Viewing the technical specifications of a registered incident
The functionality is available after a license key is added.
In the Incidents section, you can view the technical specifications of registered incidents. To do so, click the button near the relevant incident in the incidents table. The following technical specifications will be displayed for the selected incident:
- Incident is the section containing information about the incident.
  - Model name refers to the name of the ML model whose element registered the incident. This is absent if the incident was registered by Stream Processor.
  - Model element refers to the name of the ML model element that registered the incident. This is absent if the incident was registered by Limit Detector or Stream Processor.
  - Detector refers to the type of the registered incident: Elliptic Envelope, Forecaster, Limit Detector, Rule Detector, or Stream Processor.
  - ML model element artifact value refers to the deviation of the monitored asset's behavior from normal at the time of incident registration. This is absent if the incident was registered by Limit Detector or Stream Processor.
  - Threshold value refers to the specific value at which the ML model element registered the incident. For any incident detected by Limit Detector, the specific threshold (upper or lower) reached by the tag is recorded.
- Top tag is a section that contains information about the tag that had the greatest impact on incident registration.
  - Top tag name (top tag ID) is the name and ID of the tag that had the greatest impact on incident registration.
    If the incident has been registered by a predictive element of the ML model, the application displays the name of the tag for which the greatest deviation from the forecast was recorded. If the incident is registered by an elliptic envelope, the application displays the name of the tag whose exclusion from the ML model results in the smallest deviation of the observation from the normal state. If the incident is registered by a Limit Detector, the application displays the tag whose value exceeded the blocking threshold defined for this tag.
  - Top tag value is the value of the top tag registered when the incident occurred.
  - Blocking threshold refers to the maximum permissible top tag values.
    Limit Detector requires these settings to function correctly. Whenever the tag value reaches its upper or lower blocking threshold, the Limit Detector registers an incident.
  - Description refers to a description of the top tag.
  - Measurement units refer to the units for measuring the top tag values.
- Stream Processor service incident parameters is a section containing information about the parameters of the incident registered by the Stream Processor service. This group of parameters is displayed if the current incident is registered by the Stream Processor service.
  - Incident type is the type of incident registered by the Stream Processor service. The Stream Processor service registers incidents when it detects observations that were received too early or too late, or if the incoming data stream from a certain tag is terminated or interrupted.
  - Data date and time is the date and time when the observation was generated according to the monitored asset time. This parameter is displayed only for the Late receipt of observation and Clock malfunction incident types.
  - Lag / Lead is the amount of time by which the observation generation time lags behind or is ahead of the time the observation was received in Kaspersky MLAD. If data is received too early, the parameter value is displayed with a plus sign (+). If data is received too late, the parameter value is displayed with a minus sign (-). This parameter is displayed only for the Late receipt of observation and Clock malfunction incident types.
- Incident cause is the field for selecting the cause of the incident. This field is completed by an expert (process engineer or ICS specialist). If necessary, the system administrator can create, edit, or delete causes of incidents.
  An incident cause can be assigned automatically if a cause is specified in the parameters of the ML model element that registered the incident.
- Expert opinion is the field for adding an expert opinion based on an analysis of the registered incident. This field is completed by an expert (process engineer or ICS specialist).
  An expert opinion can be assigned automatically if an opinion is specified in the parameters of the ML model element that registered the incident.
- Note is the field for entering an optional comment on the selected incident.
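
The top tag rules described above for the elliptic envelope and the predictive element can be reproduced on a small data set, which helps when checking whether the tag shown for an incident is plausible. The following is an added example and not Kaspersky MLAD code: the function names, tag names and numbers are constructed, and the use of the squared Mahalanobis distance as the "deviation from the normal state" is an assumption, because this page does not state how the application measures deviation.

```python
# Added illustration, not Kaspersky MLAD code. Tag names and numbers are constructed.

def inverse(m):
    """Gauss-Jordan inverse of a small square matrix, with partial pivoting."""
    n = len(m)
    a = [list(map(float, row)) + [float(i == j) for j in range(n)]
         for i, row in enumerate(m)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(a[r][c]))
        if abs(a[p][c]) < 1e-12:
            raise ValueError("singular covariance matrix")
        a[c], a[p] = a[p], a[c]
        pivot = a[c][c]
        a[c] = [v / pivot for v in a[c]]
        for r in range(n):
            if r != c:
                f = a[r][c]
                a[r] = [x - f * y for x, y in zip(a[r], a[c])]
    return [row[n:] for row in a]

def deviation(x, mean, cov):
    """Squared Mahalanobis distance of observation x (assumed deviation measure)."""
    d = [xi - mi for xi, mi in zip(x, mean)]
    inv = inverse(cov)
    n = len(d)
    return sum(d[i] * inv[i][j] * d[j] for i in range(n) for j in range(n))

def top_tag_envelope(tags, x, mean, cov):
    """Tag whose exclusion leaves the smallest deviation from the normal state."""
    def deviation_without(k):
        keep = [i for i in range(len(tags)) if i != k]
        return deviation([x[i] for i in keep], [mean[i] for i in keep],
                         [[cov[i][j] for j in keep] for i in keep])
    return tags[min(range(len(tags)), key=deviation_without)]

def top_tag_forecaster(tags, actual, forecast):
    """Tag with the greatest absolute deviation from its forecast value."""
    return max(zip(tags, actual, forecast), key=lambda t: abs(t[1] - t[2]))[0]

# Constructed sample: temperature is far from normal; pressure is correlated with it.
TAGS = ["pressure", "temperature", "flow"]
MEAN = [10.0, 50.0, 5.0]
COV = [[4.0, 3.0, 0.0], [3.0, 9.0, 0.0], [0.0, 0.0, 1.0]]
OBSERVED = [11.0, 62.0, 5.5]
FORECAST = [10.5, 51.0, 5.4]

if __name__ == "__main__":
    print(top_tag_envelope(TAGS, OBSERVED, MEAN, COV))    # temperature
    print(top_tag_forecaster(TAGS, OBSERVED, FORECAST))   # temperature
```

Because the covariance links pressure and temperature, the envelope rule can name a tag whose own value looks unremarkable when it breaks the expected relationship with another tag.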