Hierarchical Access Control Patents (Class 707/786)
-
Patent number: 12177225
Abstract: Shared content privilege modification is provided. An electronic message is identified containing an address for accessing shared content, where the message is for communication to a set of recipients. Existing privileges are determined for the shared content for each recipient in the set of recipients. A requested action regarding the shared content is determined by analyzing the communication using natural language processing. Privileges for the shared content are modified for at least one recipient based on the existing privileges for the at least one recipient being insufficient to perform the requested action.
Type: Grant
Filed: April 6, 2021
Date of Patent: December 24, 2024
Assignee: International Business Machines Corporation
Inventors: Dana L. Price, Heather Saunders, Kelly Camus, Melanie Dauber
-
Patent number: 12174833
Abstract: Systems, methods, and computer-readable media for asynchronous (async) querying are described. In embodiments, an application server obtains a user-issued query comprising one or more query components; identifies data space characteristics of a data storage space associated with a user that issued the user-issued query; and analyzes the one or more query components to obtain performance data. The performance data is indicative of resource consumption for execution of the user-issued query. The application server selects a query execution engine to execute the user-issued query from among a plurality of query execution engines, and provides the user-issued query to the selected query execution engine. The selection is based on the data space characteristics and the performance data. Other embodiments may be described and/or claimed.
Type: Grant
Filed: September 4, 2018
Date of Patent: December 24, 2024
Assignee: Salesforce, Inc.
Inventors: Saikiran Perumala, Eli Levine, Jan Asita Fernando, Samarpan Jain, Cody Marcel, Brian D. Esserlieu
-
Patent number: 12069185
Abstract: A universal cloud connector is proposed to intake client data using an integrated application programming interface (API) that is capable of processing various client data. Specifically, the integrated API includes at least two layers: (i) an authentication layer authenticates a client based on a client-level secret ID such that the client can only access data resource that is accessible to this particular client; (ii) a data segregation layer that integrates with the client's system so that users of the client (bank) can view and interact with their bank records that are pulled through the authentication layer. Thus, the integration API may act as a collection of micro-services that allow a client's system to synchronize data and workflow states with the server in real-time.
Type: Grant
Filed: September 19, 2022
Date of Patent: August 20, 2024
Assignee: BlackRock, Inc.
Inventors: Shaila Abraham, James Capps
-
Patent number: 12032615
Abstract: Example systems and methods for efficient data governance are disclosed. Metadata associated with file objects is analyzed to estimate, for each file object, the likelihood that the file object includes sensitive data. The estimates are used to prioritize the file objects for analysis of the file objects' content to determine whether the file objects include data deemed to be of a sensitive nature. In cloud-based systems/methods the estimates are also used to prioritize the file objects for transfer from a remote file storage system to the cloud-based system for analysis of content. The disclosed systems and methods significantly reduce the time required to identify sensitive file content in a large number of file objects.
Type: Grant
Filed: May 23, 2023
Date of Patent: July 9, 2024
Assignee: Egnyte, Inc.
Inventors: Shishir Sharma, Amrit Jassal, Sean H. Puttergill, Willy Lanig Picard, Marcin Artur Zablocki
-
Patent number: 11989103
Abstract: A device is configured to index file system names and paths of a single chain of backed-up snapshots. The device is configured to obtain a first snapshot of the file system. Further, the device is configured to scan the first snapshot of the file system to obtain a first scan of the nodes and the tree structure at a first time point. The device is further configured to insert the first scan into a database. Then the device is configured to index the nodes in the database.
Type: Grant
Filed: March 2, 2022
Date of Patent: May 21, 2024
Assignee: HUAWEI TECHNOLOGIES CO., LTD.
Inventors: Yehonatan David, Anthony Berkow, Boris Liberman
-
Patent number: 11907662
Abstract: An automatic terminology linking system includes a candidate generator configured to identify candidate nodes for each terminology that is to be linked to a node of the knowledge base. A pseudo-candidate generator is configured to identify pseudo-candidate nodes for candidate-less terminologies. A candidate scorer is configured to respectively score the candidate nodes and the pseudo-candidate nodes by collective inference using occurrence statistics and co-occurrence statistics for these nodes. The pseudo-candidate generator is configured to identify knowledge base nodes that are semantically-related to candidate-less terminology as the pseudo-candidate nodes for the candidate-less terminology.
Type: Grant
Filed: December 27, 2018
Date of Patent: February 20, 2024
Assignee: Robert Bosch GmbH
Inventors: Haibo Ding, Yifan He, Lin Zhao, Kui Xu, Zhe Feng
-
Patent number: 11880657
Abstract: Systems, apparatuses, methods, and computer program products are disclosed for automatically determining accuracy of entity recognition of text. An example method includes segmenting a service entity recognition analysis of the text and a gold entity recognition analysis of the text into common superstrings that define entity spans. The example method further includes classifying each of the entity spans based on an accuracy of entity recognition in the service analysis of the text corresponding to the entity spans using a classification system that differentiates accurately identified but improperly bounded entities into at least three subcategories to obtain an entity accuracy classification. The example method also includes obtaining a score report based on the entity accuracy classification. The example method additionally includes performing an action set based on the entity accuracy classification.
Type: Grant
Filed: August 12, 2021
Date of Patent: January 23, 2024
Assignee: Wells Fargo Bank, N.A.
Inventors: Aafrin Dabhoiwala, Roberto Amparan, Qianhui Rong, Yang Angelina Yang, Menglin Cao
-
Patent number: 11790092
Abstract: Disclosed techniques provide a permission framework to control access to operations performed by a cryptoprocessor. The techniques can identify a permission policy linked to a cryptographic operation. The permission policy can include data identifying the cryptographic operation and data identifying permission information for the cryptographic operation. The permission policy can be evaluated to determine whether to allow or deny execution of the cryptographic operation.
Type: Grant
Filed: May 26, 2020
Date of Patent: October 17, 2023
Assignee: Amazon Technologies, Inc.
Inventor: Somesh Chakrabarti
-
Patent number: 11776016
Abstract: This application relates to apparatus and methods for automatically determining and providing personalized user personas of a customer for specific platforms (e.g., applications). In some examples, a computing device receives a persona request identifying a user and a platform. In response, the computing device obtains user data associated with the user and a plurality of potential user personas from a database. For each of the plurality of potential user personas, the computing device then determines a combination score for the user based on the user data. The combination score indicates the user's affinity to a corresponding potential user persona within the platform. The computing device selects at least one potential user persona of the plurality of potential user personas as a final user persona for the user and the platform based on the corresponding combination score.
Type: Grant
Filed: January 28, 2022
Date of Patent: October 3, 2023
Assignee: Walmart Apollo, LLC
Inventors: Rishi Rajasekaran, Sneha Gupta, Yokila Arora, Rahul Sridhar, Sushant Kumar, Evren Korpeoglu, Kannan Achan
-
Patent number: 11727047
Abstract: According to an embodiment, a system includes an electronic device, a server, and an output device. The electronic device may perform user authentication together with the server. The server may specify first content based on the user authentication and may transmit first metadata of the first content to the electronic device. The electronic device may visually output a first object representing the first content based on the first metadata, and transmit, when at least one object is selected of the output objects by the user, identification information of content represented by the selected object to the server. The server may output content corresponding to the identification information through the output device. Moreover, various embodiments found through the present disclosure are possible.
Type: Grant
Filed: December 7, 2017
Date of Patent: August 15, 2023
Assignee: Samsung Electronics Co., Ltd.
Inventors: Jong Chae Moon, Soh Min Ahn, Young Chan Woo, Guk Ho Gil
-
Patent number: 11714842
Abstract: Example systems and methods for efficient data governance are disclosed. Metadata associated with file objects is analyzed to estimate, for each file object, the likelihood that the file object includes sensitive data. The estimates are used to prioritize the file objects for analysis of the file objects’ content to determine whether the objects include data deemed to be of a sensitive nature. In cloud-based systems/methods the estimates are also used to prioritize the file objects for transfer from a remote file storage system to the cloud-based system for analysis of content. The disclosed systems and methods significantly reduce the time required to identify sensitive file content in a large number of file objects.
Type: Grant
Filed: April 29, 2020
Date of Patent: August 1, 2023
Assignee: Egnyte, Inc.
Inventors: Shishir Sharma, Amrit Jassal, Sean H. Puttergill, Willy Lanig Picard, Marcin Artur Zablocki
-
Patent number: 11481843
Abstract: A computer-implemented method is disclosed.
Type: Grant
Filed: February 12, 2021
Date of Patent: October 25, 2022
Assignee: The Toronto-Dominion Bank
Inventors: Gregory John Baldwin, Bruno Sandre, Arjun Nanda, Daniel Sourani, Shaun Chinapen
-
Patent number: 11392713
Abstract: Systems and methods for managing a list of huddle board participants are disclosed. The huddle collaboration system includes a huddle management system having an authentication module, a data processing module, a huddle board management module, and a module manager, among other suitable components. The system runs an automatic process to update a list of huddle boards and huddle board participants, which includes the process of adding or eliminating team members from the list of participants of one or more huddle boards and/or modifying a dotted line member's permissions within one or more huddle boards. The huddle board management module enables the automatic update of permissions assigned to a team member in one or more huddle boards, in a faster and more accurate manner; therefore enhancing the productivity of the huddle and leveraging the human and information technology resource of the company.
Type: Grant
Filed: July 20, 2020
Date of Patent: July 19, 2022
Assignee: MASSACHUSETTS MUTUAL LIFE INSURANCE COMPANY
Inventor: John Westcott
-
Creating process fingerprints based on virtualized containers for determining software product usage
Patent number: 11354145
Abstract: A method, a system, and a computer program product are provided for determining usage of a software product. The software product is initialized within a virtualized container. Processes executing within the virtualized container are identified. A process fingerprint for the software product is created and includes identifying information of the processes executing within the virtualized container. Usage of the software product on a computing device is determined based, at least partly, on the identifying information of only non-common processes included in the process fingerprint.
Type: Grant
Filed: August 28, 2019
Date of Patent: June 7, 2022
Assignee: International Business Machines Corporation
Inventors: Adam Babol, Jacek Midura, Jan Galda, Lukasz T. Jeda
-
Patent number: 11190516
Abstract: A technology is described for device communication with computing regions. An example method may include receiving a request for an identity token at a first computing region, where the identity token enables a device to communicate with a second computing region. In receiving the request, the device associated with the request may be authenticated using authentication credentials for the device. A determination may be made that the device is authorized to communicate with the second computing region and an identity token may be generated to indicate that the device is authorized to communicate with the second computing region. The identity token may be provided to the device and the device may present the identity token to the second computing region, allowing the device to communicate with the second computing region.
Type: Grant
Filed: August 24, 2017
Date of Patent: November 30, 2021
Assignee: Amazon Technologies, Inc.
Inventor: Rameez Loladia
-
Patent number: 11108784
Abstract: Aspects refresh permission credentials by populating within user profile data sets cached for members an invalidated value and a first timestamp of said populating the invalidated value; selecting user profile data sets including the invalidated value; identifying a second timestamp of time of creation of the permission credential within the selected user profile data sets; and in response to determining that a time elapsed between the first and second timestamps does not exceed a threshold, rebuilding the selected user profile data sets to include an updated value of the permission credential and set the second timestamp value to a current time of the rebuild, and cache (store) the rebuilt selected user profile data set within the repository.
Type: Grant
Filed: May 9, 2019
Date of Patent: August 31, 2021
Assignee: ADP, INC.
Inventors: Gregory Fincannon, Stephen Dale Garvey, Christian Brunkow, Haritha Maddi
-
Patent number: 11095716
Abstract: Embodiments of the invention provide a method for data replication in a networking system comprising multiple computing nodes. The method comprises maintaining a data set on at least two computing nodes of the system. The method further comprises receiving a data update request for the data set, wherein the data update request includes a data update for the data set. The data set on the at least two computing nodes is updated based on the data update request received.
Type: Grant
Filed: January 10, 2019
Date of Patent: August 17, 2021
Assignee: International Business Machines Corporation
Inventors: Sushma Anantharam, Amitabha Biswas, Harshad S. Padhye
-
Patent number: 10942788
Abstract: Some embodiments of the invention provide a method for processing requests for performing operations on resources in a software defined datacenter (SDDC). The resources are software-defined (SD) resources in some embodiments. The method initially receives a request to perform an operation with respect to a first resource in the SDDC. The method identifies a policy that matches (i.e., is applicable to) the received request for the first resource by comparing a set of attributes of the request with sets of attributes of a set of policies that place constraints on operations specified for resources. In some embodiments, several sets of attributes for several policies can be expressed for resources at different hierarchal resource levels of the SDDC. The method rejects the received request when the identified policy specifies that the requested operation violates a constraint on operations specified for the first resource.
Type: Grant
Filed: November 27, 2018
Date of Patent: March 9, 2021
Assignee: VMWARE, INC.
Inventors: Amarnath Palavalli, Sachin Mohan Vaidya, Pavlush Margarian
-
Patent number: 10613759
Abstract: Described are computer-implemented methods and computing systems for automatically deduplicating a target dataset relative to a baseline dataset by providing distributed analysis of a first dataset to automatically generate a baseline dataset of the most common blocks of the first dataset, wherein the analysis is conducted in a distributed computing environment comprising a master computer system connected via a computer network to a plurality of computer systems.
Type: Grant
Filed: October 22, 2018
Date of Patent: April 7, 2020
Assignee: CODER TECHNOLOGIES, INC.
Inventor: Ammar Hussain Bandukwala
-
Patent number: 10331788
Abstract: Mechanisms are provided for latent ambiguity handling in natural language processing. The method may include: providing an annotated semantic graph based on a knowledge base in which nodes representing semantic concepts are linked by semantic relationships, wherein one or more nodes are annotated to indicate a latent ambiguity of the semantic concept; processing a natural language input by activation of the annotated semantic graph; during processing when encountering an annotated node indicating a latent ambiguity of the semantic concept, applying a pre-defined latent ambiguity process to the node; and replacing any annotated nodes indicating a latent ambiguity of the concept remaining in an output of the processing of the natural language input with an alternative node from the semantic graph.
Type: Grant
Filed: June 22, 2016
Date of Patent: June 25, 2019
Assignee: International Business Machines Corporation
Inventors: Seamus R. McAteer, Daniel J. McCloskey, Mikhail Sogrin
-
Patent number: 10318319
Abstract: Example embodiments of a two-model user interface system are described. In an example embodiment, first information of a user interface model is presented via a user interface, the first information of the user interface model based on data available at a data processing system. User input indicating a selected portion of the first information is received via the user interface. A communication model is updated to include the selected portion of the first information, and the user interface model is updated to include an indication of the selected portion of the first information. The selected portion of the first information is communicated from the communication model to the data processing system based on the updating of the communication model.
Type: Grant
Filed: August 26, 2016
Date of Patent: June 11, 2019
Assignee: SAP SE
Inventors: Andreas Riehl, Sonja Barnet, Gibo Thomas Pulipara
-
Patent number: 10277503
Abstract: Embodiments relate to cross-domain service request placement in a software defined environment (SDE). An aspect includes receiving a service request corresponding to a job to be completed in the SDE. Another aspect includes determining a first computer device in a first domain, and a second computer device in a second domain, that are capable of performing the service request. Another aspect includes determining, for the first and second computer devices, first and second pluralities of available service classes. Another aspect includes determining, for the first and second computer devices, a first and second plurality of costs of performing the service request, wherein each of the first and second plurality of costs corresponds to a single respective service class. Yet another aspect includes selecting one of the first computer device and the second computer device to perform the service request based on the first and second plurality of costs.
Type: Grant
Filed: November 27, 2017
Date of Patent: April 30, 2019
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Sandeep Gopisetty, Ramani R. Routray, Yang Song, Chung-Hao Tan
-
Patent number: 10185930
Abstract: A data analysis system stores in-memory representation of a distributed data structure across a plurality of processors of a parallel or distributed system. Client applications interact with the in-memory distributed data structure to process queries using the in-memory distributed data structure and to modify the in-memory distributed data structure. The data analysis system creates uniform resource identifier (URI) to identify each in-memory distributed data structure. The URI can be communicated from one client application to another application using communication mechanisms outside the data analysis system, for example, by email, thereby allowing other client devices to interact with a particular in-memory distributed data structure. The in-memory distributed data structure can be a machine learning model that is trained by one client device and executed by another client device. A client application can interact with the in-memory distributed data structure using different programming languages.
Type: Grant
Filed: July 30, 2015
Date of Patent: January 22, 2019
Assignee: ARIMO, INC.
Inventors: Christopher T. Nguyen, Anh H. Trinh, Bach D. Bui
-
Patent number: 9928111
Abstract: In accordance with an embodiment, described herein is a system and method for supporting the use of configuration tagging in a multitenant application server environment. In accordance with an embodiment, a user interface is provided which displays a domain structure, including partitions and target systems, and enables components of the domain to be associated with user-specified tags that are received from an administrator, including for example, a first component associated with a first set of one or more tag(s), and a second component associated with a second set of one or more tag(s), which are then associated with the corresponding domain component. For example, a virtual target or target system can be associated with a tag such as “Gold”, “Silver” or “Bronze”. The tagged components can then be associated with the creation or definition of a partition.
Type: Grant
Filed: June 23, 2015
Date of Patent: March 27, 2018
Assignee: ORACLE INTERNATIONAL CORPORATION
Inventors: Joseph Dipol, Martin Mares, Nazrul Islam, Romain Grecourt, Jennifer Galloway
-
Patent number: 9880869
Abstract: Three embodiments of one-way cross-domain systems for transferring information from a client in a first security domain to a server in a second separate security domain are disclosed. In addition, three embodiments of bilateral cross-domain systems for transferring first information from a client in a first security domain to a server in a second separate security domain and second information from the server in the second separate security domain to the client in the first security domain are also disclosed. Each of the one-way and bilateral cross-domain systems is based upon a single computer server which employs a number of virtual machines to implement send and receive servers. The single computer server also implements one (for the one-way cross-domain systems) or two (for the bilateral cross-domain systems) virtual one-way data links in either virtual machines or within the hypervisor portion of the operating system.
Type: Grant
Filed: May 14, 2015
Date of Patent: January 30, 2018
Assignee: Owl Cyber Defense Solutions, LLC
Inventors: Ronald Mraz, Steven Staubly, Michael M. Tsao
-
Patent number: 9715513
Abstract: The present invention relates to a system, method and computing apparatus to isolate a database in a database system. The disclosure of the present invention enables more efficient and more secured implementation of “database isolation” in a multi-tenant or multi-user database system storing service data belonging to different users. The user identifier(s) are extracted from the default database, creating a user table according to the extracted user identifier(s), creating a service table in the main database with owner user identifier column and owner group identifier column inserted, it can efficiently create a view to a user when the user requests to access the service data which the user owns or the user is authorized to access. The created service table with owner user identifier column and owner group identifier column inserted achieves database isolation at database level, and the created view achieves database isolation at application level.
Type: Grant
Filed: February 17, 2015
Date of Patent: July 25, 2017
Assignee: CELLOS SOFTWARE LIMITED
Inventors: Chandresh Sharma, Prafulla Kumar
-
Patent number: 9525848
Abstract: A dynamic video communications system provides real time provisioning of a video communication session in a domain video network between a set of user devices. The real time provisioning is implemented by receiving an identifier of a video communication session from a user device, where the identifier includes a domain and a name, determining an authentication principle associated with the user device, where the authentication principle includes a domain of the user, checking whether the domain of the user matches a domain of the video communication session, and joining the user device with the video communication session.
Type: Grant
Filed: May 29, 2015
Date of Patent: December 20, 2016
Assignee: Highfive Technologies, Inc.
Inventors: Shantanu Sinha, Jeremy Roy, Ohene Kwasi Ohene-Adu, Edward Wei
-
Patent number: 9460300
Abstract: Access control systems and methods are described, including receiving a request from a user to access a first object, where first access-control information is associated with the first object; determining that the first object is referenced by a second object; determining second access-control information associated with the second object, where the second access-control information identifies the user as having access to the second object; and providing to the user access to the first object based on the second access-control information.
Type: Grant
Filed: December 24, 2012
Date of Patent: October 4, 2016
Assignee: GOOGLE INC.
Inventors: Lea Kissner, Abhishek Parmar
-
Patent number: 9460146
Abstract: Tools and techniques for performing a mass change to data are described. Attribute values in a data set can be replaced or overwritten based on a user request. The user request can be based on user selections and inputs made via a user interface. The user can limit the attribute values that are replaced based on attribute, attribute value, and/or other designation. The user interface can facilitate user execution of the mass change by presenting lists of attribute values and/or attributes to the user for selection. The list of attribute values can be limited based on a user designation of data elements for mass change. A mass change component can be configured to control directly or indirectly the user interface or portions thereof. The mass change component can initiate the mass change of the data, based on the user selections and inputs.
Type: Grant
Filed: August 1, 2012
Date of Patent: October 4, 2016
Assignee: SAP SE
Inventor: Wolfgang Walter
-
Patent number: 9438670
Abstract: Embodiments of the invention provide a method for data replication in a networking system comprising multiple computing nodes. The method comprises maintaining a data set on at least two computing nodes of the system. The method further comprises receiving a data update request for the data set, wherein the data update request includes a data update for the data set. The data set on the at least two computing nodes is updated based on the data update request received.
Type: Grant
Filed: March 13, 2013
Date of Patent: September 6, 2016
Assignee: International Business Machines Corporation
Inventors: Sushma Anantharam, Amitabha Biswas, Harshad S. Padhye
-
Patent number: 9411973
Abstract: Machines, systems and methods for handling a client request in a hierarchical multi-tenant data storage system, the method comprising processing a request in subtasks, wherein a subtask is executed with a minimal set of privileges associated with a specific subtenant; extracting a claimed n-level hierarchy of a tenant and sub-tenant identities from the request; extracting authentication signatures or credentials that correspond to a level in the hierarchy; for a first level in the hierarchy, sending the request to a dedicated subtenant authenticator with privilege to validate credentials for a subtenant at the first level; and receiving a confirmation from the dedicated subtenant authenticator, whether the request is authentic.
Type: Grant
Filed: May 2, 2013
Date of Patent: August 9, 2016
Assignee: International Business Machines Corporation
Inventors: Michael E. Factor, David Hadas, Elliot K. Kolodner, Anil Kurmus, Alexandra Shulman-Peleg, Alessandro Sorniotti
-
Patent number: 9292704
Abstract: The present invention provides an information processing device which can detect illegal authorization setting efficiently in a short period of time. The information processing device includes a database which stores electronic documents, a means for storing rank values of users of the database, a means for storing the authorization degree of an electronic document or an electronic document group and authorization degrees of respective document classes of the database, a means for analyzing the electronic documents and combining together documents having mutual similarity in a degree equal to or higher than a certain level into a similar document group, and a means for analyzing authorization degrees of respective document classes in the database with reference to the rank values of the users, and thus detecting an electronic document or an electronic document group whose authorization setting is improper.
Type: Grant
Filed: March 12, 2013
Date of Patent: March 22, 2016
Assignee: NEC CORPORATION
Inventor: Mitsuyoshi Ueno
-
Patent number: 9245146
Abstract: The present invention provides an information processing device which can detect illegal authorization setting efficiently in a short period of time. The information processing device includes a database which stores electronic documents, a means for storing rank values of users of the database, a means for storing the authorization degree of an electronic document or an electronic document group and authorization degrees of respective document classes of the database, a means for analyzing the electronic documents and combining together documents having mutual similarity in a degree equal to or higher than a certain level into a similar document group, and a means for analyzing authorization degrees of respective document classes in the database with reference to the rank values of the users, and thus detecting an electronic document or an electronic document group whose authorization setting is improper.
Type: Grant
Filed: March 12, 2013
Date of Patent: January 26, 2016
Assignee: NEC CORPORATION
Inventor: Mitsuyoshi Ueno
-
Patent number: 9203855
Abstract: Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or memory access. According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or an instruction execution detection/interception mechanism (which may be proximate in temporal and/or spatial locality to malicious code, but isolated from it). The instruction execution detection/interception mechanism may perform processing, inter alia, for detection and/or notification of, and actions upon by a monitoring guest, code execution by a monitored guest involving predetermined physical memory locations, such as API calls.
Type: Grant
Filed: May 15, 2015
Date of Patent: December 1, 2015
Assignee: Lynx Software Technologies, Inc.
Inventors: Edward T. Mooring, Craig Howard
-
Patent number: 9037610
Abstract: A method of providing access control to a relational database accessible from a user interface is implemented at a policy enforcement point, which is located between the database and the user interface and includes the steps of: (i) intercepting a database query from a user; (ii) assigning attribute values on the basis of a target table or target column in the query, a construct type in the query, or the user or environment; (iii) partially evaluating an access-control policy defined in terms of said attributes, by constructing a partial policy decision request containing the attribute values assigned in step ii) and evaluating the AC policy for this, whereby a simplified policy is obtained; (iv) deriving an access condition, for which the simplified policy permits access; and (v) amending the database query by imposing said access condition and transmitting the amended query to the database.
Type: Grant
Filed: May 4, 2012
Date of Patent: May 19, 2015
Assignee: AXIOMATICS AB
Inventor: Erik Rissanen
-
Patent number: 9021559
Abstract: A Multilevel Security (MLS) server provides MLS functionality to single-level applications running on a remote Multiple Independent Level Security (MILS) or MLS client device. More specifically, the MLS server provides a plurality of different security domains in which applications can execute. The client device executes a single-level application in a first security domain, the single-level application not natively capable of communicating with other domains. The single-level application in the first security domain sends a request to the MLS server. The MLS server receives the request, passing it to all applicable domains, including a second security domain, where it is duly executed. The MLS server then provides the results of the request execution—if any—back to an appropriate application on the client device.
Type: Grant
Filed: October 11, 2013
Date of Patent: April 28, 2015
Assignee: BlueSpace Software Corporation
Inventors: Brian J. Vetter, Justin Philip Marston, David Sundstrom
-
Patent number: 8972457
Abstract: A computer displays a graphical user interface on its display. The graphical user interface includes a schema information region and a data visualization region. The schema information region includes multiple operand names, each operand corresponding to one or more fields of a multi-dimensional database that includes at least one data hierarchy. The data visualization region includes a columns shelf and a rows shelf. The computer detects user actions to associate one or more first operands with the columns shelf and to associate one or more second operands with the rows shelf. The computer generates a visual table in the data visualization region in accordance with the user actions. The visual table includes one or more panes. Each pane has an x-axis defined based on data for the one or more first operands, and each pane has a y-axis defined based on data for the one or more second operands.
Type: Grant
Filed: March 31, 2014
Date of Patent: March 3, 2015
Assignee: Board of Trustees of the Leland Stanford Jr. University
Inventors: Chris Stolte, Diane L. Tang, Patrick Hanrahan
-
Patent number: 8972240
Abstract: An “Interactive Word Lattice” provides a user interface for interacting with and selecting user-modifiable paths through a lattice-based representation of alternative suggested text segments in response to a user's text segment input, such as phrases, sentences, paragraphs, entire documents, etc. More specifically, the user input is provided to a trained paraphrase generation model that returns a plurality of alternative text segments having the same or similar meaning as the original user input. An interactive graphical lattice-based representation of the alternative text segments is then presented to the user. One or more words of each alternative text segment represents a “node” of the lattice, while each connection between nodes represents a lattice “edge.” Both nodes and edges are user modifiable. Each possible path through the lattice corresponds to a different alternative text segment. Users select a path through the lattice to select an alternative text to the original input.
Type: Grant
Filed: August 18, 2011
Date of Patent: March 3, 2015
Assignee: Microsoft Corporation
Inventors: Christopher John Brockett, William Brennan Dolan
-
Patent number: 8972447
Abstract: A system that persistently maintains and exposes one or more previous object hierarchies to which an object belonged across one or more hierarchy destroying operations, such as operations that delete parent objects, add parent objects subsequent to addition of their descendent objects, forward objects to or from the hierarchy, and/or modify hierarchy determining rules. A user interface object allows user access to one or more persistent hierarchies for the corresponding object. A hierarchy list or the like allows a user to select a desired one of the persistent hierarchies. A persistent hierarchy can be accessed in the disclosed system through a display object associated with any object within the hierarchy, including the root, leaves, and any intervening objects. When objects are deleted, “ghost” objects are maintained and displayed to the user in the hierarchical positions of the deleted objects when a persistent hierarchy is displayed.
Type: Grant
Filed: March 18, 2008
Date of Patent: March 3, 2015
Assignee: International Business Machines Corporation
Inventors: John D. Curtis, Margo L. Ezekiel, Jonathan D. Champlin, Michael R. O'Brien, Thomas M. Bentley
-
Patent number: 8966378
Abstract: Various embodiments of the present invention provide systems, methods, and computer program products for providing a community interest network that is developed on a societal relationship platform. In various embodiments, the platform is based on a collection of online, virtualized social communities oriented around interests. Further, in various embodiments, the community interest network includes a directory structure that is hierarchical and is built on a number of interest accounts tied to a specific tier structure (e.g., tier classification).
Type: Grant
Filed: June 13, 2011
Date of Patent: February 24, 2015
Inventor: Christopher Caleb Carter
-
Patent number: 8959108
Abstract: An efficient large scale search system for video and multi-media content using a distributed database and search, and tiered search servers is described. Selected content is stored at the distributed local database and tier1 search server(s). Content matching frequent queries, and frequent unidentified queries are cached at various levels in the search system. Content is classified using feature descriptors and geographical aspects, at feature level and in time segments. Queries not identified at clients and tier1 search server(s) are queried against tier2 or lower search server(s). Search servers use classification and geographical partitioning to reduce search cost. Methods for content tracking and local content searching are executed on clients. The client performs local search, monitoring and/or tracking of the query content with the reference content and local search with a database of reference fingerprints.
Type: Grant
Filed: October 18, 2011
Date of Patent: February 17, 2015
Assignee: Zeitera, LLC
Inventors: Jose Pio Pereira, Shashank Merchant, Prashant Ramanathan, Sunil Suresh Kulkarni, Mihailo Stojancic
-
Patent number: 8930403
Abstract: A method of providing access control to a relational database accessible from a user interface is implemented at a policy enforcement point, which is located between the database and the user interface and includes the steps of: (i) intercepting a database query from a user; (ii) assigning attribute values on the basis of a target table or target column in the query, a construct type in the query, or the user or environment; (iii) partially evaluating an access-control policy defined in terms of said attributes, by constructing a partial policy decision request containing the attribute values assigned in step ii) and evaluating the AC policy for this, whereby a simplified policy is obtained; (iv) deriving an access condition, for which the simplified policy permits access; and (v) amending the database query by imposing said access condition and transmitting the amended query to the database.
Type: Grant
Filed: July 18, 2014
Date of Patent: January 6, 2015
Assignee: Axiomatics AB
Inventor: Erik Rissanen
-
Patent number: 8914412
Abstract: File management systems and methods are presented. In one embodiment, implementation of a method for determining the accurate ownership of a file within a data system includes: identifying a first plurality of access events for a file, wherein the file is associated with a directory of related files; identifying a second plurality of access events for the related files within the directory, wherein access events in the first and second plurality of access events occur within a period; determining a pool of users accessing files within the directory within the period; and selecting a user from the pool of users as an inferred owner of the file based on access metrics related to the plurality of access events.
Type: Grant
Filed: April 7, 2011
Date of Patent: December 16, 2014
Assignee: Symantec Corporation
Inventors: Neha Shirish Deodhar, Jitendra Pore, Ketan Shah
-
Publication number: 20140365527
Abstract: Policy-based, cell-level access control is provided in association with a sorted, distributed key-value data store. As data representing a hierarchical document is ingested into the data store, the data is interpreted to identify fields and any sub-fields in the document, each identified field and its associated protection level as identified are translated into a set of one or more fieldname and visibility label pairs. Each fieldname and visibility label pair has a fieldname identifying a field and its zero or more sub-fields, together with a visibility label that is a function of the associated protection levels of the field and any sub-fields therein. At query time, and in response to receipt of a query including an authorization label, the fieldname and visibility labels are applied against the authorization label in the query to control which fields in the document are retrieved and used to generate the response to the query.
Type: Application
Filed: June 7, 2014
Publication date: December 11, 2014
Applicant: Sqrrl Data, Inc.
Inventors: Adam P. Fuchs, Christopher B. McCubbin, Luke Brassard
-
Patent number: 8890652
Abstract: In a method for the access control to an automation unit (01), access rights predetermined by the access control are dependent on the operating state of the automation unit (01), wherein at least during an emergency, expanded access rights in relation to normal operation are granted independently of the access rights during normal operation.
Type: Grant
Filed: August 28, 2008
Date of Patent: November 18, 2014
Assignee: Siemens Aktiengesellschaft
Inventors: Rainer Falk, Florian Kohlmayer, Andreas Köpf
-
Publication number: 20140337386
Abstract: A method and system of sharing a folder in a file system between an owner and a grantee is provided. An indication of a folder to share with a grantee may be received from the owner. The folder to share may be a subfolder within a parent folder, the parent folder not shared with the grantee. Then, sharing permissions indicating a level of access the grantee has to the folder may be stored with the folder. A virtual folder corresponding to the folder to share may be created on a device of the grantee. The virtual folder maps to all objects within the folder to share and may be stored at a level equal to parent folders of a file hierarchy on the device of the grantee.
Type: Application
Filed: May 7, 2014
Publication date: November 13, 2014
Applicant: INTERMEDIA.NET, INC.
Inventors: Bojan Dusevic, Andrew Gachechiladze, Nikita Uraltsev, Alexander Prokofiev, Leonid Antonenkov
-
Patent number: 8886670
Abstract: A method for securely accessing a number of computing systems within a remote facility includes, with a mobile computing system, checking out access data from a centralized database, the access data providing access to the computing systems within the remote facility. The mobile computing device then interfaces with a first computing system, the first computing system being unable to have access criteria changed from a remote location. The mobile computing system then provides a user with access to the first computing system using the checked out access data without revealing that checked out access data to the user.
Type: Grant
Filed: November 11, 2011
Date of Patent: November 11, 2014
Assignee: International Business Machines Corporation
Inventors: Sadanand Rajaram Bajekal, Luis B. Casco-Arias, Archit Suhas Lohokare
-
Patent number: 8886675
Abstract: A method and system for managing data clusters is provided. A first data cluster is generated having a first data object and a second data object. The first data cluster has a strict hierarchy between the first data object and the second data object. A first object reference from the first data object to the second data object is extracted. The first object reference is stored in a first reference container. A second object reference from the first data object to a third data object is extracted. The third data object is stored in a second data cluster. The second object reference is stored in a second reference container. A memory access is provided to the first data cluster based on the first object reference and the second object reference.
Type: Grant
Filed: October 23, 2008
Date of Patent: November 11, 2014
Assignee: SAP SE
Inventors: Albert Zedlitz, Stefan Schulz
-
Patent number: 8881255
Abstract: The invention relates to a portable token (SC) comprising a capability query mechanism (CQM). The capability query mechanism (CQM) is set to inform entities (PC, MW) willing to communicate with the portable token (SC) of at least a subset of the command(s) (C) available in the portable token (SC). The portable token (SC) is arranged to set a flag when the capability query mechanism (CQM) is invoked. When a command (C) is called, the portable token (SC) enforces first access conditions (AC1) for the command (C) if the flag is set, or second access conditions (AC2) if the flag is cleared.
Type: Grant
Filed: December 18, 2008
Date of Patent: November 4, 2014
Assignee: Gemalto SA
Inventor: Mourad Faher
-
Patent number: 8868607
Abstract: Methods and systems for monitoring privileged user access of a database using a computer having at least one processor are provided. The system monitors database transactions. If a transaction is made by a privileged user, the system records information relating to the transaction in an audit database and/or in an audit file. If a transaction is made by a terminated or otherwise unauthorized privileged user, the system can be adapted to alert management of a possible security breach.
Type: Grant
Filed: September 18, 2009
Date of Patent: October 21, 2014
Assignee: American International Group, Inc.
Inventor: Ira W. Apsel