ML models

An ML model is an algorithm based on machine learning methods tasked with analyzing the telemetry of the monitored asset and detecting anomalies.

An ML model is created for a specific monitored asset while taking into account the specifications of the asset and the characteristics of telemetry data. The general structure of the algorithm (architecture) is formed during creation of the ML model. Then the ML model is trained based on historical telemetry data and is thereby adjusted to the behavior of a specific object.

An ML model consists of one or several elements, each of which is an independent ML model. The overall result of the Anomaly Detector service is formed by combining the results of the ML model elements inference. Normally, the more complex the industrial processes of the monitored asset are, the more elements the ML model will contain.

Inference is the process of running telemetry data in an ML model to identify anomalous behavior. In Kaspersky MLAD, ML model inference can be performed on historical data (historical inference) and on telemetry data received in real time (streaming inference). If historical inference is started for multiple ML models, Kaspersky MLAD runs the inference of these ML models in the order of their startup queue. The duration of historical inference is determined by the time interval of the data analyzed by the ML model. If streaming inference is started for multiple ML models, Kaspersky MLAD runs the inference of these ML models simultaneously. Historical inference and streaming inference run in parallel and independently of each other.

During the inference process, the ML model registers incidents that can be viewed in the Incidents section.

ML models can be created by Kaspersky specialists or by a certified integrator as part of the Kaspersky MLAD Model-building and Deployment Service. To use such ML models, you must download them to Kaspersky MLAD. You can also create ML models independently and add the necessary elements to them using the model builder.

An ML model can include the following elements operating in parallel:

• Element based on a neural network
• Element based on a diagnostic rule

In Kaspersky MLAD, a ML model can be assigned one of the following statuses:

• Not activated: the ML model is imported but is not activated.
• Draft: the ML model is activated, or the ML model is created manually and contains untrained neural network elements.
• Trained: all the elements in the ML model are trained. Inference can be run on a trained ML model.
• Ready for publication: the ML model is prepared for publication and cannot be modified.
• Published: the ML model has been published. Inference can be run on a published ML model.

In this section Element of an ML model based on a neural network Element of an ML model based on a diagnostic rule

See also: Managing ML models

Page top