Abstract: Configuration monitoring is performed using a computer-based system and method by identifying misconfigured settings through the collection of large amounts of configuration data from diverse sources. The configuration data is then analyzed to identify misconfigured items. Automation of such configurations is implemented using machine learning to analyze existing configurations as well as new configurations. By using machine learning, the computer-based system and method can predict a pass state or a fail state of the configuration of a newly connected system in an organization. A logistic regression classifier is trained using old complying configuration data and data reflecting industry standards. The trained classifier can predict and classify whether a new configuration passes or fails the industry standards based on the training data of old configuration data.

Abstract: A management server retrieves access logs associated with a plurality of identities and generates a plurality of behavioral scores for the plurality of identities. The behavioral score for a particular identity increases responsive to access approvals and decreases responsive to access denials for that particular identity. A proxy server receives a first request to access a resource associated with a first identity of the plurality of identities and determines a zero trust access policy for the resource. When a first behavioral score for the first identity satisfies a behavioral score threshold for the zero trust access policy, the proxy server provides the resource. The proxy server receives a second request to access the resource associated with a second identity. When a second behavioral score for the second identity fails to satisfy the behavioral score threshold, the proxy server performs an action defined in the zero trust access policy.

Abstract: A system and method for securing virtual cloud assets in a cloud computing environment against cyber threats. The method includes: determining a location of a snapshot of at least one virtual disk of a protected virtual cloud asset, wherein the virtual cloud asset is instantiated in the cloud computing environment; accessing the snapshot of the virtual disk based on the determined location; analyzing the snapshot of the protected virtual cloud asset to detect potential cyber threats risking the protected virtual cloud asset; and alerting detected potential cyber threats based on a determined priority.

Abstract: Methods, computer program products, and systems are presented. The method computer program products, and systems can include, for instance: receiving, by a manager node, from a plurality of compute nodes metrics data, the manager node and the plurality of compute nodes defining a first local cluster of a first computing environment, wherein nodes of the compute nodes defining the first local cluster have running thereon container based applications, wherein a first container based application runs on a first compute node of the plurality of compute nodes defining the first local cluster, and wherein a second compute node of the plurality of compute nodes defining the first local cluster runs a second container based application; wherein the manager node has received from an orchestrator availability data specifying a set of compute nodes available for hosting the first application.

Abstract: Disclosed is a system to optimize rule weights for classifying access requests so as to manage rates of false positives and false negative classifications. A rules suggestion engine may suggest a profile of classification rules to a merchant for access requests. The system can optimize weights for the profile of rules using a cost function based on a training set of historical access requests, for example using stepwise regression or machine learning (ML). The system can compute a profile score based on the optimized weights, for example by summing the weights. The system statistically analyzes the profile score using classification thresholds and the historical access requests. The system can perform receiver operating characteristic (ROC) analysis for various threshold values, enabling a user to select a suitable threshold. The system can further optimize by adding or removing rules from the profile of rules.

Abstract: The innovation disclosed and claimed herein, in one or more aspects thereof, illustrates systems and methods for providing a technical control to a technically pervasive problem of inadvertent capture of items in a computing environment, returning control of what happens to such items in technical environments that have become widespread and intrusive. The innovation provides a system for users to control the types of items that pervasive computing environment elements may process without their express control and with technical countermeasures in a relatively unobtrusive manner.

Abstract: The technology disclosed herein enable a consumer to verify the integrity of services running in trusted execution environments. An example method may include: receiving, by a broker device, a request to verify that a service is executing in a trusted execution environment, wherein the request comprises data identifying the service; determining, by the broker device, a computing device that is executing the service; initiating, by the broker device, a remote integrity check of the computing device executing the service; receiving, by the broker device, integrity data of the trusted execution environment of the computing device; and providing, by the broker device, the integrity data to a consumer device associated with the service.

Abstract: Systems, methods and non-transitory computer readable media for controlling access in privacy firewalls are provided. A request to access a content of an element may be received, the content of the element may include a first portion and a second portion, the first portion may include identifiable information and the second portion may include no identifiable information. A permission record corresponding to the element may be accessed. In response to a first value in the permission record, access may be provided to the content of the element, including access to the first and second portions, and in response to a second value in the permission record, partial access may be provided to the content of the element, the partial access may include access to the second portion and may exclude access to the first portion.

Abstract: Described herein are techniques for providing one or more users with access to content obtained from a plurality of content providers. In some embodiments, such techniques may comprise maintaining a number of access credentials associated with a plurality of different content providers, obtaining access to a plurality of media content libraries, each of the plurality of media content libraries managed by a content provider of the plurality of different content providers, and providing the plurality of media content libraries to at least one user device as a single library of media content. Such techniques may further comprise receiving, from the user device, a selection of a media content from the single library of media content and providing, to the user device, access to the selected media content within a corresponding media content library of the plurality of media content libraries using an access credential.

Abstract: A terminal receiving a push message is provided. The terminal sets service control condition which specifies application identifier (app ID) corresponding to service that the terminal is allowed to receive, wherein the service control condition is contained in push message control policy. And the terminal then receives a push message, matching the push message control policy, sent by a server.

Abstract: Techniques for providing innocent until proven guilty (IUPG) solutions for building and using adversary resistant and false positive resistant deep learning models are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of content associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the content associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy.

Abstract: A data transmission method includes receiving, by a gateway of an integration platform as a service (iPaaS) system, a data transmission request transmitted by the iPaaS system, the iPaaS system being deployed on a first virtual private cloud (VPC) in a cloud network. The method further includes determining an address identifier of the service to be accessed by the iPaaS system, and a first transmission connection between the gateway and a data transmission circuitry associated with the service. The data transmission circuitry is connected to an Intranet, and the service is deployed in the Intranet or in a second VPC. The method further includes transmitting the data transmission request and the address identifier of the service from the gateway to the data transmission circuitry through the first transmission connection, where the data transmission circuitry transmits the data transmission request of the iPaaS system to the service.

Abstract: A security apparatus for a local network is in communication with an external electronic communication system and a first electronic device. The apparatus includes a memory device configured to store computer-executable instructions, and a processor in operable communication with the memory device. The processor is configured to implement the stored computer-executable instructions to cause the apparatus to determine a complexity score for the first electronic device, establish a behavioral pattern for the first electronic device operating within the local network, calculate a confidence metric for the first electronic device based on the determined complexity score and the established behavioral pattern, and control access of the first electronic device to the external communication system according to the calculated confidence metric.

Abstract: A network compromise activity monitoring system includes a network connector, a compromise activity analyzer, and a compromise defender. The network connector has a public network port, at least one private network port, and an associated network connector traffic log concerning data packet traffic of the network connector. The compromise activity analyzer has access to suspect destination metadata, egress traffic metadata, and network device metadata, and is operative to determine a compromise activity level of one or more devices coupled to the at least one private network port. The compromise defender is responsive to the determined compromise activity level of the one or more devices and is operative to at least one of block, alert and notify in accordance with at least one rule.

Abstract: Disclosed in some examples are methods, systems, devices, and machine-readable mediums which utilize digital tracking tags attached to data to monitor and/or control the data as it moves between applications and/or computing devices. The digital tracking tag may be embedded in the data (e.g., as a digital watermark) or associated with the data e.g., as metadata. In some examples, the digital tracking tag may include an address of a tracking database with which to record one or more events related to the data. For example, recipients, senders, or other participants in a data transfer event may register the data transfer event with the tracking database.

Abstract: According to examples, an apparatus may include a processor and a memory on which are stored machine-readable instructions that when executed by the processor, may cause the processor to receive a request from a client for a status of the client, and based on the status of the client, generate a token associated with application programming interface (API) calls to be received from the client. In some examples, the token may include a value representing a priority for determining an adaptive rate limiting of the API calls to be received from the client. The processor may send a response to the request, in which the response may include the status of the client and the token.

Abstract: Some embodiments of the invention provide a method for performing intrusion detection operations on a host computer. The method receives a data message sent by a machine executing on the host computer. For the data message's flow, the method identifies a set of one or more contextual attributes that are different than layers 2, 3 and 4 header values of the data message. The identified set of contextual attributes are provided to an intrusion detection system (IDS) engine that executes on the host computer to enforce several IDS rules. The IDS engine uses the identified set of contextual attributes to identify a subset of the IDS rules that are applicable to the received data message and that do not include all of the IDS rules enforced by the IDS engine. The IDS engine then examines the subset of IDS rules for the received data message to ascertain whether the data message is associated with a network intrusion activity.

Abstract: An apparatus for preventing unauthorized software or firmware upgrades between two or more computing devices connected on a data bus includes a cryptographic engine, memory, and at least one processor coupled with the cryptographic engine and memory. The cryptographic engine stores cryptographic metadata for authorized upgrade images for updating at least one target computing device coupled to the data bus. The cryptographic metadata includes a manifest list of upgrade images. The processor is configured to monitor the data bus for transmissions of striped update hashes from a maintenance device, to receive signed striped hashes corresponding to an upgrade image file transmitted by the maintenance device, to validate the striped update hashes using information in the manifest list, to log that an unauthorized upload has been attempted when at least one of the striped update hashes fails validation, and to perform a mitigation action(s) in response to the attempted unauthorized upload.

Abstract: A method for ensuring secure wireless communication of a first device in a communication system includes: retrieving information about a type of trustiness of a first communication link of a first access technology and about a type of trustiness of a second communication link of a second access technology, wherein a second device and the first device are configured to communicate data with each other via the first communication link and the second communication link; determining, by a processor of the first device and/or a processor of the second device, security levels based on the information about the type of trustiness of the first communication link and about the type of trustiness of the second communication link.

Abstract: A non-transitory computer-readable storage medium storing a program that causes a processor included in an authorization server to execute a process, the process includes storing an association relationship between a plurality of users who are owners of data, and a consent portal with which each of the plurality of users performs user registration, when consent of a user to access to data of a first condition is asked for by a client, detecting a target user who is an owner of data that matches the first condition, extracting a consent portal with which the target user performs user registration, from the association relationship, and obtaining an intention of consent or non-consent to access to the data, from the target user by using the extracted consent portal, and controlling an access by the client to data in the resource server, in accordance with the obtained intention.

Abstract: Systems and methods for modernizing workspace and hardware lifecycle management in an enterprise productivity ecosystem are described. In some embodiments, a client Information Handling System (IHS) may include a processor and a memory, the memory having program instructions that, upon execution by the processor, cause the client IHS to: receive, from a workspace orchestration service, one or more files or policies configured to enable the client IHS to instantiate a first workspace based upon a first workspace definition; allow a user to execute a non-vetted application in the first workspace; determine that the first workspace is compromised; and receive, in response to the determination, from the workspace orchestration service, one or more other files or policies configured to enable the client IHS to instantiate a second workspace based upon a second workspace definition, where the second workspace definition allows execution of a vetted application corresponding to the non-vetted application.

Abstract: Systems and methods include obtaining a plurality of parameters associated with a host; determining a fingerprint of the host utilizing the plurality of parameters; and providing the fingerprint to cloud service for enrollment and management of the host in the cloud service. The cloud service can include microsegmentation of the host. The cloud service can include any of Internet access for the host and private resource access by the host.

Abstract: The technology disclosed relates to a DHCP relay-based steering logic for policy enforcement on IoT devices. In particular, the technology disclosed provides a steering logic that is interposed between a plurality of special-purpose devices on a network segment of a network and a DHCP server on the network segment. The steering logic is configured to intercept DHCP requests broadcasted to the DHCP server by special-purpose devices in the plurality of special-purpose devices, forward the intercepted DHCP requests to the DHCP sever 522, receive, from the DHCP server, DHCP responses to the intercepted DHCP requests, receive, from a device classification logic, a positive determination that the special-purpose devices are special-purpose devices and not general-purpose devices, modify the received DHCP responses by replacing the default gateway with an inline secure forwarder on the network segment, and send the modified DHCP responses to the special-purpose devices.

Abstract: The technology disclosed relates to a DHCP server-based steering logic for policy enforcement on IoT devices. In particular, the technology disclosed provides a steering logic running on a DHCP server on a network segment of a network. The steering logic is configured to receive DHCP requests broadcasted to the DHCP server by a plurality of special-purpose devices on the network segment, access DHCP responses generated by the DHCP server for the DHCP requests, receive, from a device classification logic, a positive determination that special-purpose devices in the plurality of special-purpose devices are special-purpose devices and not general-purpose devices, modify the accessed DHCP responses by replacing the default gateway with an inline secure forwarder on the network segment, and send the modified DHCP responses to the special-purpose devices.

Abstract: Techniques are disclosed for automatically inferring software-defined network policies from the observed workload in a computing environment. The disclosed techniques include monitoring network traffic flow originating from network interfaces corresponding to containers that execute components of an application, recording details of a new network connection or a change in the existing network connection, obtaining information concerning the components of the application, identifying metadata for a component involved in the new network connection or the change in an existing network connection based on a comparison of the details of the new network connection or a change in the existing network connection and the information concerning the components of the application, generating a network policy for the component using at least the metadata for the component, and integrating the network policy for the component into a deployment package for the application.

Abstract: Systems and methods are described herein for managing peering relationships and applying peering policy between service providers and content distribution networks. Aspects discussed herein relate to establishing secure peering connections between service providers to exchange application and/or network information. In some embodiments, an application peering manager may apply peering policy based on token information or other suitable information configured to uniquely identify an application and/or subscriber. In other embodiments, policy enforcement points or other elements residing within a network may be configured to accept and/or apply peering policy to application sessions.

Abstract: Techniques are described for providing users of a data intake and query system with pre-trained ML models capable of identifying malicious threats (e.g., malware, botnets, ransomware, etc.) in users' computing environments based on an analysis of Domain Name System (DNS) log data collected from DNS servers in users' environments. DNS log data is ingested by a data intake and query system and processed to obtain searchable timestamped event data. This event data can then be used as input to ML models provided by a security ML application described herein to detect potential occurrences of malicious activity within users' computing environments.

Abstract: A cloud-based security service that includes external evaluation for accessing a third-party application. The security service receives a request to access a third-party application from a client device. The security service enforces a set of one or more access policies configured for the third-party application including an external evaluation rule. As part of enforcing the external evaluation rule, the security service transmits an external evaluation request to an external endpoint defined in the external evaluation rule. The external evaluation request includes an identity of a user associated with the request. The security service receives the result of the external evaluation. If the external evaluation passed, the security service grants access to the third-party application based at least in part on its passing.

Abstract: A request to perform a prediction using a machine learning model of a specific entity is received. A specific security key for the machine learning model of the specific entity is received. At least a portion of the machine learning model is obtained from a multi-tenant machine learning model storage. The machine learning model is unlocked using the specific security key and the requested prediction is performed. A result of the prediction is provided from a prediction server.

Abstract: An enclave manager of a network enclave obtains a request to retrieve configuration information and state information corresponding to compute devices and network devices comprising a network enclave. The request specifies a set of parameters of the configuration information and the state information usable to generate a response to the request. The enclave manager evaluates the compute devices, the network devices, and network connections among these devices within the network enclave to obtain the configuration information and the state information. Based on the configuration information and the state information, the enclave manager determines whether the network enclave is trustworthy. Based on the parameters of the request, the enclave manager generates a response indicating a summary that is used to identify the trustworthiness of the network enclave.

Abstract: Various embodiments include a method for deploying field device into an Internet of Things (IoT). The method may include: acquiring information from a field device using an edge device; transmitting the acquired information to a cloud platform; wherein the information comprises data and an industrial IoT model; converting the industrial IoT model into a graph; performing similarity analysis based on the graph; classifying the industrial IoT model based on the similarity analysis; generating a first industrial IoT model comprising a type or an example; performing data mapping on the first industrial IoT model; and operating the field device as part of the IoT.

Abstract: An image matching system for determining visual overlaps between images by using box embeddings is described herein. The system receives two images depicting a 3D surface with different camera poses. The system inputs the images (or a crop of each image) into a machine learning model that outputs a box encoding for the first image and a box encoding for the second image. A box encoding includes parameters defining a box in an embedding space. Then the system determines an asymmetric overlap factor that measures asymmetric surface overlaps between the first image and the second image based on the box encodings. The asymmetric overlap factor includes an enclosure factor indicating how much surface from the first image is visible in the second image and a concentration factor indicating how much surface from the second image is visible in the first image.

Abstract: A server system obtains, for machines in a distributed system, system risk information, such as information identifying open sessions between respective users and respective machines, information identifying vulnerabilities in respective machines; and administrative rights information identifying groups of users having administrative rights to respective machines. The server system determines security risk factors, including risk factors related to lateral movement between logically coupled machines, and generates machine risk assessment values for at least a subset of the machines, based on a weighted combination of the risk factors. A user interface that includes a list of machines, sorted in accordance with the machine risk assessment values is presented to a user.

Abstract: Systems and methods provide for provisioning services for an unmanned aerial system (UAS) in a 3GPP network, enabling communication for command and control in 5G systems, and enabling UAS service for identification and operation in a 3GPP system.

Abstract: Systems and methods for anomaly detection in workspaces are disclosed. For example, sensor data from sensors associated with a device is gathered and compared with contextual data associated with the device, the environment in which the device is situated, and/or sensitive data that is being accessed to determine whether an anomaly is detected indicating that the environment is unsecure for accessing the sensitive information. An automated action is performed to mitigate unsecure use of the sensitive information based at least in part on the detected anomaly.

Abstract: Systems and methods for automated actions for application policy violations are disclosed. For example, policy violation evaluation components may monitor requests and/or responses from one or more applications to identify content policy violations. When a violation is identified, an automated decision engine utilizes data representing the policy violation along with, in example, contextual information about the policy violation to identify a rule from a rules database that is associated with the policy violation. An action is determined from the selected rule, and a command is generated to perform the action in response to the policy violation.

Abstract: A method for a well intervention program is provided. The method includes selecting, from a number of well intervention mandates generated by a number of originators in an oil and gas industry hierarchy, mid-level mandates based on respectively originator rankings, wherein each of the number of well intervention mandates relates to a well intervention activity of the well intervention program, generating, based on respective pre-defined cycle times of the mid-level mandates, a most frequent timeframe, performing, based on a pre-determined audit criterion and over the most frequent timeframe, an audit of the well intervention program to generate an audit result, and presenting the audit result to the number of originators.

Abstract: Systems and methods for accessing credentials from a blockchain are provided. A computing device requests for a server to process a transaction. In response to the request, the server transmits a server public key to the computing device. A key generator of the computing devices uses the user private key and the server public key to generate a user public key. The user public key includes permissions to access credentials that are stored on blockchain. The server receives the user public key and generates a request for credentials to blockchain. The request includes the user public key and the server private key. The blockchain receives the request and generates an identity token. The identity token includes credentials that are specified in the user public key. The blockchain transmits the identity token to the server and the server uses the identity token to processes the transaction.

Abstract: A method of asset verification implemented by a computing device as part of an asset verification system. The asset verification utilizes unique identifying information of the asset. The method collects asset information from a user, collects asset information from the computing device, generates a unique identifier from the asset information, adds the unique identifier and the asset information to a blockchain, and stores the asset information in a distributed storage system.

Abstract: Validating microservice calls is provided. It is determined whether a microservice call to a microservice hosted by a computer is valid based on a policy in a proactive condition map of a validation proxy that matches the microservice call. In response to determining that the microservice call is invalid based on the policy in the proactive condition map that matches the microservice call, the microservice call is blocked to the microservice. It is determined whether the microservice call needs to be redirected to another microservice based on the policy. In response to determining that the microservice call does need to be redirected to another microservice based on the policy, the microservice call is redirected to the other microservice with a callback to the microservice.

Abstract: A system and method for analyzing in-page behavior. A method includes recording sessions of users browsing a website, wherein a session is time-ordered collection of a user's interactions with one or more webpages belonging to the website; analyzing recorded sessions to generate session insights, wherein the session insights are based in part on user experience factors, wherein each user experience factor relates to behavior of a user within each webpage visited during a session; and reporting the generated experience insights.

Abstract: A unified platform may comprise a combination of independent frameworks that have been integrated and configured to collaboratively operate seamlessly. In some aspects, the unified platform may comprise one or more of an authentication and authorization framework, a dynamic user interface framework, a workflow state management framework, a notification and active data loss and prevention (DLP) engine framework, and an orchestration engine framework. Each of the frameworks included in the unified platform may comprise one or more of the plurality of computing devices executing computer-readable program instructions.

Abstract: Methods, systems, and computer readable media for message validation in fifth generation (5G) communications networks are disclosed. One method occurring at a first network node of a first network comprises: obtaining, from at least one authentication and key agreement (AKA) procedure related message associated with a user device communicating via a second network, authentication information identifying the user device; storing the authentication information in a data store for validating subsequent messages; receiving a request message associated with the user device; determining, using the authentication information, that the request message is invalid; and in response to determining that the request message is invalid, performing an invalid message action.

Abstract: A computing system for generating tamper-proof electronic messages is disclosed herein. A service provider application receives an electronic message from a client application. The electronic message comprises an authorization provider (AuP) token that includes a public key of a local signing authority (LSA) and a signed payload that has been signed by the LSA using a private key of the LSA that forms a cryptographic key pair with the public key, the signed payload comprising an indication of a programmatic task to be executed by the service provider application. Responsive to validating the AuP token in the electronic message, the service provider application extracts the public key from the electronic message. Responsive to validating the signed payload based upon the extracted public key of the LSA, the service provider application executes the programmatic task.

Abstract: A system and a method for modeling topic-based message-oriented middleware (MoM) are provided. The method commences with connecting with a MoM system and converting information associated with the MoM system into a standardized object model. The standardized object model may include a topic-based node associated with a topic, at least one producer application, and at least one consumer application. The at least one producer application provides one or more messages related to the topic to the topic-based node. The at least one consumer application receives the one or more messages from the topic-based node. The method continues with generating a standardized graph of relationships between producers and consumers over a period of time. The method further includes creating a policy, periodically analyzing the standardized graph for at least one deviation from the policy, and issuing an alert in response to detecting the at least one deviation.

Abstract: In implementations of NGAC graph evaluations, a computing device implements a next generation access control (NGAC) graph that includes user elements representing users, object elements representing resources, and multiple policy classes. Policy binding nodes can be modeled as user attributes in the NGAC graph for each of the multiple policy classes, and each policy binding node is assigned to a corresponding one of the multiple policy classes. A user element is assigned as a member of a policy binding node, and the policy binding node delineates at least one policy permission on an object element and grants the policy permission on the object element to the user element. The computing device implements a policy decision module to evaluate the NGAC graph with a graph evaluation procedure to determine graph analysis information relative to at least one of the user element, the granted policy permission, or the object element.

Abstract: Provided herein are systems and methods for targeted attack protection using predictive sandboxing. In exemplary embodiments, a method includes retrieving a Uniform Resource Locator (URL) from a message of a user and performing a preliminary determination to see if the URL can be discarded if it is not a candidate for sandboxing. The exemplary method includes computing a plurality of selection criteria factors for the URL if the URL passes the preliminary determination, each selection criteria factor having a respective factor threshold. The method can further include determining if any of the selection criteria factors for the URL exceeds the respective factor threshold for the respective selection criteria factor. Based on the determining, if any of the selection criteria factors exceeds the factor threshold for the selection criteria factor, the exemplary method includes automatically placing the URL in a sandbox for analysis.

Abstract: An example method for discovering and grouping application endpoints in a network environment is provided and includes discovering endpoints communicating in a network environment, calculating affinity between the discovered endpoints, and grouping the endpoints into separate endpoint groups (EPGs) according to the calculated affinity, each EPG comprising a logical grouping of similar endpoints for applying common forwarding and policy logic according to logical application boundaries. In specific embodiments, the affinity includes a weighted average of network affinity, compute affinity and user specified affinity.

Abstract: A method including determining, by a first device having an established virtual private network (VPN) connection with a VPN server and an established meshnet connection with a second device in a mesh network, a transmission packet to be transmitted by the first device; and determining, by the first device, whether the transmission packet is to be transmitted by utilizing the VPN connection or by utilizing the meshnet connection based at least in part on determining a destination associated with the transmission packet. Various other aspects are contemplated.

Abstract: The present disclosure relates to systems and methods for a machine-learning platform for the safe serialization of a machine-learning application. Individual library components (e.g., a pipeline, a microservice routine, a software module, and an infrastructure model) can be encrypted using one or more keys. The keys can be stored in a location different from the storage location of the machine-learning application. Prior to incorporation of the library component into a machine-learning model, one or more keys can be retrieved from the remote storage location to authenticate that the one or more encrypted library components are authentic. The process can reject any of the one or more component, when the encrypted library component fails authentication. If a component is rejected, the system can roll back to a previous, authenticated version of the library component. The authenticated library components can be compiled into machine-learning software.