Abstract: Techniques for sharing query results in a multi-tenant database system are described. The query results can be shared between users of the same account or organization in the multi-tenant network-based database system using security tokens. A first user executes a query, and the results are stored in the network-based database system. The first user can invoke a function to create a security token to provide access to the stored query results to other users in the same account. The first user can share the security token with the other users, who can directly access the stored results in the network-based database system instead of having to download local copies of the query results.

Abstract: An information handling system may receive, from a first sensor of the information handling system, first sensor data. The information handling system may receive, from a second sensor of the information handling system, second sensor data. Based, at least in part, on the first sensor data and the second sensor data, the information handling system may generate a plurality of security profiles for the information handling system. Based, at least in part, on the first sensor data and the second sensor data, the information handling system may apply a security profile of the plurality of security profiles to the information handling system.

Abstract: In certain instances, a data management application (software application) that manages moving data files, and the like, from a primary high-speed storage system. An end-user can configure the data management application for particular files via management policies. Based on the management policies, after a file is migrated from the primary storage system to a targeted secondary storage system, a breadcrumb pointing to a webpage for the migrated file is left behind in the primary storage system. The webpage can be used to manage the migrated file, such as moving the migrated file back to the primary storage system.

Abstract: Example solutions are disclosed for performing a distributed data query for a connected data set, such as a property graph or a relational database, distributed across a plurality of regions (e.g., different geographic regions) under data flow limitations. For a restrictive limitation, a first region stores a data entity that is subject to a data flow limitation, and a second region stores only a reference to the data entity (e.g., a pseudonymous reference). The query is executed in the first region, and at least a partial representation of the state is injected into the query for execution in the second region. The query locates the reference to the data entity in the second region, and the state of the query from the second region is returned. Query results from the plurality of regions are synthesized into a final result. Further solutions address prohibitive limitations when references are not permitted.

Abstract: To facilitate improved email and device security, embodiments of systems and methods include intercepting, by a processor associated with an entity, an internet request, where the internet request is produced by a link received in an email at a first computing device. The processor determines that the link is externally bound relative to an entity network. The processor determines an existence of a sandbox environment instance in a set of existing sandbox environment instances. The processor routes the link through the sandbox environment instance. The processor updates the sandbox log in the database based on the sandbox environment instance and the link. The processor causes to display on a screen of the first computing device a user interface for interacting with the link in the sandbox environment instance, and the processor logs activities associated with interacting with the link in a security log.

Abstract: The present application discloses a method, system, and computer system for monitoring tasks with respect to information stored in a database system. The method includes receiving a request to execute a task with respect to a database, wherein the request is associated with an identifier corresponding to a user that inputs a query for the request; determining whether the task is authorized for the user; in response to a determination that the task is authorized for the user, obtaining a set of information that is to be returned for the task; determining a subset of the set of information, wherein the subset of the set of information comprises one or more parts of the set of information for which the user has access permission; and storing a record of the request to execute the task, wherein the record comprises an indication of the user, and an indication of subset of the set of information.

Abstract: A storage system has priority queues for real time-class file system messaging and backup-class file system messaging. The storage system includes servers, coupled as a storage cluster, storage devices and a network coupling the servers and the storage devices. The servers have priority queues. The servers operate the priority queues for messaging from the servers to the storage devices via the network in accordance with a real time-class file system and a backup-class file system. A first subset of the priority queues has higher priority on the network for real time-class file system messaging of at least one type. A second subset of the priority queues has lower priority on the network for backup-class file system messaging of at least one type.

Abstract: A device, system, and method for sharing information of a selected media modality via communication devices is provided. A device determines a type of a community member associated with an incident, the incident further associated with a first responder. The device determines a plurality of media modalities of information associated with the incident. The device selects, from the plurality of media modalities of the information, a media modality of the information based on the type of the community member. The device causes sharing of the media modality of the information with the community member via one or more of a first responder communication device, associated with the first responder, and a community member communication device, associated with the community member.

Abstract: A method includes determining a first set of query rules and receiving a query from a requesting entity. The first set of query rules is filtered to generate a proper subset of the first set of query rules by selecting only ones of the first set of query rules with parameter data comparing favorably to parameters of the query. Compliance data indicating whether the query complies with the first set of query rules is generated by determining whether the query complies with the proper subset of the first set of query rules. When the compliance data indicates the query complies with the first set of query rules, a query result is determined for the query and the query result is transmitted to the requesting entity. When the compliance data indicates the query does not comply with the first set of query rules, transmission of the query is foregone.

Abstract: Cybersecurity active defense in data storage systems are disclosed herein. An example system includes a file system, and an architecture installed on the file system, the architecture being configured to protect the file system in a zero trust manner from a malicious attack by a source system, the architecture including a controller that is configured to determine file-level operations of files in the file system that are indicative of a malicious event, block a user account or machine address interacting with the files, prevent data exfiltration or data corruption of the files, and provide an alert to an administrator regarding the files.

Abstract: A data model identifying a first and second table may be stored, the first table comprising a first and second attribute, the second table comprising a third attribute. A first filter parameter of a first filter and a second filter parameter of a second filter may be obtained. A first tag value may be associated with the first and second filters. A set of filters including the first and second filters may be determined in response to a determination that the first and second filters are associated with the first tag value. An argument indicating the first and second filter parameters may be generated based on the set of filters. A call to the first table may be executed based on the argument, the execution of the call causing values of the first and second attributes to be obtained based on the first and second filter parameters.

Abstract: Message processing for job title extraction includes receiving a job title query for a message in a message inbox of a communications application and parsing the message into a corpus of text. Message processing for job title extraction further includes identifying a sender of the message from a header in the corpus of text and locating below the header within the corpus of text of a name of the identified sender. Message processing for job title extraction yet further includes constructing a set of n-grams from a portion of the corpus of text positionally adjacent to the located name and mapping the set of n-grams to an index of job titles in order to identify a best matching one of the job titles. Finally, message processing for job title extraction includes responding to the job title query with the matching one of the job titles.

Abstract: The described implementations relate to an access control framework for a database system. One implementation can receive, from a user, a request for data that identifies a resource, such as a view that obtains data from a database. The implementation can check the identity of the user to identify user roles associated with the user. The implementation can identify an access policy that is associated with the resource, and a rule that is associated with the access policy and applies to the user roles associated with the user. The rule can be applied to the request for data using attributes of the access policy. For example, if the request for data is a query on a view, the query can be rewritten to apply the rule.

Abstract: A multi-tenant computer system authenticates access to a shared datastore by a shared service running on the multi-tenant computer system. The shared service is operable to access the shared datastore to execute requests from a plurality of multi-tenant cloud computing services. The requests include an indication of a particular tenant and a particular tenant grouping indicator. Requests are authenticated by cryptographically verifying the request and verifying that the particular tenant is associated with the particular tenant grouping indicator. In response to authenticating a request, the shared service accesses the shared datastore to execute the first request.

Abstract: A data querying system is disclosed that provides improved computer functionality that enables efficient permissioning and querying of specific portions of a data table, such that users (e.g., based on user roles or user attributes) are only allowed access to specific portions (e.g., particular data items/rows, and particular data items attributes/columns) of the data. The system advantageously provides efficient and improved querying and permissioning of specific portions of a data table through replication of the data table, or portions of the data table, and does not require permissioning of each individual cell of the data table. Further, the data table replication, querying, and permissioning techniques of the present disclosure, according to various implementations, advantageously integrate with a wide variety of data table query or search services to provide improved functionality, efficiency, and data permissioning.

Abstract: Disclosed are various examples for web application security through containerization. In one example, a web application is executed within a container application. The container application includes a management software development kit (SDK). A security policy for the web application is retrieved from a management service. The security policy is applied to the web application using the management SDK of the container application.

Abstract: An interactive gaming application which integrates real time data streaming from live sporting events in combination with user decisions which are based on the users intimate knowledge of sports, player positions and personal perspective regarding how fans believe professional sports players and coaches should perform and respond to real life circumstances which are observable and anticipated situations as they develop during the course of a game with integrated scoring, control and decision tracking methodologies to allow the game to synchronize with a live broadcast and the inputs provided by a multitude of players actively playing the game simultaneously.

Abstract: A query processing system operates by determining a set of query rules, receiving a query from a requesting entity, and generating compliance data by determining whether the query complies with the set of query rules prior to an execution of the query. When the compliance data indicates the query complies with the set of query rules: generating a query result by facilitating the execution of the query against a database system; and transmitting the query result to the requesting entity. When the compliance data indicates the query does not comply with the set of query rules: foregoing facilitation of the execution of the query.

Abstract: Aspects of the disclosure relate to management of databases in different server environments. In particular, various aspects of this disclosure relate to correction, synchronization, and/or migration of databases between different database servers. A feed file that is rejected from loading in a database associated with a source server may prioritized in a destination server. A feed file hierarchy of the rejected feed file may be determined and the destination server may process loading of the rejected feed file to a database based on the determine feed file hierarchy. Any corrections applied at the destination server may also be applied at the source server.

Abstract: A computer-implemented system and method for generating and maintaining at least one data center procedure is provided. The system includes a communication network, a storage device configured to store a plurality of basic unit instructions, one or more of the basic unit instructions having at least one procedure identifier, at least one processor coupled to the storage device and the communication network, and one or more components executable by the at least one processor and collectively configured to receive at least one data value associated with a data center, select at least one procedure identifier based on the at least one data value, identify a plurality of basic unit instructions associated with the at least one procedure identifier, assemble a data center procedure from the plurality of identified basic unit instructions, and provide the data center procedure to a user interface.

Abstract: Enabling auto-completion of database commands includes receiving, at a database command execution device from a client device, a request to execute a database command where the request includes a first indicator of a first set of tokens of the database that is available at the client device; executing the database command; transmitting, from the database command execution device to the client device, a response to the request that includes a status of the execution of the database command and a second indicator of a second set of tokens of the database that is different from the first set of tokens; receiving, at the database command execution device and from the client device, an update-tokens request that includes the first indicator; and transmitting, from the database command execution device and to the client device, data indicative of differences between the second set of tokens and the first set of tokens.

Abstract: In an embodiment, a central repository of rights may be implemented, and accessing entities (e.g. clients) and entities for which access is controlled (e.g. files, servers, etc.) may rely on the central repository. The rights may vary on a client-by-client basis. In an embodiment, the rights may be managed as a value that is interpreted by the access-controlled entity. Accordingly, the definition of access rights may vary based on the entity. In an embodiment, visibility to the access rights may be limited. For example, the central repository may provide a handle that is associated with the access rights, but the access rights themselves may not be provided. When an accessing entity attempts to access the access-controlled entity, the handle may be used to identify the access rights. The handle may be presented to the central repository by the access-controlled entity to confirm access rights.

Abstract: A server includes a data cache for storing data objects requested by users logged in under different user roles. Different user roles may have different permissions to access individual fields within a data object. When a cache miss occurs, the cache may begin loading portions of a requested data object from various data sources. Instead of waiting for the entire object to load to change the object state to “valid,” the cache may incrementally update the state through various levels of validity based on the user role of the request. When a portion of the data object used by a low-level user role is received, the object state can be upgraded to be valid for that user role while data for higher-level user roles continues to load. The portion of the data object can then be sent to the low-level user roles without waiting for the rest of the data object to load.

Abstract: A system for a video sharing service for inmates in correctional facilities is disclosed. The system includes an inmate device of an inmate, a database storing inmate profiles, and a video sharing server configured to receive a registration request from the inmate device for registration of an inmate for the video sharing service, the registration request including user credentials of the inmate, retrieve an inmate profile of the inmate from the database, authenticate the inmate based on the user credentials and the inmate profile, create an account for the inmate for the video sharing service in response to authentication of the inmate, receive an upload request to upload a video from the inmate device, analyze the video for restricted content, and assign a rating to the video based on the analysis.

Abstract: Computer-readable media, methods, and systems are disclosed for displaying a visual indication that an analytics rendering is authentic, and the integrity of the data is accurate and trusted. An analytics rendering comprising at least one table, chart, or graphic rendered from a plurality of aggregated data inputs from a plurality of microsystems may be selected. In a user interface for the analytics rendering, one or more structural identifiers associated with each data input of the plurality of aggregated data inputs can be displayed. A data input from the plurality of data inputs can then be selected and, responsive to receiving an instruction from a user, a visual indicator can be applied to the data input. If the one or more data inputs having an applied visual indicator is modified, the visual indicator will be visually altered in response the modification to the one or more data inputs.

Abstract: A spreadsheet supports formulas in cells that trigger queries of a data source. The parameters for queries can include or depend on values in other cells in the spreadsheet. Thus, the precise query submitted to the data source is dynamic, being dependent on the data and formulas in the spreadsheet. Furthermore, on receiving the query results, they are added to cells in the spreadsheet, which can be parameters for other queries defined in other cells. Changing the value of a single cell can automatically trigger an update of an arbitrarily deep hierarchy of calculations that can include an arbitrary number of data source queries.

Abstract: System and method for universal file access control in which a processor determines whether or not a user or process requesting access to a file has been granted an access privilege to the file by reading an access control list associated with the user or process or with a group to which the user is a member; if the user or process is determined to have been granted access privilege, retrieve stored directory descriptor information associated with the requested file; obtain a unique file handle associated with the user or process and the requested file; determine if the unique file handle has been used before by comparing the obtained unique file handle with a plurality of stored prior-used file handles; and if the unique file handle has not been used before, retrieve the requested file according to a local access protocol.

Abstract: Methods and systems for request orchestration. One system includes an electronic processor configured to receive a request including request metadata and identify a data attribute associated with the request. The electronic processor is also configured to determine an execution plan for enriching the request metadata based on the data attribute. The electronic processor is also configured to execute an application function according to the execution plan to enrich the request metadata. The electronic processor is also configured to evaluate the enriched request metadata. The electronic processor is also configured to generate and transmit a response to the request based on the evaluation of the enriched request metadata.

Abstract: Techniques are described for in-service configuration data migration for distributed micro service-based applications. In one example, a network device comprises a plurality of legacy data repositories comprising configuration data in key-value pair format that specifies a plurality of parameters and corresponding values for operation of the network device, and a hierarchical configuration data model having a plurality of nodes arranged in a hierarchical organization having a root node and a plurality of leaf nodes. Each of the nodes of the configuration data model is configured to store a set of configuration data parameters for the network device. One or more of the nodes includes a plurality of external references to respective parameters of the plurality of parameters stored within the plurality of legacy data repositories. Process circuitry is configured to perform a migration of the configuration data from the legacy data repositories to the hierarchical data model.

Abstract: Embodiments of a multi-tenant cloud system include a first data center adapted to authenticate a first plurality of registered clients and located in a first geographic area, and a second data center adapted to authenticate a second plurality of registered clients and located in a second geographic area that is different from the first geographic area. The first data center receives a request from a first client of the first plurality of registered clients to access a resource of the second data center and validates the request from the first client and issues a global access token. The second data center receives the request with the global access token. A cloud gate at the second data center, based on the global access token, validates the request and provides the resource to the first client.

Abstract: Methods and systems for revoking electronic messages. One method includes storing, for each of a plurality of forwarded messages, a record in a data store, each record including a link to an original message for the forwarded message, and receiving a request to revoke a forwarded message. In response to receiving the request, the method includes identifying an original message the forwarded message via a record stored in the data store and notifying, with an electronic processor, a user associated with the original message of the request to revoke the forwarded message. In response to receiving an instruction revoking the original source message from the user, the method includes identifying each forward of the original message via records stored in the data store and revoking the original message and each message associated with each record stored in the data store including a link to the original message.

Abstract: An apparatus comprises a processing device configured to monitor, over time intervals each comprising multiple time slices, client requests to access software container instances hosted by container host devices of a geographically-distributed software container platform, and to generate cluster pattern data comprising geographic clusters for the software container instances in each of the time slices. The processing device is also configured to predict, for a given time slice in a given subsequent time interval, formation of a geographic cluster of client requests for a given software container instance based on the cluster pattern data. The processing device is further configured to calculate network distances from the predicted geographic cluster to each of the container host devices, to select one of the container host devices based on the calculated network distances, and to proactively replicate the given software container instance in the selected container host device.

Abstract: Devices, systems, and methods are provided for classifying voice search queries. A system may receive voice data associated with a voice utterance, the system being associated with a network. The system may determine that the voice data is associated with a question, and may determine an absence of an answer to the question. The system may determine a score associated with the question, the score indicative of a risk of disclosure of sensitive information associated with a person. The system may determine that the score fails to satisfy a threshold, and may send the question to a device, wherein the device is remote from the network. The system may receive data associated with the question.

Abstract: In certain instances, a data management application (software application) that manages moving data files, and the like, from a primary high-speed storage system. An end-user can configure the data management application for particular files via management policies. Based on the management policies, after a file is migrated from the primary storage system to a targeted secondary storage system, a breadcrumb pointing to a webpage for the migrated file is left behind in the primary storage system. The webpage can be used to manage the migrated file, such as moving the migrated file back to the primary storage system.

Abstract: Aspects of the disclosure relate to management of databases in different server environments. In particular, various aspects of this disclosure relate to correction, synchronization, and/or migration of databases between different database servers. A feed file that is rejected from loading in a database associated with a source server may prioritized in a destination server. A feed file hierarchy of the rejected feed file may be determined and the destination server may process loading of the rejected feed file to a database based on the determine feed file hierarchy. Any corrections applied at the destination server may also be applied at the source server.

Abstract: To facilitate improved email and device security, embodiments of systems and methods include intercepting, by a processor associated with an entity, an internet request, where the internet request is produced by a link received in an email at a first computing device. The processor determines that the link is externally bound relative to an entity network. The processor determines an existence of a sandbox environment instance in a set of existing sandbox environment instances. The processor routes the link through the sandbox environment instance. The processor updates the sandbox log in the database based on the sandbox environment instance and the link. The processor causes to display on a screen of the first computing device a user interface for interacting with the link in the sandbox environment instance, and the processor logs activities associated with interacting with the link in a security log.

Abstract: The technology disclosed includes a system to efficiently classify sensitivity of document generated by and downloaded from cloud-based provider services. The system monitor's a user's network traffic at an endpoint that initiates generation of the document and receives a web page identifying the document generated. The system parses the user's network traffic that selects the document for download and intercepts a critical metadata in an API parameter string used to download the document. The system interprets the critical metadata to analyze sensitivity of the document to assign a sensitive classification to the document. Data exfiltration prevention measures are triggered upon detection of attempted exfiltration of the document based on the sensitivity classification.

Abstract: Methods and systems for data collection in an industrial refining environment with haptic feedback and data storage control are disclosed. A system may include a data collector communicatively coupled to a plurality of input channels, wherein the data collector collects data based on a selected data collection routine, a data storage structured to store a plurality of collector routes and collected data, wherein the plurality of collector routes each include a different data collection routine, a data acquisition circuit structured to interpret the collected data and determine an occurrence of an anomalous condition, a data analysis circuit to evaluate a data storage constraint of the monitoring system and to adjust a volume of collected data stored in response to the evaluation, and a haptic user device for generating a haptic stimulation in response to an occurrence of a specified anomalous condition in the refining environment.

Abstract: A method utilized in a mobile device includes: sending a file management command from the mobile device to a flash memory controller; receiving a file entry table from the flash memory controller; calculating a sum of data amounts of a plurality of entries corresponding to file(s) and/or sub-directory(s) in a specific directory; and comparing the sum of data amounts with a specific maximum data amount to determine a message reported to the specific application of the mobile device.

Abstract: A method and an apparatus for file transmission are provided. The method may include receiving a file sending request initiated by a source user for a preset file; sending an approval message for the file sending request to an approval user corresponding to the source user when the source user does not have a transmission privilege for the preset file; and setting the preset file as an obtainable state for a target user corresponding to the file sending request in response to the approval message being approved by the approval user. The technical solutions of the present disclosure can prevent an approval operation of a file from interrupting a communication process between users, help to simplify user operations, and improve the smoothness of the communication process.

Abstract: A multi-tenant, elastically scalable cache as a service is disclosed. Embodiments of the cache service eliminate the need for applications to manage their own cache tier. The multi-tenant cache service is implemented by maintaining/creating multiple named caches in a cache cluster and mapping each tenant's cache to a named cache in the cluster. Strict quotas are enforced on cache sizes This allows caches with different replication attributes to co-exist on the same cache server, allows migration of a cache from one cluster to another for load balancing purposes, and allows a cache to inflate/deflate to meet business needs. A network load balancer is used to route cache items to servers.

Abstract: A data querying system is disclosed that provides improved computer functionality that enables efficient permissioning and querying of specific portions of a data table, such that users (e.g., based on user roles or user attributes) are only allowed access to specific portions (e.g., particular data items/rows, and particular data items attributes/columns) of the data. The system advantageously provides efficient and improved querying and permissioning of specific portions of a data table through replication of the data table, or portions of the data table, and does not require permissioning of each individual cell of the data table. Further, the data table replication, querying, and permissioning techniques of the present disclosure, according to various implementations, advantageously integrate with a wide variety of data table query or search services to provide improved functionality, efficiency, and data permissioning.

Abstract: Described are techniques for an access management protocol including a method comprising associating a granted permission set and a constrained permission set to a user profile in an access management system. Respective granted permissions in the granted permission set authorize the user profile to perform the respective granted permissions, and respective constrained permissions in the constrained permission set preclude the user profile from performing the respective constrained permissions. The method further comprises receiving a permission-based request at the access management system and from the user profile and determining that the permission-based request is associated with a permission that is included in both the granted permission set and the constrained permission set. The method further comprises rejecting the permission-based request.

Abstract: Methods and systems for providing a cost effective and robust security solution for shared files stored by file sharing software solutions are described herein. The methods and systems for generating a ledger associated with shared files, which may include scanning data received from applications associated with a number of client devices and from a cloud based scanner. An access manager may control file permissions granted to users based on requests for scan data from each user device requesting access to a shared file. A plurality of different scanning applications may provide data that is collected for each shared file to provide a diverse analysis of a shared file to increase user confidence in a file security status.

Abstract: Systems and methods are provided for provisioning access rights to physical computing resources using an IAM system implementing an IAM data model. The IAM data model may identify logical and physical computing resources. An access request handler may receive an access request and identify a set of logical permissions based on the access request. The access request handler may derive a set of logical entitlements based on the set of logical permissions. An entitlement translator may translate the set of logical entitlements to a physical entitlement specification based on a set of physical permission specifications associated with the set of logical permissions. A physical permission specification may be obtained by mapping a logical permission to one or more physical permissions. An access control manager may then provision access rights to at least one physical computing resource indicated in the physical entitlement specification.

Abstract: Systems and methods are described for attributing online actions to previously delivered electronic advertisements on a plurality of devices using a plurality of device identifier (ID) clusters without use of central IDs. Each device ID cluster is associated with a device, and each device has device characteristics. Each device ID cluster includes one or more device identifiers. Device-related ad impression data and online action data is received. This data includes a device identifier associated with the device. The device identifier is used to identify the device ID cluster associated with the device to which the ad impression was delivered or the online action took place on. Copy devices are selected and paired with respective devices, and the same ad impression data or online action data are assigned to respective copy devices, thereby anonymizing the devices for which the device-related ad impression data or online action data was received.

Abstract: Techniques for improving database searches are described herein.

Abstract: Techniques described herein can allow users to share cached results of an original query with other users while protecting sensitive information. The techniques described herein can check whether the other users have access to the underlying data queried before allowing those users to see the stored query results. That is, the system may perform privilege checks on the shared users before giving them access to the stored query results but without having to re-run the original query.

Abstract: The present disclosure relates generally to threat detection, and more particularly, to techniques for managing user access to resources in an enterprise environment. Some aspects are directed to the concept of managing access to a target resource based on a threat perception of a user that is calculated using a rule or policy based risk for the user and a behavior based risk for the user. Other aspects are directed to preventing insider attacks in a system based on a threat perception for each user logged into the system that is calculated using a rule or policy based risk for each user and a behavior based risk for each user. Yet other aspects are directed to providing a consolidated view of users, applications being accessed by users, and the threat perception, if any, generated for each of the users.

Abstract: Application layering is a technology that separates applications from an operating system image. In some cases, information inside an application layer needs to be modified when that layer is delivered to a computer to be executed correctly in a specific environment. Described is a technique to allow those operations to be defined and executed outside of the operating system that will be running the application layer, so that a single application layer can be delivered to heterogeneous end points without the need to take up additional computation on the guest machine it is being delivered to, to ensure application compatibility when applications reside in more than one layer, to install applications into a layer without knowledge of a specific platform, and to modify the image to provide the required drivers and services to support any platform.