Abstract: Techniques described herein relate to a method for identifying offline accounts for online adoption targeting, including obtaining an account group data set; generating, using the account group data set, an enhanced account group data set comprising the account group data set and a derived data item; obtaining, using a ML model and the enhanced account group data set, a key metric set; performing a clustering analysis using the key metric set and a portion of the enhanced account group data set to obtain account clusters; assigning a weight to a cluster of the account clusters; performing a similarity computation for an offline account of the account group using the key metric set and the portion of the enhanced account group data set to obtain a weighted similarity score; adding the weighted similarity score to a ranked list of weighted similarity scores; and providing the ranked list to an interested entity.

Abstract: A forensic kit with a granular infected backup. A forensic engine may evaluate a production system that is infected with malware or other corruption and generate a forensic kit. The forensic kit may include copies of components of the production system that are infected or that are sufficiently related to infected components. The forensic kit may be provided to investigators.

Abstract: A method includes searching a group of PITs, identifying one of the PITs as having an indicator of an occurrence of an event involving data associated with the identified PIT, restoring the data, running a production system copy using the data, and while the production system copy is running, taking increasingly granular backups of the data until the event is located. The event may be a corruption of the data, or other problem.

Abstract: A system can determine a first output from an explainable artificial intelligence risk model based on a first input, wherein the first input indicates a first computing configuration, and wherein the first output indicates a first predicted maintenance cost of the first computing configuration during a time period. The system can determine a second output from the explainable artificial intelligence risk model based on a second input, wherein the second input indicates a second computing configuration that differs from the first computing configuration, and wherein the second output indicates a second predicted maintenance cost of the second computing configuration during the time period. The system can, in response to determining that the second predicted maintenance cost is less than the first predicted maintenance cost, saving an indication of a difference between the second predicted maintenance cost and the first predicted maintenance cost.

Abstract: One example method includes receiving, at a remote site from a production site, copies of production site assets, storing, at the remote site, the copies of the production site assets, using, at the remote site, the copies of the production site assets to restore a temporary production site, running the temporary production site at the remote site, and restoring, from the remote site to the production site, the copies of the production site assets.

Abstract: Opportunistically transmitting backups through a time-limited air gap. A data protection system may predict rates of changes for one or more applications. The predicted rate of change allows a size of corresponding backups to be estimated. If there is time during which an air gap is available (closed), at least of the backups is selected and opportunistically transmitted to a vault through the air gap.

Abstract: Disk drive reallocation or replacement is disclosed. When performing a data protection operation, a health score is determined for each of the disk drives associated with the data protection operation. Replacement is recommended for each of the disk drives with an unfavorable health score. The recommendation may also identify a drive class based in part on the write or wear pattern. This allows unhealthy drives to be replaced prior to performing the data protection operation.

Abstract: A system can fit an artificial intelligence risk model to data based on labeled training data to produce a fitted model, wherein the labeled training data comprises respective features of users and products, and corresponding labels of respective maintenance costs applicable to the products, and wherein the fitted model comprises a tree model that is configured to differentiate between groups of the data with differing maintenance cost distributions. The system can, in response to applying a first input to the fitted model, produce an output that indicates a predicted maintenance cost distribution, wherein the first input comprises a feature of a user of the users and a product of the products.

Abstract: One method includes receiving a request to restore data to a particular point in time, scanning a snapshot that corresponds to the point in time, based on the scanning, identifying any invalid data segments pointed to by the snapshot, for each of the invalid data segments, identifying a most recent, valid, version of that segment, and based on the request, restoring a set of valid data segments. In this method, no invalid segments are restored.

Abstract: A system can train an artificial intelligence risk model to produce a trained model, wherein labeled training data for the training comprises respective features of user accounts and products, and corresponding labels of respective support costs applicable to supporting the products. The system can perform reconstructive self-supervised learning on a group of features of a user account to produce a complete group of features that are specified for the user account. The system can, in response to applying an input to the trained model, wherein the input comprises the complete group of features and a product of the products, produce an output that indicates a predicted cost that corresponds to the input.

Abstract: A method includes accessing a group that comprises a group of PITs, replaying the PITs according to respective times at which the snapshots were taken, analyzing the PITs as they are being replayed, and based on the analyzing, identifying an event that has occurred within a time frame spanned collectively by the PITs. Replaying the PITs includes presenting the PITs, in order from oldest to newest, as a continuous stream of events.

Abstract: Redistributing disks based on disk wear patterns is disclosed. The wear patterns of disk drives in a storage system are learned or determined. When a restore operation is performed, the volumes to disk drive mappings are changed to balance the overall wear pattern of the storage system. This insures that, after the restore operation, disks that had comparatively lower wear levels are used more heavily while disks that had comparatively higher wear levels are used less heavily.

Abstract: A system receives a request from a user to execute a command on an air-gapped computer system. If a role-based access control system permits the user to execute the command, the system prompts a number of approvers to determine whether to approve of the user executing the command. If a required number of approvers have approved of the user executing the command, the system encodes the command and incorporates the encoded command in an encoded message. The system uses a simplex communication output device to communicate the encoded message to a simplex communication input device for the air-gapped computer system. The system enables execution of the command by requesting the air-gapped computer system to execute the command, or by providing the user with an access token, received from the air-gapped computer system, which enables the user to physically access the air-gapped computer system and execute the command.

Abstract: One example method includes accessing an appearance history of a person, the appearance history including information concerning an appearance of a person at a particular time, generating, based on the appearance history, a forecast that comprises a probability that the person will appear again at some future point in time, determining that the probability meets or exceeds a threshold, and updating a high probability group database to include a facial image of a face of the person.

Abstract: One example method includes assigning, at a production site, a priority to a portion of a dataset to be backed up, checking to determine if the priority meets or exceeds a threshold priority; and, when the priority meets or exceeds the threshold priority, and when an air gap between the production site and a storage vault is closed, backing up, by way of the closed air gap, the portion of the dataset to the storage vault.

Abstract: One method includes listening, by a storage vault, to a port that is specific to a particular data structure in the storage vault, determining that an air gap between the storage vault and an entity external to the storage vault, is closed, such that communication between the storage vault and the external entity, by way of the port, is enabled, signaling, by the storage vault to the external entity, that the air gap is closed, and receiving, at the storage vault by way of the port, data from the external entity.

Abstract: Data protection including malware response operations are disclosed. When a production system is attacked, the malware is allowed to run in a forensic environment in order to learn its operational characteristics. Once learned, a return malware can be placed in the data. The return malware is transmitted to a malware host system by the malware itself and executed.

Abstract: Automated research experimentation on malware is disclosed. When malware is detected, an infected backup is generated. The infected backup is deployed to multiple working environments as recovered production systems, starting from the same state. Different scenarios are performed on the recovered production systems to learn the operational characteristics of the malware operating in the recovered production systems. The insights may be used to protect against the malware and/or other malware.

Abstract: Data protection including malware response operations are disclosed. When a production system is attacked, the malware is allowed to run in a forensic environment in order to learn its operational characteristics. The forensic environment includes a working scenario that may be prepared in advance with false data that allows the malware to communicate with a malware host system. Once the operational characteristics are learned, a return malware can be placed in the data. The return malware is transmitted to a malware host system by the malware itself and executed.

Abstract: Methods and systems for identifying areas of interest in an image and management of images are disclosed. To manage identification of areas of interest in an image, subject matter expert driven processes may be used to identify the areas of interest. The identified areas of interest may be used to maintain a database usable to guide subsequent use of the images. The database may associate image segments of the images with various landmarks and/or area of interest. The associations may be used to limit the quantity of image segments read from storage during subsequent use of the images.