Abstract: Implementations include a computer-implemented method for reducing cyber-security risk, comprising: accessing a knowledge mesh including a plurality of modules, wherein each module is associated with a respective aspect and maintains a knowledge graph specific to the respective aspect, wherein each knowledge graph is generated using data from one or more cyber-security repositories and includes nodes and connections between the nodes; performing an information completion process to generate connections between nodes of knowledge graphs maintained by different modules of the knowledge mesh, including performing at least one of: inheritance-based inference; natural language processing classifier-based inference; or natural language processing-based object matching inference; and identifying, using the generated connections between the nodes of the knowledge graphs, one or more actions to reduce cyber-security risk.

Abstract: Malicious threat detection through time-series graph analysis, in which a data analysis device receives a data file comprising multiple log data entries. The log data entries include parameters associated with a computer network event in a computing network. The data analysis device produces a graphical model of the computing network based on at least one parameter included in the log data. The data analysis device also identifies a parameter associated with a node of the computer network represented by the graphical model, and performs a time-series analysis on the parameter. The data analysis device further determines, based on the time-series analysis on the parameter, at least one of an anomalous event associated with the computing network or a malicious event associated with the computing network.

Abstract: Graph database analysis for network anomaly detection systems, in which a data analysis device receives multiple log data entries including parameters associated with a computer network event in a computing network. The data analysis device extracts one or more parameters in real-time and generates a network event graph based on at least one of a first graph metric or a second graph metric. The first and second graph metrics are based on the one or more extracted parameters. The data analysis device detects, based on queries performed on the network event graph, at least one of an anomalous event associated with the computing network or a malicious event associated with the computing network.

Abstract: Identification of malicious network domains through use of links analysis of graph representation of network activity, such as a bipartite graphs. An example method includes setting an initial reputation score for each of a plurality of host computers and each of a plurality of domains accessed by the plurality of host computers; until a predefined condition is satisfied, iteratively rescoring the reputation scores for each of the plurality of host computers based upon the reputation scores of the plurality of domains; and rescoring the reputation scores for each of the plurality of domains based upon the reputation scores of the plurality of host computers; and determining, based upon the rescored reputation scores for each of the plurality of host computers and the rescored reputation scores for each of the plurality of domains, whether one or more domains amongst the plurality of domains are exhibiting malicious behavior.

Abstract: Graph database analysis for network anomaly detection systems, in which a data analysis device receives multiple log data entries including parameters associated with a computer network event in a computing network. The data analysis device extracts one or more parameters in real-time and generates a network event graph based on at least one of a first graph metric or a second graph metric. The first and second graph metrics are based on the one or more extracted parameters. The data analysis device detects, based on queries performed on the network event graph, at least one of an anomalous event associated with the computing network or a malicious event associated with the computing network.

Abstract: Malicious threat detection through time-series graph analysis, in which a data analysis device receives a data file comprising multiple log data entries. The log data entries include parameters associated with a computer network event in a computing network. The data analysis device produces a graphical model of the computing network based on at least one parameter included in the log data. The data analysis device also identifies a parameter associated with a node of the computer network represented by the graphical model, and performs a time-series analysis on the parameter. The data analysis device further determines, based on the time-series analysis on the parameter, at least one of an anomalous event associated with the computing network or a malicious event associated with the computing network.

Abstract: Graph database analysis for network anomaly detection systems, in which a data analysis device receives multiple log data entries including parameters associated with a computer network event in a computing network. The data analysis device extracts one or more parameters in real-time and generates a network event graph based on at least one of a first graph metric or a second graph metric. The first and second graph metrics are based on the one or more extracted parameters. The data analysis device detects, based on queries performed on the network event graph, at least one of an anomalous event associated with the computing network or a malicious event associated with the computing network.

Abstract: Malicious threat detection through time-series graph analysis, in which a data analysis device receives a data file comprising multiple log data entries. The log data entries include parameters associated with a computer network event in a computing network. The data analysis device produces a graphical model of the computing network based on at least one parameter included in the log data. The data analysis device also identifies a parameter associated with a node of the computer network represented by the graphical model, and performs a time-series analysis on the parameter. The data analysis device further determines, based on the time-series analysis on the parameter, at least one of an anomalous event associated with the computing network or a malicious event associated with the computing network.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for implementing deception networks. One of the systems includes a threat information server configured to monitor and control security threats, a management process orchestration server configured to receive one or more identified security threats from the threat information server and develop a response process applicable to each identified security threat, a network switching controller in communication with one or more network switching devices, a target computing device connected to one of the network switching devices, and an indicator analytics processor configured to generate threat intelligence based on activity observed on the target device and provide the observed threat intelligence to the threat information server. The threat information server can receive threat intelligence information, identify key indicators, and generate identified security threats.

Abstract: Identification of malicious network domains through use of links analysis of graph representation of network activity, such as a bipartite graphs. An example method includes setting an initial reputation score for each of a plurality of host computers and each of a plurality of domains accessed by the plurality of host computers; until a predefined condition is satisfied, iteratively rescoring the reputation scores for each of the plurality of host computers based upon the reputation scores of the plurality of domains; and rescoring the reputation scores for each of the plurality of domains based upon the reputation scores of the plurality of host computers; and determining, based upon the rescored reputation scores for each of the plurality of host computers and the rescored reputation scores for each of the plurality of domains, whether one or more domains amongst the plurality of domains are exhibiting malicious behavior.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for implementing deception networks. One of the systems includes a threat information server configured to monitor and control security threats, a management process orchestration server configured to receive one or more identified security threats from the threat information server and develop a response process applicable to each identified security threat, a network switching controller in communication with one or more network switching devices, a target computing device connected to one of the network switching devices, and an indicator analytics processor configured to generate threat intelligence based on activity observed on the target device and provide the observed threat intelligence to the threat information server. The threat information server can receive threat intelligence information, identify key indicators, and generate identified security threats.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for identifying network security risks. One of the methods includes receiving organizational hierarchy data and receiving access privilege data for a network, generating an adjacency matrix that represents connections between individuals within the organizational hierarchy and various groups, and that represents connections between the individuals and various access privileges, selecting an analytic technique for analyzing the adjacency matrix, determining, for each individual, an individual score that represents a security risk associated with the individual's network account, and in response to determining that the individual score meets a threshold, applying security controls.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for identifying network security risks. One of the methods includes receiving organizational hierarchy data and receiving access privilege data for a network, generating an adjacency matrix that represents connections between individuals within the organizational hierarchy and various groups, and that represents connections between the individuals and various access privileges, selecting an analytic technique for analyzing the adjacency matrix, determining, for each individual, an individual score that represents a security risk associated with the individual's network account, and in response to determining that the individual score meets a threshold, applying security controls.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for implementing a response to one or more security incidents in a computing network. One of the methods includes identifying a security incident based on detecting one or more indicators of compromise associated with the security incident, comparing the security incident with a predefined ontology that maps the security incident to one or more courses of action, selecting a response strategy that includes one or more of the courses of action, and implementing the response strategy as an automated response.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for analyzing threat intelligence information. One of the methods includes receiving by a threat information server, threat intelligence information from one or more intelligence feeds and generating one or more identified security threats, identifying a compromise by a management process orchestration server and retrieving information from the threat information server and identifying one or more actions to be performed, determining by an indicator analytics processor, a composite credibility based on the actions, and determining one or more components for profiling and determining indicators of compromise for each component, and communicating the indicators of compromise to the management process orchestration server.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining network related anomaly scores. One of the methods includes generating a network map including at least a plurality of network nodes and a plurality of edges that indicate communications paths between the plurality of network nodes, obtaining first data indicating network activity over the edges and between the plurality of network nodes for a first time period, generating a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map and the first data, obtaining second data indicating network activity over the edges and between the plurality of network nodes for a second time period, and determining an anomaly score using a comparison between the second data and the model of expected network activity.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for identifying network security risks. One of the methods includes receiving organizational hierarchy data and receiving access privilege data for a network, generating an adjacency matrix that represents connections between individuals within the organizational hierarchy and various groups, and that represents connections between the individuals and various access privileges, selecting an analytic technique for analyzing the adjacency matrix, determining, for each individual, an individual score that represents a security risk associated with the individual's network account, and in response to determining that the individual score meets a threshold, applying security controls.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for implementing a response to one or more security incidents in a computing network. One of the methods includes identifying a security incident based on detecting one or more indicators of compromise associated with the security incident, comparing the security incident with a predefined ontology that maps the security incident to one or more courses of action, selecting a response strategy that includes one or more of the courses of action, and implementing the response strategy as an automated response.

Abstract: Malicious threat detection through time-series graph analysis, in which a data analysis device receives a data file comprising multiple log data entries. The log data entries include parameters associated with a computer network event in a computing network. The data analysis device produces a graphical model of the computing network based on at least one parameter included in the log data. The data analysis device also identifies a parameter associated with a node of the computer network represented by the graphical model, and performs a time-series analysis on the parameter. The data analysis device further determines, based on the time-series analysis on the parameter, at least one of an anomalous event associated with the computing network or a malicious event associated with the computing network.

Abstract: Graph database analysis for network anomaly detection systems, in which a data analysis device receives multiple log data entries including parameters associated with a computer network event in a computing network. The data analysis device extracts one or more parameters in real-time and generates a network event graph based on at least one of a first graph metric or a second graph metric. The first and second graph metrics are based on the one or more extracted parameters. The data analysis device detects, based on queries performed on the network event graph, at least one of an anomalous event associated with the computing network or a malicious event associated with the computing network.