An ML model is an algorithm based on machine learning methods tasked with analyzing the telemetry of the monitored asset and detecting anomalies.
An ML model is created by Kaspersky experts or a certified integrator for a specific monitored asset while taking into account the specifications of the asset and the characteristics of telemetry data. The general structure of the algorithm (architecture) is formed during creation of the ML model. Then the ML model is trained based on historical telemetry data and is thereby adjusted to the behavior of a specific object.
An ML model loaded into Kaspersky MLAD to work with a monitored asset consists of one or several elements, each of which is an independent ML model. The overall result of the Anomaly Detector service is formed by combining the results of the ML model elements. Normally, the more complex the industrial processes of the monitored asset are, the more elements the ML model will contain.
A Kaspersky MLAD ML model can be built using one or more detectors running in parallel:
The most common detector is the Forecaster: a neural network that predicts the behavior of the object from its behavior in the recent past. If the difference between the model prediction and the actually observed values exceeds a certain threshold, the Forecaster detects an anomaly in the behavior of the monitored asset and registers an incident. The cumulative measure of the difference between the predicted and actual values (the cumulative prediction error) is shown in the user interface as the MSE (mean squared error).
The MSE values graph and the MSE threshold which, when exceeded, causes the Forecaster to detect an incident, are displayed in the Monitoring and History sections under the tag graphs. If an ML model contains multiple elements, you can select a model element to view the MSE values calculated by that element.
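The following is an added illustration of the Forecaster logic described above; it is not Kaspersky MLAD code. A one-step AR(1) predictor fitted by least squares stands in for the neural network, the telemetry series are constructed (a periodic signal with a level jump injected at step 40 of the monitoring series), and the way the threshold is derived (1.5 times the largest windowed MSE seen on the training data) is an assumption: in the product the threshold is set by whoever builds the model.

```python
"""Forecaster-style detection: predict one step ahead, compute the MSE over a
sliding window, register an incident when the MSE crosses its threshold.
Added example for this page, not Kaspersky MLAD code. The AR(1) predictor,
the threshold rule and all telemetry values are assumptions / constructed."""
import math
from statistics import mean

WINDOW = 5  # number of prediction errors averaged into one MSE value


def constructed_telemetry(t0, n, jump_at=None, jump=0.0):
    """Constructed tag values: a 30-step periodic signal plus a deterministic
    5-step 'noise' pattern, optionally shifted by `jump` from step `jump_at`."""
    out = []
    for t in range(t0, t0 + n):
        v = 30.0 + 0.5 * math.sin(2 * math.pi * t / 30) + ((t * 7) % 5 - 2) * 0.05
        if jump_at is not None and t >= jump_at:
            v += jump
        out.append(v)
    return out


HISTORY = constructed_telemetry(0, 200)                 # training data
CLEAN = constructed_telemetry(200, 100)                 # normal monitoring data
ANOMALOUS = constructed_telemetry(200, 100, jump_at=240, jump=5.0)  # level jump at step 40


def fit_ar1(history):
    """Least-squares fit of y[t] = a*y[t-1] + b on historical telemetry
    (stand-in for training the neural network)."""
    xs, ys = history[:-1], history[1:]
    mx, my = mean(xs), mean(ys)
    var = sum((x - mx) ** 2 for x in xs)
    a = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / var if var else 0.0
    return a, my - a * mx


def prediction_errors(series, model):
    """Squared one-step prediction error for every step that has a predecessor."""
    a, b = model
    return [(a * series[i - 1] + b - series[i]) ** 2 for i in range(1, len(series))]


def mse_threshold(history, model, window, margin=1.5):
    """Assumed threshold rule: `margin` times the largest windowed MSE the
    model produced on its own training data."""
    errs = prediction_errors(history, model)
    return margin * max(mean(errs[i:i + window]) for i in range(len(errs) - window + 1))


def forecaster_detect(series, model, threshold, window):
    """Return ({step: windowed MSE}, [steps at which an incident was registered]).
    A new incident is registered when the MSE rises above the threshold; it is
    not registered again until the MSE has fallen back below the threshold."""
    errs, mses, incidents, active = [], {}, [], False
    a, b = model
    for i in range(1, len(series)):
        errs.append((a * series[i - 1] + b - series[i]) ** 2)
        if len(errs) < window:
            continue
        mses[i] = mean(errs[-window:])
        if mses[i] > threshold and not active:
            incidents.append(i)
            active = True
        elif mses[i] <= threshold:
            active = False
    return mses, incidents


if __name__ == "__main__":
    model = fit_ar1(HISTORY)
    thr = mse_threshold(HISTORY, model, WINDOW)
    _, clean_incidents = forecaster_detect(CLEAN, model, thr, WINDOW)
    _, anomalous_incidents = forecaster_detect(ANOMALOUS, model, thr, WINDOW)
    print(f"a={model[0]:.3f} b={model[1]:.3f} MSE threshold={thr:.5f}")
    print("clean incidents:", clean_incidents, "| anomalous incidents:", anomalous_incidents)
```

Two points the example makes visible: the MSE reacts with a delay of at most `WINDOW` steps, and after a sustained level shift the error stays elevated (a short-memory predictor keeps predicting the old level), so a threshold crossing can re-register once the MSE dips below the threshold and rises again. That is why the threshold and the window length are tuned per model element rather than set globally.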
The Rule Detector uses diagnostic rules to detect anomalies. Diagnostic rules describe previously known behavioral traits of the monitored asset that are considered anomalous. A diagnostic rule must be formalized so that it can be computed from the telemetry data available for the object. Diagnostic rules are formulated by subject-area experts and implemented by Kaspersky experts or a certified integrator as software modules written in Python. Examples of diagnostic rules:
The value of tag A does not change over the course of one minute.
Over the past 12 hours, tag B has trended upward, tag C has trended downward, and tag D has not shown any clear dynamics.
The value of tag X fell below 2800 after it previously rose higher than 2900.
Limit Detector is a special type of ML model element, which registers incidents whenever a tag value falls below the minimum value or exceeds the maximum value. The Limit Detector uses the minimum and maximum permissible values specified in the tag description for the monitored asset. In this case, machine learning is not applied.
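The three example diagnostic rules above, plus a Limit Detector check, written out as Python functions over constructed telemetry. This is an added illustration for this page, not the rule modules Kaspersky MLAD ships, and the rule interface (a dict of tag ID to a list of (unix timestamp, value) samples, each rule returning a message or None), the trend tolerance and all sample values are assumptions.

```python
"""Diagnostic rules and a limit check as plain Python functions.
Added example for this page; not Kaspersky MLAD's rule modules.
Rule interface, tolerances and telemetry values are assumptions."""

T0 = 1_700_000_000  # constructed epoch anchor for the sample timestamps

# Constructed telemetry: tag -> [(unix_time, value), ...], oldest first.
TELEMETRY = {
    "A": [(T0 + 10 * i, 12.5) for i in range(30)],                       # stuck for 5 min
    "B": [(T0 + 300 * i, 100 + 0.2 * i) for i in range(145)],            # rising over 12 h
    "C": [(T0 + 300 * i, 500 - 0.3 * i) for i in range(145)],            # falling over 12 h
    "D": [(T0 + 300 * i, 50 + (0.5 if i % 2 else -0.5)) for i in range(145)],  # no trend
    "X": [(T0 + 60 * i, v) for i, v in
          enumerate([2850, 2880, 2910, 2920, 2895, 2860, 2820, 2790, 2810])],
}
LIMITS = {"X": (2700, 2915), "A": (0, 100)}  # (min, max) from the tag description


def window(samples, seconds, now=None):
    """Samples whose timestamp falls within the last `seconds` before `now`."""
    now = samples[-1][0] if now is None else now
    return [(t, v) for t, v in samples if now - seconds <= t <= now]


def rule_frozen_value(telemetry, tag="A", seconds=60):
    """Rule 1: the value of tag A does not change over the course of one minute."""
    recent = window(telemetry[tag], seconds)
    if len(recent) >= 2 and len({v for _, v in recent}) == 1:
        return f"{tag} frozen at {recent[0][1]} for {seconds}s"
    return None


def slope(samples):
    """Least-squares slope in value units per second."""
    n = len(samples)
    mt = sum(t for t, _ in samples) / n
    mv = sum(v for _, v in samples) / n
    den = sum((t - mt) ** 2 for t, _ in samples)
    return sum((t - mt) * (v - mv) for t, v in samples) / den if den else 0.0


def trend(samples, flat=1e-4):
    """Classify a series as up / down / flat; `flat` is an assumed tolerance."""
    s = slope(samples)
    return "up" if s > flat else "down" if s < -flat else "flat"


def rule_trend_pattern(telemetry, hours=12,
                       expected=(("B", "up"), ("C", "down"), ("D", "flat"))):
    """Rule 2: over the past 12 hours B trended up, C down, D showed no clear dynamics."""
    seen = {tag: trend(window(telemetry[tag], hours * 3600)) for tag, _ in expected}
    if all(seen[tag] == want for tag, want in expected):
        return "trend pattern " + ", ".join(f"{tag}:{d}" for tag, d in expected)
    return None


def rule_drop_after_rise(telemetry, tag="X", high=2900, low=2800):
    """Rule 3: X fell below `low` after it had previously risen above `high`.
    Implemented as a two-state machine so a drop without a prior rise is ignored."""
    armed = False
    for t, v in telemetry[tag]:
        if v > high:
            armed = True
        elif armed and v < low:
            return f"{tag} fell below {low} at t={t} after exceeding {high}"
    return None


def limit_detector(telemetry, limits):
    """Limit Detector analogue: every sample outside the tag's (min, max); no ML."""
    return [(tag, t, v) for tag, (lo, hi) in limits.items()
            for t, v in telemetry[tag] if v < lo or v > hi]


def run_rules(telemetry, rules):
    """Evaluate each rule module; every non-None result is an incident message."""
    incidents = []
    for rule in rules:
        msg = rule(telemetry)
        if msg is not None:
            incidents.append(msg)
    return incidents


if __name__ == "__main__":
    for msg in run_rules(TELEMETRY, [rule_frozen_value, rule_trend_pattern, rule_drop_after_rise]):
        print("rule incident:", msg)
    for tag, t, v in limit_detector(TELEMETRY, LIMITS):
        print(f"limit incident: {tag}={v} at t={t}")
```

Rule 3 shows why a rule is a small state machine rather than a stateless comparison: the drop below 2800 is only an anomaly in the context of the earlier rise above 2900, so the rule has to remember that the rise happened. Rule 1 shows the other caveat that surfaces in practice: a "frozen" check needs at least two samples in its window, so it silently passes for tags polled less often than the window length.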
If expert markup of the anomalous time intervals and anomaly types in historical data is available, the ML model can be trained with the widely used machine learning method known as supervised learning. The XGBoost detector performs gradient boosting over decision trees: training this type of ML model yields an XGBoost classifier that estimates the probability of an anomaly in the data of the monitored asset.
In monitoring mode, an ML model that is based on the XGBoost detector displays a graph of the adjusted probability of anomaly detection. The XGBoost detector registers an incident and identifies the type of incident if the probability exceeds the defined threshold.
An ML model based on the XGBoost detector is provided by Kaspersky experts when specially requested.
In Kaspersky MLAD, an ML model can be imported or created based on a template. In turn, ML model templates are created based on previously added ML models. ML model templates preserve the algorithm structure, set of elements, and the state of the ML model used to create the template. The state of the created ML model will match the training state of the source ML model when the template was created.
Using templates, you can add ML models of the same type to Kaspersky MLAD. These models will analyze data received from equipment of the same type with a similar set of tags. When creating an ML model from a template, you can configure the use of other tags in the ML model by specifying tag IDs that differ from the ones in the source ML model.