Abstract: A cyber security restoration engine prioritizes nodes in a graph of nodes in a computer network or system that are involved in a cyber attack for remediation actions. The cyber security restoration engine performs this prioritization by, for each node, determining one or more edges linking the node to other nodes in the graph, the edges representing interactions between two nodes; obtaining metadata indicative of a type of interaction between two nodes connected by the edge and the roles of the two nodes in that interaction; determining how severe the interaction represented by that edge is within the context of the cyber attack, based on the metadata of that edge; and determining a severity score for the node by combining the severity score for each of the one or more edges connected to the node. The cyber security restoration engine prioritizes nodes for remediation action based on the severity scores for the nodes.

Abstract: A cyber security system includes an importance node module to compute and use graphs to compute an importance of a node based on factors including a hierarchy and a job title of the user, aggregated account privileges from network domains and a level of shared resource access for the user. The graphs are supplied into an attack path modeling component to understand an importance of the network nodes and determine key pathways within the network that a cyber-attack would use, via a modeling the cyber-attack on a simulated and a virtual device version of the network. The cyber security system provides an intelligent prioritization of remediation action to a remediation suggester module to analyze results of the modeling the cyber-attack for each node and suggest how to perform intelligent prioritization of remediation action on a network node in one of a report and an autonomous remediation action.

Abstract: An apparatus may include a set of modules and artificial intelligence models to detect a cyber incident, a simulator to simulate an actual cyber attack of the cyber incident on a network including physical devices being protected by the set of modules and artificial intelligence models; and a feedback loop between i) the set of modules and artificial intelligence models and ii) the simulator, during an ongoing detected cyber incident. An attack path modeling module is configured to feed details of the detected incident by a cyber threat module into an input module of the simulator, and to run one or more hypothetical simulations of that detected incident in order to predict and control an autonomous response to the detected incident. Any software instructions forming part of the set of modules, the artificial intelligence models, and the simulator are stored in an executable form in memories and executed by processors.