Abstract: A deep-learning based method evaluates similarities of entities in decentralized identity graphs. One or more processors represent a first identity profile as a first identity graph and a second identity profile as a second identity graph. The processor(s) compare the first identity graph to the second identity graph, which are decentralized identity graphs from different identity networks, in order to determine a similarity score between the first identity profile and the second identity profile. The processor(s) then implement a security action based on the similarity score.

Abstract: An improved computing tool performs an improved computing tool function to identify sensitive data risks in cloud-based deployments. A knowledge graph is built based on data schema information for a cloud-based computing environment, a set of parsed infrastructure logs, and a set of captured application queries. A set of sensitive flows in the knowledge graph are identified representing paths from a sensitive data element to an endpoint in the knowledge graph. The set of sensitive flows are scored based on a scoring algorithm and an alert is issued to an administrator in response to a score of a sensitive flow within the set of sensitive flows exceeding a threshold.

Abstract: Mechanisms are provided in a cloud-based computing environment for identifying sensitive data risks in cloud-based deployments. The mechanisms build a knowledge graph based on data schema information for a cloud-based computing environment, a set of parsed infrastructure logs, and a set of captured application queries. The mechanisms identify a set of sensitive flows in the knowledge graph representing paths from a sensitive data element to an endpoint in the knowledge graph. The mechanisms score the set of sensitive flows based on a scoring algorithm and issue an alert to an administrator in response to a score of a sensitive flow within the set of sensitive flows exceeding a threshold.

Abstract: A method, computer system, and a computer program product for text bias identification and correction are provided. A first text corpus may be received. A designation of a second text corpus may be received. Words of the first text corpus may be embedded as a first word embedding in an embedding model. The first word embedding may be compared to a second word embedding in the embedding model to identify a first biased text in the first text corpus. The second word embedding may be from the second text corpus. A first replacement text portion may be generated as a substitute for the first biased text. The first replacement text portion may include a first unbiased text. The first biased text and the first replacement text portion may be presented.

Abstract: Preserving distributions of data values of a data asset in a data anonymization operation is provided. Anonymizing data values is performed by transforming sensitive data in a set of columns over rows of the data asset while preserving distribution of the data values in the set of transformed columns to a defined degree using a set of autoencoders and loss function. The autoencoders are base trained from preexisting data in a data assets catalog and actively trained during data dissemination. Parametric coefficients of the loss function are configured and the threshold is generated using policies from an enforcement decision for the data asset and data consumer. The loss function value of a selected row is compared to the threshold. Transformed data values of the selected row are transcribed to an output row when the loss function value is greater than the threshold and disseminated to the data consumer.

Abstract: A method creates an embedding for an unlabeled vertex in a hypergraph. The method includes receiving a hypergraph of hyperedges, where each of the hyperedges includes one or more vertices, and at least one of the hyperedges includes an unlabeled vertex; generating a hypergraph of vertices from the hypergraph of hyperedges, where each of the vertices in the hypergraph of vertices includes one or more of the one or more hyperedges from the hypergraph of hyperedges; performing a first type of random walk through the hypergraph of hyperedges; performing a second type of random walk through the hypergraph of vertices; generating a set of vertex embeddings from the first type of random walk and a set of hyperedge embeddings from the second type of random walk; and using results of the first and second random walks to train a neural network to create an embedding for the unlabeled vertex.

Abstract: A method provides a security action based on identity profile scores. One or more processors represent an identity profile as a knowledge graph. The processor(s) associate a set of changes of the identity profile across a plurality of identity networks with a fraud score. The processor(s) then implement a security action based on the fraud score.

Abstract: Mechanisms are provided in a cloud-based computing environment for identifying sensitive data risks in cloud-based deployments. The mechanisms build a knowledge graph based on data schema information for a cloud-based computing environment, a set of parsed infrastructure logs, and a set of captured application queries. The mechanisms identify a set of sensitive flows in the knowledge graph representing paths from a sensitive data element to an endpoint in the knowledge graph. The mechanisms score the set of sensitive flows based on a scoring algorithm and issue an alert to an administrator in response to a score of a sensitive flow within the set of sensitive flows exceeding a threshold.

Abstract: A computer implemented method and related apparatus defend a system against adversarial queries. An enforcement graph is provided and used to enforce data policies for a system. A generative adversarial model (GAN) is used for querying the enforcement graph to detect a potential adversarial query-based attack against the enforcement graph A policy is provided to protect the enforcement graph against the potential adversarial attack.

Abstract: An apparatus and related method defend against adversarial queries. A policy enforcement hypergraph is constructed to express a set of security policies. Then, the hypergraph is repeatedly traversed to determine whether a user behavior is changing over time. The user behavior is measured by reference to a vertex or an edge in the hypergraph. If it is determined that the user behavior has changed over time an enforcement action is taken based on a security policy.

Abstract: Preserving distributions of data values of a data asset in a data anonymization operation is provided. Anonymizing data values is performed by transforming sensitive data in a set of columns over rows of the data asset while preserving distribution of the data values in the set of transformed columns to a defined degree using a set of autoencoders and loss function. The autoencoders are base trained from preexisting data in a data assets catalog and actively trained during data dissemination. Parametric coefficients of the loss function are configured and the threshold is generated using policies from an enforcement decision for the data asset and data consumer. The loss function value of a selected row is compared to the threshold. Transformed data values of the selected row are transcribed to an output row when the loss function value is greater than the threshold and disseminated to the data consumer.

Abstract: A method, computer system, and a computer program product for text bias identification and correction are provided. A first text corpus may be received. A designation of a second text corpus may be received. Words of the first text corpus may be embedded as a first word embedding in an embedding model. The first word embedding may be compared to a second word embedding in the embedding model to identify a first biased text in the first text corpus. The second word embedding may be from the second text corpus. A first replacement text portion may be generated as a substitute for the first biased text. The first replacement text portion may include a first unbiased text. The first biased text and the first replacement text portion may be presented.

Abstract: Enforcement of policies for tabular data access as a collection of columns over a plurality of different information assets is provided. In an enforcement knowledge graph, information asset-assigned terms are found that correspond to information assets in a virtual information asset that references a set of tabular data. Transitive closures of the information asset-assigned terms are found in a business glossary to form a table of business glossary terms. Term intersection is determined between a hash table of any column-assigned terms and the table of business glossary terms. The information assets are assigned to the virtual information asset when the term intersection is not empty. A set of policy rules associated with the set of tabular data and a context of a user making a data access request to the set of tabular data is applied to the virtual information asset to determine an access enforcement decision.

Abstract: A method provides a network-agnostic identity broker for retrieving identity records across heterogeneous identity networks. An identity broker receives a client request from a client to retrieve and evaluate user identity information for confirming an identity of a particular entity. The identity broker utilizes a group membership of the client to select a set of policies for handling the client request, and selects an identity network from multiple heterogeneous identity networks as a selected identity network to which the client request is to be sent. The identity broker sends the client request to the selected identity network, and then receives a response from the selected identity network. The identity broker evaluates the response according to the set of policies, such that the evaluated response conforms with the set of policies, and transmits the evaluated response to the client.

Abstract: Serving data assets based on security policies is provided. A request to access an asset received from a user having a particular context is evaluated based on a set of asset access enforcement policies. An asset access policy enforcement decision is generated based on evaluating the request. It is determined whether the asset access policy enforcement decision is to transform particular data of the asset prior to allowing access. In response to determining that the asset access policy enforcement decision is to transform the particular data of the asset prior to allowing access, a transformation specification that includes an ordered subset of unit transformations for transforming the particular data of the asset is generated based on the particular context of the user and the set of asset access enforcement policies. A transformed asset is generated by applying the transformation specification to the asset transforming the particular data of the asset.

Abstract: A method trains a neural network to recognize whether a resource is authorized to be returned to a requester. One or more processors train a neural network to traverse a policy enforcement hypergraph in order to identify a security policy to be used for a resource request and to authorize a use of a requested resource by a requester. The policy enforcement hypergraph is derived from a policy enforcement graph that expresses a set of security profiles for resources and requesters. The processor(s) receive a resource request for a requested resource from a requester, where the resource request includes a description of the requester. A system/user inputs a description of the received resource request and a description of the policy enforcement hypergraph into the trained neural network in order to selectively return the requested resource to the requester.

Abstract: A method trains a neural network to recognize whether a resource is authorized to be returned to a requester. One or more processors train a neural network to traverse a policy enforcement hypergraph in order to identify a security policy to be used for a resource request and to authorize a use of a requested resource by a requester. The policy enforcement hypergraph is derived from a policy enforcement graph that expresses a set of security profiles for resources and requesters. The processor(s) receive a resource request for a requested resource from a requester, where the resource request includes a description of the requester. A system/user inputs a description of the received resource request and a description of the policy enforcement hypergraph into the trained neural network in order to selectively return the requested resource to the requester.

Abstract: A method creates an embedding for an unlabeled vertex in a hypergraph. The method includes receiving a hypergraph of hyperedges, where each of the hyperedges includes one or more vertices, and at least one of the hyperedges includes an unlabeled vertex; generating a hypergraph of vertices from the hypergraph of hyperedges, where each of the vertices in the hypergraph of vertices includes one or more of the one or more hyperedges from the hypergraph of hyperedges; performing a first type of random walk through the hypergraph of hyperedges; performing a second type of random walk through the hypergraph of vertices; generating a set of vertex embeddings from the first type of random walk and a set of hyperedge embeddings from the second type of random walk; and using results of the first and second random walks to train a neural network to create an embedding for the unlabeled vertex.

Abstract: A method routes an identity query to a particular identity network. An identity broker determines that a candidate identity network is associated with a confidence score that satisfies predetermined criteria. Responsive to determining that the candidate identity network is associated with the confidence score that satisfies the predetermined criteria, the identity broker onboards the candidate identity network into a set of identity networks services, and then routes an identity query for an identity to the candidate identity network that satisfies the predetermined criteria.

Abstract: Enforcement of policies for tabular data access as a collection of columns over a plurality of different information assets is provided. In an enforcement knowledge graph, information asset-assigned terms are found that correspond to information assets in a virtual information asset that references a set of tabular data. Transitive closures of the information asset-assigned terms are found in a business glossary to form a table of business glossary terms. Term intersection is determined between a hash table of any column-assigned terms and the table of business glossary terms. The information assets are assigned to the virtual information asset when the term intersection is not empty. A set of policy rules associated with the set of tabular data and a context of a user making a data access request to the set of tabular data is applied to the virtual information asset to determine an access enforcement decision.