US10855706B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10855706-B2 |
| Application number | US-201715730028-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 11, 2017 |
| Priority date | Oct 11, 2016 |
| Publication date | Dec 1, 2020 |
| Grant date | Dec 1, 2020 |
Abstract
A method for securing an IT (information technology) system using a set of methods for knowledge extraction, event detection, risk estimation and explanation for ranking cyber-alerts which includes a method to explain the relationship (or an attack pathway) from an entity (user or host) and an event context to another entity (a high-value resource) and an event context (attack or service failure).
Claims

What is claimed is:

1. A computer-implemented method of protecting a cyber system, the method comprising: modeling the cyber system as a heterogenous network of nodes using a tripartite user-host-application graph comprising a user-host sub-graph and a host-application sub-graph; transforming the tripartite user-host-application graph into a tabular representation that preserves topological properties of the nodes, wherein each of the nodes from the tripartite user-host-application graph comprise a point in multidimensional vector space within the tabular representation; analyzing user traffic within the cyber system based on the tabular representation to identify one or more anomalies within the cyber system; and generating at least one modification to the cyber system to restrict activity within the cyber system based on the identified anomalies and the modeling.

2. The method of claim 1, wherein the tripartite user-host-application graph comprises a hierarchical aggregation of information, from high-resolution, narrower context to coarser-resolution, broader context.

3. The method of claim 1, wherein at least one of the anomalies comprises an abstract event or a kill-chain event.

4. The method of claim 1, further comprising: performing a graph-walk based on the tripartite user-host-application graph.

5. The method of claim 1, wherein at least one of the anomalies comprises a graph-walk problem indicative of a lateral attack.

6. The method of claim 1, wherein the analyzing the user traffic uses a Long-Short Term Memory (LSTM) neural network to ascertain the anomalies.

7. The method of claim 6, wherein the LSTM neural network comprises an attention layer and a dense network layer.

8. The method of claim 1, further comprising: calculating respective specificity scores for the identified anomalies indicative of relative importance of the nodes associated with each the respective anomalies; and wherein the generating the modification is further based on the specificity scores.

9. The method of claim 1, further comprising: calculating coherence scores for the identified anomalies indicative of relative tightness of nodes associated with each of the respective anomalies; and wherein the generating the modification is further based on the coherence scores.

10. The method of claim 1, further comprising: calculating reachability scores for the identified anomalies indicative of relative numbers of nodes accessible by each of the respective anomalies; and wherein the generating the modification is further based on the reachability scores.

11. The method of claim 10, wherein the generating the modification comprises inputting the reachability scores into a greedy algorithm.

12. The method of claim 11, wherein the greedy algorithm outputs respective scopes of restriction for the anomalies based on the reachability scores.

13. A system comprising a series of circuitry that implements a cyber security feature, the cyber security feature configured to: model an associated cyber system as a heterogenous network of nodes using a tripartite user-host-application graph comprising a user-host sub-graph and a host-application sub-graph; transform the tripartite user-host-application graph into a tabular representation that preserves topological properties of the nodes, wherein each of the nodes from the tripartite user-host-application graph comprise a point in multidimensional vector space within the tabular representation; analyze user traffic within the cyber system based on the tabular representation to identify one or more anomalies within the cyber system; and generate at least one modification to the cyber system to restrict activity within the cyber system based on the identified anomalies and the modeling; and output the at least one modification.

14. The system of claim 13, wherein the system is connected to the associated cyber system.

15. The system of claim 13, wherein the cyber security feature is further configured to perform one or more graph walks between nodes of the tripartite user-host-application graph.

16. The system of claim 15, wherein at least one of the anomalies is based on the graph walks.

17. The system of claim 13, wherein the generating the modification is further based on specificity, coherence, or reachability scores for the anomalies.

18. The system of claim 13, wherein the multidimensional vector space comprises a 50-dimensional vector space, a 100-dimensional vector space, or a 200-dimensional vector space.

19. The system of claim 13, wherein: the tripartite user-host-application graph comprises multiple scales; and the cyber security feature is further configured to transform the tripartite user-host-application graph into the tabular representation by transforming the tripartite user-host-application model at each scale.

20. One or more non-transitory computer readable storage media that, when executed by one or more processors, causes the one or more processors to: model an associated cyber system as a heterogenous network of nodes using a tripartite user-host-application graph comprising a user-host sub-graph and a host-application sub-graph; transform the tripartite user-host-application graph into a tabular representation that preserves topological properties of the nodes, wherein each of the nodes from the tripartite user-host-application graph comprise a point in multidimensional vector space within the tabular representation; analyze user traffic within the cyber system based on the tabular representation to identify one or more anomalies within the cyber system; and generate at least one modification to the cyber system to restrict activity within the cyber system based on the identified anomalies and the modeling; and output the at least one modification.
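The claims describe a tripartite user-host-application graph, graph walks over it (claims 4, 5, 15), per-anomaly specificity, coherence and reachability scores (claims 8 to 10), and a greedy algorithm that turns reachability scores into scopes of restriction (claims 11, 12), but the patent text on this page does not define how any of those scores are computed. The following Python is an added illustration written for this page, not code from the patent or its assignee: the logon and application-usage events, the two flagged anomalies, the host budget, and every score formula (mean inverse degree for specificity, internal-edge share for coherence, fraction of nodes reached by a bounded walk for reachability) are assumptions chosen to make the mechanism concrete. The embedding into vector space (claim 1) is deliberately left out, since the page gives no basis for choosing one.

```python
"""Toy model of the claimed tripartite graph, graph-walk reachability and
greedy restriction scoping. Assumed example, not the patent's implementation;
all score definitions and sample data are constructed for illustration."""
from collections import defaultdict, deque
from itertools import combinations

# Constructed sample events (not from the patent): (user, host) logons and
# (host, application) usage. Together they form the two claimed sub-graphs.
USER_HOST = [("alice", "ws1"), ("alice", "ws2"), ("bob", "ws2"), ("bob", "srv1"),
             ("carol", "srv1"), ("carol", "db1"), ("dave", "ws3")]
HOST_APP = [("ws1", "browser"), ("ws2", "browser"), ("ws2", "ssh"), ("srv1", "ssh"),
            ("srv1", "erp"), ("db1", "sqlsvc"), ("ws3", "browser")]
HOSTS = {h for _, h in USER_HOST} | {h for h, _ in HOST_APP}

# Constructed anomalies: each is the set of graph nodes a detector flagged
# together (a user, the host they were on, the application they used).
ANOMALIES = {"A1": {"bob", "ws2", "ssh"}, "A2": {"dave", "ws3", "browser"}}


def build_graph(user_host, host_app):
    """Undirected tripartite graph: user-host sub-graph plus host-app sub-graph."""
    adj = defaultdict(set)
    for a, b in list(user_host) + list(host_app):
        adj[a].add(b)
        adj[b].add(a)
    # Plain dict so a typo in a node name fails loudly instead of growing the graph.
    return {node: frozenset(nbrs) for node, nbrs in adj.items()}


def walk(g, seeds, max_hops):
    """Breadth-first graph walk: every node within max_hops of any seed node."""
    seen = set(seeds)
    frontier = deque((n, 0) for n in seeds)
    while frontier:
        node, dist = frontier.popleft()
        if dist == max_hops:
            continue
        for nxt in g[node]:
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, dist + 1))
    return seen


def reachability(g, nodes, hops=2):
    """Assumed definition: fraction of all graph nodes a walk of `hops` steps reaches."""
    return len(walk(g, nodes, hops)) / len(g)


def specificity(g, nodes):
    """Assumed definition: mean inverse degree; sparsely connected nodes are more specific."""
    return sum(1.0 / len(g[n]) for n in nodes) / len(nodes)


def coherence(g, nodes):
    """Assumed definition: share of the anomaly's edge endpoints that stay inside the set."""
    internal = sum(1 for a, b in combinations(nodes, 2) if b in g[a])
    return 2.0 * internal / sum(len(g[n]) for n in nodes)


def greedy_scopes(g, anomalies, hosts, budget, max_hops=2):
    """Greedy scoping (assumed form): anomalies are visited in descending
    reachability order and each takes the widest host neighbourhood, by hop
    radius, that still fits the remaining budget of hosts to restrict."""
    ranked = sorted(anomalies, key=lambda k: reachability(g, anomalies[k]), reverse=True)
    scopes, remaining = {}, budget
    for name in ranked:
        chosen = set()
        for radius in range(max_hops + 1):
            candidate = walk(g, anomalies[name], radius) & hosts
            if len(candidate) > remaining:
                break
            chosen = candidate
        scopes[name] = chosen
        remaining -= len(chosen)
    return scopes


if __name__ == "__main__":
    graph = build_graph(USER_HOST, HOST_APP)
    for name, nodes in ANOMALIES.items():
        print(name, "specificity=%.3f coherence=%.3f reachability=%.3f" % (
            specificity(graph, nodes), coherence(graph, nodes), reachability(graph, nodes)))
    print("restriction scopes:", greedy_scopes(graph, ANOMALIES, HOSTS, budget=3))
```

With the constructed data, A1 (bob on ws2 over ssh) reaches 10 of the 13 nodes within two hops and A2 (dave on ws3 in a browser) reaches 8, so the greedy pass scopes A1 first; a budget of three restricted hosts lets A1 take the one-hop host neighbourhood {ws2, srv1} and leaves A2 with only its own host {ws3}. The point of the budget is the one a defender cares about: a restriction that isolates every reachable host would also cut off legitimate users, so scope has to be traded against reach.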
Knowledge-based neural networks; Logical representations of neural networks · CPC title
Recurrent networks, e.g. Hopfield networks · CPC title
characterised by memory or gating, e.g. long short-term memory [LSTM] or gated recurrent units [GRU] · CPC title
Supervised learning · CPC title
Knowledge engineering; Knowledge acquisition · CPC title