Abstract: Implementations include methods, systems, computer-readable storage medium for mitigating cyber security risk of an enterprise network. A method includes: receiving an initial analytic attack graph (AAG) that is representative of paths within the enterprise network with respect to at least one target asset, the initial AAG comprising nodes and edges between the nodes; identifying, from the nodes of the initial AAG, a plurality of node groups, each node group including two or more nodes having at least one common attribute; generating an abstract AAG from the initial AAG, the abstract AAG including at least one abstract node, wherein each node group of the initial AAG is represented by a respective abstract node of the abstract AAG; determining a set of remedial actions at least partially based on the abstract AAG; and executing remedial actions in the set of remedial actions to reduce a cyber security risk to the enterprise network.

Abstract: Implementations include methods, systems, computer-readable storage medium for generating ontologies from programmatic specifications. A method includes receiving data indicating a configuration for a data crawler; extracting, by the data crawler, representations of a subset of programmatic specifications; generating a knowledge graph model of the subset of the programmatic specifications; refining the knowledge graph model by classifying nodes in the knowledge graph model to obtain a refined knowledge graph model; and generating an ontology from the refined knowledge graph model. Refining the knowledge graph model comprises: iteratively classifying nodes of the knowledge graph model and refining the knowledge graph model based on the classifications of the nodes to obtain the refined knowledge graph model. the programmatic specifications include application programming interface specifications or databases of tables.

Abstract: Implementations include a computer-implemented method for mitigating cyber security risk of an enterprise network, the method comprising: receiving an analytical attack graph (AAG) representing paths within the enterprise network with respect to at least one target asset, the AAG defining a digital twin of the enterprise network and comprising a set of rule nodes, each rule node representing an attack tactic that can be used to move along a path of the AAG; integrating the AAG with a knowledge graph comprising a set of asset nodes, each asset node representing a digital asset that can be affected by one or more of the attack tactics; determining, based on integrating the AAG with the knowledge graph, a plurality of security controls, each security control having an assigned priority value; and selectively implementing the security controls in the enterprise network based on the assigned priority values of the security controls.

Abstract: Methods, systems, and computer-readable storage media for receiving data representative of two or more AAGs, providing an identifier for each element of each of the two or more AAGs, each identifier being unique within a respective AAG, at least one identifier being non-unique between the two or more AAGs, determining an attribute value for each element of each of the two or more AAGs, storing attribute value to element mappings in an attribute dictionary, providing a differenced AAG based on the attribute value to element mappings in the attribute dictionary, determining a set of remedial actions at least partially based on the differenced AAG, and executing one or more remedial actions in the set of remedial actions to reduce a cyber security risk to the enterprise network.