Abstract: The present disclosure provides a system architecture for designing and monitoring privacy-aware services and improving privacy regulation compliance. A privacy-preserving knowledge graph (PPKG) system provides functionality for modelling and analyzing processes that use, share, or request sensitive data from users and the outcomes of such functionality may be utilized to modify the design of the processes (e.g., to improve security of the process, regulatory compliance of the process, and the like). The PPKG system may also be used to modify the process, such as to write code that may be compiled into executable form and deployed to a run-time environment. A privacy-preserving posture (PPP) system monitors the run-time environment and analyzes where processes obtain, store, and share sensitive data. The PPP system may identify run-time vulnerabilities that may pose risks with respect to the sensitive data, as well as areas where modifications could be made to improve regulatory compliance.

Abstract: Implementations include methods, systems, computer-readable storage medium for compiling ontologies. A method for providing a composite ontology from a plurality of base ontologies, each ontology being provided as a computer-readable data structure, includes: identifying a plurality of base ontologies; and combining the plurality of base ontologies to generate a composite ontology by, automatically: comparing entity names of classes of a first base ontology to classes of a second base ontology, and determining that an entity name of a first class of the first base ontology matches an entity name of a second class of the second base ontology, and in response, providing a class within the composite ontology that represents the first class and the second class at least partially by determining a union of data properties, object properties, and cardinality restrictions of the first class and the second class for the class.

Abstract: Implementations of the present disclosure include providing a graph representative of a network, a set of nodes representing respective assets, each edge representing one or more lateral paths between assets, the graph data including configurations affecting at least one impact that has an effect on an asset, determining multiple sets of fixes for configurations, each fix having a cost associated therewith, incorporating fix data of the sets of fixes into the graph, defining a set of fixes including one or more fixes from the multiple sets of fixes by defining an optimization problem that identifies one or more impacts that are to be nullified and executing resolving the optimization problem to define the set of fixes, each fix in the set of fixes being associated with a respective configuration in the graph, and scheduling performance of each fix in the set of fixes based on one or more operational constraints.

Abstract: Methods, systems, and computer-readable storage media for receiving data representative of a physical entity, generating an initial knowledge graph representative of a process that is executed by the physical entity based on the data, enriching the initial knowledge graph to provide a process aware energy consumption (PAEC) digital twin of the process as an enriched knowledge graph, providing at least two permutations based on the PAEC digital twin, executing analytics at least partially based on the at least two permutations to provide one or more recommendations, and executing at least one recommendation to optimize energy consumption of the physical entity.

Abstract: Implementations of the present disclosure include providing graph data defining a graph that is representative of an enterprise network, the graph including nodes and edges between nodes, each node representing an asset within the enterprise network, and each edge representing one or more lateral attack paths between assets in the enterprise network, determining, for each node, an incoming value based on attributes of a set of incoming edges and an outgoing value based on attributes of a set of outgoing edges, the attributes including a number of edges and semantic types of the edges, at least one cardinality value of each node being determined based on one or more of the incoming value and the outgoing value of the node, receiving input representative of filter parameters, generating a sub-graph based on attributes of the nodes and the filter parameters, and displaying, by the visualization platform, the sub-graph in a display.

Abstract: Implementations of the present disclosure include providing, by a security platform, graph data defining a graph that is representative of an enterprise network, the graph including nodes and edges between nodes, a set of nodes representing respective assets within the enterprise network, and a node representing a process executed within a system of the enterprise, each edge representing at least a portion of one or more lateral paths between assets in the enterprise network, determining, for each asset, a contribution value indicating a contribution of a respective asset to operation of the process, determining, for each asset, an impact value based on a total value of the process and a respective contribution value of the asset, and implementing one or more remediations based on a set of impact values determined for the assets, each remediation mitigating a cyber-security risk within the enterprise network.

Abstract: Implementations of the present disclosure include providing a graph that is representative of an enterprise network and includes nodes and edges, a set of nodes representing assets within the enterprise network, each edge representing a lateral movement path between assets, determining, for each asset, a contribution value indicating a contribution of an asset, determining lateral movements paths between a first asset and a second asset, providing a lateral movement path value representative of a difficulty in traversing a respective lateral movement path, identifying a set of remediations based on remediations defined for one or more vulnerabilities associated with issues identified for assets, each remediation mitigating a cyber-security risk within the enterprise network, and prioritizing the two or more remediations based on contribution values of assets, lateral movement path values of paths, and one of lateral movement complexity values of respective segments of paths and costs of respective remediation

Abstract: Implementations are directed to methods, systems, and apparatus for ontology-based risk propagation over digital twins. Actions include obtaining knowledge graph data defining a knowledge graph including nodes and edges between the nodes, the nodes including asset nodes representing assets and process nodes representing processes; each edge representing a relation between nodes; determining, from the knowledge graph, an aggregated risk for a first process represented by a first process node, including: identifying, for the first process node, a set of incoming nodes, each incoming node comprising an asset node or a process node and being connected to the first process node by a respective edge; determining a direct risk for the first process; and determining an indirect risk for the first process; and generating, based on the aggregated risk for the first process node, a mitigation recommendation including actions for reducing the aggregated risk for the first process node.

Abstract: Implementations of the present disclosure include receiving, from an agile security platform, attack graph (AG) data representative of one or more AGs, each AG representing one or more lateral paths within an enterprise network for reaching a target asset from one or more assets within the enterprise network, processing, by a security platform, data from one or more data sources to selectively generate at least one event, the at least one event representing a potential security risk within the enterprise network, and selectively generating, within the security platform, an alert representing the at least one event, the alert being associated with a priority within a set of alerts, the priority being is based on the AG data.

Abstract: Implementations include receiving an AAG that at least partially defines a digital twin of an enterprise network and includes rule nodes each representing an attack tactic that can be used to move along a path, determining security controls each mitigating at least one rule node, executing an iteration of a simulation of a sub-set of security controls in the enterprise network, the iteration including: for each security control in the set of security controls, determining, an influence score that represents a change in a security risk from implementing the security control and a rule distribution, defining the sub-set of security controls based on the first influence scores, and reducing the AAG based on the sub-set of security controls to provide a residual AAG, determining a decrease in a graph risk value and the first AAG, and selectively implementing the sub-set of security controls in the enterprise network.

Abstract: Implementations include obtaining a knowledge graph comprising a computer-readable data structure and including nodes and connections between the nodes, the nodes including: data nodes each representing a computational resource, analysis nodes each representing an analysis, and source nodes each representing a source of a data element; and determining, using the knowledge graph, an access strategy and a synchronization strategy for performing an analysis, by, automatically: identifying a first source node representing a source of a data element on which the analysis is to be performed, identifying a first data node representing a computational resource on which the analysis is to run, identifying a second data node representing a computational resource on which the data element is to reside, determining the access strategy between the first source node and the second data node, and determining the synchronization strategy between the first data node and the second data node.

Abstract: Implementations include systems and methods for decoupling ontologies in distributed data mesh. A computer-implemented method includes obtaining imported information indicating computational resources, requested analyses, and data ontology; creating, from the imported information, a knowledge graph as a computer-readable data structure including nodes and connections between the nodes, the nodes including: data nodes, each data node representing a computational resource, analysis nodes, each analysis node representing a requested analysis, and ontology nodes, each ontology node representing an axiom of the data ontology; generating, from the knowledge graph, a functional data mesh as a computer-readable data structure that identifies computational resources to perform the requested analyses; validating states of the functional data mesh to determine a recommended configuration; and exporting a distributed data mesh based on the recommended configuration.

Abstract: Implementations are directed to an agile security platform for enterprise-wide cyber-security and performing actions of receiving, from an agile security platform, analytical attack graph (AAG) data representative of one or more AAGs, each AAG representing one or more lateral paths within an enterprise network for reaching a target asset from one or more assets within the enterprise network, determining, for each instance of a plurality of instances of the AAG, a graph value representing a measure of hackability of the enterprise network at respective times, providing a profile of the enterprise network based on a set of graph values determined for instances of the AAG, the profile representing changes in graph values over time, determining an effectiveness of one or more security controls based on the profile, and selectively executing one or more remedial actions in response to the effectiveness.

Abstract: Implementations include receiving graph data representative of a process-aware analytical attack graph (AAG) representing paths within an enterprise network with respect to observed facts of the enterprise network, the process-aware AAG at least partially defining a digital twin of the enterprise network, receiving data indicating at least one non-observed fact of the enterprise network, generating, from the graph data and the received data, an augmented process-aware AAG representing paths within the enterprise network with respect to the observed facts and the at least one non-observed fact, determining, by a process-aware risk assessment module, a risk assessment based on the augmented process-aware AAG, and providing, by a mitigation simulator module, a mitigation list based on the process-aware AAG and the risk assessment, the mitigation list comprising a prioritized list of observed facts of the process-aware AAG.

Abstract: Implementations include distributed data nodes for flexible data mesh architectures. A method includes obtaining first configuration data for a data mesh including a plurality of data nodes, wherein each data node of the plurality of data nodes is configured to receive instructions and perform operations based on the instructions, the operations including processing input data and producing output data; simulating operations of the data mesh to generate simulation results using the first configuration data; determining, based on the simulation results, that the first configuration data satisfies criteria for configuring the data mesh; generating, from the first configuration data and based on the simulation results, a set of instructions for the plurality of data nodes of the data mesh; and configuring the data mesh based on the first configuration data by deploying the set of instructions to the plurality of data nodes of the data mesh.

Abstract: Methods, systems, and computer-readable storage media for receiving data representative of a physical entity, generating an initial knowledge graph representative of a process that is executed by the physical entity based on the data, enriching the initial knowledge graph to provide a process aware energy consumption (PAEC) digital twin of the process as an enriched knowledge graph, providing at least two permutations based on the PAEC digital twin, executing analytics at least partially based on the at least two permutations to provide one or more recommendations, and executing at least one recommendation to optimize energy consumption of the physical entity.

Abstract: Implementations of the present disclosure include executing, within a computer network, multiple instances of a process, each instance including a simulation of execution of the process within the computer network, receiving session datasets representative of sessions performed during execution of each instance of the process, generating a set of session traces, each session trace representing a sequence of sessions performed during an instance of the process within the computer network, processing the set of session traces using a clustering algorithm to cluster sessions of each session trace into two or more clusters, each cluster having an associated label, and providing a process model that generically represents multiple executions of the process within the computer network, the process model comprising a sequence of labels of the two or more clusters corresponding to session traces in the set of session traces.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for reducing carbon emission debt. A method includes actions of obtaining candidate cloud deployment architectures; obtaining a set of requirements for quality attributes, each requirement corresponding to a respective quality attribute of the candidate cloud deployment architectures; selecting, from the candidate cloud deployment architectures, a particular cloud deployment architecture for implementation based on the set of requirements for the quality attributes; determining a wasted carbon emission debt for the particular cloud deployment architecture; selecting a requirement corresponding to a particular quality attribute to adjust based on the wasted carbon emission debt; and providing, for output, an adjusted requirement corresponding to the particular quality attribute. The wasted carbon emission debt includes a difference between the actual carbon emission debt and the theoretical carbon emission debt.

Abstract: Implementations of the present disclosure include providing, by a security platform, graph data defining a graph that is representative of an enterprise network, the graph including nodes and edges between nodes, a set of nodes representing respective assets within the enterprise network, and a node representing a process executed within a system of the enterprise, each edge representing at least a portion of one or more lateral paths between assets in the enterprise network, determining, for each asset, a contribution value indicating a contribution of a respective asset to operation of the process, determining, for each asset, an impact value based on a total value of the process and a respective contribution value of the asset, and implementing one or more remediations based on a set of impact values determined for the assets, each remediation mitigating a cyber-security risk within the enterprise network.

Abstract: Implementations of the present disclosure include providing a graph representative of a network, a set of nodes representing respective assets, each edge representing one or more lateral paths between assets, the graph data including configurations affecting at least one impact that has an effect on an asset, determining multiple sets of fixes for configurations, each fix having a cost associated therewith, incorporating fix data of the sets of fixes into the graph, defining a set of fixes including one or more fixes from the multiple sets of fixes by defining an optimization problem that identifies one or more impacts that are to be nullified and executing resolving the optimization problem to define the set of fixes, each fix in the set of fixes being associated with a respective configuration in the graph, and scheduling performance of each fix in the set of fixes based on one or more operational constraints.