Adding an ML model element based on a diagnostic rule
System administrators and users who have the Create models permission from the Manage ML models group of rights can add ML model elements.
To add an ML model element based on a diagnostic rule:
- In the main menu, select the Models section.
- In the asset tree, next to the Rules group within an ML model to which you want to add a diagnostic rule, open the vertical menu and select Create element.
A list of options appears on the right.
- In the Name field, specify a name for the diagnostic rule.
- In the Description field, specify the diagnostic rule description.
- In the General element settings settings block, do the following:
- In the Reminder period (sec) field, specify the period in seconds after which the ML model generates a repeated incident if the anomalous behavior persists in each UTG node.
The default value of this setting is 0, which corresponds to no reminders.
- In the Period of recurring alert suppression (sec) field, specify the period in seconds during which the ML model does not log repeated incidents for the same element.
The default value of this setting is 0 (repeat incidents not suppressed).
- In the Grid step (sec) field, specify the element's UTG period in seconds expressed as a decimal.
- In the Incident status drop-down list, select a status to be automatically assigned to incidents logged by the ML model element.
- In the Incident cause drop-down list, select the cause to be automatically set for incidents logged by the ML model element.
- In the Color of incident dot indicators field, select the color of the indicator points of the incidents logged by the ML model element on the graphs in the Monitoring and History sections.
- In the Expert opinion field, specify the expert opinion to be automatically created for incidents logged by the ML model element.
- If necessary, use the toggle switch to turn on the Treat inconclusive result as positive option.
If Kaspersky MLAD cannot unequivocally evaluate the fulfillment of criteria specified in the Time filter and Tag conditions settings blocks, for example, due to the absence of observations for tags, the application will consider a rule to be triggered when this option is enabled.
- In the Time filter settings block, do the following:
- Click the Add interval button.
- In the Interval type drop-down list, select one of the following time interval types:
- Fixed. If you select this type of interval, specify the days of the week and the time interval during which the input data must be validated according to the specified criteria.
You can specify only the beginning or the end of a single interval.
- Recurrent. If you select this type of interval, specify the years, dates, days of the week, and daily time interval for periodically validating input data according to the specified criteria.
- If you want to add one more interval, click the Add interval button and complete step 7b.
- If you want to delete an interval, move the mouse cursor over the row with the required interval and click the Delete interval icon.
You can add one or more time intervals. If no time interval is specified, the diagnostic rule is applied in each UTG node.
- To add tag behavior criteria, do the following:
- In the Tag conditions settings block, click the Condition button.
- In the Tag drop-down list, select the tag for which to add a tag behavior criterion.
If you want to exclude the selected criterion from the condition block that you are adding, click NOT to the left of the selected tag. The NOT caption in the button will be highlighted in bold.
For example, click NOT to add a condition that contains no steps with the specified settings.
- In the Behavior drop-down list, select one of the following tag behaviors that must be tracked:
- Over: the tag value exceeds the specified threshold.
- Below: the tag value falls below the specified threshold.
- Rising: the trendline of tag values is increasing.
- Falling: the trendline of tag values is decreasing.
- Level: there are no pronounced changes in the trendline of tag values.
- Step change: the trendline of the selected tag is displaying abrupt upward or downward shifts.
- Flat: the selected tag is transmitting the same value.
- Spread: abrupt changes in the spread of values are being observed around the trendline of the selected tag.
- In the Window field, specify the number of UTG steps.
- Depending on the value selected for Behavior, do one of the following:
- If you selected Over or Below, use the Threshold field to specify the tag threshold value, and specify the minimum number of times the threshold value can be breached in a separate window in the Minimum violations field.
- If you selected Rising, Falling, or Level, use the Threshold slope field to specify the trend slope percentage value that must be exceeded for the trend to be considered as growing or falling, and specify the time interval between adjacent trend estimates in the Evaluation period field.
By default, the Threshold slope setting is not defined. If the setting is not defined, Kaspersky MLAD will determine the trend direction automatically.
By default, the Evaluation period setting has a value of 1. With this value, the trend is estimated at each UTG node.
- If you selected Step change, use the Minimum change field to specify the minimum shift value for the tag trendline, and select one of the following tag value change directions from the Direction drop-down list: Any, Up or Down.
By default, the Minimum change setting is not defined. If the setting is not defined, Kaspersky MLAD will determine it automatically.
- If you selected Flat, use the Value field to specify the value that the tag should transmit, and specify the maximum tag value spread in the Spread field.
By default, the Value setting is not defined. If the setting is not defined, any repeating tag value triggers the criterion.
- If you selected Spread, use the Minimum change field to specify the minimum value by which the tag value spread around the trendline can change, and select one of the following spread change directions in the Direction drop-down list: Any, Flare, or Shrink.
By default, the Minimum change setting is not defined. If the setting is not defined, Kaspersky MLAD will determine it automatically.
The tag behavior criterion is met when the tag spread around the trendline increases and/or decreases.
- To add a tag behavior criterion to a condition block, click the plus sign at the bottom of the condition block and repeat steps 8b through 8e.
- If the block contains more than one tag behavior criterion, select one of the following logical operators between the criterion rows:
- AND if you need to track both criteria while a diagnostic rule is active.
- OR if you need to track one of the defined criteria while a diagnostic rule is active.
- If you need to check whether the fulfillment of a pre-condition caused the fulfillment of a post-condition in a future UTG node, add a temporal operator:
- In the Tag conditions settings block, click the Wait button.
The Wait button is available after at least one condition has been added.
A precondition is a block of conditions preceding the temporal operator. A postcondition is a block of conditions following a temporal operator.
The precondition block is checked in the current UTG node.
- In the Recess (steps) field, specify the following time intervals:
- from: the interval between the current UTG node and the first future UTG node, in which the post-condition block is checked (minimum waiting interval).
- to: the interval between the current UTG node and the last future UTG node, in which the post-condition block is checked (maximum waiting interval).
The post-condition block is checked in the UTG nodes between the minimum and maximum waiting intervals.
- In the Check drop-down list, select one of the following group operators:
- To check the fulfillment of tag behavior criteria from the post-conditions block in all UTG nodes between the minimum and maximum waiting intervals, select the All steps group operator.
- To check the fulfillment of tag behavior criteria from the post-conditions block in at least one UTG node between the minimum and maximum waiting intervals, select the Any step group operator.
The criteria check result is determined in the last node of the maximum waiting interval. If the check of the precondition block in the current UTG node gave a negative result (FALSE) or an undefined result (UNDEFINED), the same value will be the result of the check of the post-condition block.
If the check of the precondition block in the current UTG node gave a positive result (TRUE), then the check of the post-condition block is performed in each UTG node between the minimum and maximum waiting interval. The result of the check is determined by the fulfillment of the condition depending on the selected group operator: All steps or Any step.
If more than one condition check is performed using the temporal operator, then the result of the check of the previous temporal condition is a precondition for each subsequent check of the temporal condition.
- Select one of the following logical operators between rule blocks:
- AND if you need to track tag behavior criteria in both blocks while a diagnostic rule is active.
- OR if you need to track tag behavior criteria in one of the blocks while a diagnostic rule is active.
- In the upper-right corner of the window, click the Save button.
The new ML model element will be displayed in the Rules group within the selected ML model in the asset tree.
If an ML model contains only elements based on diagnostic rules, the model is assigned the Trained status. You can start inference for such an ML model. If the ML model contains untrained neural network elements, they must be trained before starting inference.
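The evaluation of the temporal operator (Wait) described in the procedure above, written out as an added Python example; this is not Kaspersky MLAD code. The function names, the use of `None` for UNDEFINED, the handling of UNDEFINED post-condition nodes (false or true dominates, otherwise undefined) and the treatment of nodes with no data as UNDEFINED are assumptions, and the series are constructed.

```python
from typing import Optional, Sequence

Tri = Optional[bool]  # True, False, or None standing for UNDEFINED


def all_steps(results: Sequence[Tri]) -> Tri:
    """All steps: every node in the waiting window must satisfy the post-condition."""
    if any(r is False for r in results):
        return False
    # Assumption: an unknown node makes the whole check UNDEFINED.
    return None if any(r is None for r in results) else True


def any_step(results: Sequence[Tri]) -> Tri:
    """Any step: at least one node in the waiting window must satisfy it."""
    if any(r is True for r in results):
        return True
    return None if any(r is None for r in results) else False


def wait_check(pre: Sequence[Tri], post: Sequence[Tri], node: int,
               wait_from: int, wait_to: int, check: str) -> Tri:
    """Result of 'pre Wait[from..to] post' for the given current UTG node."""
    if wait_from > wait_to:
        raise ValueError("minimum waiting interval exceeds the maximum")
    # The precondition is checked in the current node; FALSE or UNDEFINED
    # becomes the result of the post-condition check as well.
    if pre[node] is not True:
        return pre[node]
    # Future nodes from node+from to node+to; nodes without data are UNDEFINED.
    window = [post[i] if i < len(post) else None
              for i in range(node + wait_from, node + wait_to + 1)]
    return all_steps(window) if check == "All steps" else any_step(window)


def rule_triggered(result: Tri, inconclusive_as_positive: bool) -> bool:
    """Apply the 'Treat inconclusive result as positive' option to a result."""
    return inconclusive_as_positive if result is None else result


# Constructed per-node results of the precondition and post-condition blocks.
PRE = [True, False, None, True]
POST = [False, True, True, False, True, None]
```

With these series, node 3 shows the difference between the group operators: the window covers one fulfilled node and one node without a conclusive result, so Any step is positive while All steps stays inconclusive until the option decides it.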