Abstract: Techniques for implementing a scalable automated training framework for anomaly and ransomware detection are disclosed. A computer system may instantiate one or more virtual machines (VMs). Each VM may be loaded with a corresponding file system. The computer system may simulate, on the one or more VMs, user actions and ransomware, which may cause changes to the corresponding file systems loaded on to the VMs. The computer system may obtain snapshots of the VMs that indicate changes to the corresponding file system of each of the VMs. The computer system may generate a metadata file for each VM based on the corresponding snapshot. The computer system may generate training data for training a ransomware detection model using a machine learning algorithm based on the metadata files for each of the VMs.

Abstract: A data management system comprises: a storage appliance configured to store a snapshot of a virtual machine; and one or more processors in communication with the storage appliance. The one or more processors are configured to perform operations including: identifying a plurality of shards of the virtual machine; requesting a snapshot of each of the plurality of shards; receiving the shards asynchronously; ordering the received snapshot shards sequentially into a results queue; and storing a single snapshot of the virtual machine based on the ordered snapshot shards. Operations may further include maintaining a flow control queue that limits the number of snapshot shards requested.

Abstract: Techniques unmasking ransomware attacks are disclosed. In some embodiments, a computer system performs operations comprising: generating a first prediction that a file system comprising a plurality of files has been attacked by ransomware based on snapshot metadata of the file system using a snapshot-level machine learning prediction model, the snapshot metadata comprising a plurality of file change data indicating a plurality of file change events that have been performed on the file system; in response to the first prediction, generating a classification for each one of the files based on the file change data using a file-level machine learning prediction model, the classification indicating whether the files have been targeted by the ransomware for encryption; determining that one or more files have been targeted by the ransomware based on the classification; and displaying the classification for the one or more files on a computing device of a user.

Abstract: Techniques for implementing a scalable automated training framework for anomaly and ransomware detection are disclosed. In some embodiments, a computer system performs operations comprising: instantiating a plurality of virtual machines, each one of the virtual machines being loaded with a corresponding file system; simulating user actions and ransomware on the virtual machines, the simulating of user actions and ransomware on the virtual machines causing changes to the corresponding file systems of the virtual machines; for each one of the plurality of virtual machines, generating a corresponding metadata file based on one or more corresponding snapshots of the virtual machine, the one or more corresponding snapshots indicating the changes to the corresponding file system of the virtual machine; and training a ransomware detection model using a machine learning algorithm and training data, the training data being based on the corresponding metadata files of the virtual machines.

Abstract: Techniques for implementing proactive data security operations for files using an analysis of access permission levels for the files are disclosed. In some embodiments, a computer system performs operations comprising: determining that data of a file includes sensitive information based on an analysis of the data using a data classification model; determining that access to the file is open using an access classification model; and based on the determination that the data of the file includes sensitive information and the determination that the access to the file is open, causing a notification to be displayed on a computing device of a user, the notification comprising an indication that the file includes sensitive information and that access to the file is open.

Abstract: A data management system comprises: a storage appliance configured to store a snapshot of a virtual machine; and one or more processors in communication with the storage appliance. The one or more processors are configured to perform operations including: identifying a plurality of shards of the virtual machine; requesting a snapshot of each of the plurality of shards; receiving the shards asynchronously; ordering the received snapshot shards sequentially into a results queue; and storing a single snapshot of the virtual machine based on the ordered snapshot shards. Operations may further include maintaining a flow control queue that limits the number of snapshot shards requested.

Abstract: Techniques for implementing proactive data security operations for files using an analysis of access permission levels for the files are disclosed. In some embodiments, a computer system performs operations comprising: determining that data of a file includes sensitive information based on an analysis of the data using a data classification model; determining that access to the file is open using an access classification model; and based on the determination that the data of the file includes sensitive information and the determination that the access to the file is open, causing a notification to be displayed on a computing device of a user, the notification comprising an indication that the file includes sensitive information and that access to the file is open.

Abstract: A data management system comprises: a storage appliance configured to store a snapshot of a virtual machine; and one or more processors in communication with the storage appliance. The one or more processors are configured to perform operations including: identifying a plurality of shards of the virtual machine; requesting a snapshot of each of the plurality of shards; receiving the shards asynchronously; ordering the received snapshot shards sequentially into a results queue; and storing a single snapshot of the virtual machine based on the ordered snapshot shards. Operations may further include maintaining a flow control queue that limits the number of snapshot shards requested.

Abstract: A data management system comprises: a storage appliance configured to store a snapshot of a virtual machine; and one or more processors in communication with the storage appliance. The one or more processors are configured to perform operations including: identifying a plurality of shards of the virtual machine; requesting a snapshot of each of the plurality of shards; receiving the shards asynchronously; ordering the received snapshot shards sequentially into a results queue; and storing a single snapshot of the virtual machine based on the ordered snapshot shards. Operations may further include maintaining a flow control queue that limits the number of snapshot shards requested.

Abstract: A method and system include detecting a user activity associated with a file change of a first file, invoking a plurality of analyzers to scan content of the first file, the plurality of analyzers including a first analyzer, matching the first analyzer with a first sensitive data item in the first file, identifying a first policy based on a first pre-determined set of analyzers that includes the first analyzer, and causing display of a first notification in a user interface of a client device, the first notification including a first indication that the first policy may be violated based on the file change associated with the first file.

Abstract: A data management system having a storage appliance configured to store a snapshot of a virtual machine; and one or more processors in communication with the storage appliance. The one or more processors are configured to perform operations including: identifying a plurality of shards of the virtual machine; requesting a shard snapshot of each of the plurality of shards; receiving the shard snapshots asynchronously; ordering the received shard snapshots sequentially into a results queue; and storing a single snapshot of the virtual machine based on the ordered shard snapshots. The operations may further include maintaining a flow control queue that limits a number of the requested shard snapshots.

Abstract: A data management system comprises: a storage appliance configured to store a snapshot of a virtual machine; and one or more processors in communication with the storage appliance. The one or more processors are configured to perform operations including: identifying a plurality of shards of the virtual machine; requesting a snapshot of each of the plurality of shards; receiving the shards asynchronously; ordering the received snapshot shards sequentially into a results queue; and storing a single snapshot of the virtual machine based on the ordered snapshot shards. Operations may further include maintaining a flow control queue that limits the number of snapshot shards requested.

Abstract: Techniques for implementing proactive data security operations for files using an analysis of access permission levels for the files are disclosed. In some embodiments, a computer system performs operations comprising: determining that data of a file includes sensitive information based on an analysis of the data using a data classification model; determining that access to the file is open using an access classification model; and based on the determination that the data of the file includes sensitive information and the determination that the access to the file is open, causing a notification to be displayed on a computing device of a user, the notification comprising an indication that the file includes sensitive information and that access to the file is open.

Abstract: Techniques unmasking ransomware attacks are disclosed. In some embodiments, a computer system performs operations comprising: generating a first prediction that a file system comprising a plurality of files has been attacked by ransomware based on snapshot metadata of the file system using a snapshot-level machine learning prediction model, the snapshot metadata comprising a plurality of file change data indicating a plurality of file change events that have been performed on the file system; in response to the first prediction, generating a classification for each one of the files based on the file change data using a file-level machine learning prediction model, the classification indicating whether the files have been targeted by the ransomware for encryption; determining that one or more files have been targeted by the ransomware based on the classification; and displaying the classification for the one or more files on a computing device of a user.

Abstract: Techniques for implementing a scalable automated training framework for anomaly and ransomware detection are disclosed. In some embodiments, a computer system performs operations comprising: instantiating a plurality of virtual machines, each one of the virtual machines being loaded with a corresponding file system; simulating user actions and ransomware on the virtual machines, the simulating of user actions and ransomware on the virtual machines causing changes to the corresponding file systems of the virtual machines; for each one of the plurality of virtual machines, generating a corresponding metadata file based on one or more corresponding snapshots of the virtual machine, the one or more corresponding snapshots indicating the changes to the corresponding file system of the virtual machine; and training a ransomware detection model using a machine learning algorithm and training data, the training data being based on the corresponding metadata files of the virtual machines.

Abstract: A method, system, and computer program storage product determine determining a trajectory information type of a receipt submitted by an employee. Trajectory information associated with the receipt submitted by the employee is retrieved based on the trajectory information type. Trajectory information corresponding to a device associated with the employee is also retrieved. The receipt is determined as a valid receipt in response to the trajectory information associated with the receipt submitted by the employee matching the trajectory information associated with the device associated with the employee.

Abstract: A data management system comprises: a storage appliance configured to store a snapshot of a virtual machine; and one or more processors in communication with the storage appliance. The one or more processors are configured to perform operations including: identifying a plurality of shards of the virtual machine; requesting a snapshot of each of the plurality of shards; receiving the shards asynchronously; ordering the received snapshot shards sequentially into a results queue; and storing a single snapshot of the virtual machine based on the ordered snapshot shards. Operations may further include maintaining a flow control queue that limits the number of snapshot shards requested.

Abstract: A data management system comprises: a storage appliance configured to store a snapshot of a virtual machine; and one or more processors in communication with the storage appliance. The one or more processors are configured to perform operations including: identifying a plurality of shards of the virtual machine; requesting a snapshot of each of the plurality of shards; receiving the shards asynchronously; ordering the received snapshot shards sequentially into a results queue; and storing a single snapshot of the virtual machine based on the ordered snapshot shards. Operations may further include maintaining a flow control queue that limits the number of snapshot shards requested.

Abstract: A data management system comprises: a storage appliance configured to store a snapshot of a virtual machine; and one or more processors in communication with the storage appliance. The one or more processors are configured to perform operations including: identifying a plurality of shards of the virtual machine; requesting a snapshot of each of the plurality of shards; receiving the shards asynchronously; ordering the received snapshot shards sequentially into a results queue; and storing a single snapshot of the virtual machine based on the ordered snapshot shards. Operations may further include maintaining a flow control queue that limits the number of snapshot shards requested.

Abstract: A method, system, and computer program storage product determine determining a trajectory information type of a receipt submitted by an employee. Trajectory information associated with the receipt submitted by the employee is retrieved based on the trajectory information type. Trajectory information corresponding to a device associated with the employee is also retrieved. The receipt is determined as a valid receipt in response to the trajectory information associated with the receipt submitted by the employee matching the trajectory information associated with the device associated with the employee.