Abstract: A method is disclosed. The method comprises analyzing, using a processing apparatus, event log entries of a plurality of devices, the plurality of devices forming part of a group of devices sharing a common attribute, wherein event log entries of a device relate to events that have taken place during a first period of interest in respect of that device. The method also comprises determining, using the processing apparatus, for a given device in the group of devices, based on the analysis of event log entries, a predicted entry that is expected to appear in the event log of the given device during the first period of interest. An apparatus and a machine-readable medium are also disclosed.

Abstract: An apparatus and method is described comprising: classifying service ticket data relating to a service request into a service topic, wherein the service ticket data is obtained from the service request relating to a device; determining, for the service request, an extent to which the service topic matches a telemetry data class, wherein the telemetry data class relates to activities at the device; and providing an output according to said determination.

Abstract: A method of validating software including maintaining, in a trusted computing system, a copy of at least portions of data of the software, the software comprising data in an untrusted computing system. The method includes, with the trusted computing system, specifying selected data from data included in the copy as hash data, generating an executable file for generating a hash based on the specified hash data, executing the executable file to generate a check hash using the specified selected data from the copy as the hash data, and determining whether the software is valid based, at least in part, on a comparison of the check hash to an access hash generated by execution of the executable file by the untrusted computing system using the specified selected data from the untrusted computing system as the hash data.

Abstract: In an example, a method includes analysing data collected from a service. A value representative of the number of anomalies in the data is generated, this value then being compared with a threshold. Depending on whether the value is greater or less than the threshold, a performance parameter of the monitoring service may be evaluated.

Abstract: Configuring analytics to be performed at an endpoint device, comprising receiving at least one analytic input determined from instrumented processes operated at the endpoint device, performing at least one analytic of a set of analytics stored in the endpoint device, to produce a respective analytic output, transmitting the at least one analytic output to the server, receiving, from the server, at least one analytics configuration update, based on measures indicative of the usefulness of the analytics calculated at the server, to reconfigure at least one of the set of analytics stored in the endpoint device. Based on the received analytics configuration updates, the endpoint device reconfigures at least one of the set of analytics by at least one of: stopping or starting performing the analytic, and tuning how the analytic is performed.

Abstract: In examples, there is provided a method for modifying a data item from a source apparatus, the data item associated with an event, in which the method comprises, within a trusted environment, parsing the data item to generate a set of tuples relating to the event and/or associated with the source apparatus, each tuple comprising a data item, and a data identifier related to the data item, applying a rule to a first tuple to pseudonymise a first data item to provide a transformed data item, and/or generate a contextual supplement to the first data item, generating a mapping between the transformed data item and the first data item, whereby to provide a link between the transformed data item and the first data item to enable subsequent resolution of the first data item using the transformed data item, and forwarding the transformed data item and the data identifier related to the first data item to an analytics engine situated logically outside of the trusted environment.

Abstract: In an example there is provided a method to certify a cryptographic key. The method comprises accessing an identifier stored at a secure location on the computing device, generating a cryptographic key according to a key generation process and certifying the cryptographic key is authentically generated during the boot process of the computing device, on the basis of the identifier.

Abstract: Apparatus and methods to process received results of an analytical process performed on first external data at a first computer at a server, to obtain sensitizing data; and provide the sensitizing data from the server to a second computer for use in performing a sensitized analytical process on second external data received at the second computer.

Abstract: An example computing device includes a memory accessible at startup of the computing device, a buffer, and a set of instructions. The memory stores a configuration setting that is configurable by the application of a change request. The memory also stores a first public key and a second public key. The buffer stores change requests submitted by a remote entity, including a first change request to make a first setting change and a second change request to make a second setting change. The first change request is signed by a first private key corresponding to the first public key, and the second change request is signed by a second private key corresponding to the second public key. The set of instructions retrieves a change request from the buffer, determines whether the change request is authenticated by a public key, and if authenticated, applies the change request.

Abstract: An example computing device includes a user interface, a network interface, a non-volatile memory, a processor coupled to the user interface, the network interface, and the non-volatile memory, and a set of instructions stored in the non-volatile memory. The set of instructions, when executed by the processor, is to perform a hardware initialization of the computing device according to a setting, establish a local trust domain and a remote trust domain, use a local-access public key to issue a challenge via the user interface to grant local access to the setting, and use a remote-access public key to grant remote access via the network interface to remote access to the setting.

Abstract: In an example, a method includes receiving, at a server device, a record of an event transmitted from a client device which occurred on the client device. At the server device, a record of the event is generated, by a processor. The received record is compared with the record generated at the server device. When at least a portion of the record generated at the server device is not found in the received record, an alert is issued.

Abstract: In an example, a method includes analysing data collected from a service. A value representative of the number of anomalies in the data is generated, this value then being compared with a threshold. Depending on whether the value is greater or less than the threshold, a performance parameter of the monitoring service may be evaluated.

Abstract: In an example, there is provided a method for tracking domain name server (DNS) requests, wherein the method comprises determining whether a DNS request has resolved; and for each non-resolving DNS request decomposing the domain name of the request into multiple components, determining, for each component, a value of a metric representing the occurrence of the component in a corpus, generating a scaling factor for the request on the basis of the values for each component, and incrementing a count of the total number of non-resolving DNS requests by a scaled value on the basis of the scaling factor.

Abstract: An apparatus comprises a memory to store data and a processor coupled to the memory. The processor may modify a plurality of data elements using a semantic relationship between the plurality of data elements and a pre-selected data security policy and to store data representing the modified plurality of data elements in the memory.

Abstract: An example system in accordance with an aspect of the present disclosure includes a cache engine, a validate engine, and an access engine. The cache engine is to cache, into an address cache of an object reference, an object address corresponding to an object, in response to performing a lookup of the object via at least one indirection. The validate engine is to validate that an object ID of the object located at the cached object address corresponds to a reference object ID that is stored in the object reference and associated with the object. The access engine is to access the object via a lookup of the object address cached in the address cache of the object reference, in response to validating the reference object ID.

Abstract: A method of validating software including maintaining, in a trusted computing system, a copy of at least portions of data of the software, the software comprising data in an untrusted computing system. The method includes, with the trusted computing system, specifying selected data from data included in the copy as hash data, generating an executable file for generating a hash based on the specified hash data, executing the executable file to generate a check hash using the specified selected data from the copy as the hash data, and determining whether the software is valid based, at least in part, on a comparison of the check hash to an access hash generated by execution of the executable file by the untrusted computing system using the specified selected data from the untrusted computing system as the hash data.

Abstract: An example system in accordance with an aspect of the present disclosure includes a cache engine, a validate engine, and an access engine. The cache engine is to cache, into an address cache of an object reference, an object address corresponding to an object, in response to performing a lookup of the object via at least one indirection. The validate engine is to validate that an object ID of the object located at the cached object address corresponds to a reference object ID that is stored in the object reference and associated with the object. The access engine is to access the object via a lookup of the object address cached in the address cache of the object reference, in response to validating the reference object ID.

Abstract: An apparatus comprises a memory to store data and a processor coupled to the memory. The processor may modify a plurality of data elements using a semantic relationship between the plurality of data elements and a pre-selected data security policy and to store data representing the modified plurality of data elements in the memory.

Abstract: In one example in accordance with the present disclosure, a method for data type management may include adding a first data to a first data set. The first data set may belong to a plurality of data sets stored in a memory and each data set in the plurality may correspond to a type table defining data types in the corresponding data set. The method may further include determining that a first data type of the first data is not in a first type table corresponding to the first data set and generating an identifier corresponding to the first data type. The identifier may identify uses of the first data type within each data set in the plurality and may be a standardized value that is used by each data set in the plurality. The method may also include inserting the identifier into the first type table.

Abstract: There is provided a memory access control method and system in which one or more memory blocks are allocated to hold data for a dataset and the one or more memory blocks are associated with metadata related to the dataset and a policy related to allowing access to the one or more memory blocks for attachment of the memory blocks to a node. Upon receiving a request from a requesting entity to access an allocated memory block for attachment of the requested memory block to a node, the policy is enforced to determine whether to allow access to the requested memory block for the attachment of the requested memory block to the node given a set of memory blocks already attached to the node.