Patents by Inventor Dan Klein

Dan Klein has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11973790
    Abstract: Implementations include determining a set of components within the connected vehicle ecosystem, components within the set of components representing at least one layer within the connected vehicle ecosystem, for each component in the set of components: providing a set of facts representative of the respective component, and providing a component digital twin using the set of facts, defining a set of digital twins including digital twins of components in the set of components, generating, using the set of digital twins, at least one AAG representative of potential lateral movement between components of the at least one layer within the connected vehicle ecosystem, the at least one AAG representing a contextual digital twin of components operating within the connected vehicle ecosystem, and evaluating the connected vehicle ecosystem using the at least one AAG.
    Type: Grant
    Filed: November 9, 2021
    Date of Patent: April 30, 2024
    Assignee: Accenture Global Solutions Limited
    Inventors: Dan Klein, Elad Segev
  • Patent number: 11876824
    Abstract: Methods, systems, and computer-readable storage media for receiving an AAG from computer-readable memory, generating from logical network ontology data, asset inventory data, and asset communication data, a logical topology of the enterprise network as a computer-readable data structure, defining, at least partially by executing community detection over the logical topology, a sub-set of groups within the enterprise network, each group representing a process of a plurality of processes, each process being at least partially executed by one or more assets within the enterprise network, processing the AAG based on the sub-set of groups and data from one or more contextual data sources to provide the process aware AAG, the process aware AAG defining a mapping between an infrastructure-layer of the enterprise network and a process-layer of the enterprise network, and executing one or more remedial actions in the enterprise network in response to analytics executed on the process aware AAG.
    Type: Grant
    Filed: June 25, 2021
    Date of Patent: January 16, 2024
    Assignee: Accenture Global Solutions Limited
    Inventors: Gal Engelberg, Dan Klein, Tomer Ram, Benny Rochwerger
  • Publication number: 20230412635
    Abstract: Implementations include a computer-implemented method for reducing cyber-security risk, comprising: accessing a knowledge mesh including a plurality of modules, wherein each module is associated with a respective aspect and maintains a knowledge graph specific to the respective aspect, wherein each knowledge graph is generated using data from one or more cyber-security repositories and includes nodes and connections between the nodes; performing an information completion process to generate connections between nodes of knowledge graphs maintained by different modules of the knowledge mesh, including performing at least one of: inheritance-based inference; natural language processing classifier-based inference; or natural language processing-based object matching inference; and identifying, using the generated connections between the nodes of the knowledge graphs, one or more actions to reduce cyber-security risk.
    Type: Application
    Filed: June 15, 2023
    Publication date: December 21, 2023
    Inventors: Hodaya Binyamini, Louis William DiValentin, Gal Engelberg, Dan Klein, Moshe Hadad, Petra Genc, Roei Levi
  • Publication number: 20230412634
    Abstract: Implementations include a computer-implemented method for reducing cyber-security risk, comprising: selecting one or more modules for inclusion in a knowledge mesh, wherein each module is associated with a respective aspect and maintains a knowledge graph specific to the respective aspect, wherein each knowledge graph is generated using data from one or more cyber-security repositories and includes nodes and connections between the nodes; receiving a query corresponding to a first node of a first knowledge graph included in the knowledge mesh; generating a response to the query by identifying connections between the first node of the first knowledge graph and at least one node of at least one other knowledge graph included in the knowledge mesh; and identifying, based on the response to the query, one or more actions to reduce cyber-security risk.
    Type: Application
    Filed: June 15, 2023
    Publication date: December 21, 2023
    Inventors: Gal Engelberg, Dan Klein, Moshe Hadad, Hodaya Binyamini
  • Publication number: 20230379356
    Abstract: Implementations include methods, systems, computer-readable storage medium for mitigating cyber security risk of an enterprise network. A method includes: receiving an initial analytic attack graph (AAG) that is representative of paths within the enterprise network with respect to at least one target asset, the initial AAG comprising nodes and edges between the nodes; identifying, from the nodes of the initial AAG, a plurality of node groups, each node group including two or more nodes having at least one common attribute; generating an abstract AAG from the initial AAG, the abstract AAG including at least one abstract node, wherein each node group of the initial AAG is represented by a respective abstract node of the abstract AAG; determining a set of remedial actions at least partially based on the abstract AAG; and executing remedial actions in the set of remedial actions to reduce a cyber security risk to the enterprise network.
    Type: Application
    Filed: May 16, 2023
    Publication date: November 23, 2023
    Inventors: Nimrod Busany, Dan Klein, Rafi Shalom
  • Publication number: 20230328096
    Abstract: Implementations are directed to methods, systems, and apparatus for ontology-based risk propagation over digital twins. Actions include obtaining knowledge graph data defining a knowledge graph including nodes and edges between the nodes, the nodes including asset nodes representing assets and process nodes representing processes; each edge representing a relation between nodes; determining, from the knowledge graph, an aggregated risk for a first process represented by a first process node, including: identifying, for the first process node, a set of incoming nodes, each incoming node comprising an asset node or a process node and being connected to the first process node by a respective edge; determining a direct risk for the first process; and determining an indirect risk for the first process; and generating, based on the aggregated risk for the first process node, a mitigation recommendation including actions for reducing the aggregated risk for the first process node.
    Type: Application
    Filed: April 3, 2023
    Publication date: October 12, 2023
    Inventors: Gal Engelberg, Eitan Hadar, Dan Klein, Adrian Kuboszek
  • Patent number: 11750657
    Abstract: Implementations include receiving an AAG that at least partially defines a digital twin of an enterprise network and includes rule nodes each representing an attack tactic that can be used to move along a path, determining security controls each mitigating at least one rule node, executing an iteration of a simulation of a sub-set of security controls in the enterprise network, the iteration including: for each security control in the set of security controls, determining, an influence score that represents a change in a security risk from implementing the security control and a rule distribution, defining the sub-set of security controls based on the first influence scores, and reducing the AAG based on the sub-set of security controls to provide a residual AAG, determining a decrease in a graph risk value and the first AAG, and selectively implementing the sub-set of security controls in the enterprise network.
    Type: Grant
    Filed: February 26, 2021
    Date of Patent: September 5, 2023
    Assignee: Accenture Global Solutions Limited
    Inventors: Eitan Hadar, Alexander Basovskiy, Dmitry Kravchenko, Dan Klein
  • Publication number: 20230252080
    Abstract: Implementations include systems and methods for decoupling ontologies in distributed data mesh. A computer-implemented method includes obtaining imported information indicating computational resources, requested analyses, and data ontology; creating, from the imported information, a knowledge graph as a computer-readable data structure including nodes and connections between the nodes, the nodes including: data nodes, each data node representing a computational resource, analysis nodes, each analysis node representing a requested analysis, and ontology nodes, each ontology node representing an axiom of the data ontology; generating, from the knowledge graph, a functional data mesh as a computer-readable data structure that identifies computational resources to perform the requested analyses; validating states of the functional data mesh to determine a recommended configuration; and exporting a distributed data mesh based on the recommended configuration.
    Type: Application
    Filed: February 8, 2023
    Publication date: August 10, 2023
    Inventors: Dan Klein, Eitan Hadar, Anna Glownia
  • Publication number: 20230252044
    Abstract: Implementations include obtaining a knowledge graph comprising a computer-readable data structure and including nodes and connections between the nodes, the nodes including: data nodes each representing a computational resource, analysis nodes each representing an analysis, and source nodes each representing a source of a data element; and determining, using the knowledge graph, an access strategy and a synchronization strategy for performing an analysis, by, automatically: identifying a first source node representing a source of a data element on which the analysis is to be performed, identifying a first data node representing a computational resource on which the analysis is to run, identifying a second data node representing a computational resource on which the data element is to reside, determining the access strategy between the first source node and the second data node, and determining the synchronization strategy between the first data node and the second data node.
    Type: Application
    Filed: February 8, 2023
    Publication date: August 10, 2023
    Inventors: Dan Klein, Eitan Hadar, Anna Glownia
  • Publication number: 20230169360
    Abstract: Implementations include methods, systems, computer-readable storage medium for generating ontologies from programmatic specifications. A method includes receiving data indicating a configuration for a data crawler; extracting, by the data crawler, representations of a subset of programmatic specifications; generating a knowledge graph model of the subset of the programmatic specifications; refining the knowledge graph model by classifying nodes in the knowledge graph model to obtain a refined knowledge graph model; and generating an ontology from the refined knowledge graph model. Refining the knowledge graph model comprises: iteratively classifying nodes of the knowledge graph model and refining the knowledge graph model based on the classifications of the nodes to obtain the refined knowledge graph model. The programmatic specifications include application programming interface specifications or databases of tables.
    Type: Application
    Filed: November 29, 2022
    Publication date: June 1, 2023
    Inventors: Nimrod Busany, Gal Engelberg, Dan Klein, Tomer Ram
  • Publication number: 20230076372
    Abstract: Implementations include receiving graph data representative of a process-aware analytical attack graph (AAG) representing paths within an enterprise network with respect to observed facts of the enterprise network, the process-aware AAG at least partially defining a digital twin of the enterprise network, receiving data indicating at least one non-observed fact of the enterprise network, generating, from the graph data and the received data, an augmented process-aware AAG representing paths within the enterprise network with respect to the observed facts and the at least one non-observed fact, determining, by a process-aware risk assessment module, a risk assessment based on the augmented process-aware AAG, and providing, by a mitigation simulator module, a mitigation list based on the process-aware AAG and the risk assessment, the mitigation list comprising a prioritized list of observed facts of the process-aware AAG.
    Type: Application
    Filed: August 25, 2022
    Publication date: March 9, 2023
    Inventors: Gal Engelberg, Dan Klein, Eitan Hadar, Asher Genachowski
  • Publication number: 20230067128
    Abstract: Implementations include a computer-implemented method for mitigating cyber security risk of an enterprise network, the method comprising: receiving an analytical attack graph (AAG) representing paths within the enterprise network with respect to at least one target asset, the AAG defining a digital twin of the enterprise network and comprising a set of rule nodes, each rule node representing an attack tactic that can be used to move along a path of the AAG; integrating the AAG with a knowledge graph comprising a set of asset nodes, each asset node representing a digital asset that can be affected by one or more of the attack tactics; determining, based on integrating the AAG with the knowledge graph, a plurality of security controls, each security control having an assigned priority value; and selectively implementing the security controls in the enterprise network based on the assigned priority values of the security controls.
    Type: Application
    Filed: August 10, 2022
    Publication date: March 2, 2023
    Inventors: Gal Engelberg, Dan Klein, Alexander Basovskiy, Nimrod Busany
  • Publication number: 20230067777
    Abstract: Implementations include distributed data nodes for flexible data mesh architectures. A method includes obtaining first configuration data for a data mesh including a plurality of data nodes, wherein each data node of the plurality of data nodes is configured to receive instructions and perform operations based on the instructions, the operations including processing input data and producing output data; simulating operations of the data mesh to generate simulation results using the first configuration data; determining, based on the simulation results, that the first configuration data satisfies criteria for configuring the data mesh; generating, from the first configuration data and based on the simulation results, a set of instructions for the plurality of data nodes of the data mesh; and configuring the data mesh based on the first configuration data by deploying the set of instructions to the plurality of data nodes of the data mesh.
    Type: Application
    Filed: August 29, 2022
    Publication date: March 2, 2023
    Inventors: Eitan Hadar, Dan Klein, Lisa O'Connor
  • Patent number: 11533332
    Abstract: Methods, systems, and computer-readable storage media for receiving a process aware AAG from computer-readable memory, the process aware AAG having been generated from the AAG, processing the process aware AAG to consolidate asset nodes to group nodes at least partially by providing metadata describing an asset node to a set of properties of a group node and pruning the asset node and any child nodes of the asset node from the process aware AAG, providing the aggregation graph by identifying relationships between group nodes and, for each relationship, inserting an edge between group nodes, and aggregating one or more of a set of node properties and a set of edge properties for each group node or edge, respectively, storing the aggregation graph to computer-readable memory, and executing one or more remedial actions in the enterprise network in response to analytics executed on the aggregation graph.
    Type: Grant
    Filed: June 25, 2021
    Date of Patent: December 20, 2022
    Assignee: Accenture Global Solutions Limited
    Inventors: Gal Engelberg, Dan Klein, Tomer Ram, Benny Rochwerger
  • Publication number: 20220263855
    Abstract: Implementations are directed to receiving graph data representative of a process-aware AAG that is representative of potential lateral movement of adversaries within a computer network, receiving risk profile data representative of a risk profile of an enterprise with respect to two or more risk aspects, generating, by a process-aware risk assessment module, a risk assessment based on the process-aware AAG and the risk profile, and generating, by a mitigation simulator module, a mitigation list based on the process-aware AAG, the risk profile, and the risk assessment, the mitigation list comprising a prioritized list of two or more facts of the process-aware AAG. Other implementations of this aspect include corresponding systems, apparatus, and computer programs, configured to perform the actions of the methods, encoded on computer storage devices.
    Type: Application
    Filed: February 18, 2022
    Publication date: August 18, 2022
    Inventors: Gal Engelberg, Dan Klein, Tomer Ram
  • Publication number: 20220150270
    Abstract: Implementations include determining a set of components within the connected vehicle ecosystem, components within the set of components representing at least one layer within the connected vehicle ecosystem, for each component in the set of components: providing a set of facts representative of the respective component, and providing a component digital twin using the set of facts, defining a set of digital twins including digital twins of components in the set of components, generating, using the set of digital twins, at least one AAG representative of potential lateral movement between components of the at least one layer within the connected vehicle ecosystem, the at least one AAG representing a contextual digital twin of components operating within the connected vehicle ecosystem, and evaluating the connected vehicle ecosystem using the at least one AAG.
    Type: Application
    Filed: November 9, 2021
    Publication date: May 12, 2022
    Inventors: Dan Klein, Elad Segev
  • Publication number: 20220070202
    Abstract: Methods, systems, and computer-readable storage media for receiving data representative of two or more AAGs, providing an identifier for each element of each of the two or more AAGs, each identifier being unique within a respective AAG, at least one identifier being non-unique between the two or more AAGs, determining an attribute value for each element of each of the two or more AAGs, storing attribute value to element mappings in an attribute dictionary, providing a differenced AAG based on the attribute value to element mappings in the attribute dictionary, determining a set of remedial actions at least partially based on the differenced AAG, and executing one or more remedial actions in the set of remedial actions to reduce a cyber security risk to the enterprise network.
    Type: Application
    Filed: August 25, 2021
    Publication date: March 3, 2022
    Inventors: Nimrod Busany, Dan Klein, Benny Rochwerger
  • Publication number: 20220067204
    Abstract: The present disclosure provides a system architecture for designing and monitoring privacy-aware services and improving privacy regulation compliance. A privacy-preserving knowledge graph (PPKG) system provides functionality for modelling and analyzing processes that use, share, or request sensitive data from users and the outcomes of such functionality may be utilized to modify the design of the processes (e.g., to improve security of the process, regulatory compliance of the process, and the like). The PPKG system may also be used to modify the process, such as to write code that may be compiled into executable form and deployed to a run-time environment. A privacy-preserving posture (PPP) system monitors the run-time environment and analyzes where processes obtain, store, and share sensitive data. The PPP system may identify run-time vulnerabilities that may pose risks with respect to the sensitive data, as well as areas where modifications could be made to improve regulatory compliance.
    Type: Application
    Filed: August 27, 2021
    Publication date: March 3, 2022
    Inventors: Eitan Hadar, Dan Klein, Benny Rochwerger
  • Publication number: 20210409439
    Abstract: Methods, systems, and computer-readable storage media for receiving a process aware AAG from computer-readable memory, the process aware AAG having been generated from the AAG, processing the process aware AAG to consolidate asset nodes to group nodes at least partially by providing metadata describing an asset node to a set of properties of a group node and pruning the asset node and any child nodes of the asset node from the process aware AAG, providing the aggregation graph by identifying relationships between group nodes and, for each relationship, inserting an edge between group nodes, and aggregating one or more of a set of node properties and a set of edge properties for each group node or edge, respectively, storing the aggregation graph to computer-readable memory, and executing one or more remedial actions in the enterprise network in response to analytics executed on the aggregation graph.
    Type: Application
    Filed: June 25, 2021
    Publication date: December 30, 2021
    Inventors: Gal Engelberg, Dan Klein, Tomer Ram, Benny Rochwerger
  • Publication number: 20210409426
    Abstract: Methods, systems, and computer-readable storage media for receiving an AAG from computer-readable memory, generating from logical network ontology data, asset inventory data, and asset communication data, a logical topology of the enterprise network as a computer-readable data structure, defining, at least partially by executing community detection over the logical topology, a sub-set of groups within the enterprise network, each group representing a process of a plurality of processes, each process being at least partially executed by one or more assets within the enterprise network, processing the AAG based on the sub-set of groups and data from one or more contextual data sources to provide the process aware AAG, the process aware AAG defining a mapping between an infrastructure-layer of the enterprise network and a process-layer of the enterprise network, and executing one or more remedial actions in the enterprise network in response to analytics executed on the process aware AAG.
    Type: Application
    Filed: June 25, 2021
    Publication date: December 30, 2021
    Inventors: Gal Engelberg, Dan Klein, Tomer Ram, Benny Rochwerger