Abstract: Techniques and solutions are described for facilitating the installation of software application extensions in a multi-tenant environment. A package for an extension may include code for a plurality of objects of the extension. Extension objects can be generated or non-generated. Generated objects can be user modifiable or not user modifiable. A software-implemented classification assistant can examine properties of the objects and classify them for deployment to a shared container or prompt a user to select whether an object should be deployed to the shared container or to a tenant-specific container. Properties of objects in the shared container may be set by the classification assistant such they are not modifiable by tenants.

Abstract: Disclosed herein are systems and methods that allow for secure access to websites and web-based applications and other resources available through the browser. Also described are systems and methods for secure use and retention of user credentials, as well as methods for dynamic authentication of users and integrity checking of service providers in online environments. Thus, described in the present specification are systems and methods for constructing and destroying private, secure, browsing environments (a secure disposable browser), insulating the user from the threats associated with being online for the purposes of providing secure, policy-based interaction with online services.

Abstract: Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous.

Abstract: Methods and systems are provided for concurrently upgrading a primary database and a standby database that is synchronized with the primary database, while still protecting the stored data from the risk of hardware or other failure during the upgrade process. The standby database is mounted to an NFS (Network File System) located on a database access node. The upgraded primary and standby databases are built and mounted to the NFS mount point. A level-zero backup and one or more incremental backups of the deprecated standby database are generated. Each backup may be concurrently transferred to the upgraded databases via the mount point. Upon generation of a final incremental backup, the primary database is frozen and the tablespace metadata to transferred to the upgraded databases via the mount point. The upgraded primary database may be started upon importing of the tablespace metadata.

Abstract: A distributed storage server includes a plurality of data server devices and a plurality of metadata server devices. The metadata server devices store metadata associated with data which is distributively stored in the data server devices. A selected metadata server device checks whether a dangling directory occurs by performing a rename operation, based on information associated with a full path of a parent directory of a source and a full path of a parent directory of a target included in a request of the rename operation. When it is determined that the dangling directory does not occur, the selected metadata server device processes transactions directed to the metadata such that the rename operation is performed. The checking whether the dangling directory occurs is performed before a transaction period for processing the transactions.

Abstract: Distributed Service Layer Transactions (DSLTs) may be supported by a DSLT service at a service layer of a communications network to offload applications from the burden of managing the processing of DSLTs.

Abstract: A system for securing electronic devices includes a processor, non-transitory machine readable storage medium communicatively coupled to the processor, security applications, and a security controller. The security controller includes computer-executable instructions on the medium that are readable by the processor. The security application is configured to determine a suspicious file from a client using the security applications, identify whether the suspicious file has been encountered by other clients using the security applications, calculate a time range for which the suspicious file has been present on the clients, determine resources accessed by the suspicious file during the time range, and create a visualization of the suspicious file, a relationship between the suspicious file and the clients, the time range, and the resources accessed by the suspicious file during the time range.

Abstract: Systems and methods of monitoring online activity may include providing, by a server of a linking system, a cookie of the linking system to a client device responsive to receiving a first request from a first resource to access a first link encoded by the linking system and linked to a second resource. The server may identify from the first request, the cookie, the first resource and the second resource. The server may receive from the client device, a second request to access a second link that is encoded by the linking system and linked to a third resource. The server may identify from the second request, the same cookie provided to the client device and the third resource. The server may identify, via the cookie provided to the client device, that the client device has accessed the first, second and third resources.

Abstract: In accordance with a security policy regarding a setting value of an information processing apparatus, restriction information indicating whether to restrict modification of the setting value of information processing apparatus stored in a first storage unit is generated and stored in a second storage unit different to the first storage unit. Based on the restriction information stored in the second storage unit, modification of the setting value of the information processing apparatus is restricted.

Abstract: A cyber security threat detection system for one or more endpoints within a computing environment is disclosed. The system includes one or more collector engines. Each of the collector engines includes a service and an agent operating on a corresponding system endpoint of the system endpoints. The service is configured to take a first snapshot of the corresponding system endpoint. The first snapshot includes event activity information associated with the system endpoint. The agent is configured to take a second snapshot of the corresponding system endpoint. The second snapshot includes behavioral activity information associated with the corresponding system endpoint. The system further includes an aggregator engine configured to aggregate the first snapshot and the second snapshot from each of the system endpoints into an aggregated snapshot.

Abstract: A cyber security threat detection system for one or more endpoints within a computing environment is disclosed. The system comprises a plurality of collector engines. Each of the collector engines is previously installed on an endpoint of a plurality of endpoints and configured to acquire statistical information at the endpoint. The statistical information includes behavioral information, resource information, and metric information associated with the endpoint. The system further comprises an aggregator engine configured to aggregate the statistical information from each of the endpoints into aggregated information. The system further comprises an analytics engine configured to receive the aggregated information, and to invoke learning models to output deviation information for each of the endpoints based on the aggregated information and expected fingerprints associated with the endpoints.

Abstract: An endpoint encrypts local files with a key to protect file contents. If the endpoint or processes on the endpoint becomes exposed to potentially harmful locations or resources, the key can be revoked to prevent access to encrypted files on the endpoint. In order to facilitate continued operation of the endpoint, files that are currently open can be encrypted with a second key so that the corresponding data is isolated from the other encrypted files while remaining accessible to current users.

Abstract: Computer-implemented methods, computerized systems and articles of manufacture for processing sensitive electronic tax return data. A tax logic agent reads runtime data of the electronic tax return from a shared data store and identifies logic computations to be performed given a directed completion graph and runtime data. Certain logic computations involve sensitive runtime data (name, social security number, other personal identification data, and private data such as address, telephone number and account numbers), are indicated as such, and may be processed differently than other logic computations involving runtime data not indicated to be sensitive data. Logic computations involving sensitive data may be performed locally, whereas logic computations not involving sensitive data may be performed by a remote computing resource, in which case computation results are merged and used to generate a non-binding suggestion of a topic or question to present to the user via the user interface controller.

Abstract: A system and method perform calibration of a forecast model for resource allocation. The method includes receiving inputs to the forecast model derived from historical data for a period of time, and executing the forecast model to obtain one or more forecast levels for each interval within the period of time, the forecast level corresponding with a quantified forecast of a forecast parameter that is forecast by the forecast model for the interval. Obtaining an actual level for each interval within the period of time according to the historical data is followed by comparing the one or more forecast levels with the actual level for the period of time according to a metric to adjust a mapping within the forecast model between values of the quantified forecast and the forecast levels based on the comparing to obtain a calibrated forecast model. The calibrated forecast model is used for resource allocation.

Abstract: According to one example embodiment, a remote server includes a memory configured to store computer-readable instructions, and a processor. The processor is configured to execute the computer-readable instructions for installing a medical application at a target destination by determining a deployment configuration of the target destination, determining whether to transform the medical application prior to installing the medical application at the target destination based on the determined deployment configuration of the target destination, and deploying at least one of the medical application or a transformed version of the medical application to the target destination.

Abstract: A system for enforcing restrictive access control with respect to a set of digital objects accessible by a first device and second device of a user. The system includes the first device of the user configured to: detect an update associated with a first system access control rule, wherein the first system access control rule is to block access to at least a first digital object included in the set of digital objects on the first device; determine, based at least in part on the update to the first system access control rule, to block access to at least a second digital object included in the set of digital objects on a second device; and provide, to the second device, the update associated with a first system access control rule to maintain restrictive access control over the set of digital objects on a second device.

Abstract: Provided are a computer program product, system, and method for providing access to data storage services in a network environment. Multi-tenancy information for each of a plurality of clients has at least one tenant assigned to the client, at least one data source assigned to the tenant assigned to the client, and for each of the at least one data source, information on at least one user assigned to the data source and permitted access to the data source. A user is provided an isolate tag comprising a client tag identifying one client, a tenant tag identifying one tenant, and a data source tag identifying one data source to which the user is permitted to access data. A user access request with an isolate tag is processed in response to determining that the multi-tenancy information indicates that the client, tenant, and data source identified by the isolate tag are related.

Abstract: The example embodiments are directed to a system and method for tag mapping. In one example, the method includes receiving a request to perform tag mapping for a target tag of a master data set, the target tag representing a target component of an asset, querying a customer data for a plurality of candidate tag records based on the target tag, tokenizing the plurality of candidate tag records included in the customer data set, reducing an amount of the tokenized tag records in the customer data set based on the target tag and each tokenized candidate tag record, performing tag mapping with the reduced amount of tokenized tag records to identify at least one candidate tag that is a possible match to the target tag, and outputting information concerning the identified at least one matching candidate tag.

Abstract: The disclosed technology is generally directed to firewalls. In one example of the technology, a first firewall is used such that communication is blocked from a first subsystem of a device upon boot of the device. The first firewall is enabled to be configured by secure code subsequent to boot such that code that is not secure code is prevented from configuring the first firewall. After configuration of the first firewall, based on the configuration, the first firewall is used to selectively allow the first subsystem access to the first memory based on ranges of addresses of the first memory configured as accessible to the first subsystem.

Abstract: A device may provide a verification indicator to a device associated with a website. The verification indicator may be associated with verifying access to the website. The device may detect that the verification indicator has been associated with code associated with the website based on processing the code. The device may provide a script to the device. The script may be included in the code. The script may be associated with monitoring operations of the website. The device may receive data related to the operations. The device may analyze the data using a model. The model may be associated with making a prediction related to at least one of: a value to be received via the website, or traffic associated with the website. The device may perform one or more actions related to the website based on a result of the analyzing.

Abstract: An apparatus and a method are provided. The apparatus of data analytics in a key-value solid state device (KVSSD) are disclosed. The KVSSD includes at least one KVSSD data container; and at least one KVSSD analytics container associated with at least one of the at least one KVSSD data container. The KVSSD data and analytics containers may be configured to store data and data analytics results in key-value pairs. The apparatus may include a virtual analytics container which is configured to utilize a field programmable gate array (FPGA) for performing a logical operation on data stored in multiple containers. A key in a key-value pair stored in a KVSSD analytics container may include a KVSSD data container identifier, a logical offset, and a user key that is also a key in a KVSSD data container associated with the KVSSD data container identifier. A value in a key-value pair may include a header of a fixed size, and analytics result information that depends on a type stored in the header.

Abstract: According to one embodiment, a master storage node receives a search query for searching images from a client, where the master storage node is coupled to a number of worker storage nodes over a storage network. The master storage node performs a hash operation on one or more keywords of the search query using a first predetermined hash function, generating a first hash value. A first of the worker storage nodes is identified based on the first hash value. The master storage node redirects the search query to the first worker storage node to allow the first worker storage node service the search query. The first worker storage node is to identify one or more images from a first system memory of the first worker storage node based on the search query and to transmit the one or more images to the client.

Abstract: A system and method for web application navigation control includes updating navigation data models used in navigation constraints with received data from an end-user or system. Without needing a centralized application-specific controller, from a collection of extensible navigation rules associated with each page of a plurality of pages, the extensible navigation rules are automatically selected which depend on changed data values and need re-evaluation. The navigation constraints associated only with the pages potentially changing their ready state to execute from among the plurality of pages in an entire application are evaluated to determine which pages are ready to run based on updated data from the navigation data models. A preferred page to be actually navigated to next is selected from among a set of all available and ready pages by execution of a set of second and separate navigation constraints using results of the navigation constraints of the evaluating step.

Abstract: Methods, systems, and storage media for identifying a sequence of events and participants for record objects are disclosed. Exemplary implementations may: access record objects of a system of record; identify a subset of record objects associated with a group entity and having a first record object status; identify one or more electronic activities linked to the record objects; determine an event-participant pattern based on the electronic activities linked to the record object; identify electronic activities linked with a second record object; determine that a first event is performed by the a participant type and a second event is not yet performed by a second participant type; generate a content item identifying an action to trigger a performance of the second event; and transmit the content item to a device of a participant of at least one electronic activity linked with the second record object.

Abstract: A process for authenticating a communication device may include receiving a request from a communication device to synchronize time with a server, and providing an authorization network time to the communication device. An authentication request including an access credential having a timestamp generated by the communication device may be received by the server. A determination can be made as to whether the communication device had successfully executed a predetermined shutdown sequence by determining whether the access credential has reliable timestamp information. The communication device can be authenticated when the timestamp has a non-reset value indicating that the communication device had successfully executed the predetermined shutdown sequence, and that the access credential has not expired.

Abstract: Methods of detecting a packet forwarding path, UMC servers and non-transitory machine-readable storage mediums are provided. In one aspect, a UMC server distributes a target packet feature pre-configured by a user to a plurality of forwarding devices managed by the UMC server, wherein the target packet feature is a feature of a target packet; receives respective path information transmitted by forwarding devices within the forwarding devices managed by the UMC server, wherein the respective path information is extracted by the forwarding devices from the target packet determined based on the target packet feature; and obtains a forwarding path corresponding to the target packet based on the path information transmitted by the forwarding devices.

Abstract: Systems, methods, and software described herein facilitate an enhanced service architecture for large-scale data processing. In one implementation, a method of providing data to a large-scale data processing architecture includes identifying a data request from a container in a plurality of containers executing on a host system, wherein the plurality of containers each run an instance of a large-scale processing framework. The method further provides identifying a storage repository for the data request, and accessing data associated with the data request from the storage repository. The method also includes caching the data in a portion of a cache memory on the host system allocated to the container, wherein the cache memory comprises a plurality of portions each allocated to one of the plurality of containers.

Abstract: The disclosed embodiments provide a set of methods, systems, data structures, and computer-executable instructions for executing on a compute machine to automatically analyze data associated with an indexed corpora and to generate for graphical display a set of results associated with those analytic operations.

Abstract: A security program installed or in communication with a computer is provided. The security program is configured to intercept disk (I/O) operations that read/write from/to disk. This allows the security program to confirm and control access to data based on security rules. Further, the security program can categorize data based on security rules and then format and store data on disk in a format that prevents access by application(s) of the computer. The security program is further configured to re-format data to be accessible by the application in a format accessible by the application(s) when a request to access the data complies with security rules.

Abstract: Controlling access to business process data is disclosed. An instance of a first business process object configured to contain business process data of a business process is created. An instance of a second business process object configured to contain business process data of the business process is created. A first access control list is associated with the instance of the first business process object and a second access control list is associated with the instance of the second business process object.

Abstract: This disclosure describes a virtual desktop brokering system that brokers a virtual desktop session. During operation, a broker receives a request to establish the session. Next, the broker broadcasts, to a set of agent concentrators, a request to find an available machine for the session, wherein each agent concentrator maintains state information of a respective group of available machines. The broker receives, from at least one agent concentrator, a list of available machines. Subsequently, the broker chooses an available machine from the list for the session, and the broker sends a request to the agent concentrator associated with the chosen machine to initiate the session.

Abstract: A method and apparatus for deep learning based fine-grained body part recognition in medical imaging data is disclosed. A paired convolutional neural network (P-CNN) for slice ordering is trained based on unlabeled training medical image volumes. A convolutional neural network (CNN) for fine-grained body part recognition is trained by fine-tuning learned weights of the trained P-CNN for slice ordering. The CNN for fine-grained body part recognition is trained to calculate, for an input transversal slice of a medical imaging volume, a normalized height score indicating a normalized height of the input transversal slice in the human body.

Abstract: A request is received to copy a file from a source to a destination, the source being associated with a source inode, and the destination being associated with a destination inode. The source and destination inodes are sorted into a sorted order according to inode numbers identifying the source and destination inodes. Based on the sorted order, rename locks are acquired on the source and destination inodes. Based on the sorted order, inode locks are acquired on the source and destination inodes. After the rename and inode locks have been acquired, chunk map entries of the source inode are copied as entries of the destination inode to fulfill the request.

Abstract: A method, computer program product, and computer system for identifying a first user in a network. Access to at least a portion of the network is available to at least one of the first user and a second user based upon, at least in part, one or more attributes of the first user. If there is a determination of a change in an attribute of the one or more attributes of the first user has occurred, removing at least a portion of the access to at least the portion of the network from at least one of the first user and the second user based upon, at least in part, the change in the attribute of the one or more attributes of the first user.

Abstract: Methods and apparatus that allow clients to connect resource instances to virtual networks in provider network environments via private IP. Via private IP linking methods and apparatus, a client of a provider network can establish private IP communications between the client's resource instances on the provider network and the client's resource instances provisioned in the client's virtual network via links from the private IP address space of the virtual network to the private IP address space of the provider network. The provider network client resource instances remain part of the client's provider network implementation and may thus also communicate with other resource instances on the provider network and/or with entities on external networks via public IP while communicating with the virtual network resource instances via private IP.

Abstract: Provided are a computer program product, system, and method for using geographical location information to provision one or more target storages for a source device. A determination is made of a geographical location of the source device and of geographical locations of the target storages. A determination is made of one of the target storages whose distance from the source device based on the geographical locations of the source device and the target storages satisfies at least one distance requirement. A configuration procedure is initiated to configure the source device and the determined target storage to have the source data backed-up from the source device to the target storage over the network.

Abstract: A method, computer program product, and computer system for identifying a first user in a network. Access to at least a portion of the network is available to at least one of the first user and a second user based upon, at least in part, one or more attributes of the first user. If there is a determination of a change in an attribute of the one or more attributes of the first user has occurred, removing at least a portion of the access to at least the portion of the network from at least one of the first user and the second user based upon, at least in part, the change in the attribute of the one or more attributes of the first user.

Abstract: Some embodiments are directed to managing transactions in a computer system, which receives information indicating a first node has at least one right with regard to a second node such that the first node is associated with the second node. An identity network is created, based, on the association between the first node and the second node, representing undirected ties between a plurality of nodes, the plurality of nodes including at least the first and second node. Using the identity network, a rights network is created representing directed ties between the plurality of nodes based, at least in part, on the undirected ties of the identity network and the at least one right the first node has with regard to the second node. The rights network is used to determine whether a transaction initiated by the first node is permissible based, at least in part, on the rights network.

Abstract: Some embodiments provide a method for a system that monitors a network to prevent violations of declared policies. The method stores network state data received from a plurality of data sources as a set of tables. The method receives a declaration of a policy that specifies a set of conditions for a particular set of network state entities received from at least two of the data sources. The set of conditions is specified as an existence of a set of data tuples involving the set of network state entities in the stored set of tables. The method monitors the network state data according to the declared policy.

Abstract: The invention relates to a method for storing data in a relational database, comprising a plurality of tables, wherein the data is stored in these tables, wherein each row of each table is provided with an original primary key for identification, and wherein foreign keys are provided for cross-referencing different tables of the relational database, wherein the primary keys are encrypted, wherein the foreign keys are encrypted based on the encrypted primary keys and wherein for each table where a primary key is referenced as a foreign key an encrypted pointer is stored to link the corresponding encrypted foreign key to the encrypted primary key. The present invention further relates to a relational database server.

Abstract: A method and apparatus for dynamically adjusting an ingestion rate for backup operations on a source system. The method generally includes monitoring a resource utilization related to one or more performance metrics of the source system in performing at least a primary workload. Based on the monitored resource utilization, the backup system determines a data ingestion rate for backup operations on the source system. The backup system ingests data from the source system to a backup repository at the determined data ingestion rate.

Abstract: Provided are a computer program product, system, and method for using geographical location information to provision one or more target storages for a source device. A determination is made of a geographical location of the source device and of geographical locations of the target storages. A determination is made of one of the target storages whose distance from the source device based on the geographical locations of the source device and the target storages satisfies at least one distance requirement. A configuration procedure is initiated to configure the source device and the determined target storage to have the source data backed-up from the source device to the target storage over the network.

Abstract: A data handling system includes a managing resource that manages one or more managed resources. The managed resource inherits tags of its managing resource(s). A user of the data handling system may apply tags to a managing resource via a management console. The tags may be applied via a user interface and utilized to organize the managed and managing resources. The tags may be typeless in that the user may assign any type of meaning to any tag. Tags assigned to the managing resource are applied or inherited to the resources it manages. The pattern of inheritance repeats through ‘n’ generations as managed resources, themselves, can be managing resources.

Abstract: Some embodiments provide a program that receives, from an application, a role-based permission (RBP) request specifying an RBP, a first user, and a second user. The RBP specifies a set of actions, a first set of users authorized to perform the set of actions, a second set of users on which the first set of users is authorized to perform the set of actions, and a relationship condition. When the relationship condition specifies a hierarchy-based relationship, the program determines valid users in the second set of users according to a hierarchy of users. When the relationship condition specifies a non-hierarchy-based relationship, the program determines valid users in the second set of users according to a relationship not based on the hierarchy of users. The program determines whether the first user is authorized to perform the set of actions on the second user based on the determined valid users.

Abstract: A system and method for identifying distributed attacks, such as, but not limited to, distributed denial of service attacks and botnet attacks, in a first network serviced by a first carrier and configured to alert a second network serviced by a second carrier that is different from the first carrier is disclosed. Once an attack has been identified, an attack alert is generated and provided to the second network or other aspects of the first network, or both. The attack alerts may be distributed dynamically with the second network via diameter based security protocol Rs. Such system and method may mitigate distributed malicious attacks by sharing destination internet protocol and bad international mobile subscriber identity information across carriers.

Abstract: Various aspects and embodiments facilitate management of digitally emulated physical resources. Users can access a management system to create pairings between digitally emulated resources and physical resources. The paired resources can be consistently managed through the system, such that any user from any source can access and dynamically reserve physical and digital resources. In further embodiments, the system can create pairings between the digital emulation and physical resources based on merge operations performed on multiple digital emulations of resources, copy and pasting for other digital emulation of resources, and digital altering of existing resources. The system enables efficient management, control, and implements security for digital and physical resources using, for example, a “digital room.” Security rules and enforcement can be specified within the digital rooms based on access rights, content displays, and can be specific to each resource controlled by the digital room.

Abstract: A method for execution by one or more processing modules of one or more computing devices of a dispersed storage network (DSN), the method begins by receiving a store data object request from the user device. The method continues by initiating storage of N instances of the received data object in the storage set. The method continues by issuing a status response to the user device when detecting that M instances have been successfully stored and sending an instance i of the data to the user device when receiving a read instance i of the data object request from the user device.

Abstract: Generally discussed herein are systems, devices, and methods for unstructured text analysis. A method can include deconstructing structured data to create unstructured text, creating a first word cloud using the unstructured text, creating a query based on the first word cloud, receiving data corresponding to contents of a specified number of records determined to include data most similar to the first word cloud in a database of records, creating a second word cloud for each of the specified number of records using the data from the specified number of records, determining similarity values indicating how similar the first word cloud is to each of the second word clouds, and providing a similarity indicator for each record of the specified number of records to a user interface, the similarity indicator representing a relative magnitude of the determined similarity values of the specified number of records.

Abstract: A method and apparatus for displaying a product. The three-dimensional model includes objects and a spatial relationship of the objects to each other. A group of the objects in the three-dimensional model is identified based on a policy applied to a user input selecting a portion of the product and assigns a value to a group of attributes associated with the group of the objects. The value assigned to the group of the attributes indicates that the group of the objects is to be displayed on the display system. Other objects in the objects having the attributes without the value are not displayed. The attributes associated with the objects are outputted in which the group of the objects is displayed in three dimensions on the display system using the attributes associated with the objects, enabling a desired level of performance in visualizing the three-dimensional model of the product.

Abstract: A machine may be configured to perform image evaluation of images depicting items for online publishing. For example, the machine performing a user behavior analysis based on data pertaining to interactions by a plurality of users with a plurality of images pertaining to a particular type of item. The machine determines, based on the user behavior analysis, that a presentation type associated with one or more images of the plurality of images corresponds to a user behavior in relation to the one or more images. The machine determines that an item included in a received image is of the particular type of item. The machine generates an output for display in a client device. The output includes a reference to the received image and a recommendation of the presentation type for the item included in the received image, for publication by a web server of a publication system.