Kaspersky Machine Learning for Anomaly Detection

Limitations

December 6, 2023

ID 265584

Kaspersky MLAD has a number of limitations that are not critical for application operation:

  • Alerts about the activation of the Event Processor service monitors are sent to external systems only using the CEF connector. Sending alerts by email is not available.
  • Alerts about the activation of the Event Processor service monitors are not saved in the Kaspersky MLAD database.
  • It is recommended to save the Event Processor service state to the database table. If the service state is saved to a file in bit format, Kaspersky MLAD saves the state of the Event Processor service according to the specified backup creation frequency for the service. It may take some time to save and restore the state of the Event Processor service (up to several minutes if there is a large volume of processed data). Restarting the service results in the loss of all data processed since the state was last saved to a file in bit format.
  • The Event Processor service processes only categorical data. All event parameter values are set in or converted to the string data type. Although the string values for each event parameter can be extremely diverse (up to tens of thousands of values), they are finite.
  • Data processing performance for the current version of the Event Processor is about five thousand events per second and may decrease due to a large number of attention directions.
  • As the stream of events approaches maximum capacity (about five thousand events per second) and the diversity of event parameter values increases, the Event Processor service requires substantial computing resources.
  • The Event Processor service is sensitive to how its settings are configured. Incorrectly defined event parameters, episode size and creation time, and attention configuration can significantly reduce service efficiency and performance.
  • Kaspersky MLAD is designed to work with a tag stream whose rate does not exceed 10000 tags per second (short-term bursts of no more than 20% are permissible). If the tag stream rate exceeds the specified value, there may be delays in tag processing, prediction, and anomaly detection.
  • Computers with Kaspersky MLAD and Kaspersky Industrial CyberSecurity for Networks installed must belong to the same network.
  • Kaspersky MLAD stores the entire history of received tag values and predicted tag values. Therefore, you must estimate the potential storage volume based on the data update rate (tags per second) and the time interval for storing the telemetry data monitoring history.
  • The Trainer service can only train neural network ML models.
  • You can save data during an application update only when updating Kaspersky MLAD 4.0.1-001 or later. To migrate from Kaspersky MLAD 3.0.0 to Kaspersky MLAD 4.0.1 or later, you need to perform a new installation of Kaspersky MLAD and manually import data from the previously installed Kaspersky MLAD 3.0.0. For detailed information on migration from Kaspersky MLAD 3.0.0 to Kaspersky MLAD version 4.0.1 or later, you are advised to contact Kaspersky Technical Support.
  • Application rollback to the previously installed version is supported only for Kaspersky MLAD 4.0.1-001 or later.
  • If you are using an ML model that consists of multiple elements of the same type, anomalies are not grouped by single-type tags that are associated with different elements of the ML model.
  • A large number of simultaneously running ML models (more than 80) can result in the number of connections to the database being exhausted. Restart Kaspersky MLAD if this happens.
  • There is no capability to use model elements based on the XGBoost detector.
  • In the asset tree, the Assets section does not display the icon that is selected when you create or edit tags or assets.
  • In the Incidents section in the period selection window, you can select only those years for which Kaspersky MLAD contains data.
  • The History and Monitoring sections do not correctly display graphs of tags for which display boundaries on the Y coordinate were specified when creating or modifying a tag.
  • In the Models section, you cannot clone an ML model if it contains no elements or if there is at least one untrained neural network element.
  • The Models section does not always display the results of training a neural network element after it has been successfully trained. You must refresh the page to display the results.
  • The value of the Monitored asset time zone setting that is defined by the system administrator in the main settings of Kaspersky MLAD is applied only to dates and times when selecting time intervals for markups. This setting does not apply to other sections of the web interface in which the date and time can be selected for displaying data.
