Abstract: Techniques are described for providing an access control list (ACL) assisted process for filtering the analysis and display of dependency relationships among software application components (e.g., packages, files, classes, etc.), e.g., as part of modernization processes aimed at decomposing monolithic applications, identifying anti-patterns, or otherwise analyzing such applications. A software modernization service of a cloud provider network provides discovery agents and other tools that are capable of creating an inventory of users' software applications and collecting application artifacts (e.g., source code or bytecode files) associated with the software applications in users' computing environments. Various techniques are described for using ACLs containing entries enabling or disabling the analysis or display of various application components to customize various modernization processes and results displays.

Abstract: A system includes a central server and one or more user devices connected by a network. The central server receives a request initiated by a user using a user device for a data interaction associated with a data file. The central server checks whether the user is authorized to perform the requested data interaction based on a list of user authorizations. If the user is authorized to perform the data interaction, the central server checks whether the data interaction satisfies at least one rule defined for the user relating to a type of the requested data interaction. If the data interaction satisfies the at least one rule, the central server performs an additional level of authorization to verify an identity of the user. The central server further processes the data interaction when the additional level of authorization is successful.

Abstract: A system and method for authenticating users of a data processing platform stores a mapping of a unique user platform identifier to multiple user identity provider identifiers associated with multiple realms for a same user. In some examples, the method includes receiving a request from a client device to establish an access session to perform one or more actions on data of the data processing platform and receiving, from at least one of the first external identity provider of the first realm or the second external identity provider of the second realm, a user identity provider identifier associated with the request. In certain examples, the method includes granting permission to perform the one or more actions on the data of the data processing platform based at least in part on the received user identity provider identifier.

Abstract: A client application is specified by a target tenant and represented in an OAuth provider, along with a corresponding secret. A source tenant consents to permissions to be executed by the client application on a resource of the source tenant. A target service uses the secret to obtain an access token from an authorization server coupled to the source tenant and uses the access token to obtain access, specified by the permissions, to the resource served by a source service acting on behalf of the source tenant.

Abstract: A network-accessible service provides an enterprise with a view of identity and data activity in the enterprise's cloud accounts. The service enables distinct cloud provider management models to be normalized with centralized analytics and views across large numbers of cloud accounts. Based on identity and audit data received from a set of cloud deployments, and according to a cloud intelligence model, a set of permissions associated with each of a set of identities are determined. For each identity, and based on a set of identity chains extracted from the cloud intelligence model, a set of identity account action paths (IAAPs) are then determined. An IAAP defines how the identity obtains an ability to perform a given action in a given account. Using the identity account action paths together with context information, one or more roles, groups and accounts in the enterprise that are propagating permissions within the public cloud environment are then identified.

Abstract: According to some embodiments, a method performed by a classification scanner comprises receiving an electronic message and determining whether the electronic message includes an express indication from the user indicating that a classification applies to the electronic message. In response to determining that the electronic message does not include the express indication that the classification applies to the electronic message, the message further comprises sending the electronic message to a machine learning scanner. The machine learning scanner is adapted to use a machine learning policy to determine whether the classification applies to the electronic message.

Abstract: In one embodiment, a malware analysis method includes receiving a file on a virtual machine (VM). The VM includes, a web debugging proxy, a system resource monitor, and a file analysis tool. The method also includes performing, with the file analysis tool, a static analysis on the file. The static analysis includes determining a set of file properties of the file, and storing the determined file properties in a repository. The method further includes performing, with the web debugging proxy and the system resource monitor, a dynamic analysis on the file, the dynamic analysis. The dynamic analysis includes running the file on the VM, determining, with the web debugging proxy, web traffic of the virtual machine, determining, with the system resource monitor, executed commands and modifications to system resources of the VM originating from the file, and storing the determined traffic and executed commands in the repository.

Abstract: The disclosure is directed towards the real-time detection and mitigation of security threats to a domain name system (DNS) for a communication network. A graph-theoretic method is applied to detect compromised DNS assets (e.g., DNS servers and web servers that DNS servers map domain names to). A graph is generated from domain name resolution (DNR) transactions. The nodes of the graph represent the DNS assets and edges between the nodes represent the DNR transactions. The graph is analyzed to detect features that signal compromised assets. The detection of such features serves to act as a binary classifier for the represented assets. The binary classifier acts to classify each node as non-compromised or compromised. The analysis is guided by supervised and/or unsupervised machine learning methods. Once the assets are classified, DNR transactions are analyzed in real-time. If the transaction involves a compromised asset, an intervention is performed that mitigates the threat.

Abstract: An unauthorized frame detection device that can keep an unauthorized ECU from spoofing as a legitimate server or client while suppressing an overhead during communication is provided. The unauthorized frame detection device includes a plurality of communication ports corresponding to the respective of networks, a communication controller, and an unauthorized frame detector. The plurality of communication ports are each connected to a corresponding predetermined network among the plurality of networks and each transmit or receive a frame via the predetermined network. The unauthorized frame detector determines whether an identifier of a service, a type of the service, and port information that are each included in the frame match a permission rule set in advance and outputs a result of the determination.

Abstract: Systems and methods for performing multi-feed classification of security events to facilitate automated IR orchestration are provided. According to one embodiment a cloud-based security service protecting a private network provides a plurality of data feeds, wherein each data feed of the plurality of data feeds independently classify a given security event and produce a classification result. In response to an event associated with a process of an endpoint device that is part of the private network an endpoint protection platform running on the endpoint device performs an initial classification of the event and transmits the classification result to the cloud-based security service for final classification.

Abstract: A deep-learning based method evaluates similarities of entities in decentralized identity graphs. One or more processors represent a first identity profile as a first identity graph and a second identity profile as a second identity graph. The processor(s) compare the first identity graph to the second identity graph, which are decentralized identity graphs from different identity networks, in order to determine a similarity score between the first identity profile and the second identity profile. The processor(s) then implement a security action based on the similarity score.

Abstract: A method of detecting anomalous user behavior in a cloud environment includes calculating a first vector that is representative of actions taken during a plurality of previous time intervals; calculating a similarity between the first vector and a second vector that comprises counts of actions taken by the user during a current time interval; comparing the similarity to a baseline threshold to determine whether one or more anomalous actions have occurred; and generating an alert based at least in part on a determination that the one or more anomalous actions have occurred in the cloud environment.

Abstract: A device that is configured to receive user activity information that includes information about user interactions with a network device for a plurality of users. The device is further configured to input the user activity information into a first machine learning model that is configured to receive user activity information and to output a set of bad actor candidates based on the user activity information. The device is further configured to filter the user activity information based on the set of bad actor candidates. The device is further configured to input the filtered user activity information into a second machine learning model that is configured to receive the filtered user activity information and to output system exposure information that identifies network security threats. The device is further configured to identify network security actions based on the network security threats and to execute the network security actions.

Abstract: An integration manager identifies one or more services accessible by a computer system; determines a set of action components associated with the computer system, wherein each action component of the set of action components is configured to provide a functionality associated with at least one of the one or more services; receives, from a user of the computer system, a selection of a first action component from the set of action components; determines, based at least in part on the first action component, a second action component from the set of action components; links the first action component with the second action component, wherein an output of the first action component is linked to an input of the second action component; and generates an executable workflow, the executable workflow comprising the first action component linked with the second action component.

Abstract: The present invention relates to a method for evaluating quality of signature-based detections in an infrastructure provided with a plurality of sensors, comprising defining predefined rules for the rule-based detections, wherein the rules are of a silent type such that operate without generating alerts to the user of the infrastructure, collecting telemetry events at each of the sensors, storing the telemetry events of each of the sensors to respective local sensor databases operatively connected to the sensors, aggregate, at predetermined aggregating time intervals, the telemetry events from the local sensor databases to a central database, analyzing the telemetry events at the central database, by evaluating the telemetry events with respect to the rules and calculating the quality measurements of the rules, according to a plurality of predefined quality metrics in a predefined metrics time interval, wherein the quality metrics comprise precision metric, by counting the instances of false positives of the

Abstract: The present disclosure describes a system that notifies users regarding specific user decisions with respect to solution phishing emails. The system notifies users when users perform specific actions with respect to the untrusted phishing emails. The system pauses execution of these actions and prompts the user to confirm whether to take the actions or to revert back to review the actions. In contrast from anti-ransomware technologies which are entirely in control, the system gives the user autonomy in deciding actions relating to untrusted phishing emails. The system interrupts execution of actions related to untrusted phishing emails in order to give users a choice on whether to proceed with actions.

Abstract: A packet-filtering system configured to filter packets in accordance with packet-filtering rules may receive data indicating network-threat indicators and may configure the packet-filtering rules to cause the packet-filtering system to identify packets comprising unencrypted data, and packets comprising encrypted data. A portion of the unencrypted data may correspond to one or more of the network-threat indicators, and the packet-filtering rules may be configured to cause the packet-filtering system to determine, based on the portion of the unencrypted data, that the packets comprising encrypted data correspond to the one or more network-threat indicators.

Abstract: A system detects and responds to malicious acts directed towards machine learning models. Data fed into and output by a machine learning model is collected by a sensor. The data fed into the model includes vectorization data, which is generated from raw data provided from a requester, such as for example a stream of timeseries data. The output data may include a prediction or other output generated by the machine learning model in response to receiving the vectorization data. The vectorization data and machine learning model output data are processed to determine whether the machine learning model is being subject to a malicious act (e.g., attack). The output of the processing may indicate an attack score. A response for handling the request by a requester may be selected based on the output that includes the attack score, and the response may be applied to the requestor.

Abstract: Techniques, methods and/or apparatuses are disclosed that enable passive scanning of a network. Through the disclosed techniques, methods and/or apparatuses, endpoint passive scanners are deployed at endpoints of the network to provide more comprehensive view of assets and asset information of the network. Also, this can enable better correlation of network data to location, and also enable improved vulnerability analysis for endpoint products.

Abstract: A method for identifying gaps in an organization's cyber defenses, and identifying and prioritizing remediations that are designed to eliminate those gaps, including using multiple choice questionnaires, wherein the answers to a series of multiple choice questions are scored for inherent risk, selecting security controls and calculating expected maturity scores for these controls based on the inherent risk score, using multiple choice questionnaires, wherein the answers to a series of multiple-choice questions are scored for actual control maturity, aggregating said actual and expected maturity scores and comparing these to identify and quantify gaps, and recommending and prioritizing control improvements that are designed to raise the score to an expected level. These steps are implemented using a computing device. In this manner the organization can identify a sequenced set of concrete steps it can take to achieve reasonable and effective security.

Abstract: The present invention relates to a method for verifying vulnerabilities of network device using Common Vulnerabilities and Exposures (“CVE)” entries comprising generating a CVE tree from each of the CVE entry and defining an indexed CVE entry, that identifies vulnerable configuration fields and extracts a set of vulnerable conditions comprising an operator attribute and nested CPE records. The CVE tree is provided with the operator attribute as node and with Common Platform Enumeration (“CPE”) records as leaves from the node, wherein the decoding comprises tokenizing of the decoded string in a sequence of plurality of n-grams having predefined sizes, and wherein the matching comprises a lookup of the sequence of plurality of n-grams into the CVE tree, that raises an alert when the operator attribute corresponds a match between CPE records.

Abstract: Various aspects involve determining legitimacy of an email address for risk assessment or other purposes. For instance, a risk assessment computing system receives a risk assessment query that identifies an email address. The risk assessment computing system determines a set of features for the email address. For each feature, the risk assessment computing system calculates an illegitimacy score by calculating a deviation of the feature from an expected safe value for the feature that is determined from historical email addresses. The risk assessment computing system aggregates the illegitimacy scores of the plurality of features into an aggregated illegitimacy score and further transmits a legitimacy risk value to a remote computing system. The legitimacy risk value indicates the aggregated illegitimacy score and can be used in controlling access of a computing device associated with the email address to one or more interactive computing environments.

Abstract: An information processing apparatus detects an unauthorized attack and transmits attack detection information concerning the detected attack to a communication control device. The communication control device selects an attack countermeasure instruction associated with an attack detection content that matches the attack detection information and an attack countermeasure function of the information processing apparatus by using the transmitted attack detection information and the attack countermeasure information stored in advance, decides a countermeasure method to be executed against the attack, and transmits the attack countermeasure instruction information including the decided countermeasure method to the information processing apparatus. The information processing apparatus is characterized to decide the countermeasure method to be executed against the attack from the received attack countermeasure instruction information and to execute the decided countermeasure method against the attack.

Abstract: Attacks on a network device, e.g. an IoT device, are detected by analyzing network traffic and subsequently quarantining or blocking the network device on the network to prevent lateral movement of malware. The techniques described herein relate to developing a baseline of network device activity corresponding with a network device during a learning period and comparing the baseline of network device activity with new network activity by the network device in order to identify potentially unusual network device activity by the network device. If unusual network activity is found, remedial actions such as quarantining the network device or restricting some access to a network may be initiated.

Abstract: A valid route origin authorization (ROA) for a specified IP address is published and a distributed denial-of-service (DDoS) attack to a given IP address is detected. A flowspec rule is advertised from a given autonomous system network to one or more neighboring autonomous system networks in response to the detection of the distributed denial-of-service (DDoS) attack. A modified Resource Public Key Infrastructure (RPKI) validation is performed using the published valid route origin authorization (ROA) in response to the advertisement of the flowspec rule. The flowspec rule is implemented to mitigate the distributed denial-of-service (DDoS) attack in response to the validation of the flowspec rule.

Abstract: Example implementations relate to the processing of refresh token requests at an API gateway. The API gateway determines a first time associated with receipt of the refresh token request and a second time associated with the generation of a current access token. The current access token and a refresh token in the refresh token request are provided by the API gateway to the client device for accessing a backend service. The API gateway determines whether a difference between the first time and the second time is within a pre-defined threshold duration. When the difference between the first time and the second time is within the pre-defined threshold, the API gateway denies the refresh token request for generating the new access token and transmits the current access token back to the client device.

Abstract: Devices and techniques are generally described for detection of network anomalies. In various examples, first data describing network communication between a plurality of source entities and a plurality of destination entities may be received. In some examples, respective feature data representing network communication between a respective source entity and one or more of the plurality of destination entities may be generated. In some examples, an unsupervised machine learning model may be used to determine a first number of clusters of the feature data. In various cases, a first source entity that is an outlier with respect to the first number of clusters may be determined based at least in part on the first number of clusters. The first source entity may be classified as an anomalous entity.

Abstract: Malicious attacks by certain devices against a radio access network (RAN) can be detected and mitigated, while allowing communication of priority messages. A security management component (SMC) can determine whether a malicious attack against the RAN is occurring based on a defined baseline that indicates whether a malicious attack is occurring. The defined baseline is determined based on respective characteristics associated with respective devices that are determined based on analysis of information relating to the devices. In response to determining there is a malicious attack, SMC determines whether to block connections of devices to the RAN based on respective priority levels associated with respective messages being communicated by the devices.

Abstract: A generalized localization system based on a physical layer aided spoofing signal attacks detection and an identification verification for hybrid heterogeneous networks including aerial and terrestrial communication systems is provided. The generalized localization system includes: a data preprocessing and separation block, a parameter extraction block, a local localization engine, a reliability assessment and trust management block, a location based anomaly detector block and a global fusion center.

Abstract: A cloud-native global file system, in which one or more filers are associated with a volume of a versioned files system in a private, public or hybrid cloud object store, is augmented to include a rapid ransomware recovery service. Upon detecting a ransomware attack associated with one or more files or directories of the volume, read and write access to the volume is restricted. A recovery filer is then activated or designated in the cloud. A restore operation is then initiated at the recovery filter. Following completion of the restore operation, a new clean (healthy) snapshot of the volume is then created using the recovery filer For any filer other than the recovery filer, a determination is made whether the filer has completed a merge operation with respect to the new clean snapshot. If so, read and write access to the volume is re-enabled from that filer.

Abstract: A system and method for digital wallet integration and scanning. A module is implemented with a digital wallet such that the module is adapted to intercept and scan calls to the digital wallet. The module may have limited communication capabilities that prevent leaking of data from the wallet with which the module is integrated while allowing for testing websites with which the module communicates. For example, the module may be configured to transmit only transactions and simulated RPC responses, and not to transmit any other data of the wallet or of a device associated with a user of the wallet. In some implementations, the module may be realized as a binary large object (blob) which is unilaterally pushed to a system on which the module will be deployed.

Abstract: An approach for dynamically transitioning mobile client devices from one location to another within edge computing is disclosed. The approach includes retrieving locations for near edges and far edges and collecting one or more SCC (security compliance center) rules. The approach includes identifying edge access from one or more client devices and determining mobility pattern associated with the edge access. The approach includes determining edge recommendation based on the mobility patterns and applying the edge recommendation.

Abstract: Methods, systems, and computer programs are presented for enabling any sandboxed user-defined function code to securely access the Internet via a cloud data platform. A remote procedure call is received by a cloud data platform from a user-defined function (UDF) executing within a sandbox process. The UDF includes code related to at least one operation to be performed. The cloud data platform provides an overlay network to establish a secure egress path for UDF external access. The cloud data platform enables the UDF executing in the sandbox process to initiate a network call.

Abstract: A system is provided for determining vulnerability metrics for graph-based configuration security. During operation, the system generates a multi-layer graph for a system with a plurality of interconnected components. The system determines, based on the multi-layer subgraph, a model for a multi-step attack on the system by: calculating, based on a first set of variables and a first set of tunable parameters, a likelihood of exploiting a vulnerability in the system; and calculating, based on a second set of variables and a second set of tunable parameters, an exposure factor indicating an impact of exploiting a vulnerability on the utility of an associated component. The system determines, based on the model, a set of attack paths that can be used in the multi-step attack and recommends a configuration change in the system, thereby facilitating optimization of system security to mitigate attacks on the system while preserving system functionality.

Abstract: One aspect described in this application provides a unified policy broker. During operation, the system receives configuration information from the set of network devices. At least two network devices in the network can be equipped with a first and a second policy enforcement engine, respectively, for enforcing one or more given policy rules. The system can determine, based on the configuration information, a first and a second representation of the similar policy function corresponding to the first and the second policy enforcement engine, respectively. The system can apply a unified policy model to perform a first mapping from a unified representation of the similar policy function to the first and the second representation. The system can create a unified API based on the unified representation. The system applies, via a user interface, the unified API to configure the similar policy function across the first and the second policy enforcement engines.

Abstract: Certain aspects of the present disclosure provide techniques for adjusting access control policies of access controlled systems, such as techniques for identifying a vulnerability or for identifying parameters and values achieving a specified result from a system whose access is controlled by the policy. Requests to the system can be made using a testing system that executes test scripts using avatars having various parameter types and values. The avatar information and results of the test scripts are provided as training data to a machine learning model training system to generate a model that provides recommendations for parameter types and values likely to achieve a particular result. The recommendations are used to execute the test script to determine results including a rate of success for the recommended parameters and/or values. Various actions, such as adjusting or adding a rule to an access control policy, can be performed based on the results.

Abstract: A first mobile communication device is configured to transmit video and audio content to a second mobile communication device utilizing a server. The first mobile communication device, via the server, transmits a share request or “knock” with the second mobile communication device. The second device must either accept the request or reject the request. If the second mobile communication device accepts the knock, it transmits a share accept message to the server. The first mobile communication device then transmits the video and audio content to the second mobile communication device via the server.

Abstract: A system of multi-modal transmission of packetized data in a voice activated data packet based computer network environment is provided. A natural language processor component can parse an input audio signal to identify a request and a trigger keyword. Based on the input audio signal, a direct action application programming interface can generate a first action data structure, and a content selector component can select a content item. An interface management component can identify first and second candidate interfaces, and respective resource utilization values. The interface management component can select, based on the resource utilization values, the first candidate interface to present the content item. The interface management component can provide the first action data structure to the client computing device for rendering as audio output, and can transmit the content item converted for a first modality to deliver the content item for rendering from the selected interface.

Abstract: A network service system, a computer storage medium for communication, and a network service method are provided. The system includes: a communication module and a data processor, the data processor including a storage module, the storage module storing an identification code; and the communication module is configured to receive a communication request from a user terminal, the communication request including the identification code; and the communication module is further configured to establish a communication connection to a target terminal according to the identification code set by the network service system and a target code, the target code enabling the target terminal to communicate with the user terminal in real time by using an Internet Protocol (IP) network.

Abstract: A computer-implemented method for improving conference session management is provided. The method comprises determining a participation level for a participant during a conference session, determining a presence expectation for the participant during the conference session, in response to determining the participation level and the presence expectation for the participant, evaluating an impact of the participant departing the conference session, and in response to determining that that the impact exceeds a threshold, sending a departure notification corresponding to a departure of the participant.

Abstract: A system and method for filtering chirp noise as it passes through a Radio over Internet Protocol (RoIP) gateway in a communication network is disclosed. Radio signals often include a short burst of chirp noise. Incoming signals are buffered and any chirp noise is detected. A chirp filter performs the filtering operation to remove chirp signal while ensuring true audio is not clipped. Without audio clipping the integrity of the audio signals are preserved.

Abstract: Disclosed are various embodiments facilitating a holistic engagement with a user across multiple communication channels of an organization or an enterprise based at least in part on a determined user intent. As users interact with various services associated with the organization through one or more communication channels, interaction data can be captured and stored. In various examples, the interaction data that is stored by the various services can be obtained and organized according to a predefined schema. The organized interaction data can be applied to a trained intent model that outputs a user intent based at least in part on observations of other users with similar histories. The predicted intent can be provided to the different services such that subsequent interactions between the user and the organization can be based at least in part on the intent in a consistent manner, regardless of the communication channel associated with the interaction.

Abstract: The present invention relates to a method for generating and causing display of a communication interface that facilitates the sharing of emotions through the creation of 3D avatars, and more particularly with the creation of such interfaces for displaying 3D avatars for use with mobile devices, cloud based systems and the like.

Abstract: An embodiment for automatically controlling peripheral devices based on online meeting participant information. The embodiment may detect participants of an online meeting and generate a participant information table. The embodiment may generate a participant group table including one or more preliminary participant groups based on the participant information. The embodiment may generate and send audio through peripheral devices associated with at least one participant in each of the one or more preliminary participant groups to identify the participants in physically shared meeting spaces. The embodiment may update the participant group table to include confirmed participant groups based on the identified participants in the physically shared meeting spaces. The embodiment may determine a presenter for each of the confirmed participant groups and update the participant information.

Abstract: A method for delivering multimedia content during a communal session at a media system commutatively coupled with a streaming application. The method includes authenticating access to multimedia content for user devices participating in a communal session, receiving a first recording from a first user device, the first recording being generated from a first set of cameras of the first user device, receiving social media content generated the user devices, the social media content including a second recording generated simultaneously with the first recording on the first user device, the second recording being generated from a second set of cameras of the first user device, and synchronizing delivery of the first recording and the social media content by exchanging playback control messages with the streaming application to direct synchronized transmissions of the first recording and the social media content to the user devices.

Abstract: Described herein are various embodiments directed to skipping the opening sequence of streaming content. An embodiment operates by streaming content to a display device and determining an end of a teaser portion has been reached using crowdsourced metadata. Responsive to the determining, a skin icon is provided to the display device for display. A selection of the skip icon is received to advance past the title sequence/opening credits portion of the content. An end to the title sequence/opening credits portion of the content is determined using the crowdsourced metadata. The streaming of the content is advanced to the end of the title sequence/opening credits portion of the content.

Abstract: Packaging media for optimizing immersive media distribution of a media steam performed by at least one processor, is provided, including: receiving immersive media data for an immersive presentation; acquiring asset information associated with media assets corresponding to a set of scenes included in the immersive media data for the immersive presentation; analyzing characteristics of the media assets based on the asset information, the characteristics comprising an asset type associated with a respective media asset and a frequency that indicates a number of times the respective media asset is used among the set of scenes included in the immersive presentation; ordering the media assets in a sequence based on the asset type and the frequency associated with each of the media assets; and streaming the immersive media data for the immersive presentation based on the ordered sequence of the media assets.

Abstract: Embodiments are directed to verifying performance and operation of live services. Applications operative in a computing environment and directed to a plurality of organizations may be provided such that the applications include data associated with different organizations. Templates that declare template objects may be provided such that the template objects may be directed to verifying features of the applications. Data associated with the organization may be provided based on the template objects. Verification objects may be generated based on the template objects and the provided data. The verification objects may be employed to verify the features of the applications based on verification conditions and the provided data. Reports that include results based on verification conditions and the provided data may be provided.

Abstract: An edge device operates in an online mode of operation during a first period of time, wherein during the online mode of operation, the edge device obtains broadcast-related information originating from media automation applications. The edge device operates in a local mode of operation during a second period of time, wherein during the local mode of operation the edge device obtains locally stored broadcast-related information, and emulates services provided by the media automation applications. The edge device operates in a disaster recovery mode of operation during recovery from the local mode of operation, wherein during the disaster recovery mode of operation the edge device obtains stored broadcast-related information from a content recovery database.

Abstract: An application on a viewer client device receives a user input to access a live stream, sends a request to access the live stream, presents information allowing a user to indicate a first anchor of a plurality of anchors of the live stream, the first anchor corresponding to a timestamp for starting a portion of the live stream, receives the live stream and data indicating the timestamp corresponding to the first anchor of the live stream, and displays the live stream beginning at the timestamp corresponding to the first anchor of the live stream.