Patent attributes
A mechanism is provided in a data processing system comprising at least one processor and at least one memory, the at least one memory comprising instructions executed by the at least one processor to cause the at least one processor to implement an ontology-based persistent attack campaign detection engine. In response to a security incident, the mechanism sends the security incident to an incident model microservice executing within the persistent attack campaign detection engine. The incident model microservice extracts artifacts from the incident, maps the artifacts to a graph topology data structure, and stores the graph topology data structure in a graph data storage. An ontology modeling suite executing within the persistent attack campaign detection engine collects security data from a document data storage, builds a security ontology data structure, stores the security ontology data structure in an ontology data storage, and maps concepts from the security ontology data structure to the graph topology data structure. A custom insight engine executing within the persistent attack campaign detection engine performs insights based on the graph topology data structure and outputs the results of the insights to a user in human-readable form.
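The abstract describes a three-stage pipeline: artifact extraction into a graph, ontology concepts mapped onto the graph nodes, and an insight computed over the annotated graph. The following is an added illustration of that flow, not code from the patent or its assignee. Everything in it is an assumption constructed for the example: the incident records and observable values are placeholders, the artifact-type-to-concept table and `is_a` hierarchy stand in for the security ontology, and the rule that only artifacts rooted at the `Indicator` concept may link incidents (so shared infrastructure such as a common DNS resolver does not merge unrelated incidents) is one possible use of the ontology, chosen here to show why the concept mapping matters to the insight.

```python
from collections import defaultdict

# Constructed sample incidents (stand-ins for what the incident model microservice
# receives).  The observable values are placeholders, not real indicators.
INCIDENTS = [
    {"id": "INC-1", "observables": {"src_ip": "203.0.113.7", "sha256": "HASH-A",
                                    "domain": "cdn-a.example", "resolver": "192.0.2.53"}},
    {"id": "INC-2", "observables": {"src_ip": "203.0.113.9", "sha256": "HASH-A",
                                    "domain": "cdn-b.example"}},
    {"id": "INC-3", "observables": {"src_ip": "198.51.100.4", "sha256": "HASH-C",
                                    "resolver": "192.0.2.53"}},
    {"id": "INC-4", "observables": {"src_ip": "203.0.113.20", "domain": "cdn-b.example"}},
]

# Assumed security ontology: artifact type -> concept, a concept hierarchy, and
# the set of root concepts through which incidents may be linked ("pivoted").
CONCEPT_OF_TYPE = {"src_ip": "NetworkIndicator", "sha256": "FileIndicator",
                   "domain": "NetworkIndicator", "resolver": "SharedInfrastructure"}
IS_A = {"NetworkIndicator": "Indicator", "FileIndicator": "Indicator",
        "SharedInfrastructure": "Infrastructure"}
PIVOTABLE_ROOTS = {"Indicator"}


def extract_artifacts(incident):
    """Incident model microservice step: pull (type, value) artifacts from an incident."""
    return [(t, v) for t, v in incident["observables"].items()]


def build_graph(incidents):
    """Map incidents and their artifacts to a graph topology (node table + adjacency)."""
    nodes, adj = {}, defaultdict(set)
    for inc in incidents:
        nodes[inc["id"]] = {"kind": "incident"}
        for t, v in extract_artifacts(inc):
            key = f"{t}:{v}"               # identical artifacts collapse to one node
            nodes[key] = {"kind": "artifact", "type": t}
            adj[inc["id"]].add(key)
            adj[key].add(inc["id"])
    return nodes, adj


def root_concept(concept):
    """Walk the is_a hierarchy up to the top-level concept."""
    while concept in IS_A:
        concept = IS_A[concept]
    return concept


def annotate_with_ontology(nodes):
    """Ontology modeling suite step: label each artifact node with concept and root."""
    for node in nodes.values():
        if node["kind"] == "artifact":
            c = CONCEPT_OF_TYPE.get(node["type"], "UnknownArtifact")
            node["concept"], node["root"] = c, root_concept(c)
    return nodes


def find_campaigns(nodes, adj):
    """Insight: incidents connected through pivotable artifacts form one campaign."""
    seen, campaigns = set(), []
    for start in (n for n, d in nodes.items() if d["kind"] == "incident"):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            if nodes[n]["kind"] == "incident":
                comp.add(n)
            elif nodes[n].get("root") not in PIVOTABLE_ROOTS:
                continue               # never traverse through shared infrastructure
            stack.extend(adj[n])
        campaigns.append(sorted(comp))
    return sorted(campaigns)


def shared_pivots(campaign, nodes, adj):
    """Pivotable artifacts touching two or more incidents of the campaign."""
    members = set(campaign)
    return sorted(a for a, d in nodes.items()
                  if d["kind"] == "artifact" and d.get("root") in PIVOTABLE_ROOTS
                  and len(adj[a] & members) >= 2)


def run(incidents):
    """Whole pipeline; returns the human-readable lines the insight engine would output."""
    nodes, adj = build_graph(incidents)
    annotate_with_ontology(nodes)
    lines = []
    for i, camp in enumerate(find_campaigns(nodes, adj), 1):
        pivots = ", ".join(f"{nodes[a]['concept']} {a}" for a in shared_pivots(camp, nodes, adj))
        lines.append(f"Campaign {i}: {', '.join(camp)}" + (f" linked via {pivots}" if pivots else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(run(INCIDENTS)))
```

With the constructed input, INC-1, INC-2 and INC-4 chain together through the shared file hash and domain, while INC-3 stays isolated even though it shares a resolver with INC-1, because the ontology classifies the resolver as shared infrastructure rather than an indicator. Swapping the `CONCEPT_OF_TYPE` entry for `resolver` to `NetworkIndicator` would merge all four incidents, which is the kind of ontology-driven difference in the insight that the abstract's concept mapping is there to control.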