Kaspersky Machine Learning for Anomaly Detection
Configuring the Anomaly Detector service
In Kaspersky MLAD, an ML model can contain the following detectors:
- Limit Detector detects anomalies whenever the tag value falls below the minimum value or exceeds the maximum value.
- Forecaster predicts the current behavior of an object based on data about its behavior in the recent past.
- XGBoost detects, with a certain probability, anomalies in the monitored asset data based on the data sample for the examined time interval learned by the XGBoost classifier.
- Rule Detector builds predictions for the tag values during normal operation of the monitored asset and registers incidents whenever one or multiple rules are triggered.
You can configure the procedure for detecting anomalies based on the specific features of your monitored asset by enabling or disabling the necessary detectors in the Anomaly Detector service settings.
Configuration of the Anomaly Detector service is performed by an administrator (Kaspersky employee or certified integrator).
To configure the settings of the Anomaly Detector service in Kaspersky MLAD:
- In the administrator menu, select System parameters → Anomaly Detector.
  A list of options appears on the right.
- Move the Use Limit Detector toggle button to the necessary position to enable or disable use of the Limit Detector.
- Move the Use Forecaster detector toggle button to the necessary position to enable or disable use of the Forecaster detector.
- Move the Use XGBoost detector toggle button to the necessary position to enable or disable use of the XGBoost detector.
- Move the Use Rule Detector toggle button to the necessary position to enable or disable use of the Rule Detector.
- Move the Skip gaps in data toggle button to the necessary position to enable or disable the function for skipping gaps in the incoming data stream.
- In the Maximum number of records requested from the Message Broker service field, enter the number of records that must be requested from the Message Broker service for subsequent processing in the Anomaly Detector.
- In the Number of messages sent in one block to the Message Broker service field, enter the number of incidents that must be sent to the Message Broker service at one time.
- In the Number of simultaneously running models field, enter the maximum number of ML models that can analyze telemetry data at the same time.
  For maximum performance of Kaspersky MLAD, the number of ML models running at the same time must not exceed 80% of the number of cores of the server where Kaspersky MLAD is installed.
- Click the Save button.
Article ID: 216619, Last review: Dec 7, 2022