About Kaspersky Machine Learning for Anomaly Detection
December 6, 2023
The early anomaly detection system known as Kaspersky Machine Learning for Anomaly Detection (hereinafter also referred to as Kaspersky MLAD or "the application") is specialized software designed to prevent failures, accidents or degradation of industrial installations, technological processes, and complex cyberphysical systems. By analyzing telemetry data using machine learning techniques (artificial intelligence), Kaspersky MLAD detects signs of an abnormal situation before it is detected by traditional monitoring systems.
Kaspersky MLAD detects anomalies in industrial processes regardless of their causes. Anomalies may be caused by the following:
- Physical factors, such as damage to equipment or malfunctioning sensors.
- Human factors (such as intentional or inadvertent inappropriate actions of the operator, hardware configuration, change of operating modes or equipment, or switch to manual control).
Main capabilities of Kaspersky MLAD:
- Detects abnormal behavior of the monitored asset in real time.
- Identifies signals that display the largest deviations from normal behavior.
- Allows you to analyze incidents taking into account information about similar incidents.
- Allows expert classification and annotation of incidents.
- Allows you to alert users about detected incidents through the web interface, by email, by sending messages to Kaspersky Industrial CyberSecurity for Networks, and using industrial data transfer protocols.
- Allows you to use models based on both machine learning and arbitrary rules for anomaly detection.
- Displays observed and predicted tag values and prediction errors as the graphs both in the online monitoring mode and in the retrospective analysis of telemetry history mode.
- Lets you manage the log of detected incidents.
- Allows you to perform retraining and additional training of the ML model being used.
- Allows you to create ML models and add elements to it based on neural networks and diagnostic rules.
- Allows to create templates based on the added ML models and add ML models to Kaspersky MLAD based on the created templates.
- Allows you to define the way to organize the data of the monitored asset in the form of an asset tree.
- Allows you to receive telemetry data over HTTP, OPC UA, MQTT, AMQP, CEF, and WebSocket protocols, and via a specialized protocol over HTTPS from Kaspersky Industrial CyberSecurity for Networks.
- Displays historical and real-time data as graphs according to the specified sets of tags.
- Detects and handles terminations and interruptions of the incoming data stream, and restores missed observations.
- Based on data on events received from external systems, recognizes principles as repeated events or patterns, and identifies new events and patterns in the event stream.
- Displays the detected events as a graph and a table, and shows detected patterns as a layered hierarchy of nested items.
- Sends alerts about the detection of certain events, patterns, or values of the event parameters received by the Event Processor in the data stream from the monitored asset.