Abstract: A technology is disclosed for the browser side capturing of user interaction session data and replay of the session data for a high-fidelity reconstruction of the experience the user perceived. In addition to capturing central structuring and markup documents and browser side updates thereof, additional resource documents that are loaded and used by the browser to render the central documents are captured and added to the session recording data. Identification information is created for resource documents, based on the content of those documents, which allows the capturing system to distinguish different versions of those content documents that share the same name but have different content. The captured session data contains data to identify the correct versions of resource documents during replay. Various measures to reduce the amount of transferred resource content data are applied, that consider already captured resource document versions or the usage frequency of a monitored application.

Abstract: A technology to identify processing paths of untrusted input data received by applications that are vulnerable to attacks and to further detect and prevent actual attacks that try to exploit those vulnerabilities is disclosed. Application code is augmented at run-time with sensor code which detects the entry of input-data into the application and further traces the propagation, manipulation and, sanitization of this input-data until its usage in a data sink. The so generated data-flow traces reveal data-flow paths that lack required sanitization measures to neutralize potentially harmful input-data. Such data-flow paths are reported as vulnerabilities. Further, input-data that reaches data-sink interfaces is scanned by data-sink sensors to identify harmful input data. On identification of harmful input data, an attack is reported, and countermeasures are applied to prevent the identified attack.

Abstract: A computer-implemented method is presented for joining tables in a database system. The method includes: a) receiving a request to join tables according to a join query; b) generating a probabilistic data structure for each table specified in the set of join operations; c) for each join operation, calculating a cardinality estimate of table resulting from a particular join operation using the probabilistic data structures for the tables to be joined; d) selecting a join operation in the set of join operations, where the selected join operation has the lowest cardinality estimate amongst the join operations; e) removing the selected join operation from the set of join operations; f) replacing the tables to be joined by the selected join operation with the joint of these tables in the set of join operations; and repeating steps c) to f) until the set of join operations comprises a single join operation.

Abstract: Methods and technologies are disclosed for the sketch efficient estimation of large-scale multi-sets in distributed, stream-oriented environments. Sketch updates are idempotent and commutative, to support duplicate set elements and varying element sequences. They are also mergeable to support distributed sketch recording. The recording process uses stepwise approximated geometric distributions, efficiently generated from NLZ values of received sketch updates, by using only multiplications with powers of two and integer additions. Sketch registers are subdivided into a portion storing an observed max update value for the register, and a portion storing set of flag bits indicating observed next smaller update values for the register. A Max Likelihood base sketch data evaluation, based on the assumption of statistically independent sketch registers is proposed.

Abstract: A computer-implemented method is presented for storing log data generated in a distributed computing environment. The method includes: receiving a data element from a log line, where the data element is associated with a given computing source at which the log line was produced; applying a hash function to the data element to generate a hash value; updating a listing of computing entities with the given computing source, where entries in the listing of computing entities can identify more than one computing source and each entry in the listing of computing entities specifies a unique set of computing sources; and storing the hash value, along with an address, in a probabilistic data structure, where the address maps the hash value to an entry in the listing of computing entities.

Abstract: A computer-implemented method is presented for filtering a data record against a set of pre-defined rules. The method includes: receiving a set of pre-defined rules, where each rule in the set of pre-defined rules includes one or more conditions and an action taken when the one or more conditions are satisfied; enumerating conditions in the set of pre-defined rules for form an ordered list of conditions; removing select conditions from the ordered list of conditions, where each of the select conditions has an identical condition preceding it in the ordered list of conditions; for each given rule in the set of pre-defined rules, connecting conditions in the ordered list of conditions that are associated with a given rule by logical operators to form a transformed rule corresponding to the given rule in the set of pre-defined rules, thereby forming a set of transformed rules.

Abstract: A computer-implemented method is presented for reporting monitoring data in a distributed computing system. The method includes: instrumenting service code with an agent, where the service code executes statelessly in an execution environment; capturing, by the agent, monitoring date during a first execution of the service code in the execution environment, where the monitoring data is indicative performance of the service code during the first execution; storing, by the agent, the monitoring data on an execution instance of the service code; and sending, by the agent, the monitoring data to a remote monitoring server during a second execution of the service code, where the second execution of the service code occurs after the first execution of the service code and the agent is located remotely across a network from the monitoring server.

Abstract: A technology for the optimized capturing of resource file content for resources referred in recorded user interaction sequences is disclosed. Individual resource files are typically referred in multiple recorded resources, therefore it is desired to capture those resources only once and reuse them for all recorded session capturing them. As user interaction sequences are executed and captured in independently operating web-browsers, a direct coordination between recording web-browsers to avoid multiple captures of the same resource is not possible. Data about the global resource capturing and demand situation is generated on a monitoring server that receives all session recording data and transferred to session recording browsers in form of lists identifying resources that are referred in sessions but are still unresolved and should therefore be captured, and for resources that should not captured, because they are already available and capturing them again should be avoided.

Abstract: Tightly coupling cyber deception with software applications is promising in the lab but poses significant technical challenges in production systems. Because security measures are usually the responsibility of a system operator, access is typically limited to built software artifacts rather than their source code. This limitation makes it particularly challenging to deploy cyber deception techniques at application runtime and without full control over the software development lifecycle.

Abstract: Technologies are disclosed for the automated, rule-based generation of models from arbitrary, semi-structured observation data. Context data of received observation data, like data describing the location of on which a phenomenon was observed, is used to identify related observations, to generate entities in a model describing the observed data and to assign observations to model data. Mapping rules may be used for the on-demand generation of models, and different sets of mapping rules may be used to generate different models out of the same observation data for different purposes. Further, observation time data may be used to observer the temporal evolution of the generated model. Possible use cases of the so generated models include the interpretation of observation data that describes unexpected operation conditions in view of the generated model, or to determine how a monitored system reacts on changing conditions, like increased load.

Abstract: A technology is disclosed for the managed execution of custom scripting code that interacts with services provided by a service provider, where the service provider also provides the environment for the managed code execution. The managed execution environment separates functionality that perform interactions with underlying operating system functionality, like access to remote resources from functionality related to the execution of scripting code. To isolate the state of consecutive script executions while maintaining short startup times and high throughput of the managed execution environment, only functionality related to script execution is discarded after individual executions and functionality related to operation system interaction is reused for multiple executions.

Abstract: A technology for the adaptive compression of time series of complex monitoring data records is disclosed. Variants of complex monitoring data may describe multiple observations of the same type and from the same source from different timestamps, or they may describe multiple, related observations from the same source from the same timestamp. Meta-data for individual complex monitoring data records is analyzed to identify portions of the monitoring data record that can be omitted without loss of data to improve the compression rate. Different base compression methods may be applied for individual entities of monitoring data, depending on the data type used to represent the monitoring data entity, like XOR compression for floating point types. Compressed data is stored to a storage stream, where meta-data that is required to determine the omitted portions of complex data records is stored before corresponding observation payload data.

Abstract: A technology is disclosed for the browser side capturing of user interaction session data and replay of the session data for a high-fidelity reconstruction of the experience the user perceived. In addition to capturing central structuring and markup documents and browser side updates thereof, additional resource documents that are loaded and used by the browser to render the central documents are captured and added to the session recording data. Identification information is created for resource documents, based on the content of those documents, which allows the capturing system to distinguish different versions of those content documents that share the same name but have different content. The captured session data contains data to identify the correct versions of resource documents during replay. Various measures to reduce the amount of transferred resource content data are applied, that consider already captured resource document versions or the usage frequency of a monitored application.

Abstract: A technology to identify processing paths of untrusted input data received by applications that are vulnerable to attacks and to further detect and prevent actual attacks that try to exploit those vulnerabilities is disclosed. Application code is augmented at run-time with sensor code which detects the entry of input-data into the application and further traces the propagation, manipulation and, sanitization of this input-data until its usage in a data sink. The so generated data-flow traces reveal data-flow paths that lack required sanitization measures to neutralize potentially harmful input-data. Such data-flow paths are reported as vulnerabilities. Further, input-data that reaches data-sink interfaces is scanned by data-sink sensors to identify harmful input data. On identification of harmful input data, an attack is reported, and countermeasures are applied to prevent the identified attack.

Abstract: A computer-implemented method is presented for identifying vulnerable software from a computer system. The method includes: identifying name of a given software component in a vulnerability database by analyzing text of an entry in the vulnerability database using a large language model, where entries in the vulnerability database have known vulnerabilities; identifying a patch for the given software component in a source code repository by analyzing text of the entry in the vulnerability database using the large language model; identifying the patch for the given software component in the source code repository by analyzing text in the source code repository using the large language model; and reporting the given software component as being vulnerable in response to identifying the patch for the given software component in the source code repository.

Abstract: A technology is disclosed to perform real-time and online identification and prioritization of vulnerabilities of components of software applications. Agents are deployed to components of monitored applications that monitor and report application topology, communication, code execution and code loading activity. Reported code loading and execution activity data is used to detect the loading and execution of vulnerable code, topology and communication data is used to create a topology model of the application containing communication paths, trust boundaries and location of sensitive data. The analysis of code loading and execution data reveals the extend to which vulnerable code is used by monitored application components. The topology data combined with code execution data reveals the extent to which components executing vulnerable code are exposed to untrusted entities and/or accessing sensitive data.

Abstract: A system and method for the analysis of log data is presented. The system uses SuperMinHash based locality sensitive hash signatures to describe the similarity between log lines. Signatures are created for incoming log lines and stored in signature indexes. Later similarity queries use those indexes to improve the query performance. The SuperMinHash algorithm uses a two staged approach to determine signature values, one stage uses a first random number to calculate the index of the signature value that is to update. The two staged approach improves the accuracy of the produced similarity estimation data for small sized signatures. The two staged approach may further be used to produce random numbers that are related, e.g. each created random number may be larger than its predecessors. This relation is used to optimize the algorithm by determining and terminating when further created random numbers have no influence on the created signature.

Abstract: The disclosure concerns the time-based correlation of time series for the root cause analysis of application monitoring data, observability data, and data observability data in the field of application monitoring and observability. The object of the disclosure is to find at least one candidate time series that has a high chance/probability for causing an event in a reference time series. The method shall be time-based and not frequency based. The method includes: constructing a simplified reference time series retaining changes in the reference time series and setting other points to zero; constructing a simplified candidate time series retaining changes in the candidate time series and setting other points to zero; calculating a similarity metric between the simplified candidate time series and the simplified reference time series; and reporting an occurrence of a computing event in response to the similarity metric exceeding a threshold value.

Abstract: A system and method is disclosed for injecting in-process agents into processes executing self-contained, statically linked binaries that do not interact with a dynamic loader mechanism that identifies and resolves required libraries at run time. System calls directed to the execution of binaries in processes are intercepted and the targeted binary is analyzed to determine whether it is statically linked. In case a statically linked binary is identified, a proxy launcher process is started instead of the binary which starts the original binary as traceable child process. After the child process has loaded the original binary into its process memory, the memory image of the child process is copied to the launcher process and the child process is terminated. An agent is loaded into the launcher process to instruments the copied memory image.

Abstract: A computer-implemented method is presented for storing log data generated in a distributed computing environment.