|Abstract: ||A method and apparatus for managing an attack on a computer system. A
computer identifies actions taken by an adversary in the computer system
and links connecting the actions over time using an ontology defining
linking rules for linking the actions over time. The computer creates a
graph of the actions with the links connecting the actions over time. The
graph shows a number of patterns of behavior for the adversary. The
computer then identifies a protective action to take with respect to the
computer system using the graph of the actions taken by the adversary.