A method of computer security for a host computer system in communication with remote computer systems includes generating an attack map modelling individual events leading to an exploitation of the host computer system by collecting a log of each of a plurality of attack events occurring at the host, using stacked autoencoders to extract features from the log event in each attack, and generating a directed graph representation based on each of the extracted features. The method further includes determining a subset of nodes in the attack map corresponding to events in one or more attacks, determining a component of the host computer system involved in each attack event represented by each of the nodes in the subset, and deploying one or more security facilities at each of the determined components of the host computer system so as to mitigate attacks according to each of the attack patterns.