Kaspersky Machine Learning for Anomaly Detection

Anomalies

December 6, 2023

ID 247973


An anomaly is any deviation in a monitored asset's behavior that is abnormal, not provided for by the current work procedure, and not normally caused by the industrial process.

Kaspersky MLAD registers only incidents. A specific incident can be identified as an anomaly only by an ICS specialist after conducting an analysis of incidents registered by the application. An incident analysis may result in one of the following conclusions:

  • The incident is an anomaly that requires certain actions from a responding operator of the monitored asset.
  • The incident is not actually an anomaly, but instead was a false positive by the triggered detector.
  • The detector utilized in the ML model was correctly triggered but the incident is not an anomaly.

Incidents are analyzed and assessed by a subject-matter expert. In some cases, such as incidents registered by diagnostic rules or incidents that recur, similar incidents can be grouped and assessed automatically.

The detector utilized in the ML model may fail to detect an actual anomaly. In this case, the anomaly will not be correlated to any registered incident and will not be reflected in the Kaspersky MLAD history. If expert or operator observations, or external sources, indicate that a detector is repeatedly not triggered, you need to identify the reason for the deteriorating quality of the detector, perform additional configuration, or conduct additional training of the ML model. Additional training of the ML model can be performed only by Kaspersky experts or certified integrators.

New events, patterns, and values of event parameters detected by the Event Processor service in the stream of incoming events can also indicate an anomaly in the operation of a monitored asset. When new events, patterns, or values of event parameters are detected, the Event Processor service does not register incidents. To view new detections, open the Event Processor section and view the history of registered patterns, filtered by the New type. You can also create a monitor for tracking new events, patterns, or values of event parameters. The Event Processor service activates the monitor whenever it detects events, patterns, or event parameter values that match the specified search criteria. When the number of monitor activations within a sliding window reaches the specified threshold, the Event Processor service sends an alert about the monitor activation to the external system using the CEF Connector.
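The monitor mechanism described above, as an added illustration that is not Kaspersky MLAD code: a monitor counts events matching a search predicate, ages activations out of a trailing window, and emits a CEF-formatted alert line once the count in the window reaches the threshold. The event stream, the `new_pattern` event type, the `SlidingWindowMonitor` class and the vendor/product fields in the CEF header are all constructed for this example.

```python
from collections import deque
from datetime import datetime, timedelta, timezone


def cef_alert(monitor_name, count, ts):
    """Build one ArcSight CEF line. Vendor, product and version are placeholders."""
    esc = lambda s: s.replace("\\", "\\\\").replace("|", "\\|")  # CEF header escaping
    header = "|".join(["CEF:0", "ExampleVendor", "ExampleProduct", "1.0",
                       "monitor_activation", esc(monitor_name), "5"])
    # cnt and rt are standard CEF extension keys (event count, receipt time in ms).
    return f"{header}|cnt={count} rt={int(ts.timestamp() * 1000)} msg=monitor threshold reached"


class SlidingWindowMonitor:
    """Counts events matching a search predicate and alerts once the number of
    activations inside the trailing window reaches the threshold (hypothetical)."""

    def __init__(self, name, predicate, threshold, window):
        self.name = name
        self.predicate = predicate
        self.threshold = threshold
        self.window = window
        self._activations = deque()  # timestamps of matching events, oldest first

    def feed(self, event):
        """Consume one event (events are assumed to arrive in timestamp order).
        Returns a CEF alert string when the threshold is reached, otherwise None."""
        if not self.predicate(event):
            return None
        now = event["ts"]
        self._activations.append(now)
        # Age out activations that have fallen outside the sliding window.
        while now - self._activations[0] > self.window:
            self._activations.popleft()
        if len(self._activations) < self.threshold:
            return None
        count = len(self._activations)
        self._activations.clear()  # one burst yields one alert, not one per event
        return cef_alert(self.name, count, now)


def demo():
    """Constructed event stream: 'new_pattern' marks a pattern of the New type."""
    base = datetime(2023, 12, 6, 12, 0, tzinfo=timezone.utc)
    stream = [(0, "new_pattern"), (5, "known"), (10, "new_pattern"), (20, "new_pattern"),
              (600, "new_pattern"), (610, "new_pattern"),
              (1000, "new_pattern"), (1005, "new_pattern"), (1010, "new_pattern")]
    events = [{"ts": base + timedelta(seconds=s), "type": t} for s, t in stream]
    monitor = SlidingWindowMonitor("new-pattern-burst", lambda e: e["type"] == "new_pattern",
                                   threshold=3, window=timedelta(minutes=5))
    # Two alerts: at t=20 s, and at t=1010 s after the t=600/610 hits aged out of the window.
    return [alert for alert in map(monitor.feed, events) if alert]
```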
