Patents by Inventor Steven E. Noel

Steven E. Noel has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230300032
    Abstract: Described herein are systems and methods for grouping computing devices in a computing network and predicting future communications links between computing devices for the purpose of developing a computing network microsegmentation policy. In one or more examples, the systems and methods described herein can predict future links in a computing network using a plurality of combinations of node similarity, node grouping, and link prediction methods. Each unique combination of methods can be assessed by comparing the predicted links to observed network traffic to determine the quality of the prediction. The quality of prediction can be assessed by generating F1 curves for each combination of methods. The combination with the highest quality prediction can then be selected and tuned (by adjusting a threshold associated with the combination). Once tuned, the selected combination (i.e., model) can then be used to generate and/or modify a microsegmentation policy associated with the computing network.
    Type: Application
    Filed: March 16, 2023
    Publication date: September 21, 2023
    Applicant: The MITRE Corporation
    Inventors: Steven E. NOEL, Vipin SWARUP
  • Publication number: 20230111177
    Abstract: Disclosed herein are system, method, and computer program product embodiments for creating cyber situational understanding in an operational environment. An embodiment operates by normalizing streaming cyber information for a plurality of cyberspace entities and generating cyber-graphs based on relationships between two or more of the plurality of cyberspace entities. A cyber-threat inquiry of the cyber-graphs returns potential cyber-threats that are subsequently visualized as an overlay on a corresponding operational environment.
    Type: Application
    Filed: October 7, 2021
    Publication date: April 13, 2023
    Applicant: The MITRE Corporation
    Inventors: Steven E. NOEL, Man M. Sapra, Stephen F. Purdy, Jeremy T. Martin, Mandira D. Hegde, Brianna L. Chen
  • Publication number: 20230065398
    Abstract: Methods and systems are described for assessing a computer network using a graph model. In some instances, the methods comprise: receiving data from at least one data stream of a plurality of data streams, wherein the plurality of data streams comprise computer network data provided by one or more data brokers, and wherein the data received from different data streams of the plurality comprise different data formats; converting the data received from the at least one data stream to a common data format comprising a node or an edge; updating a graph model comprising a plurality of nodes and edges stored within a graph database according to the node or edge of the converted data; and providing a user of the computer network with a visualization of a status of the computer network.
    Type: Application
    Filed: August 27, 2021
    Publication date: March 2, 2023
    Applicant: The MITRE Corporation
    Inventors: Stephen F. PURDY, Steven E. NOEL, Edward A. OVERLY, Annie T. O'ROURKE
  • Publication number: 20220414228
    Abstract: Methods and systems for translating a natural language user query into a graph database query are described. In some instances, the methods may comprise receiving a first input from a user comprising a natural language query regarding data in a graph database; processing the natural language query using a named entity recognition (NER) machine learning model to extract named entities from the natural language query and tag them according to an entity type; processing the tagged named entities using a semantic similarity algorithm to identify corresponding nodes and edges, and their associated properties, in the graph database; processing the natural language query using an intent classification machine learning model to determine a user intent for the natural language query; and applying a user intent-based template to the identified nodes and edges to formulate a graph database query that corresponds to the natural language query.
    Type: Application
    Filed: December 6, 2021
    Publication date: December 29, 2022
    Applicant: The MITRE Corporation
    Inventors: Christine M. DIFONZO, Steven E. NOEL
  • Patent number: 8719943
    Abstract: Disclosed is a system for correlating intrusion events using attack graph distances. The system includes an attack graph generator, an exploit distance calculator, an intrusion detector, an event report/exploit associator, an event graph creator, an event graph distance calculator, a correlation value calculator, and a coordinated attack analyzer. An attack graph is constructed for exploits and conditions in a network. The exploit distance calculator determines exploit distances for exploit pair(s). The intrusion detector generates events. Events are associated with exploits. Event graph distances are calculated. Correlation values are calculated for event pair(s) using event graph distances. The correlation values are analyzed using a correlation threshold to detect coordinated attacks.
    Type: Grant
    Filed: May 8, 2012
    Date of Patent: May 6, 2014
    Assignee: George Mason Intellectual Properties, Inc.
    Inventors: Steven E Noel, Sushil Jajodia, Eric B Robertson
  • Publication number: 20120227108
    Abstract: Disclosed is a system for correlating intrusion events using attack graph distances. The system includes an attack graph generator, an exploit distance calculator, an intrusion detector, an event report/exploit associator, an event graph creator, an event graph distance calculator, a correlation value calculator, and a coordinated attack analyzer. An attack graph is constructed for exploits and conditions in a network. The exploit distance calculator determines exploit distances for exploit pair(s). The intrusion detector generates events. Events are associated with exploits. Event graph distances are calculated. Correlation values are calculated for event pair(s) using event graph distances. The correlation values are analyzed using a correlation threshold to detect coordinated attacks.
    Type: Application
    Filed: May 8, 2012
    Publication date: September 6, 2012
    Inventors: Steven E. Noel, Eric B. Robertson, Sushil Jajodia
  • Patent number: 8181252
    Abstract: Disclosed is a system for correlating intrusion events using attack graph distances. The system includes an attack graph generator, an exploit distance calculator, an intrusion detector, an event report/exploit associator, an event graph creator, an event graph distance calculator, a correlation value calculator, and a coordinated attack analyzer. An attack graph is constructed for exploits and conditions in a network. The exploit distance calculator determines exploit distances for exploit pair(s). The intrusion detector generates events. Events are associated with exploits. Event graph distances are calculated. Correlation values are calculated for event pair(s) using event graph distances. The correlation values are analyzed using a correlation threshold to detect coordinated attacks.
    Type: Grant
    Filed: April 12, 2010
    Date of Patent: May 15, 2012
    Assignee: George Mason Intellectual Properties, Inc.
    Inventors: Sushil Jajodia, Steven E Noel, Eric B Robertson
  • Patent number: 7904962
    Abstract: Disclosed is a system for modeling, analyzing, and responding to network attacks. Machines are mapped to components, components are mapped to vulnerabilities, and vulnerabilities are mapped to exploits. Each of the exploits includes at least one precondition mapped to at least one postcondition. An attack graph which defines inter-exploit distances is generated using at least one of the exploits. The attack graph is aggregated. At least one hardening option is determined using the aggregated attack graph. Hardening options include applying at least one corrective measure to at least one initial condition, where the initial condition is the initial state of a precondition.
    Type: Grant
    Filed: March 10, 2006
    Date of Patent: March 8, 2011
    Assignee: George Mason Intellectual Properties, Inc.
    Inventors: Sushil Jajodia, Steven E. Noel, Pramod Kalapa, Brian C. O'Berry, Michael A. Jacobs, Eric B. Robertson, Robert G. Weierbach
  • Publication number: 20100192226
    Abstract: Disclosed is a system for correlating intrusion events using attack graph distances. The system includes an attack graph generator, an exploit distance calculator, an intrusion detector, an event report/exploit associator, an event graph creator, an event graph distance calculator, a correlation value calculator, and a coordinated attack analyzer. An attack graph is constructed for exploits and conditions in a network. The exploit distance calculator determines exploit distances for exploit pair(s). The intrusion detector generates events. Events are associated with exploits. Event graph distances are calculated. Correlation values are calculated for event pair(s) using event graph distances. The correlation values are analyzed using a correlation threshold to detect coordinated attacks.
    Type: Application
    Filed: April 12, 2010
    Publication date: July 29, 2010
    Inventors: Steven E. Noel, Eric B. Robertson, Sushil Jajodia
  • Patent number: 7735141
    Abstract: Disclosed is a system for correlating intrusion events using attack graph distances. The system includes an attack graph generator, an exploit distance calculator, an intrusion detector, an event report/exploit associator, an event graph creator, an event graph distance calculator, a correlation value calculator, and a coordinated attack analyzer. An attack graph is constructed for exploits and conditions in a network. The exploit distance calculator determines exploit distances for exploit pair(s). The intrusion detector generates events. Events are associated with exploits. Event graph distances are calculated. Correlation values are calculated for event pair(s) using event graph distances. The correlation values are analyzed using a correlation threshold to detect coordinated attacks.
    Type: Grant
    Filed: March 10, 2006
    Date of Patent: June 8, 2010
    Inventors: Steven E. Noel, Eric B. Robertson, Sushil Jajodia
  • Publication number: 20100058456
    Abstract: Embodiments of the present invention identify locations to deploy IDS sensor(s) within a network infrastructure and prioritize IDS alerts using attack graph analysis. An attack graph that describes exploitable vulnerability(ies) within a network infrastructure is aggregated into protection domains. Edge(s) that have exploit(s) between two protection domains are identified. Sets that contain edge(s) serviced by a common network traffic device are defined. Set(s) that collectively contain all of the edge(s) are selected. The common network traffic device(s) that service the selected sets are identified as the location(s) to deploy IDS sensor(s) within the network infrastructure.
    Type: Application
    Filed: August 26, 2009
    Publication date: March 4, 2010
    Inventors: Sushil Jajodia, Steven E. Noel
  • Patent number: 7627900
    Abstract: Disclosed is a framework for aggregating network attack graphs. A network may be represented as a dependency graph. Condition set(s), exploit set(s) and machine set(s) may be generated using information from the dependency graph. Exploit-condition set(s) may be generated using the condition set(s) and the exploit set(s). Machine-exploit set(s) may be generated using the exploit-condition set(s) and machine set(s).
    Type: Grant
    Filed: March 10, 2006
    Date of Patent: December 1, 2009
    Assignee: George Mason Intellectual Properties, Inc.
    Inventors: Steven E. Noel, Sushil Jajodia
  • Patent number: 7555778
    Abstract: Disclosed is a network hardening mechanism. The mechanism: generates a dependency graph from a multitude of exploits; constructs a goal conditions expression which may then be used to determine set(s) of safe network configurations. A subset of these safe network configuration sets may then be selected for implementation using hardening costs as a criterion.
    Type: Grant
    Filed: October 17, 2005
    Date of Patent: June 30, 2009
    Assignee: George Mason Intellectual Properties, Inc.
    Inventors: Steven E. Noel, Sushil Jajodia, Brian C. O'Berry, Michael A. Jacobs