Abstract: Implementations of the present disclosure include receiving analytical attack graph data representative of an analytical attack graph, the analytical attack graph including: one or more rule nodes each representing a network configuration rule; and one or more impact nodes each representing an impact of one or more respective network configuration rules; converting the analytical attack graph to a tactic graph including one or more tactic nodes, each tactic node representing at least one rule node and at least one impact node; determining one or more paths of the tactic graph that lead to a particular network impact; generating a process model based on the paths that lead to the particular network impact, the process model representing network activity for execution of a process that leads to the particular network impact; and executing one or more remedial actions based on the process model to mitigate cyber-security risk to the enterprise network.

Abstract: Implementations include a computer-implemented method for reducing cyber-security risk, comprising: selecting one or more modules for inclusion in a knowledge mesh, wherein each module is associated with a respective aspect and maintains a knowledge graph specific to the respective aspect, wherein each knowledge graph is generated using data from one or more cyber-security repositories and includes nodes and connections between the nodes; receiving a query corresponding to a first node of a first knowledge graph included in the knowledge mesh; generating a response to the query by identifying connections between the first node of the first knowledge graph and at least one node of at least one other knowledge graph included in the knowledge mesh; and identifying, based on the response to the query, one or more actions to reduce cyber-security risk.

Abstract: Implementations include a computer-implemented method for reducing cyber-security risk, comprising: accessing a knowledge mesh including a plurality of modules, wherein each module is associated with a respective aspect and maintains a knowledge graph specific to the respective aspect, wherein each knowledge graph is generated using data from one or more cyber-security repositories and includes nodes and connections between the nodes; performing an information completion process to generate connections between nodes of knowledge graphs maintained by different modules of the knowledge mesh, including performing at least one of: inheritance-based inference; natural language processing classifier-based inference; or natural language processing-based object matching inference; and identifying, using the generated connections between the nodes of the knowledge graphs, one or more actions to reduce cyber-security risk.

Abstract: Implementations include evaluating a first sub-set of rules based on a first sub-set of facts to provide a first set of impacts, evaluating including applying the first sub-set of facts to each rule using a hash join operation to determine whether a rule results in an impact, indexes of arguments of facts being used in a probe phase of the hash join operation, evaluating a second sub-set of rules using impacts of the first set of impacts to provide a second set of impacts, determining whether each goal in a set of goals has been achieved using the first set of impacts and the second set of impacts, each goal being provided as an impact, in response to determining that each goal in the set of goals has been achieved, removing paths of the AAG, each of the paths resulting in an impact that is not a goal.

Abstract: Implementations of the present disclosure include receiving analytical attack graph data representative of an analytical attack graph, the analytical attack graph including: one or more rule nodes each representing a network configuration rule; and one or more impact nodes each representing an impact of one or more respective network configuration rules; converting the analytical attack graph to a tactic graph including one or more tactic nodes, each tactic node representing at least one rule node and at least one impact node; determining one or more paths of the tactic graph that lead to a particular network impact; generating a process model based on the paths that lead to the particular network impact, the process model representing network activity for execution of a process that leads to the particular network impact; and executing one or more remedial actions based on the process model to mitigate cyber-security risk to the enterprise network.

Abstract: Implementations of the present disclosure include executing, within a computer network, multiple instances of a process, each instance including a simulation of execution of the process within the computer network, receiving session datasets representative of sessions performed during execution of each instance of the process, generating a set of session traces, each session trace representing a sequence of sessions performed during an instance of the process within the computer network, processing the set of session traces using a clustering algorithm to cluster sessions of each session trace into two or more clusters, each cluster having an associated label, and providing a process model that generically represents multiple executions of the process within the computer network, the process model comprising a sequence of labels of the two or more clusters corresponding to session traces in the set of session traces.

Abstract: Implementations include evaluating a first sub-set of rules based on a first sub-set of facts to provide a first set of impacts, evaluating including applying the first sub-set of facts to each rule using a hash join operation to determine whether a rule results in an impact, indexes of arguments of facts being used in a probe phase of the hash join operation, evaluating a second sub-set of rules using impacts of the first set of impacts to provide a second set of impacts, determining whether each goal in a set of goals has been achieved using the first set of impacts and the second set of impacts, each goal being provided as an impact, in response to determining that each goal in the set of goals has been achieved, removing paths of the AAG, each of the paths resulting in an impact that is not a goal.

Abstract: Implementations include evaluating a first sub-set of rules based on a first sub-set of facts to provide a first set of impacts, evaluating including applying the first sub-set of facts to each rule using a hash join operation to determine whether a rule results in an impact, indexes of arguments of facts being used in a probe phase of the hash join operation, evaluating a second sub-set of rules using impacts of the first set of impacts to provide a second set of impacts, determining whether each goal in a set of goals has been achieved using the first set of impacts and the second set of impacts, each goal being provided as an impact, in response to determining that each goal in the set of goals has been achieved, removing paths of the AAG, each of the paths resulting in an impact that is not a goal.

Abstract: A combination of two or more offers may be selected from a plurality of offers to be served to potential respondents, in a method performed using one or more processors in a computing system. The method of selecting may comprises receiving a request for a selection of a combination of two or more offers from the sets of offers; in response to the request: performing a series of selection operations each resulting in the selection of one offer to be included in the combination, each selection operation being carried out according to a respective model including one or more variables. The variables of the model for the second and any subsequent selection operation may include at least one selected offer from a previous selection operation. A signal identifying the selected offers may be output to cause the combination of the selected offers to be served to a respondent.

Abstract: Implementations include evaluating a first sub-set of rules based on a first sub-set of facts to provide a first set of impacts, evaluating including applying the first sub-set of facts to each rule using a hash join operation to determine whether a rule results in an impact, indexes of arguments of facts being used in a probe phase of the hash join operation, evaluating a second sub-set of rules using impacts of the first set of impacts to provide a second set of impacts, determining whether each goal in a set of goals has been achieved using the first set of impacts and the second set of impacts, each goal being provided as an impact, in response to determining that each goal in the set of goals has been achieved, removing paths of the AAG, each of the paths resulting in an impact that is not a goal.

Abstract: Implementations of the present disclosure include executing, within a computer network, multiple instances of a process, each instance including a simulation of execution of the process within the computer network, receiving session datasets representative of sessions performed during execution of each instance of the process, generating a set of session traces, each session trace representing a sequence of sessions performed during an instance of the process within the computer network, processing the set of session traces using a clustering algorithm to cluster sessions of each session trace into two or more clusters, each cluster having an associated label, and providing a process model that generically represents multiple executions of the process within the computer network, the process model comprising a sequence of labels of the two or more clusters corresponding to session traces in the set of session traces.

Abstract: A combination of two or more offers may be selected from a plurality of offers to be served to potential respondents, in a method performed using one or more processors in a computing system. The method of selecting may comprises receiving a request for a selection of a combination of two or more offers from the sets of offers; in response to the request: performing a series of selection operations each resulting in the selection of one offer to be included in the combination, each selection operation being carried out according to a respective model including one or more variables. The variables of the model for the second and any subsequent selection operation may include at least one selected offer from a previous selection operation. A signal identifying the selected offers may be output to cause the combination of the selected offers to be served to a respondent.