Abstract: Aspects of the invention include protecting data objects in a computing environment based on physical location. Aspects include receiving, by a computing system, a request to access an encrypted data from an authenticated user, wherein the encrypted data includes information about a data encryption key used to encrypt the encrypted data. Aspects also include providing, by the computing system, the encrypted data to the computer system where the user was authenticated, the computer system including a set of decryption keys protected by a master key stored within a hardware security module associated with the location of the hardware security module. Aspects further include decrypting, by the hardware security module, the encrypted data based on a determination that the data encryption key corresponds to one of the set of decryption keys, wherein the set of decryption keys are determined based on the location of the hardware security module.

Abstract: Techniques for container-based cryptography hardware security module (HSM) management in a computer system are described herein. An aspect includes providing a cryptography work daemon container in a computer system, wherein the cryptography work daemon container in the computer system has privileged access to a cryptography HSM of the computer system. Another aspect includes receiving, by the cryptography work daemon container, a request for a cryptography function of the cryptography HSM from an application container in the computer system. Another aspect includes causing, by the cryptography work daemon container, the cryptography HSM to perform the cryptography function based on receiving the request.

Abstract: Aspects of the invention include protecting data objects in a computing environment based on physical location. Aspects include receiving, by a computing system, a request to access an encrypted data from an authenticated user, wherein the encrypted data includes information about a data encryption key used to encrypt the encrypted data. Aspects also include providing, by the computing system, the encrypted data to the computer system where the user was authenticated, the computer system including a set of decryption keys protected by a master key stored within a hardware security module associated with the location of the hardware security module. Aspects further include decrypting, by the hardware security module, the encrypted data based on a determination that the data encryption key corresponds to one of the set of decryption keys, wherein the set of decryption keys are determined based on the location of the hardware security module.

Abstract: Techniques for container-based cryptography hardware security module (HSM) management in a computer system are described herein. An aspect includes providing a cryptography work daemon container in a computer system, wherein the cryptography work daemon container in the computer system has privileged access to a cryptography HSM of the computer system. Another aspect includes receiving, by the cryptography work daemon container, a request for a cryptography function of the cryptography HSM from an application container in the computer system.

Abstract: Anomaly scores for respective message types in computer log data and confidence intervals for respective anomaly scores are calculated based on a number of appearances of respective message types in a plurality of models generated from a historical set of computer log data. Respective models of the plurality of models can have at least a portion of the historical set of computer log data excluded from the respective models. Respective anomaly scores and respective confidence intervals can be applied to a new set of log data to identify and troubleshoot unusual log data events.

Abstract: Examples of techniques for determining an interval duration and a training period length for log anomaly detection are disclosed. In one example implementation according to aspects of the present disclosure, a computer-implemented method may include: determining, by a processing resource, an interval duration for a time series from a plurality of message IDs; and determining, by the processing resource, a training period length based on the interval duration.

Abstract: Embodiments include identifying unusual activity in an IT system based on user configurable message anomaly scoring. Aspects include receiving a message stream for the IT system and dividing the message stream into a plurality of intervals, wherein each interval corresponds to a time period. Aspects also include identifying and removing one or more intervals from the plurality of intervals that include a startup or a shutdown of an element of the IT system, identifying and removing one or more intervals from the plurality of intervals that correspond to a standard level of command activity and an elevated level of user complaint activity, and identifying and removing one or more intervals from the plurality of intervals that correspond to an elevated level of command activity and an standard level of user complaint activity. Aspects further include creating a training set of intervals that consists of the remaining labelled intervals.

Abstract: Techniques are described for monitoring a performance metric. A multiple modeling approach is used to improve predictive analysis by avoiding the issuance of warnings during spikes which occur as a part of normal system processing. This approach increases the accuracy of predictive analytics on a monitored computing system, does not require creating rules defining periodic processing cycles, reduces the amount of data required to perform predictive modeling, and reduces the amount of CPU required to perform predictive modeling.

Abstract: Techniques are described for monitoring a performance metric. A multiple modeling approach is used to improve predictive analysis by avoiding the issuance of warnings during spikes which occur as a part of normal system processing. This approach increases the accuracy of predictive analytics on a monitored computing system, does not require creating rules defining periodic processing cycles, reduces the amount of data required to perform predictive modeling, and reduces the amount of CPU required to perform predictive modeling.

Abstract: Embodiments include method, systems and computer program products for identifying unusual activity in an IT system based on user configurable message anomaly scoring. Aspects include receiving a message stream for the IT system and selecting a plurality of messages from the message stream that correspond to an interval. Aspects also include determining a message anomaly score for each of the plurality of the messages, wherein the message anomaly score for each of the plurality of the messages is determined to be one of a default message anomaly score and a custom message anomaly score and calculating an interval anomaly score for the interval by adding the message anomaly score for each of the plurality of the messages. Aspects further include identifying a priority level of the interval by comparing the interval anomaly score to one or more thresholds.

Abstract: Anomaly scores for respective message types in computer log data and confidence intervals for respective anomaly scores are calculated based on a number of appearances of respective message types in a plurality of models generated from a historical set of computer log data. Respective models of the plurality of models can have at least a portion of the historical set of computer log data excluded from the respective models. Respective anomaly scores and respective confidence intervals can be applied to a new set of log data to identify and troubleshoot unusual log data events.

Abstract: Anomaly scores for respective message types in computer log data and confidence intervals for respective anomaly scores are calculated based on a number of appearances of respective message types in a plurality of models generated from a historical set of computer log data. Respective models of the plurality of models can have at least a portion of the historical set of computer log data excluded from the respective models. Respective anomaly scores and respective confidence intervals can be applied to a new set of log data to identify and troubleshoot unusual log data events.

Abstract: Embodiments include identifying unusual activity in an IT system based on user configurable message anomaly scoring. Aspects include receiving a message stream for the IT system and dividing the message stream into a plurality of intervals, wherein each interval corresponds to a time period. Aspects also include identifying and removing one or more intervals from the plurality of intervals that include a startup or a shutdown of an element of the IT system, identifying and removing one or more intervals from the plurality of intervals that correspond to a standard level of command activity and an elevated level of user complaint activity, and identifying and removing one or more intervals from the plurality of intervals that correspond to an elevated level of command activity and an standard level of user complaint activity. Aspects further include creating a training set of intervals that consists of the remaining labelled intervals.

Abstract: Examples of techniques for determining an interval duration and a training period length for log anomaly detection are disclosed. In one example implementation according to aspects of the present disclosure, a computer-implemented method may include: determining, by a processing resource, an interval duration for a time series from a plurality of message IDs; and determining, by the processing resource, a training period length based on the interval duration.

Abstract: Embodiments include method, systems and computer program products for identifying unusual intervals in an information technology (IT) system. Aspects include training a log analysis system based on historical data for the IT system, the historical data including a plurality of intervals each having an interval anomaly score and receiving status messages from a plurality of pieces of IT equipment in the IT system. Aspects also include grouping the status messages into an interval and calculating an interval anomaly score for the interval and comparing the interval anomaly score with one or more priority level cutoffs created by the training and responsively generating an alert based on the comparison, wherein the alert indicates that the interval is unusual.

Abstract: Embodiments include method, systems and computer program products for identifying unusual intervals in an information technology (IT) system. Aspects include training a log analysis system based on historical data for the IT system, the historical data including a plurality of intervals each having an interval anomaly score and receiving status messages from a plurality of pieces of IT equipment in the IT system. Aspects also include grouping the status messages into an interval and calculating an interval anomaly score for the interval and comparing the interval anomaly score with one or more priority level cutoffs created by the training and responsively generating an alert based on the comparison, wherein the alert indicates that the interval is unusual.

Abstract: Embodiments include method, systems and computer program products for identifying unusual intervals in an information technology (IT) system. Aspects include training a log analysis system based on historical data for the IT system, the historical data including a plurality of intervals each having an interval anomaly score and receiving status messages from a plurality of pieces of IT equipment in the IT system. Aspects also include grouping the status messages into an interval and calculating an interval anomaly score for the interval and comparing the interval anomaly score with one or more priority level cutoffs created by the training and responsively generating an alert based on the comparison, wherein the alert indicates that the interval is unusual.

Abstract: Embodiments include method, systems and computer program products for identifying unusual activity in an IT system based on user configurable message anomaly scoring. Aspects include receiving a message stream for the IT system and selecting a plurality of messages from the message stream that correspond to an interval. Aspects also include determining a message anomaly score for each of the plurality of the messages, wherein the message anomaly score for each of the plurality of the messages is determined to be one of a default message anomaly score and a custom message anomaly score and calculating an interval anomaly score for the interval by adding the message anomaly score for each of the plurality of the messages. Aspects further include identifying a priority level of the interval by comparing the interval anomaly score to one or more thresholds.

Abstract: Embodiments include method, systems and computer program products for identifying unusual intervals in an information technology (IT) system. Aspects include training a log analysis system based on historical data for the IT system, the historical data including a plurality of intervals each having an interval anomaly score and receiving status messages from a plurality of pieces of IT equipment in the IT system. Aspects also include grouping the status messages into an interval and calculating an interval anomaly score for the interval and comparing the interval anomaly score with one or more priority level cutoffs created by the training and responsively generating an alert based on the comparison, wherein the alert indicates that the interval is unusual.

Abstract: Techniques are described for determining what node of a classification and regression tree (CART) should be used by a predictive analysis application. A first approach is to use a standard deviation of the data at a given the level of the CART to determine whether data in the next, lower node is more consistent than the data in the current node. A second approach is to measure a correlation between data points in a given node and the time at which each point was sampled (or other correlation metric) to identify a preferred node.