewed, and some of the markup viewing controls become unavailable.
  • Kaspersky MLAD stores the entire history of received tag values and predicted tag values. Estimate the required storage volume from the data update rate (tags per second) and the retention period for the telemetry data monitoring history.
  • The Models section does not always display the results of training a predictive element after training completes successfully. Refresh the page to display the results.
  • The Monitored asset time zone setting defined by the system administrator in the main settings of Kaspersky MLAD is applied only to the dates and times used when selecting time intervals for markups. It does not apply to other sections of the web interface in which a date and time can be selected for displaying data.
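Two of the limitations above call for a check before a deployment goes live: the tag stream must stay at or below 10,000 tags per second with short-term bursts of no more than 20%, and storage must be sized for the full history of received and predicted tag values. The following is an added example written for this page, not Kaspersky code: it buckets tag timestamps into per-second counts, flags seconds above the 12,000 tags/s burst ceiling and runs above 10,000 tags/s that last longer than a short burst, and gives a rough storage estimate. The documentation does not define "short-term", so BURST_MAX_SECONDS is an assumption, as are the bytes-per-value figure and the constructed sample timestamps.

```python
"""Pre-deployment capacity check for a Kaspersky MLAD tag stream.

Added example, not part of the Kaspersky MLAD documentation or product.
Figures taken from the documentation: 10,000 tags/s nominal, +20% bursts.
ASSUMPTIONS: what counts as a "short-term" burst (BURST_MAX_SECONDS),
bytes stored per tag value, and the sample timestamps below.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

NOMINAL_RATE = 10_000                         # tags/s, from the documentation
BURST_CEILING = int(NOMINAL_RATE * 1.20)      # 12,000 tags/s, +20% from the documentation
BURST_MAX_SECONDS = 5                         # ASSUMPTION: longest run above nominal treated as "short-term"


@dataclass
class RateReport:
    peak_rate: int                      # highest per-second count seen
    over_ceiling: list                  # second indexes whose count exceeds BURST_CEILING
    sustained_runs: list                # (first_sec, last_sec) runs above NOMINAL_RATE longer than BURST_MAX_SECONDS

    @property
    def within_limits(self) -> bool:
        return not self.over_ceiling and not self.sustained_runs


def bucket_per_second(timestamps: Iterable[float]) -> list:
    """Count tags per whole second, filling gaps with zero so indexes are contiguous."""
    counts = Counter(int(t) for t in timestamps)
    if not counts:
        return []
    first, last = min(counts), max(counts)
    return [counts.get(sec, 0) for sec in range(first, last + 1)]


def check_tag_rate(counts_per_second: list) -> RateReport:
    """Apply the documented rate limit to a list of per-second tag counts."""
    peak = max(counts_per_second, default=0)
    over = [i for i, n in enumerate(counts_per_second) if n > BURST_CEILING]
    runs = []
    run_start = None
    # A trailing zero sentinel closes a run that reaches the end of the list.
    for i, n in enumerate(list(counts_per_second) + [0]):
        if n > NOMINAL_RATE:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start > BURST_MAX_SECONDS:
                runs.append((run_start, i - 1))
            run_start = None
    return RateReport(peak, over, runs)


def estimate_storage_bytes(tags_per_second: int, retention_days: int, bytes_per_value: int = 16) -> int:
    """Rough history size: received plus predicted values (factor 2) over the retention period.

    bytes_per_value is an ASSUMPTION; measure it on your own database.
    """
    return 2 * tags_per_second * retention_days * 86_400 * bytes_per_value


if __name__ == "__main__":
    # Constructed sample: 4 tags across seconds 100..103 (one empty second).
    sample = [100.1, 100.5, 101.9, 103.0]
    print(bucket_per_second(sample))                       # [2, 1, 0, 1]
    # Constructed: 3 s burst at 11,500 tags/s inside a 9,000 tags/s stream -> allowed.
    print(check_tag_rate([9_000] * 3 + [11_500] * 3 + [9_000] * 3).within_limits)
    # Constructed: 8 s at 10,500 tags/s -> sustained overload, not a short-term burst.
    print(check_tag_rate([10_500] * 8).sustained_runs)
    print(estimate_storage_bytes(10_000, 30))
```

Feed `bucket_per_second` the timestamps of a representative capture from the tag source (for example a day that includes start-up and shift changes) rather than a quiet period, since the sustained-run check only means something if the sample contains the real peaks. Treat the storage figure as an order-of-magnitude planning number and measure the actual bytes per value on a test instance.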