Kaspersky Machine Learning for Anomaly Detection

Working with manually created ML models

This section provides information about working with manually created ML models and their elements.

The functionality is available after a license key is added.

When creating an ML model manually, you can add predictive ML model elements, elliptic envelope-based elements, and/or diagnostic rule-based elements, and edit or delete these.

The ML model needs to be trained before you can run inference on it. To do this, all predictive elements and elliptic envelope-based elements within the ML model must be pretrained. If necessary, you can view the training results of the elements. Elements based on diagnostic rules do not need to be trained, so they are considered to be pretrained.

In this section

Creating an ML model

Adding a predictive element to an ML model

Modifying an ML model predictive element

Adding an ML model element based on a diagnostic rule

Changing an ML model element based on a diagnostic rule

Adding an elliptic envelope-based ML model element

Editing an elliptic envelope-based ML model element


Creating an ML model

System administrators and users who have the Create models permission from the Manage ML models group of rights can create ML models. The functionality is available after a license key is added.

To create an ML model:

  1. In the main menu, select the Models section.
  2. In the asset tree, next to the name of the asset for which you want to create an ML model, open the vertical menu (the icon with three horizontally arranged dots) and select Create model.

    A list of options appears on the right.

  3. In the Name field, specify the ML model name.

    The ML model name must not be longer than 100 characters.

  4. In the Description field, specify the ML model description.
  5. If you need to apply markups when selecting data for ML model inference, select the required markups under Inference indicator.
  6. To view the data that will be selected by the markups, click On graph.

    Markups are displayed in the colors selected when they were created.

  7. In the upper-right corner of the window, click the Save button.

The new ML model is displayed in the Models group of the asset tree. The Models group is created automatically and displayed as part of the selected section of the asset tree.


Adding a predictive element to an ML model

System administrators and users who have the Create models permission from the Manage ML models group of rights can add ML model elements. The functionality is available after a license key is added.

To add a predictive element to an ML model:

  1. In the main menu, select the Models section.
  2. To add a predictive element, do the following:
    1. In the asset tree, next to the name of the ML model to which you want to add a predictive element, open the vertical menu (the icon with three horizontally arranged dots) and select Create element.
    2. In the window that opens, select the element type Predictive element.
    3. Click the Create button.

    A list of options appears on the right.

  3. In the Name field, specify the name of the ML model element.
  4. Enter a description for the ML model element in the Description field.
  5. In the General element settings block, do the following:
    1. In the Reminder period (sec) field, specify the period, in seconds, after which the ML model generates a repeated incident if the anomalous behavior persists in each UTG node.

      The default value of this setting is 0, which corresponds to no reminders.

    2. In the Period of recurring alert suppression (sec) field, specify the period in seconds during which the ML model does not log repeated incidents for the same element.

      The default value of this setting is 0 (repeat incidents not suppressed).

    3. In the Anomaly observation interval (sec) field, enter the period (in seconds) during which the anomalous behavior of the tag is monitored to make a decision regarding incident registration.
    4. In Anomaly duration share in interval, enter as a decimal fraction the proportion of the period in Anomaly observation interval (sec) that must elapse for the ML model element to register an incident.

      You can specify a value in the range of 0 to 1.

    5. In the Color of incident dot indicators field, select the color of the indicator points of the incidents logged by the ML model element on the graphs in the Monitoring and History sections. This color will also be used to display the graph of the artifact generated by this element.
    6. If necessary, in the Incident status drop-down list, select a status to be automatically assigned to incidents logged by the ML model element.
    7. If necessary, in the Incident cause drop-down list, select the cause to be automatically set for incidents logged by the ML model element if this cause is known in advance.
    8. In the Detection threshold field, specify a prediction error threshold value upon reaching which an incident is logged.

      The value of this parameter will be automatically adjusted after training the ML model element. If necessary, you can change the value of this parameter.

    9. If required, in the Expert opinion field, specify the expert opinion that will be automatically generated for incidents registered by the ML model element if the contents of this opinion are known in advance.
  6. Select one of the following ML model predictive element architectures: Dense, RNN, CNN, TCN, Transformer, or LR.
  7. If necessary, turn on the Advanced neural network settings toggle switch.

    The toggle switch is only available for elements with a Dense, RNN, CNN, TCN, or Transformer architecture.

  8. In the Main settings block, do the following:
    1. In the Grid step (sec) field, specify the element's UTG period (in seconds) expressed as an integer or decimal.
    2. In the Input tags drop-down list, select one or more tags that serve as the source data for predicting the values of the output tags.

    3. In the Output tags drop-down list, select one or several tags whose behavior is predicted by the model element.

    4. In the Smoothing factor field, specify the cumulative prediction error smoothing factor in decimal format.

      The higher the coefficient, the less smoothing is applied to the data.

    5. In the Prediction error power exponent field, specify the power to which the prediction error value is raised at each UTG node before calculating the cumulative error.
  9. In the Window settings block, do the following:
    1. In the Input window (steps) field, specify the size of the input value window, from which the ML model element predicts the output values.

      The window size is indicated in the number of UTG steps.

    2. In the Output window offset field, specify the number of UTG steps by which the beginning of the output window will be shifted relative to the beginning of the input window.
    3. In the Output window (steps) field, specify an output tag prediction length calculated from the input tags on the input window.
  10. If extended setup mode is enabled and you are adding an element with a Dense architecture, do the following:
    1. In the Multipliers for calculating number of neurons per layer field, provide the multipliers, separated by a comma without spaces, by which to multiply the number of input tags to calculate the number of neurons in the ML model element layers.

      The default value of this parameter is 8,4,8.

    2. In the Activation function per layer field, specify one of the following activation functions on each layer of an ML model element separated by a comma without spaces:
      • relu: A non-linear activation function that converts an input value to a value between 0 and positive infinity.
      • selu: A monotonically increasing function that enables normalization based on the central limit theorem.
      • linear: A linear function that is a straight line proportional to the input data.
      • sigmoid: A non-linear function that converts input values to values between 0 and 1.
      • tanh: A hyperbolic tangent function that converts input values to values between -1 and 1.
      • softmax: A function that converts a vector of values to a probability distribution that adds up to 1.

      The default value of this setting is relu,relu,relu.

    3. In the Regularization field, specify the regularization coefficient in decimal format to prevent overfitting of the ML model element.

      The default value of this parameter is 0.

  11. If extended setup mode is enabled and you are adding an element with an RNN architecture, do the following:
    1. In the GRU neurons per layer field, specify the number of GRU neurons on layers separated by a comma without spaces.

      The default value of this parameter is 40,40.

    2. In the Number of neurons in TimeDistributed layer field, specify the number of neurons distributed in time on the layers of the decoder separated by a comma without spaces.

      The default value of this parameter is 40,20.

    3. If you need to restore data received as input to the network, turn on the Use autoencoder toggle switch.
    4. In the Regularization field, specify the regularization coefficient in decimal format to prevent overfitting of the ML model element.

      The default value of this parameter is 0.

  12. If extended setup mode is enabled and you are adding an element with a CNN architecture, do the following:
    1. In the Filter size per layer field, specify the size of the filters for each layer of the element separated by a comma without spaces.

      The default value of this parameter is 2,2,2.

    2. In the Number of filters per layer field, specify the number of filters for each layer of the ML model element separated by a comma without spaces.

      The default value of this parameter is 50,50,50.

    3. In the Regularization field, specify the regularization coefficient in decimal format to prevent overfitting of the ML model element.

      The default value of this parameter is 0.

    4. In the MaxPooling window size per layer field, specify the maximum sampling window size on each layer separated by a comma without spaces.

      The default value of this parameter is 2,2,2.

    5. In the Number of neurons in decoder field, specify the number of neurons on the layers of the decoder.
    6. If you need to restore data received as input to the network, turn on the Use autoencoder toggle switch.

  13. If extended setup mode is enabled and you are adding an element with a TCN architecture, do the following:
    1. In the Regularization field, specify the regularization coefficient in decimal format to prevent overfitting of the ML model element.

      The default value of this parameter is 0.

    2. In the Size of filters field, specify the size of the filters for the ML model element.

      The default value of this parameter is 3.

    3. In the Number of layers in residual block field, specify the number of residual block layers.

      The default value of this parameter is 1.

    4. In the Number of filters per layer field, specify the number of filters for each ML model element layer.

      The default value of this parameter is 64.

    5. In the Dilation per layer field, specify the exponential expansion values of the output data on the layers as a comma-separated list.

      The default value of this parameter is 1,2,4,8,16.

    6. In the Decoder layer type field, select one of the following types of layer to precede the output layer:
      • TimeDistributedDense (default): A fully connected architecture layer.
      • GRU: A layer with a recurrent architecture.
    7. In the Activation function drop-down list, select one of the following activation functions:
      • linear: A linear activation function whose result is proportional to the input value.
      • relu: A non-linear activation function that converts an input value to a value between zero and positive infinity. If the input value is less than or equal to zero, the function returns a value of zero; otherwise, the function returns the input value.

      The default value of this parameter is linear.

  14. If extended setup mode is enabled and you are adding an element with a Transformer architecture, do the following:
    1. In the Encoder regularization field, specify the regularization coefficient in the encoder in decimal format.

      The default value of this parameter is 0.01.

    2. In the Number of attention heads field, specify the number of attention heads.

      The default value of this parameter is 1.

    3. In the Number of encoders field, specify the number of encoders.

      The default value of this parameter is 1.

    4. In the Multipliers for calculating number of neurons per layer field, provide the factors, separated by a comma without spaces, by which to multiply the number of input tags to calculate the number of neurons in the decoding layers.

      The default value of this parameter is 10,5,10.

  15. In the upper-right corner of the window, click the Save button.

When the first item in the ML model is created, a Predictive elements group will be automatically created in the asset tree. The newly created element appears in this group.

The ML model element will be assigned the Not trained status, and the ML model to which the added element belongs will be assigned the Not trained status. To run inference on the ML model, all of its predictive elements and elliptic envelope-based elements must be trained.
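
How the sensitivity settings from this procedure interact, as an added sketch that is not Kaspersky MLAD code. It assumes the cumulative error is an exponential moving average of the per-node error raised to the power exponent, and that an incident is registered once the share of anomalous UTG nodes in the observation interval reaches the configured fraction; all function and parameter names are hypothetical.

```python
from collections import deque


def cumulative_error(actual, predicted, smoothing_factor, power):
    """Smoothed prediction error per UTG node (assumed form, see lead-in).

    actual / predicted: one row of output-tag values per UTG node.
    """
    smoothed, series = None, []
    for actual_row, predicted_row in zip(actual, predicted):
        # Error at this node, raised to the "Prediction error power exponent".
        raw = sum(abs(a - p) ** power for a, p in zip(actual_row, predicted_row))
        # Exponential smoothing: a factor of 1 keeps the raw error (no
        # smoothing); smaller factors average over more history.
        if smoothed is None:
            smoothed = raw
        else:
            smoothed = smoothing_factor * raw + (1 - smoothing_factor) * smoothed
        series.append(smoothed)
    return series


def register_incidents(errors, grid_step, threshold, observation_interval,
                       duration_share, reminder_period=0, suppression_period=0):
    """Return the times (sec) of the UTG nodes at which an incident is logged.

    Assumed semantics: a node is anomalous when its error reaches the
    Detection threshold; an episode starts when the anomalous share of the
    observation interval reaches duration_share; reminders repeat the
    incident while the episode lasts; suppression hides new episodes that
    start too soon after the previous incident.
    """
    nodes = max(1, round(observation_interval / grid_step))
    recent = deque(maxlen=nodes)          # anomaly flags inside the interval
    incidents, alarmed, last = [], False, None
    for i, err in enumerate(errors):
        t = i * grid_step
        recent.append(err >= threshold)
        now_alarmed = len(recent) == nodes and sum(recent) / nodes >= duration_share
        if now_alarmed:
            new_episode = not alarmed
            reminder_due = (alarmed and reminder_period > 0
                            and t - last >= reminder_period)
            suppressed = last is not None and t - last < suppression_period
            if (new_episode and not suppressed) or reminder_due:
                incidents.append(t)
                last = t
        alarmed = now_alarmed
    return incidents


if __name__ == "__main__":
    # Constructed sample: one output tag, 1-second grid, a 4-node deviation.
    actual = [[1.0], [1.0], [3.0], [3.0], [3.0], [3.0], [1.0], [1.0], [1.0], [1.0]]
    predicted = [[1.0]] * len(actual)
    for factor in (1.0, 0.3):
        errs = cumulative_error(actual, predicted, smoothing_factor=factor, power=2)
        hits = register_incidents(errs, grid_step=1, threshold=2.0,
                                  observation_interval=4, duration_share=0.5)
        print(f"smoothing={factor}: errors={[round(e, 2) for e in errs]} incidents={hits}")
```

Lowering the smoothing factor or raising the duration share delays or removes the incident for the same deviation, which is why these fields are locked while inference is running.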


Modifying an ML model predictive element

You can edit the settings of an ML model predictive element.

Parameters cannot be changed if the ML model is assigned the Ready for publication or Published status.

System administrators and users who have the Edit untrained models permission from the Manage ML models group of rights can edit elements of ML models. The functionality is available after a license key is added.

To edit an ML model predictive element:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the predictive element that you want to edit.

    A list of options appears on the right.

  3. In the upper-right corner of the window, click the Edit button.
  4. Adjust the settings of the predictive ML model element, if needed. For a description of the settings, see the instructions on adding a predictive ML model element.

    Editing the Reminder period (sec), Period of recurring alert suppression (sec), Anomaly observation interval (sec), Anomaly duration share in interval, Detection threshold, and/or Smoothing factor settings changes anomaly detection sensitivity. These parameters are unavailable for editing if the ML model is in the Historical inference in progress or Streaming inference in progress state.

  5. In the upper-right corner of the window, click the Save button.
  6. If you have edited the neural network element architecture settings, and the options in Main settings and/or Window settings, confirm that you want to save the changes.

    After changes are made to these parameters, the ML model element must be retrained.

The element will be assigned the Not trained status.


Adding an ML model element based on a diagnostic rule

System administrators and users who have the Create models permission from the Manage ML models group of rights can add ML model elements. The functionality is available after a license key is added.

To add an ML model element based on a diagnostic rule:

  1. In the main menu, select the Models section.
  2. To add a diagnostic rule, do the following:
    1. In the asset tree, next to the name of the ML model to which you want to add a diagnostic rule, open the vertical menu (the icon with three horizontally arranged dots) and select Create element.
    2. In the window that opens, select the Rule element type.
    3. Click the Create button.

    A list of options appears on the right.

  3. In the Name field, specify a name for the diagnostic rule.
  4. In the Description field, specify the diagnostic rule description.
  5. In the General element settings block, do the following:
    1. In the Reminder period (sec) field, specify the period, in seconds, after which the ML model generates a repeated incident if the anomalous behavior persists in each UTG node.

      The default value of this setting is 0, which corresponds to no reminders.

    2. In the Period of recurring alert suppression (sec) field, specify the period in seconds during which the ML model does not log repeated incidents for the same element.

      The default value of this setting is 0 (repeat incidents not suppressed).

    3. In the Anomaly observation interval (sec) field, enter the period (in seconds) during which the anomalous behavior of the tag is monitored to make a decision regarding incident registration.
    4. In Anomaly duration share in interval, enter as a decimal fraction the proportion of the period in Anomaly observation interval (sec) that must elapse for the ML model element to register an incident.

      You can specify a value in the range of 0 to 1.

    5. In the Color of incident dot indicators field, select the color of the indicator points of the incidents logged by the ML model element on the graphs in the Monitoring and History sections. This color will also be used to display the graph of the artifact generated by this element.
    6. If necessary, in the Incident status drop-down list, select a status to be automatically assigned to incidents logged by the ML model element.
    7. If necessary, in the Incident cause drop-down list, select the cause to be automatically set for incidents logged by the ML model element if this cause is known in advance.
    8. If required, in the Expert opinion field, specify the expert opinion that will be automatically generated for incidents registered by the ML model element if the contents of this opinion are known in advance.
  6. In the Rule settings block, do the following:
    1. In the Grid step (sec) field, specify the element's UTG period (in seconds) expressed as an integer or in decimal format.
    2. If necessary, turn on the Treat inconclusive result as positive toggle switch.

      If Kaspersky MLAD cannot unequivocally evaluate the fulfillment of criteria specified in the Time filter and Tag conditions settings blocks, for example, due to the absence of observations for tags, the application will consider a rule to be triggered when this option is enabled.

  7. In the Time filter settings block, do the following:
    1. Click the Add interval button.
    2. In the Interval type drop-down list, select one of the following time interval types:
      • Fixed. If you select this type of interval, specify the days of the week and the time interval during which the input data must be validated according to the specified criteria.

      • Recurrent. If you select this type of interval, specify the years, dates, days of the week, and daily time interval for periodically validating input data according to the specified criteria.
    3. If you want to add one more interval, click the Add interval button and repeat sub-step 2 of this step.
    4. To delete an interval, click the cross-shaped icon to the right of the interval.

    You can add one or more time intervals. If no time interval is specified, the diagnostic rule is applied in each UTG node.

  8. To add tag behavior criteria, do the following:
    1. In the Tag conditions settings block, click the Condition button.

    2. In the Tag drop-down list, select the tag for which to add a tag behavior criterion.

      If you need to check the behavior directly opposite of the selected behavior criterion from the condition block, click the NOT button on the left of the selected tag. The NOT caption in the button will be highlighted in bold.

      For example, click the NOT button if you need to add a condition that contains no steps with the specified settings.

    3. In the Behavior drop-down list, select one of the following tag behaviors that must be tracked:
      • Over: the tag value exceeds the specified threshold.
      • Below: the tag value falls below the specified threshold.
      • Rising: the trendline of tag values is increasing.
      • Falling: the trendline of tag values is decreasing.
      • Level: there are no pronounced changes in the trendline of tag values.
      • Step change: the trendline of the selected tag is displaying abrupt upward or downward shifts.
      • Flat: the selected tag is transmitting the same value.
      • Spread: abrupt changes in the spread of values are being observed around the trendline of the selected tag.
    4. In the Window field, specify the number of UTG steps.
    5. Depending on the value selected for Behavior, do one of the following:
      • If you selected Over or Below, specify a tag threshold value in the Threshold field and specify the minimum number of times the threshold value can be breached within a window in the Minimum violations field.
      • If you selected Rising, Falling, or Level, use the Threshold slope field to specify the trend slope percentage value that must be exceeded for the trend to be considered as growing or falling, and specify the time interval between adjacent trend estimates in the Evaluation period field.

        By default, the Threshold slope setting is not defined. If the setting is not defined, Kaspersky MLAD will determine the trend direction automatically.

        By default, the Evaluation period setting has a value of 1. With this value, the trend is estimated at each UTG node.

      • If you selected Spread, use the Minimum change field to specify the minimum value by which the tag value spread around the trendline can change, and select one of the following spread change directions in the Direction drop-down list: Any, Flare, or Shrink.

        By default, the Minimum change setting is not defined. If the setting is not defined, Kaspersky MLAD will determine it automatically.

        The tag behavior criterion is met when the tag spread around the trendline increases and/or decreases.

      • If you selected Step change, use the Minimum change field to specify the minimum shift value for the tag trendline, and select one of the following tag value change directions from the Direction drop-down list: Any, Up or Down.

        By default, the Minimum change setting is not defined. If the setting is not defined, Kaspersky MLAD will determine it automatically.

      • If you selected Flat, use the Value field to specify the value that the tag should transmit, and specify the maximum tag value spread in the Spread field.

        The Spread parameter is set to zero by default. With this value, any repeating tag value triggers the criterion.

    6. To add a tag behavior criterion to a condition block, click the plus sign at the bottom of the condition block and repeat sub-steps 2 through 5 of this step.
    7. If the block contains more than one tag behavior criterion, select one of the following logical operators between the criterion rows by clicking the logical operator button:
      • AND if you require all of the block criteria to be fulfilled at the same time.
      • OR if at least one of the block criteria must be fulfilled.

  9. If you need to check whether the fulfillment of a pre-condition caused the fulfillment of a post-condition in a future UTG node, add a temporal operator:
    1. In the Tag conditions settings block, click the Wait button.

      The Wait button is available after at least one condition has been added.

    2. In the Recess (steps) field, specify the following time intervals:
      • from is the interval between the pre-condition check node and the UTG node where the post-condition check will start (minimum waiting interval).
      • to is the interval between the pre-condition check node and the UTG node where the post-condition check will finish (maximum waiting interval).

      The post-condition is checked in the UTG nodes between the minimum and maximum waiting intervals.

    3. In the Check drop-down list, select one of the following group operators:
      • If you require fulfillment of tag behavior criteria from the post-conditions in all UTG nodes between the minimum and maximum waiting intervals, select the All steps group operator.
      • To require fulfillment of tag behavior criteria from the post-conditions in at least one UTG node between the minimum and maximum waiting intervals, select the Any step group operator.

      The criteria check result is determined in the last node of the maximum waiting interval.

      If more than one condition check is performed using the temporal operator, then the result of the check of the previous temporal condition is a precondition for each subsequent check of the temporal condition.

  10. Select one of the following logical operators between rule blocks by clicking the logical operator button:
    • AND if you require the criteria of both condition blocks to be fulfilled.
    • OR if the criterion of at least one of the condition blocks must be fulfilled.
  11. In the upper-right corner of the window, click the Save button.

When the first ML model element is created, a Rules group will be automatically created in the asset tree. The newly created element appears in this group.

If an ML model contains only elements based on diagnostic rules, the model is assigned the Trained status. You can start inference for such an ML model. If the ML model contains untrained predictive elements and/or elliptic envelope-based elements, these must be trained before starting the inference.
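
The rule logic from steps 8 and 9, as an added sketch that is not Kaspersky MLAD code: an Over/Below criterion with Window and Minimum violations, chained through a Wait operator, with three-valued results so that the Treat inconclusive result as positive switch has something to act on. The tag names, sample values and all function names are constructed, and treating missing observations as inconclusive is an assumption.

```python
def and3(values):
    """Three-valued AND: False wins, then None (inconclusive), else True."""
    values = list(values)
    if any(v is False for v in values):
        return False
    return None if any(v is None for v in values) else True


def or3(values):
    """Three-valued OR: True wins, then None (inconclusive), else False."""
    values = list(values)
    if any(v is True for v in values):
        return True
    return None if any(v is None for v in values) else False


def not3(value):
    """The NOT button: inverts a definite result, keeps an inconclusive one."""
    return None if value is None else not value


def threshold_criterion(series, node, behavior, threshold, window, min_violations):
    """Over/Below criterion evaluated on the `window` UTG steps ending at `node`.

    Nodes outside the series, or holding None, count as missing observations.
    """
    values = [series[k] if 0 <= k < len(series) else None
              for k in range(node - window + 1, node + 1)]
    known = [v for v in values if v is not None]
    if behavior == "Over":
        hits = sum(1 for v in known if v > threshold)
    else:  # "Below"
        hits = sum(1 for v in known if v < threshold)
    missing = window - len(known)
    if hits >= min_violations:
        return True
    if hits + missing < min_violations:
        return False          # even if every missing value breached, not enough
    return None               # missing observations could change the outcome


def wait(pre, post, node, recess_from, recess_to, check):
    """Temporal operator, reported at the last node of the maximum wait.

    The pre-condition is checked `recess_to` steps earlier; the post-condition
    is checked in every node from the minimum to the maximum waiting interval.
    """
    pre_node = node - recess_to
    post_results = [post(k) for k in range(pre_node + recess_from, node + 1)]
    group = and3 if check == "All steps" else or3   # otherwise "Any step"
    return and3([pre(pre_node), group(post_results)])


def evaluate_rule(pressure, flow, check="Any step"):
    """Constructed rule: pressure Over 8.0 (2 of 3 steps), then within
    1 to 3 steps flow Below 1.0."""
    def pre(n):
        return threshold_criterion(pressure, n, "Over", 8.0, window=3, min_violations=2)

    def post(n):
        return threshold_criterion(flow, n, "Below", 1.0, window=1, min_violations=1)

    return [wait(pre, post, n, 1, 3, check) for n in range(len(pressure))]


def firing_nodes(results, inconclusive_as_positive=False):
    """UTG nodes where the rule counts as triggered."""
    return [n for n, r in enumerate(results)
            if r is True or (r is None and inconclusive_as_positive)]


# Constructed sample data, one value per UTG node.
PRESSURE = [5, 9, 9, 5, 5, 5, 5, 5]
FLOW = [3, 3, 3, 3, 0.5, 3, 3, 3]

if __name__ == "__main__":
    results = evaluate_rule(PRESSURE, FLOW)
    print("per-node result:", results)
    print("triggered:", firing_nodes(results))
    print("triggered, inconclusive as positive:", firing_nodes(results, True))
    print("All steps:", firing_nodes(evaluate_rule(PRESSURE, FLOW, "All steps"), True))
```

With the switch on, the rule also fires at the first nodes, where there is not yet enough history to evaluate the pre-condition, so enabling it trades missed detections for extra incidents at gaps in the data.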


Changing an ML model element based on a diagnostic rule

You can change the settings of an ML model element based on a diagnostic rule.

Parameters cannot be changed if the ML model is assigned the Ready for publication or Published status.

System administrators and users who have the Edit untrained models permission from the Manage ML models group of rights can edit elements of ML models. The functionality is available after a license key is added.

To change an element of an ML model based on a diagnostic rule:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the element based on a diagnostic rule that you want to edit.

    A list of options appears on the right.

  3. In the upper-right corner of the window, click the Edit button.
  4. Adjust the diagnostic rule settings, if needed. For a description of the settings, see the instructions on adding a diagnostic rule-based ML model element.

    Editing the Reminder period (sec), Period of recurring alert suppression (sec), Anomaly observation interval (sec), and/or Anomaly duration share in interval settings changes anomaly detection sensitivity. These parameters are unavailable for editing if the ML model is in the Historical inference in progress or Streaming inference in progress state.

  5. In the upper-right corner of the window, click the Save button.
  6. If Grid step (sec) has been edited, confirm the changes.

Adding an elliptic envelope-based ML model element

System administrators and users who have the Create models permission from the Manage ML models group of rights can add ML model elements. The functionality is available after a license key is added.

To add an elliptic envelope-based ML model element:

  1. In the main menu, select the Models section.
  2. To add an elliptic envelope, do the following:
    1. In the asset tree, next to the name of the ML model you want to add an elliptic envelope to, open the vertical menu (the icon with three horizontally arranged dots) and select Create element.
    2. In the window that opens, select the Elliptic envelope item type.
    3. Click the Create button.

    A list of options appears on the right.

  3. In the Name field, specify the name of the ML model element.
  4. Enter a description for the ML model element in the Description field.
  5. In the General element settings block, do the following:
    1. In the Reminder period (sec) field, specify the period, in seconds, after which the ML model generates a repeated incident if the anomalous behavior persists in each UTG node.

      The default value of this setting is 0, which corresponds to no reminders.

    2. In the Period of recurring alert suppression (sec) field, specify the period in seconds during which the ML model does not log repeated incidents for the same element.

      The default value of this setting is 0 (repeat incidents not suppressed).

    3. In the Anomaly observation interval (sec) field, enter the period (in seconds) during which the anomalous behavior of the tag is monitored to make a decision regarding incident registration.
    4. In Anomaly duration share in interval, enter as a decimal fraction the proportion of the period in Anomaly observation interval (sec) that must elapse for the ML model element to register an incident.

      You can specify a value in the range of 0 to 1.

    5. In the Color of incident dot indicators field, select the color of the indicator points of the incidents logged by the ML model element on the graphs in the Monitoring and History sections. This color will also be used to display the graph of the artifact generated by this element.
    6. If necessary, in the Incident status drop-down list, select a status to be automatically assigned to incidents logged by the ML model element.
    7. If necessary, in the Incident cause drop-down list, select the cause to be automatically set for incidents logged by the ML model element if this cause is known in advance.
    8. In the Detection threshold field, specify the threshold value upon reaching which an incident is registered.

      The value of this parameter will be automatically adjusted after training the ML model element. If necessary, you can change the value of this parameter.

    9. If required, in the Expert opinion field, specify the expert opinion that will be automatically generated for incidents registered by the ML model element if the contents of this opinion are known in advance.
  6. In the Grid step (sec) field, specify the element's UTG period (in seconds) expressed as an integer or decimal.
  7. In the Input tags drop-down list, select one or several tags to include in the ML model.
  8. In the upper-right corner of the window, click the Save button.

When creating the first ML model element, an Elliptic envelopes group will be automatically created in the asset tree. The newly created element appears in this group.

The ML model element will be assigned the Not trained status, and the ML model to which the added element belongs will be assigned the Not trained status. To run inference on the ML model, all of its predictive elements and elliptic envelope-based elements must be trained.


Editing an elliptic envelope-based ML model element

You can edit the settings of an elliptic envelope-based ML model element.

Parameters cannot be changed if the ML model is assigned the Ready for publication or Published status.

System administrators and users who have the Edit untrained models permission from the Manage ML models group of rights can edit elements of ML models. The functionality is available after a license key is added.

To edit an elliptic envelope-based ML model element:

  1. In the main menu, select the Models section.
  2. In the asset tree, select the elliptic envelope-based element that you want to edit.

    A list of options appears on the right.

  3. In the upper-right corner of the window, click the Edit button.
  4. Adjust the elliptic envelope settings, if needed. For a description of the settings, see the instructions on adding an elliptic envelope-based ML model element.

    Editing the Reminder period (sec), Period of recurring alert suppression (sec), Anomaly observation interval (sec), Anomaly duration share in interval, and/or Detection threshold settings changes anomaly detection sensitivity. These parameters are unavailable for editing if the ML model is in the Historical inference in progress or Streaming inference in progress state.

  5. In the upper-right corner of the window, click the Save button.
  6. If you have edited Grid step (sec) and/or Input tags, confirm that you want to save the changes.

    After changes are made to these parameters, the ML model element must be retrained.

The element will be assigned the Not trained status.
