Kaspersky Machine Learning for Anomaly Detection

About Event Processor

The Kaspersky MLAD Event Processor is designed to detect regularities in the form of recurring events and patterns in the stream of events received from monitored assets, and to detect new events and patterns. New events and patterns may indicate an anomaly in the monitored asset operation.

You can also focus the attention of the Event Processor on the overall behavior of the monitored asset. In that case the Event Processor registers generalized events and patterns, in which the generalized event parameters are omitted.

In this section

About events

About patterns

About attention

About Event Processor operating modes

About monitors

[Topic 247975]

About events

Data received from monitored assets and from the Anomaly Detector service are processed as events by the Event Processor service. An event is a set of values taken from a predetermined list of parameters and indicating what happened on a monitored asset at a given moment. The set of event parameters depends on the monitored asset and is defined in the configuration file for the Event Processor service.

The Event Processor is designed to work only with categorical values of the event parameters. Event parameter values are converted to string type. Kaspersky MLAD uses the Anomaly Detector service to work with numeric values of telemetry data when processing the event stream. The system administrator can enable the processing of incidents received from the Anomaly Detector service when configuring the Event Processor service settings.

An event is a phenomenon distinct from other events. There may also be intervals of time during which no events have occurred. Event registration may be affected by such factors as the actions of personnel, changes in the asset operating mode at the facility, or the execution of ICS commands by a specialist.

Examples of situations that may lead to event registration in Kaspersky MLAD

Event examples are provided for various monitored assets.

  • Employee login.
    • Event time: 11/10/21 09:03
    • Event parameters:
      • Source: ACS
      • Employee: Smith
      • Station: engine room door, exterior side
      • Result: Passage.
  • Unit startup.
    • Event time: 11/10/21 09:09
    • Event parameters:
      • Source: Operator workstation
      • User: Smith
      • Equipment: Unit 1
      • Command: Ignition switched on
      • Current: 44 A
      • Duration: 10 seconds.
  • Mode activation.
    • Event time: 11/10/21 09:24
    • Event parameters:
      • Source: ICS
      • Equipment: Unit 1
      • Nominal mode: True.

An event is registered once by the Event Processor service. When an event stream is received, the Event Processor recognizes previously detected events. If events are found that do not match those previously detected, the Event Processor registers new events.

You can view the received events as a graph or a table. To view events, you need to upload them in the Event Processor section on the Event history tab. Event parameters specified in the configuration file for the Event Processor service may not appear in all events received from the monitored asset, so some parameters may be missing when you view the received events.

See also:

Viewing the events history

[Topic 247976]

About patterns

The Event Processor detects regularities in the stream of events arriving from the monitored asset. These regularities are detected as a hierarchy of stable (persistently recurring) patterns, which can be either simple patterns (sequences of events) or composite patterns (sequences of patterns). The patterns that form a composite pattern are called subpatterns.

A sequence of events or patterns is considered recurrent if its constituent elements follow the same order, and the time intervals between similar elements in different sequences differ from each other by no more than a specific maximum range. The allowable range of intervals between the pattern elements is calculated considering the value of the Coefficient defining the permitted dispersion of the pattern duration parameter. Patterns are the result of the specific facility's adopted practices, prescribed procedures, or technical specifics of the industrial process.

The Event Processor presents the detected regularities as a layered hierarchy of nested elements (the pattern structure) down to the event level. Event parameter values form layer zero, events are the first-layer elements, simple patterns are the second-layer elements, and composite patterns are the elements of the third and higher layers.

A pattern is registered once by the Event Processor service. When an event stream is received, the Event Processor recognizes previously detected patterns. If patterns are found that do not match previously detected regularities, the Event Processor registers new patterns.

New patterns also include the sequences of events or patterns with a deviation in the order or composition of subpatterns (for example, turning on an industrial unit before the operator has arrived at the workstation) or with significant changes in the intervals between events or subpatterns even though their sequence is preserved (for example, turning on an industrial unit immediately after or a lot later than the operator arrived at the workstation). Thus, the Event Processor registers patterns with a new structure.

New patterns may indicate an anomaly in the monitored asset operation. You can view the structure of the new pattern and examine its deviations from the structure of previously detected patterns.

If a newly identified sequence of events or patterns begins to repeat in a persistent manner, this sequence is converted to a stable pattern.

Event Processor can register patterns where the values of one or more event parameters, such as the name of the employee who turned on the machine, are irrelevant. These patterns are referred to as generalized. To register generalized patterns, set Generalized attention as the attention type when configuring attention. You can also specify Generalized parameter as the condition type when configuring attention subject conditions. Generalized attention subject and condition parameters will not be displayed when viewing the structure of generalized patterns on the Patterns history tab.
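To make the recurrence rule, the two kinds of deviation that produce a new pattern, and generalized parameters concrete, here is an added Python example with constructed event data and a simplified check; it is not Kaspersky MLAD's own pattern-detection algorithm. The `coefficient` argument is an assumed stand-in for the dispersion coefficient (each interval may differ from the reference interval by at most `coefficient` times that interval), and `ignore` lists the parameters treated as generalized.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data and a simplified recurrence check: an added
# illustration, not Kaspersky MLAD's own pattern-detection algorithm.

@dataclass(frozen=True)
class Event:
    time: datetime
    params: dict  # categorical parameter values, all strings

def signature(event, ignore=()):
    """Comparison key for an event; `ignore` names generalized parameters."""
    return tuple(sorted((k, v) for k, v in event.params.items() if k not in ignore))

def classify(reference, candidate, coefficient, ignore=()):
    """Compare a candidate sequence with a known (stable) pattern.

    "stable": same order and every interval within reference_gap * (1 +/- coefficient);
    "order deviation": composition or order differs;
    "interval deviation": order preserved but some interval is out of range.
    """
    ref_sigs = [signature(e, ignore) for e in reference]
    cand_sigs = [signature(e, ignore) for e in candidate]
    if ref_sigs != cand_sigs:
        return "order deviation"
    for i in range(1, len(reference)):
        ref_gap = (reference[i].time - reference[i - 1].time).total_seconds()
        cand_gap = (candidate[i].time - candidate[i - 1].time).total_seconds()
        if abs(cand_gap - ref_gap) > coefficient * ref_gap:
            return "interval deviation"
    return "stable"

def _ev(hhmmss, **params):
    return Event(datetime.strptime(f"2021-11-10 {hhmmss}", "%Y-%m-%d %H:%M:%S"), params)

# Constructed sequences: employee login followed by unit startup.
REFERENCE = [_ev("09:03:00", Source="ACS", Employee="Smith", Result="Passage"),
             _ev("09:09:00", Source="Operator workstation", User="Smith", Command="Ignition switched on")]
STABLE = [_ev("09:03:00", Source="ACS", Employee="Smith", Result="Passage"),
          _ev("09:08:00", Source="Operator workstation", User="Smith", Command="Ignition switched on")]
REORDERED = list(reversed(STABLE))            # unit started before the login
TOO_FAST = [STABLE[0], _ev("09:03:30", **STABLE[1].params)]   # startup right after login
OTHER_USER = [_ev("09:03:00", Source="ACS", Employee="Jones", Result="Passage"),
              _ev("09:08:00", Source="Operator workstation", User="Jones", Command="Ignition switched on")]
```

With `ignore=("Employee", "User")` the `OTHER_USER` sequence matches the reference as a generalized pattern; without it the different employee name counts as a change in composition.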

[Topic 247977]

About attention

The event stream from the monitored asset usually contains many unrelated events. The Event Processor service supports an attention mechanism to detect patterns based on a specific subset of events from the entire stream.

Attention is a special event processor configuration intended to track events and patterns for specific subsets of event history, and to detect commonalities in the behavior of the monitored asset.

Attention heads form the foundation of attention configuration. They define the attention subject parameter and attention subject condition parameters. The attention subject corresponds to the main event parameter that the event processor will use to register events and patterns. The conditions correspond to additional criteria for registering events and patterns for other event parameters. An attention head processes only those events in the entire incoming event stream that satisfy the specified attention subject and conditions. The event processor can process event streams for multiple attention heads simultaneously.

The event processor can register generalized events and patterns to track general behavior for different attention subject values. To do this, set Generalized attention as the attention type when configuring the attention subject. You can also specify Generalized parameter as the condition type when configuring attention subject conditions. Generalized attention subject and condition parameters will not be displayed when viewing generalized events or patterns. They will, however, influence the rules for extracting these generalized events and patterns from the stream.

You can configure attention in the Event Processor section.

[Topic 247978]

About Event Processor operating modes

Kaspersky MLAD has the following operating modes of the Event Processor service:

  • Online mode. In the online mode, the Event Processor processes the incoming stream as episodes. An episode is a sequence of events from the entire stream that is limited by a specific time period and/or the number of events. An episode is formed when one of the following conditions is fulfilled:

    Based on an episode received in the event stream, the Event Processor service detects new and/or repeated (stable) events and patterns for each of the defined attention heads. You can configure attention heads in the Event Processor section.

When an event is received whose timestamp belongs to a previously processed episode, the Event Processor service does not revise the structure of the patterns detected while processing that episode. Such delayed events are taken into account when the event history is reprocessed in sleep mode.

  • Sleep mode. To improve the quality and structure of the identified patterns, the Event Processor can switch to sleep mode according to the specified schedule. Processing of the event stream in the online mode is paused, and Kaspersky MLAD accumulates incoming events in the internal limited buffer on the server for subsequent processing after the application switches from the sleep mode back to online mode.

    In sleep mode, the Event Processor re-analyzes sequences of events that were previously processed in online mode. To detect more complex pattern structures in the sleep mode, the Event Processor processes sequences of events during longer time intervals than the episode accumulation time in the online mode.

    In the Event Processor service settings, you can configure a schedule for the sleep mode (for example, at the time when the event stream is least intense) and define a time interval for the events analyzed in the online mode to be forwarded for reprocessing in the sleep mode.

[Topic 247979]

About monitors

A monitor is the source of notifications about patterns, events, or values of event parameters detected by the Event Processor according to the defined monitoring criteria. The monitoring criteria define the attention head, additional filters for event parameter values, a sliding time window, and the number of consecutive monitor activations within that window.

You can create monitors for alerts about the following detections in the event stream:

  • Values of event parameters. You can create a monitor for alerts about the identification of new or previously encountered values of a specific event parameter. For example, to track new users on a monitored asset, create a monitor with the Parameter values subscription type and configure it to detect new values for the User parameter.
  • Events. You can create a monitor for alerts about the identification of new or previously encountered events. You can also focus the attention of the Event Processor on a specific parameter of events. For example, to track new actions of a specific user at the monitored asset, you need to create a monitor with the Events subscription type and specify the name of the user whose actions you want to track in the User event parameter.
  • Patterns. You can create a monitor for alerts about the identification of new or previously encountered patterns. For example, to track regularities in the actions of a specific user at the monitored asset, create a monitor with the Patterns subscription type, focus the attention of the Event Processor on the User parameter, and set this parameter to the name of the user whose actions you want to track.
  • Similar generalized events or patterns. You can create a monitor to receive alerts about similar generalized events or patterns. If you want to track overall patterns in the actions of different users on a monitored asset, then when creating a monitor, you need to select the Similar generalized subscription type, choose the generalized attention head for User, and select Subscription to patterns for Subscription to events or patterns.
  • Unique generalized events or patterns. You can create a monitor to receive alerts about unique generalized events or patterns. For example, to track new overall patterns in the actions of any user, select the Unique generalized subscription type when creating a monitor. For User, select a generalized attention head with conditions for additional parameters that match your expectations of different users' behavior. Select Subscription to patterns for Subscription to events or patterns. For Sliding window (sec.), specify a time interval for the event processor to wait for a similar generalized pattern for other users. If the event processor does not detect such a pattern, the monitor will send an activation alert.

You can set fuzzy filters in the monitoring criteria. For example, you can create a monitor to track situations when a user (monitoring all values of the User parameter) accessed the accounting server (the value of the Server parameter) more than ten times (the value of the Activation threshold field) in the last five minutes (the value of the sliding time interval).

When events, patterns, or event parameter values matching the monitoring criteria are detected in the stream of incoming data, the Event Processor activates the monitor. Kaspersky MLAD displays the number of monitor activations when you view a monitor and, when the specified threshold is reached within the sliding window, sends an alert about the monitor activation to the external system via the CEF Connector.
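The fuzzy-filter monitor described above (any user accessing the accounting server more than ten times in the last five minutes), as an added Python illustration on constructed events; it is a simplified model of a sliding-window monitor, not Kaspersky MLAD's own implementation, and the `Monitor` class and its parameter names are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Added illustration of a sliding-window monitor on constructed events;
# a simplified model, not Kaspersky MLAD's own implementation.

class Monitor:
    """Counts matching events in a sliding window and records activations."""

    def __init__(self, criteria, window, threshold):
        self.criteria = criteria    # parameter -> required value; None = any value
        self.window = window        # sliding time interval
        self.threshold = threshold  # activation threshold
        self._hits = deque()        # timestamps of matching events still in the window
        self.alerts = []            # (time, count) each time the threshold was exceeded

    def matches(self, event):
        """Fuzzy filter: the parameter must be present; its value must match unless None."""
        return all(k in event and (v is None or event[k] == v)
                   for k, v in self.criteria.items())

    def process(self, time, event):
        """Feed one event in time order; returns True if it activated the monitor."""
        if not self.matches(event):
            return False
        self._hits.append(time)
        while time - self._hits[0] > self.window:   # drop hits older than the window
            self._hits.popleft()
        if len(self._hits) > self.threshold:
            self.alerts.append((time, len(self._hits)))
            return True
        return False

def run_sample():
    """Any user hitting the accounting server more than 10 times in 5 minutes."""
    monitor = Monitor({"User": None, "Server": "accounting"},
                      window=timedelta(minutes=5), threshold=10)
    base = datetime(2021, 11, 10, 10, 0, 0)
    events = [(base + timedelta(seconds=20 * i), {"User": "Smith", "Server": "accounting"})
              for i in range(11)]                      # 11 hits within 200 seconds
    events.append((base + timedelta(seconds=230), {"User": "Smith", "Server": "fileshare"}))  # filtered out
    events.append((base + timedelta(minutes=9), {"User": "Jones", "Server": "accounting"}))   # old hits expired
    for time, event in sorted(events, key=lambda e: e[0]):
        monitor.process(time, event)
    return monitor.alerts
```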

The custom monitors are displayed in the Event Processor section on the Monitoring tab.

See also:

Managing monitors

Creating a monitor

[Topic 247980]