Abstract: A cloud network is a complex environment in which hundreds and thousands of users or entities can each host, create, modify, and develop multiple virtual machines. Each virtual machine can have complex behavior unknown to the provider or maintainer of the cloud. Technologies disclosed include methods, systems, and apparatuses to monitor the complex environment to detect network anomalies using machine learning techniques. In addition, techniques to modify and adapt to user feedback are provided allowing the developed models to be tuned for specific use cases, virtual machine types, and users.

Abstract: Implementations of the present disclosure include receiving analytical attack graph data representative of an analytical attack graph, the analytical attack graph including: one or more rule nodes each representing a network configuration rule; and one or more impact nodes each representing an impact of one or more respective network configuration rules; converting the analytical attack graph to a tactic graph including one or more tactic nodes, each tactic node representing at least one rule node and at least one impact node; determining one or more paths of the tactic graph that lead to a particular network impact; generating a process model based on the paths that lead to the particular network impact, the process model representing network activity for execution of a process that leads to the particular network impact; and executing one or more remedial actions based on the process model to mitigate cyber-security risk to the enterprise network.

Abstract: Methods, systems, and computer-readable storage media for receiving data representative of a physical entity, generating an initial knowledge graph representative of a process that is executed by the physical entity based on the data, enriching the initial knowledge graph to provide a process aware energy consumption (PAEC) digital twin of the process as an enriched knowledge graph, providing at least two permutations based on the PAEC digital twin, executing analytics at least partially based on the at least two permutations to provide one or more recommendations, and executing at least one recommendation to optimize energy consumption of the physical entity.

Abstract: Methods, systems, and computer-readable storage media for receiving a AAG from computer-readable memory, generating from logical network ontology data, asset inventory data, and asset communication data, a logical topology of the enterprise network as a computer-readable data structure, defining, at least partially by executing community detection over the logical topology, a sub-set of groups within the enterprise network, each group representing a process of a plurality of process, each process being at least partially executed by one or more assets within the enterprise network, processing the AAG based on the sub-set of groups and data from one or more contextual data sources to provide the process aware AAG, the process aware AAG defining a mapping between an infrastructure-layer of the enterprise network and a process-layer of the enterprise network, and executing one or more remedial actions in the enterprise network in response to analytics executed on the process aware AAG.

Abstract: Implementations include a computer-implemented method for reducing cyber-security risk, comprising: accessing a knowledge mesh including a plurality of modules, wherein each module is associated with a respective aspect and maintains a knowledge graph specific to the respective aspect, wherein each knowledge graph is generated using data from one or more cyber-security repositories and includes nodes and connections between the nodes; performing an information completion process to generate connections between nodes of knowledge graphs maintained by different modules of the knowledge mesh, including performing at least one of: inheritance-based inference; natural language processing classifier-based inference; or natural language processing-based object matching inference; and identifying, using the generated connections between the nodes of the knowledge graphs, one or more actions to reduce cyber-security risk.

Abstract: Implementations include a computer-implemented method for reducing cyber-security risk, comprising: selecting one or more modules for inclusion in a knowledge mesh, wherein each module is associated with a respective aspect and maintains a knowledge graph specific to the respective aspect, wherein each knowledge graph is generated using data from one or more cyber-security repositories and includes nodes and connections between the nodes; receiving a query corresponding to a first node of a first knowledge graph included in the knowledge mesh; generating a response to the query by identifying connections between the first node of the first knowledge graph and at least one node of at least one other knowledge graph included in the knowledge mesh; and identifying, based on the response to the query, one or more actions to reduce cyber-security risk.

Abstract: Implementations are directed to methods, systems, and apparatus for ontology-based risk propagation over digital twins. Actions include obtaining knowledge graph data defining a knowledge graph including nodes and edges between the nodes, the nodes including asset nodes representing assets and process nodes representing processes; each edge representing a relation between nodes; determining, from the knowledge graph, an aggregated risk for a first process represented by a first process node, including: identifying, for the first process node, a set of incoming nodes, each incoming node comprising an asset node or a process node and being connected to the first process node by a respective edge; determining a direct risk for the first process; and determining an indirect risk for the first process; and generating, based on the aggregated risk for the first process node, a mitigation recommendation including actions for reducing the aggregated risk for the first process node.

Abstract: Implementations include methods, systems, computer-readable storage medium for generating ontologies from programmatic specifications. A method includes receiving data indicating a configuration for a data crawler; extracting, by the data crawler, representations of a subset of programmatic specifications; generating a knowledge graph model of the subset of the programmatic specifications; refining the knowledge graph model by classifying nodes in the knowledge graph model to obtain a refined knowledge graph model; and generating an ontology from the refined knowledge graph model. Refining the knowledge graph model comprises: iteratively classifying nodes of the knowledge graph model and refining the knowledge graph model based on the classifications of the nodes to obtain the refined knowledge graph model. the programmatic specifications include application programming interface specifications or databases of tables.

Abstract: Implementations include receiving graph data representative of a process-aware analytical attack graph (AAG) representing paths within an enterprise network with respect to observed facts of the enterprise network, the process-aware AAG at least partially defining a digital twin of the enterprise network, receiving data indicating at least one non-observed fact of the enterprise network, generating, from the graph data and the received data, an augmented process-aware AAG representing paths within the enterprise network with respect to the observed facts and the at least one non-observed fact, determining, by a process-aware risk assessment module, a risk assessment based on the augmented process-aware AAG, and providing, by a mitigation simulator module, a mitigation list based on the process-aware AAG and the risk assessment, the mitigation list comprising a prioritized list of observed facts of the process-aware AAG.

Abstract: Implementations include a computer-implemented method for mitigating cyber security risk of an enterprise network, the method comprising: receiving an analytical attack graph (AAG) representing paths within the enterprise network with respect to at least one target asset, the AAG defining a digital twin of the enterprise network and comprising a set of rule nodes, each rule node representing an attack tactic that can be used to move along a path of the AAG; integrating the AAG with a knowledge graph comprising a set of asset nodes, each asset node representing a digital asset that can be affected by one or more of the attack tactics; determining, based on integrating the AAG with the knowledge graph, a plurality of security controls, each security control having an assigned priority value; and selectively implementing the security controls in the enterprise network based on the assigned priority values of the security controls.

Abstract: Implementations of the present disclosure include receiving analytical attack graph data representative of an analytical attack graph, the analytical attack graph including: one or more rule nodes each representing a network configuration rule; and one or more impact nodes each representing an impact of one or more respective network configuration rules; converting the analytical attack graph to a tactic graph including one or more tactic nodes, each tactic node representing at least one rule node and at least one impact node; determining one or more paths of the tactic graph that lead to a particular network impact; generating a process model based on the paths that lead to the particular network impact, the process model representing network activity for execution of a process that leads to the particular network impact; and executing one or more remedial actions based on the process model to mitigate cyber-security risk to the enterprise network.

Abstract: Methods, systems, and computer-readable storage media for receiving data representative of a physical entity, generating an initial knowledge graph representative of a process that is executed by the physical entity based on the data, enriching the initial knowledge graph to provide a process aware energy consumption (PAEC) digital twin of the process as an enriched knowledge graph, providing at least two permutations based on the PAEC digital twin, executing analytics at least partially based on the at least two permutations to provide one or more recommendations, and executing at least one recommendation to optimize energy consumption of the physical entity.

Abstract: Methods, systems, and computer-readable storage media for receiving a process aware AAG from computer-readable memory, the process aware AAG having been generated from the AAG, processing the process aware AAG to consolidate asset nodes to group nodes at least partially by providing metadata describing an asset node to a set of properties of a group node and pruning the asset node and any child nodes of the asset node from the process aware AAG, providing the aggregation graph by identifying relationships between group nodes and, for each relationship, inserting an edge between group nodes, and aggregating one or more of a set of node properties and a set of edge properties for each group node or edge, respectively, storing the aggregation graph to computer-readable memory, and executing one or more remedial actions in the enterprise network in response to analytics executed on the aggregation graph.

Abstract: Implementations of the present disclosure include executing, within a computer network, multiple instances of a process, each instance including a simulation of execution of the process within the computer network, receiving session datasets representative of sessions performed during execution of each instance of the process, generating a set of session traces, each session trace representing a sequence of sessions performed during an instance of the process within the computer network, processing the set of session traces using a clustering algorithm to cluster sessions of each session trace into two or more clusters, each cluster having an associated label, and providing a process model that generically represents multiple executions of the process within the computer network, the process model comprising a sequence of labels of the two or more clusters corresponding to session traces in the set of session traces.

Abstract: Implementations are directed to receiving graph data representative of a process-aware AAG that is representative of potential lateral movement of adversaries within a computer network, receiving risk profile data representative of a risk profile of an enterprise with respect to two or more risk aspects, generating, by a process-aware risk assessment module, a risk assessment based on the process-aware AAG and the risk profile, and generating, by a mitigation simulator module, a mitigation list based on the process-aware AAG, the risk profile, and the risk assessment, the mitigation list comprising a prioritized list of two or more facts of the process-aware AAG. Other implementations of this aspect include corresponding systems, apparatus, and computer programs, configured to perform the actions of the methods, encoded on computer storage devices.

Abstract: Implementations of the present disclosure include executing, within a computer network, multiple instances of a process, each instance including a simulation of execution of the process within the computer network, receiving session datasets representative of sessions performed during execution of each instance of the process, generating a set of session traces, each session trace representing a sequence of sessions performed during an instance of the process within the computer network, processing the set of session traces using a clustering algorithm to cluster sessions of each session trace into two or more clusters, each cluster having an associated label, and providing a process model that generically represents multiple executions of the process within the computer network, the process model comprising a sequence of labels of the two or more clusters corresponding to session traces in the set of session traces.

Abstract: Methods, systems, and computer-readable storage media for receiving a AAG from computer-readable memory, generating from logical network ontology data, asset inventory data, and asset communication data, a logical topology of the enterprise network as a computer-readable data structure, defining, at least partially by executing community detection over the logical topology, a sub-set of groups within the enterprise network, each group representing a process of a plurality of process, each process being at least partially executed by one or more assets within the enterprise network, processing the AAG based on the sub-set of groups and data from one or more contextual data sources to provide the process aware AAG, the process aware AAG defining a mapping between an infrastructure-layer of the enterprise network and a process-layer of the enterprise network, and executing one or more remedial actions in the enterprise network in response to analytics executed on the process aware AAG.

Abstract: Methods, systems, and computer-readable storage media for receiving a process aware AAG from computer-readable memory, the process aware AAG having been generated from the AAG, processing the process aware AAG to consolidate asset nodes to group nodes at least partially by providing metadata describing an asset node to a set of properties of a group node and pruning the asset node and any child nodes of the asset node from the process aware AAG, providing the aggregation graph by identifying relationships between group nodes and, for each relationship, inserting an edge between group nodes, and aggregating one or more of a set of node properties and a set of edge properties for each group node or edge, respectively, storing the aggregation graph to computer-readable memory, and executing one or more remedial actions in the enterprise network in response to analytics executed on the aggregation graph.