| CPC H04L 63/1433 (2013.01) | 20 Claims |

1. An apparatus, comprising:
an importance node module configured to compute, via a mathematical function and use of one or more graphs, an importance of a network node in the one or more graphs based on at least two or more factors that at least include a hierarchy of a user in an organization, a job title of the user in the organization, aggregated account privileges from multiple different network domains for the user, and a level of shared resource access for the user, where the importance node module is further configured to supply the one or more graphs as input into an attack path modeling component, where network nodes in a network include both network devices as well as user accounts,
where the attack path modeling component is configured to i) understand the importance of a particular network node in the network compared to other network nodes in the network, and ii) determine key pathways within the network and associated vulnerable network nodes in the network that a cyber-attack would use during the cyber-attack, via a modeling of the cyber-attack with at least one of 1) a cyber threat attack simulator and 2) a clone network created in a virtual machine environment of the network under analysis, where the attack path modeling component is configured to understand the importance of the network nodes in the network compared to the other network nodes in the network based on the supplied graph input from the importance node module;
where the importance node module and the attack path modeling component are configured to cooperate to analyze the importance of the network nodes in the network compared to other network nodes in the network, and the key pathways within the network and the vulnerable network nodes in the network that the cyber-attack would use during the cyber-attack in order to provide an intelligent prioritization of a remediation action to remediate the cyber-attack for a first network node from the network protected by an Artificial Intelligence (AI) based cyber security system;
a remediation suggester module configured to cooperate with the attack path modeling component to analyze results of the modeling the cyber-attack occurrence for each node in the network and suggest how to perform the intelligent prioritization of a remediation action on the first network node based upon at least an importance of the first network node compared to the other network nodes in at least one of a report and an autonomous remediation action initiated by the remediation suggester module to mitigate against the cyber-attack;
one or more processing units configured to execute software instructions associated with the importance node module, the attack path modeling component, and the remediation suggester module; and
one or more non-transitory storage mediums configured to store at least software associated with the importance node module, the attack path modeling component, and the remediation suggester module.