Abstract: A method for sharing data in a multi-tenant database includes generating a share object in a first account comprising a share role. The method includes associating one or more access rights with the share role, wherein the one or more access rights indicate which objects in the first account are accessible based on the share object. The method includes granting, to a second account, cross-account access rights to the share role or share object in the first account. The method includes receiving a request from the second account to access data or services of the first account. The method further includes providing a response to the second account based on the data or services of the first account.

Abstract: Methods and devices are provided for determining a service associated with an unclassified traffic flow in a computer network. Classification information for a plurality of classified traffic flows in the computer network are obtained that indicate an association between each of the classified flows and a service. A primary cluster analysis is performed on the plurality of classified flows and the unclassified flow to associate the unclassified flow to a group of classified flows having a common service. The association between the unclassified flow and the common service is provided to a network security management system.

Abstract: Embodiments for validating a dynamically downloaded client-side library using a kernel that downloads the library and computing a hash value of the library using a nonce value received from a server and the library code. The kernel sends the hash value to the server with a file identifier. The server finds the identified library and compares the received hash value to its own computed value calculated over the file and using the same nonce value. If the client sends the correct value, then the server allows the application to connect to the server and use the server's services. If the client sends a value other than the value calculated by the server, the server closes the connection from the client and denies access to the application.

Abstract: Techniques are described for enabling resources within a cloud computing system to interact with each other. In certain embodiments, a resource is assigned a digital token that provides certain access privileges for the duration in which the digital token is valid. The digital token permits the resource to have access for a duration sufficient to perform some operation (e.g., run one-time code or the same code periodically on a scheduled basis), but without extending the level of access for significantly longer than necessary to complete the operation. Each time the resource principal is to perform the operation, the token can be reissued to the resource to provide the resource with time-limited access privileges. The use of this short-lived token avoids having to create permanent credentials for the resource.

Abstract: A system for securely provisioning a plurality of computerized devices of a tenant, is provided. The system includes a processor, and a computer storage medium including instructions that when executed by the processor cause the processor to perform operations. The operations include receiving provisioning requests from r the plurality of computerized devices needing certificates, each provisioning request indicating a tenant identifier identifying the tenant, and transmitting the provisioning requests to a set of security credential management system backend components based on the tenant identifier. The set of SCMS backend components includes enrollment certificate authorities operable to generate enrollment certificates, each provisioning request being transmitted to one of the one or more enrollment certificate authorities based on the tenant identifier of each provisioning request, and a pseudonym certificate authority operable to generate digital assets in response to receiving a provisioning request.

Abstract: A method and system for performing authentication are described. The method and system include receiving, from a client, a communication for a data source at a wrapper. The wrapper includes a dispatcher and a service. The dispatcher receives the communication and is data agnostic. The communication is provided from the dispatcher to the service. The service determines whether the client is authorized to access the data source utilizing multi-factor authentication.

Abstract: Techniques and structures to facilitate anomaly detection within a networking system, including receiving a plurality of performance metric messages at a database system, extracting a plurality of anomaly detection messages included in the performance metric messages, storing the plurality of anomaly detection messages in an in-memory database and executing a machine learning model to process the plurality of anomaly detection messages in the in-memory database to detect whether anomalous usage of the networking system has been detected.

Abstract: The present disclosure relates to techniques for developing artificial intelligence algorithms by distributing analytics to multiple sources of privacy protected, harmonized data. Particularly, aspects are directed to a computer implemented method that includes receiving an algorithm and input data requirements associated with the algorithm, identifying data assets as being available from a data host based on the input data requirements, curating the data assets within a data storage structure that is within infrastructure of the data host, and integrating the algorithm into a secure capsule computing framework. The secure capsule computing framework serves the algorithm to the data assets within the data storage structure in a secure manner that preserves privacy of the data assets and the algorithm. The computer implemented method further includes running the data assets through the algorithm to obtain an inference.

Abstract: Disclosed herein are system, method, and computer program product embodiments for processing tokenization requests in-memory of an application server. Reliance on remote devices, such as hardware security modules, is reduced because functions associated with processing tokenization requests is performed at the application server instead of the remote devices. Applicant server includes a multi-level cache for storing and accessing data for generating, hashing, and encrypting tokens in response to tokenization requests received from client devices.

Abstract: A method and system of providing verification of information of a user relating to an attestation transaction is provided, and includes sending a request for information of the user, wherein the information has been previously attested to in an attestation transaction stored within a centralized or distributed ledger at an attestation address; receiving at a processor associated with a verifier the information of the user; sending a cryptographic challenge nonce; receiving at the processor associated with the verifier the cryptographic challenge nonce signed by the user's private key; verifying user identity with the cryptographic challenge nonce signed by the user's private key; deriving a public attest key by using the information of the user; deriving an attestation address using the public attest key; and verifying the existence of the attestation transaction at the attestation address in the centralized or distributed ledger.

Abstract: The described embodiments perform a proximity unlock operation. For the proximity unlock operation, a first electronic device in a locked operating state detects that an authorized second electronic device is in proximity to the first electronic device. Based on detecting the authorized second electronic device in proximity to the first electronic device, the first electronic device transitions from a locked operating state to an unlocked operating state. In the described embodiments, the transition to the unlocked operating state occurs without the user performing a manual authentication step that is performed in existing electronic devices to cause the transition from the locked operating state to the unlocked operating state.

Abstract: An active distributed ledger may comprise an indication of an inactive permission associated with a user device. An entry comprising such indication added to another distributed ledger that is supplemental to the active distributed ledger. An updated active distributed ledger may be generated that does not comprise the indication of the inactive permission. The updated active distributed ledger may comprise an indication of a new permission associated with the user device. The updated active distributed ledger may be stored on the user device or any other device on a network.

Abstract: A method of sharing data in a multi-tenant database includes inspecting, by a processing device of a multiple tenant database, a sharer account to determine a presence of a grant to a second role object, in a target account, of access rights to a first role object included in the sharer account. The method includes granting the second role object, in the target account, access rights to an alias object. The first role object having one or more grants to the one or more resources of the sharer account. The target account accesses the one or more resources using the one or more grants of the first role object and using the alias object without at least one of copying the one or more resources or transmitting the one or more resources.

Abstract: A first electronic device is configured to operate in a restricted mode of operation, which restricted mode may be terminated or continued by one or more remotely located authorization devices, according to predetermined criteria. In a restricted mode, a first set of permitted applications stored on the first electronic device are executable, and a first set of data is accessible. While operating in the restricted mode, the first device detects a termination condition of the restricted mode and transmits an indication of the termination condition to one or more authorization devices. After transmitting the request, the first electronic devices receives an indication that the restricted mode of the operation has been continued according to predetermined criteria. Responsive to receiving the indication, the first electronic device continues to operate in the restricted mode according to the predetermined criteria.

Abstract: The present disclosure provides systems and methods that perform structure-based access control. In particular, rather than relying upon a user-specific credential scheme, which can require manual sharing of user-specific credentials and/or switching between the multiple accounts to access the particular devices, applications, or services associated with such accounts, the systems and methods of the present disclosure facilitate user credentials to be inherited by or otherwise assigned to a structure identifier associated with a structure (e.g., a home in which the user resides), thereby generating a set of structure credentials. This enables other users in the structure, who may be part of a collaborative user group, to access devices, applications, and/or services using the structure credentials.

Abstract: Access token scope limiting is provided. An access token of a client containing a list of scopes is presented to an authorization application programming interface of the computer. Each scope in the list of scopes defines a permission to access a particular protected resource hosted by a resource server. A new access token is returned to the client containing a decreased number of scopes using a scope alias in response to the authorization application programming interface requesting a decrease in a number of scopes in the list of scopes. The scope alias representing a plurality of specific scopes from the list of scopes contained in the presented access token.

Abstract: Encryption key exchange processes are disclosed. A disclosed method includes initiating communication between a portable communication device including a token and a first limited use encryption key, and an access device. After communication is initiated, the portable communication device receives a second limited use key from a remote server via the access device. The portable communication device then replaces the first limited use key with the second limited use key. The second limited use key is thereafter used to create access data such as cryptograms that can be used to conduct access transactions.

Abstract: A device processes a communication between a source and user equipment. The user equipment is one of a plurality of user equipment connected to a network and the user equipment is associated with an entity. The device determines that the communication is associated with an anomalous traffic pattern. The device implements a provisional blocking of traffic between the source and the plurality of user equipment connected to the network and generates a filtering rule based on determining the anomalous traffic pattern, where the filtering rule prescribes that traffic between the source and the second user equipment is to be blocked. The device transmits a notification to the entity associated with the user equipment that requests that the entity affirm the filtering rule, and the device blocks traffic between the source and the user equipment based on the entity affirming the filtering rule.

Abstract: An example operation may include one or more of receiving a data block for storage on a blockchain from an orderer node, the data block comprising a full-step hash of a storage request and a reduced-step hash of the storage request, performing an approximate hash verification on the data block based on the reduced-step hash of the storage request included in the data block, and in response to a success of the approximate hash verification, committing the data block among a hash-linked chain of data blocks stored within a distributed ledger of a blockchain.

Abstract: Disclosed herein is a social media platform profile identification and social discovery feature. Disclosed social media networks enable introduction of users that may not otherwise know one another based on commonality between those users. Social media profiles are identified by digital objects instead of or in addition to more traditional indexing methods such as real names or screen names. Social discovery on a social network is performed via matching to similar behavior profiles in activity monitored by a block explorer. Machine learning models categorize behavior patterns observed by the block explorer into a machine recognized glossary. Social networks further recommend actions by users based on the monitored online behaviors of social connections.