About Kaspersky Machine Learning for Anomaly Detection
Kaspersky Machine Learning for Anomaly Detection (hereinafter also referred to as Kaspersky MLAD or "the application") is an early anomaly detection system: specialized software designed to prevent failures, accidents, or degradation of industrial installations, technological processes, and complex cyber-physical systems. By analyzing telemetry data with machine learning techniques, Kaspersky MLAD detects signs of an abnormal situation before traditional monitoring systems do.
Kaspersky MLAD detects anomalies in industrial processes regardless of their causes. Anomalies may be caused by the following:
- Physical factors, such as damage to equipment or malfunctioning sensors.
- Human factors, such as intentional or inadvertent inappropriate operator actions, hardware reconfiguration, a change of operating mode or settings, or a switch to manual control.
- Cyberattacks.
Main capabilities of Kaspersky MLAD:
- Detects abnormal behavior of the monitored asset in real time.
- Identifies signals that display the largest deviations from normal behavior.
- Allows you to analyze incidents taking into account information about similar incidents.
- Allows expert classification and annotation of incidents.
- Allows you to notify users about detected incidents through the web interface, by email, by sending messages to Kaspersky Industrial CyberSecurity for Networks, and using industrial data transfer protocols.
- Allows you to use models based on both machine learning and arbitrary rules for anomaly detection.
- Displays historical and real-time data as graphs according to the specified tag sets, along with the results of processing this data with ML models.
- Lets you manage the log of detected incidents.
- Allows you to create ML models and add predictive elements, elliptic envelope-based elements, and diagnostic rule-based elements to them.
- Provides training of predictive elements and elliptic envelope-based elements.
- Allows you to create templates from the added ML models and add new ML models to Kaspersky MLAD based on those templates.
- Allows you to define the way to organize the data of the monitored asset in the form of an asset tree.
- Allows you to receive telemetry data over HTTP, OPC UA, MQTT, AMQP, CEF, and WebSocket protocols, and via a specialized protocol over HTTPS from Kaspersky Industrial CyberSecurity for Networks.
- Detects and handles terminations and interruptions of the incoming data stream, and restores missed observations.
- Based on event data received from external systems, recognizes repeated events or sequences of events as patterns, and identifies new events and patterns in the event stream.
- Displays the detected events as a graph and a table, and shows detected patterns as a layered hierarchy of nested items.
- Sends alerts about the detection of certain events, patterns, or values of the event parameters received by the Event Processor in the data stream from the monitored asset.
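To make the element types above concrete, here is an added, self-contained illustration of what an elliptic envelope-based element, a diagnostic rule-based element, and the "signals with the largest deviations" ranking do on pump telemetry. It is example code written for this page, not Kaspersky's implementation, and the page does not document how MLAD trains or thresholds its elements; the three tag names, the pump/flow/pressure relationships, the 1% contamination threshold, and the rule thresholds are all assumptions. The envelope is fitted on constructed "normal" data and then scored against a normal observation and one where the flow meter reads zero while the pump is spinning (physical fault, dead sensor, or spoofed value; the detector cannot tell which, in line with the "regardless of their causes" point above).

```python
"""Toy telemetry anomaly detector: elliptic envelope + diagnostic rule.

Example code for this page, not Kaspersky MLAD's code. Tag names, data
relationships and thresholds are assumptions chosen for illustration.
"""
import math
from typing import Dict, List, Sequence, Tuple

Observation = Dict[str, float]
TAGS = ("pump_speed_rpm", "flow_m3h", "pressure_bar")  # assumed tag names


def mat_inverse(m: List[List[float]]) -> List[List[float]]:
    """Gauss-Jordan inverse of a small square matrix; raises if singular."""
    n = len(m)
    aug = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("covariance matrix is singular; training data needs more variation")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


class EllipticEnvelope:
    """Fits a Gaussian envelope (mean + covariance) to normal telemetry and scores
    new observations by squared Mahalanobis distance. The threshold is the
    (1 - contamination) quantile of the training scores, so about that fraction
    of training points fall outside the envelope."""

    def __init__(self, tags: Sequence[str], contamination: float = 0.01):
        self.tags = list(tags)
        self.contamination = contamination
        self.mu: List[float] = []
        self.sigma: List[float] = []
        self.inv_cov: List[List[float]] = []
        self.threshold = float("inf")

    def _vec(self, obs: Observation) -> List[float]:
        return [obs[t] for t in self.tags]

    def fit(self, rows: Sequence[Observation]) -> "EllipticEnvelope":
        n, d = len(rows), len(self.tags)
        x = [self._vec(r) for r in rows]
        self.mu = [sum(v[j] for v in x) / n for j in range(d)]
        cov = [[sum((v[i] - self.mu[i]) * (v[j] - self.mu[j]) for v in x) / (n - 1)
                for j in range(d)] for i in range(d)]
        self.sigma = [math.sqrt(cov[j][j]) for j in range(d)]
        self.inv_cov = mat_inverse(cov)
        scores = sorted(self.score(r) for r in rows)
        self.threshold = scores[min(n - 1, int((1 - self.contamination) * n))]
        return self

    def score(self, obs: Observation) -> float:
        """Squared Mahalanobis distance d^T * Sigma^-1 * d from the training mean."""
        diff = [v - m for v, m in zip(self._vec(obs), self.mu)]
        d = len(diff)
        return sum(diff[i] * self.inv_cov[i][j] * diff[j] for i in range(d) for j in range(d))

    def is_anomaly(self, obs: Observation) -> bool:
        return self.score(obs) > self.threshold

    def top_deviations(self, obs: Observation, k: int = 2) -> List[Tuple[str, float]]:
        """Per-tag standardized deviation |x - mu| / sigma, largest first: the
        signals that contribute most to the anomaly, for the analyst's triage."""
        z = [(t, abs(obs[t] - m) / s) for t, m, s in zip(self.tags, self.mu, self.sigma)]
        return sorted(z, key=lambda p: p[1], reverse=True)[:k]


def rule_pump_running_without_flow(obs: Observation, min_rpm: float = 100.0,
                                   min_flow: float = 1.0) -> bool:
    """Diagnostic rule element (assumed rule): pump spinning but flow meter reads ~0."""
    return obs["pump_speed_rpm"] > min_rpm and obs["flow_m3h"] < min_flow


def constructed_training_data(n: int = 240) -> List[Observation]:
    """Constructed 'normal' telemetry: flow tracks pump speed, pressure tracks flow."""
    rows = []
    for i in range(n):
        rpm = 1450.0 + 50.0 * math.sin(i / 9.0)
        flow = 0.04 * rpm + 1.5 * math.cos(i / 4.0)
        pressure = 0.1 * flow + 0.3 * math.sin(i / 13.0)
        rows.append({"pump_speed_rpm": rpm, "flow_m3h": flow, "pressure_bar": pressure})
    return rows


def analyze(obs: Observation, model: EllipticEnvelope) -> dict:
    """Combine the ML element and the rule element into one incident verdict."""
    result = {
        "ml_score": model.score(obs),
        "ml_anomaly": model.is_anomaly(obs),
        "rule_fired": rule_pump_running_without_flow(obs),
        "top_deviations": model.top_deviations(obs),
    }
    result["incident"] = result["ml_anomaly"] or result["rule_fired"]
    return result


if __name__ == "__main__":
    model = EllipticEnvelope(TAGS).fit(constructed_training_data())
    normal = {"pump_speed_rpm": 1460.0, "flow_m3h": 58.4, "pressure_bar": 5.9}
    flow_dropped = {"pump_speed_rpm": 1460.0, "flow_m3h": 0.0, "pressure_bar": 5.9}
    for label, obs in (("normal", normal), ("flow dropped", flow_dropped)):
        print(label, analyze(obs, model))
```

Two practical caveats follow from the code. The envelope is only as good as its training window: if the baseline already contains anomalies (or an attacker can influence the data MLAD is trained on), the covariance widens and later deviations of the same kind score as normal, which is why MLAD's expert classification and annotation of incidents matters for deciding what goes into a training set. And the rule element catches a case the envelope would also flag here, but rules remain useful for conditions whose physical meaning is known in advance and should alert regardless of how the statistical model was fitted.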