About Kaspersky Machine Learning for Anomaly Detection
The early anomaly detection system known as Kaspersky Machine Learning for Anomaly Detection (hereinafter also referred to as Kaspersky MLAD or "the application") is specialized software designed to prevent failures, accidents or degradation of industrial installations, technological processes, and complex cyberphysical systems. By analyzing telemetry data using machine learning techniques (artificial intelligence), Kaspersky MLAD detects signs of an abnormal situation before it is detected by traditional monitoring systems.
Kaspersky MLAD detects anomalies in industrial processes regardless of their causes. Anomalies may be caused by the following:
- Physical factors, such as damage to equipment or malfunctioning sensors.
- The human factor, such as intentional or inadvertent inappropriate actions by the operator, hardware configuration, change of operating mode or settings, or a switch to manual control.
- Cyberattacks.
Main capabilities of Kaspersky MLAD:
- Detects abnormal behavior of the monitored asset in real time.
- Identifies signals that display the largest deviations from normal behavior.
- Allows you to analyze incidents taking into account information about similar incidents.
- Allows expert classification and annotation of incidents.
- Allows you to notify users about detected incidents through the web interface, by email, by sending messages to Kaspersky Industrial CyberSecurity for Networks, and using industrial data transfer protocols.
- Allows you to use models based on both machine learning and arbitrary rules for anomaly detection.
- Displays historical and real-time data as graphs according to the specified tag sets, along with the results of processing this data with ML models.
- Lets you manage the log of detected incidents.
- Allows you to create ML models and add predictive elements, elliptic envelope-based elements, and diagnostic rule-based elements to them.
- Provides training of predictive elements and elliptic envelope-based elements.
- Allows you to create templates from the added ML models and add ML models to Kaspersky MLAD based on those templates.
- Allows you to define the way to organize the data of the monitored asset in the form of an asset tree.
- Allows you to receive telemetry data over HTTP, OPC UA, MQTT, AMQP, CEF, and WebSocket protocols, and via a specialized protocol over HTTPS from Kaspersky Industrial CyberSecurity for Networks.
- Detects and handles terminations and interruptions of the incoming data stream, and restores missed observations.
- Based on event data received from external systems, recognizes regularities in the form of repeated events or patterns, and identifies new events and patterns in the event stream.
- Displays the detected events as a graph and a table, and shows detected patterns as a layered hierarchy of nested items.
- Sends alerts about the detection of certain events, patterns, or values of the event parameters received by the Event Processor in the data stream from the monitored asset.
Distribution kit
Kaspersky MLAD is delivered as an archive file named Kaspersky_MLAD_5.0.0.-<build number>_ru-RU_en-US.tar.xz, which contains the following files:
- Installation script and all files required for system installation.
- Scripts for updating, checking, and backing up the application.
- Files containing the text of the End User License Agreement in English and in Russian.
- Files containing information about the application (Release Notes) in English and in Russian.
- File containing information about third-party code (legal_notices.txt) in English.
After you unpack the archive, the "legal" directory will contain a text file named license_en.txt in which you can view the End User License Agreement. The End User License Agreement specifies the terms of use of the application.
Hardware and software requirements
The hardware requirements for each protected facility must be adjusted considering the model being used, the number of processed tags and events, the average speed of data acquisition (number of observations per second), and the volume of stored data. The more data is processed and the more sophisticated the ML model, the more hardware resources the server part of Kaspersky MLAD requires.
Requirements for Kaspersky MLAD server
To ensure proper operation of the application, the Kaspersky MLAD server must meet the following minimum requirements.
List of supported processors:
- Intel Xeon E3 v3, v4, v5, v6
- Intel Xeon E5 v3, v4
- Intel Xeon E7 v3, v4
- Intel Xeon Scalable processors
- The 2nd and 3rd generation Intel Xeon Scalable processors
- Intel Xeon E
- Intel Xeon W
- Intel Xeon D
- The 4th generation and later Intel Core i5, i7
- Intel Core i9 processor
- Intel Core M
Minimum hardware requirements:
- 8 cores
- 32 GB of RAM
- 200 GB of free space on the hard drive (SSD recommended)
If Kaspersky MLAD receives a large data stream, increase the amount of free space on the hard drive.
You can install Kaspersky MLAD on a server with another x86 64-bit processor released in 2013 or later. The processor must meet the minimum hardware requirements listed above and support the following extensions required for the TensorFlow 2.15.1 library:
- Advanced Vector Extensions (avx)
- Advanced Vector Extensions 2 (avx2)
Supported operating systems:
- Ubuntu 22.04 LTS or later
The following software must be installed prior to deployment of Kaspersky MLAD:
- docker 24.0.9 or later
- docker compose 2.12.2 or later
Use the official Docker repository for installation of the software on the Kaspersky MLAD server.
To update and back up the application, the jq utility must be installed. You can install the jq utility by using the apt package manager.
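The server requirements above (core count, RAM, free disk, the avx/avx2 extensions needed by TensorFlow 2.15.1, the docker and docker compose minimum versions, and the jq utility) can be checked before deployment with a small preflight script. The following is an added example in Python, not a Kaspersky script; the sample command outputs and /proc excerpts are constructed for the demo, the version parsing assumes the usual `docker --version` / `docker compose version` output format, and the disk check is done in GiB, which is slightly stricter than the documented 200 GB.

```python
import os
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

# Documented minimums for the Kaspersky MLAD server (taken from the requirements above).
MIN_CORES = 8
MIN_RAM_GIB = 32
MIN_DISK_FREE_GIB = 200                 # checked in GiB, slightly stricter than 200 GB
REQUIRED_CPU_FLAGS = ("avx", "avx2")    # required by TensorFlow 2.15.1
MIN_DOCKER = "24.0.9"
MIN_COMPOSE = "2.12.2"

# Constructed sample values in the format `docker --version`, `docker compose version`,
# /proc/cpuinfo and /proc/meminfo produce; used by demo(), not captured from a real host.
SAMPLE_DOCKER_OUT = "Docker version 24.0.9, build 2936816"
SAMPLE_COMPOSE_OUT = "Docker Compose version v2.12.2"
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme sse4_2 avx avx2 fma\n"
SAMPLE_MEMINFO = "MemTotal:       33554432 kB\nMemFree:        1048576 kB\n"


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first x.y.z version number from a string, or None if there is none."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def version_at_least(found: str, required: str) -> bool:
    """True when the version embedded in `found` is >= `required` (numeric, not string, compare)."""
    f, r = parse_version(found), parse_version(required)
    return f is not None and r is not None and f >= r


def missing_cpu_flags(cpuinfo_text: str, required=REQUIRED_CPU_FLAGS) -> List[str]:
    """Return the required extensions absent from the 'flags' lines of /proc/cpuinfo."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags.update(line.split(":", 1)[1].split())
    return [f for f in required if f not in flags]


def total_ram_gib(meminfo_text: str) -> float:
    """Convert the MemTotal line of /proc/meminfo (reported in kB) to GiB."""
    m = re.search(r"^MemTotal:\s+(\d+)\s+kB", meminfo_text, re.MULTILINE)
    return int(m.group(1)) / (1024 ** 2) if m else 0.0


def evaluate(cores, ram_gib, disk_free_gib, cpuinfo_text, docker_out, compose_out, jq_path) -> List[str]:
    """Compare observed values with the documented minimums; return one message per failed check."""
    failures = []
    if cores < MIN_CORES:
        failures.append(f"{cores} CPU cores, need {MIN_CORES}")
    if ram_gib < MIN_RAM_GIB:
        failures.append(f"{ram_gib:.1f} GiB RAM, need {MIN_RAM_GIB}")
    if disk_free_gib < MIN_DISK_FREE_GIB:
        failures.append(f"{disk_free_gib:.1f} GiB free disk, need {MIN_DISK_FREE_GIB}")
    for flag in missing_cpu_flags(cpuinfo_text):
        failures.append(f"CPU lacks {flag}")
    if not version_at_least(docker_out, MIN_DOCKER):
        failures.append(f"docker {MIN_DOCKER} or later required, found: {docker_out.strip() or 'none'}")
    if not version_at_least(compose_out, MIN_COMPOSE):
        failures.append(f"docker compose {MIN_COMPOSE} or later required, found: {compose_out.strip() or 'none'}")
    if not jq_path:
        failures.append("jq not installed (needed by the update and backup scripts)")
    return failures


def demo() -> List[str]:
    """Run the checks against the constructed sample values; returns [] when everything passes."""
    return evaluate(8, total_ram_gib(SAMPLE_MEMINFO), 250.0, SAMPLE_CPUINFO,
                    SAMPLE_DOCKER_OUT, SAMPLE_COMPOSE_OUT, "/usr/bin/jq")


def _run(args: List[str]) -> str:
    """Return a command's stdout, or '' when the binary is not installed."""
    try:
        return subprocess.run(args, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    # Live checks on the host this script runs on (Linux only, because it reads /proc).
    with open("/proc/cpuinfo") as f:
        cpuinfo = f.read()
    with open("/proc/meminfo") as f:
        meminfo = f.read()
    problems = evaluate(os.cpu_count() or 0, total_ram_gib(meminfo),
                        shutil.disk_usage("/").free / (1024 ** 3), cpuinfo,
                        _run(["docker", "--version"]), _run(["docker", "compose", "version"]),
                        shutil.which("jq"))
    print("All checks passed" if not problems else "\n".join("FAIL: " + p for p in problems))
```

Run it on the intended server before unpacking the distribution kit; each failed check names the documented minimum it falls short of. Versions are compared as integer tuples rather than strings so that, for instance, 24.0.10 is correctly treated as newer than 24.0.9.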
User computer requirements
To work with the web interface of Kaspersky MLAD, the user's computer must meet the following minimum requirements:
- Intel Core i5 CPU
- 8 GB of RAM
- 64-bit operating system
- Google Chrome browser version 107 or later
- Screen resolution of at least 1600x900, so that the web interface is displayed properly
Security recommendations
To ensure secure operation of Kaspersky MLAD at an enterprise, it is recommended to restrict and control access to equipment on which the application is running.
Physical security of equipment
When deploying Kaspersky MLAD, it is recommended to take the following measures to ensure secure operations:
- Restrict access to the room housing the server with Kaspersky MLAD installed, and to the equipment of the dedicated network. Access to the room must be granted only to trusted persons, such as personnel who are authorized to install and configure the application.
- Employ technical resources or a security service to monitor physical access to equipment on which the application is running.
- Use security alarm equipment to monitor access to restricted rooms.
- Conduct video surveillance in restricted rooms.
Information security
The ML model settings directly affect anomaly detection, so only system administrators and users in the Manage ML models group are allowed to edit these. The change history is available only in application logs, which are saved for only a limited amount of time.
When using the web interface, it is recommended to take the following measures to ensure the data security of the intranet system:
- Provide users with access to the application through the web interface only.
- Install certificates on users' computers so that their browsers can verify the identity of the Kaspersky MLAD server. To obtain a trusted certificate, contact a qualified technical specialist of the Customer, a Kaspersky employee, or a certified integrator.
- Ensure protection of traffic within the intranet system.
- Ensure protection of connections to external networks.
- Use a secure TLS connection for data transfer.
- Change the name and password of the first application user with the system administrator role when installing the application.
- Change the account password when it expires. The password expiration date is defined in the application security settings. The default password expiration is set to 180 days.
- For connections through the web interface, use passwords that meet the following requirements:
- Must not match previously used account passwords. The specific number of most recently used passwords that must not be reused is defined when configuring the application security settings. The password must be different from the five previous passwords by default.
- Must contain at least 8 characters.
- Must contain one or more uppercase letters of the English alphabet.
- Must contain one or more lowercase letters of the English alphabet.
- Must contain one or more numerals.
- Must contain one or more of the following special characters: _ ! @ # $ % ^ & * .
- Ensure that passwords are confidential and unique. If a password may have been compromised, change it.
- Set a time limit for a user web session.
- After you are finished working in the browser, manually terminate the application connection session by using the Sign out option in the web interface.
- Periodically install updates for the operating system on the server where Kaspersky MLAD is deployed.
- Use access permission control to restrict user access to application functions.
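The password requirements listed above, together with the default reuse depth (five previous passwords) and the default expiration (180 days), as a server-side policy check. This is an added Python example, not Kaspersky MLAD's own implementation: the function names, the salted PBKDF2-SHA256 storage of the password history (so that earlier passwords can be compared against without being stored in clear) and the work factor are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta
from typing import List, Tuple

# Policy values as documented above (the reuse depth and expiration are the stated defaults).
MIN_LENGTH = 8
SPECIAL_CHARS = "_!@#$%^&*."
HISTORY_DEPTH = 5         # must differ from the five previous passwords
EXPIRY_DAYS = 180         # default password expiration
PBKDF2_ROUNDS = 100_000   # assumed work factor for the stored history digests


def check_complexity(password: str) -> List[str]:
    """Return the documented complexity rules the password violates (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):          # ASCII range: English alphabet only
        problems.append("no uppercase English letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase English letter")
    if not re.search(r"[0-9]", password):
        problems.append("no numeral")
    if not any(ch in SPECIAL_CHARS for ch in password):
        problems.append(f"no special character from {SPECIAL_CHARS}")
    return problems


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 digest kept in the history instead of the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def was_used_before(password: str, history: List[Tuple[bytes, bytes]],
                    depth: int = HISTORY_DEPTH) -> bool:
    """history holds (salt, digest) pairs, newest first; only the most recent `depth` entries count."""
    for salt, digest in history[:depth]:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            return True
    return False


def validate_new_password(password: str, history: List[Tuple[bytes, bytes]],
                          depth: int = HISTORY_DEPTH) -> List[str]:
    """Combine the complexity rules with the reuse check; empty list means the password is accepted."""
    problems = check_complexity(password)
    if was_used_before(password, history, depth):
        problems.append(f"matches one of the {depth} previous passwords")
    return problems


def is_expired(changed_at: datetime, now: datetime, expiry_days: int = EXPIRY_DAYS) -> bool:
    """True once the configured expiration period has elapsed since the last change."""
    return now - changed_at >= timedelta(days=expiry_days)


if __name__ == "__main__":
    # Constructed demonstration: a history of two earlier passwords, then two candidates.
    history = [hash_password("Second2@Pw"), hash_password("First1!Pw")]   # newest first
    for candidate in ("Second2@Pw", "weak", "Third3#Pw"):
        verdict = validate_new_password(candidate, history) or ["accepted"]
        print(candidate, "->", "; ".join(verdict))
    print("expired:", is_expired(datetime(2024, 1, 1), datetime(2024, 7, 1)))
```

Every violated rule is reported rather than only the first one, which lets the web interface show the user the complete list of problems in one round trip; `HISTORY_DEPTH` and `EXPIRY_DAYS` are parameters so the values can follow whatever is configured in the application security settings.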
Data security
While working with Kaspersky MLAD, it is recommended to take the following measures to ensure data security:
- Configure the operating system and provide the necessary access to files of the server where Kaspersky MLAD is installed in accordance with the Recommendations on secure configuration of Linux operating systems issued by the Federal Service for Technical and Export Control (FSTEC) of Russia.
- Perform periodic data backups of the server that has Kaspersky MLAD installed in accordance with the internal company procedure.
- Periodically test the performance of the interface and services of the application. Special attention should be directed to the notification service and logging system.
- Check communication channels to make sure they are secure and working properly.
- Periodically test the performance of the server:
- SMART disk check
- Availability of sufficient free space and memory
- RAM utilization
- Use the monitoring system to make sure that there are no problems with the server protocols.
- Store sensitive data in a secure storage location.
Fixing vulnerabilities and installing critical updates
Kaspersky may release application updates aimed at eliminating vulnerabilities and security flaws (critical updates). Urgent update packages are supplied and installed in accordance with the current Technical Support Agreement. Notifications regarding the release of critical updates are sent to the email addresses specified in the current Technical Support Agreement.
It is recommended that the personnel responsible for application operation also periodically (at least once every three months) check the Kaspersky website for published vulnerabilities affecting the application.
You can report security flaws or program vulnerabilities with a PGP-encrypted message to vulnerability@kaspersky.com. Please provide the following information in your email:
- Your contact details.
- The product name, version, and type of operating system installed on the asset where the vulnerability was found.
- A detailed description of the vulnerability.
- Any plans to share information about the vulnerability with a third party.
Do not publish any information about the vulnerability until Kaspersky has fixed it.
Managing access to application functions
In Kaspersky MLAD, you can use roles to restrict users' access to application functions depending on the tasks performed by users. A role is a set of rights to access application functions that you can assign to a user.
Depending on the assigned role, users may have access to the following functions of Kaspersky MLAD:
Accessible functions of the application

Functional scope | System administrator | Custom role
---|---|---
Viewing the rights of users | |
Managing ML models | |

(The per-role marks in the table cells are not available in this copy of the page.)
All application users have the following default rights:
- Viewing summary data in the Dashboard section
- Viewing primary and operational data by tags in the History and Monitoring sections
- Viewing the values of the process parameters received from the monitored asset's sensors at a certain point in time in the Time slice section
- Working with events and patterns:
- Configuring attention settings and display of event parameters
- Creating and deleting monitors
- Viewing the event and pattern history
- Working with incidents and groups of incidents:
- Viewing incidents and incident groups
- Adding a status, cause, expert opinion or note to an incident or incident group
- Exporting incidents to a file
- The following actions in the Models section:
- Managing presets:
- Viewing presets
- Creating, modifying, and deleting models
- Loading a preset configuration from a file
- Saving a preset configuration to a file
- Changing your own password
You can also create a role with a Rights to all actions permission. Users with this role have access to system administrator functions.
You can view the available user roles and their access rights to application functions in the Roles section of the administrator menu.
You can view application functionality access rights for specific users in the Users section of the administrator menu.