Patent classifications
G06F2221/2125
Automated masking of confidential information in unstructured computer text using artificial intelligence
Methods and apparatuses are described in which unstructured computer text is analyzed for masking of confidential information using artificial intelligence. A client device generates a message comprising unstructured computer text including confidential information. A server trains a word embedding model using the unstructured text. The server generates a multidimensional vector for each word in the unstructured text, generates a mapping table comprising a predetermined set of words corresponding to confidential information from the unstructured text, and determines one or more neighboring words in the trained word embedding model using the predetermined set of words. The server updates the mapping table to incorporate the one or more neighboring words and executes rules on the unstructured text that filter out one or more words, and applies the updated mapping table to match words in the updated mapping table with words in the filtered text and mask the matching words in the unstructured text.
Big data distributed processing and secure data transferring with obfuscation
Aspects of the disclosure relate to in-flight data masking and on-demand encryption of big data on a network. Computer machine(s), cluster managers, nodes, and/or multilevel platforms can request, receive, and/or authenticate requests for a big data dataset, containing sensitive and non-sensitive data, in a data store based on credentials received from a source. Profiles can be auto provisioned, and access rights can be assigned. Server configuration and data connection properties can be defined. A secure connection to the data store can be established. The sensitive information in the big data dataset can be redacted into a sanitized dataset based on one or more data obfuscation types. The encrypted data can be transmitted, in response to the request, to a source, a target, and/or another computer machine and can be decrypted back into the sanitized dataset.
COMPUTER SYSTEM WITH MOVING TARGET DEFENSES AGAINST VULNERABILITY ATTACKS
A computer system includes an ensemble moving target defense architecture that protects the computer system against attack using one or more composable protection layers that change each churn cycle, thereby requiring an attacker to acquire information needed for an attack (e.g., code and pointers) and successfully deploy the attack, before the layers have changed state. Each layer may deploy a respective attack information asset protection providing multiple respective attack protections each churn cycle, wherein the respective attack information asset protections may differ.
Big data distributed processing and secure data transferring with resource allocation and rebate
Aspects of the disclosure relate to resource allocation and rebating during in-flight data masking and on-demand encryption of big data on a network. Computer machine(s), cluster managers, nodes, and/or multilevel platforms can request, receive, and/or authenticate requests for a big data dataset, containing sensitive and non-sensitive data. Profiles can be auto provisioned, and access rights can be assigned. Server configuration and data connection properties can be defined. Secure connection(s) to the data store can be established. Sensitive information can be redacted into a sanitized dataset based on one or more data obfuscation types. RAM requirements and current RAM allocation can be diagnosed. Portion(s) of the current RAM allocation exceeding the RAM requirements can be rebated. The encrypted data can be transmitted, in response to the request, to a source, a target, and/or another computer machine and can be decrypted back into the sanitized dataset.
SYSTEM AND METHOD TO SAFEGUARDING SENSITIVE INFORMATION IN COBROWSING SESSION
Co-browsing sessions allow an agent to see inputs of a user and assist the user in completing a task associated with the inputs, such as completing a form on an application or website. Agents may see the information provided by the user, unless that information is sensitive (e.g., social security number, account number, password, etc.), in which case the information is blocked. However, humans will make mistakes for any number of reasons. When that mistake is the providing of sensitive information in a non-sensitive field, systems and methods are provided to block such information, even when provided into a field not designated for sensitive information (e.g., city of residence). As a result, sensitive information may be entered during a co-browsing session, into a field by mistake, and not expose the information to the agent.
TECHNOLOGY FOR PROVIDING PASSWORD SECURITY
Technology for password entry security that monitors a text entry field that is not an appropriate text entry field for password entry, and, on condition that a user enters a first portion of a designated user password into the text entry field, then machine logic deletes and/or obscures at least the first portion of the password from the text entry field so that it cannot be espied or intercepted by unauthorized parties. In some embodiments, an integer number N is designated to determine how many characters must be in the first portion entered by the user before the password text is deleted or obscured.
Runtime management of application components
Techniques are described for runtime checking of function metadata prior to execution of a function in an environment. An application may include any appropriate number of components at one or more levels in a hierarchical arrangement, and each component may be packaged with metadata that describes the component. A function, or any component, may be packaged with metadata that includes term(s) governing the usage of the function. The term(s) may be checked, at runtime, during execution of the application to determine whether the function is to be executed. A function may also be hashed at runtime for verification of function version. Function(s) may be individually and independently executed as containerized nano functions within the environment.
Method for executing a binary code of a secure function with a microprocessor
A method for executing a binary code of a secure function includes obtaining a pointer containing: a first range of bits containing the address of a line of code, and a second, different range of bits containing an identifier of the pointer, storing the line of code, this line of code containing a first integrity tag constructed or encrypted using the identifier of the pointer, loading the line of code from the address contained in the first range of bits of the pointer, verifying the integrity of the loaded line of code by constructing a second integrity tag using the identifier of the pointer contained in the second range of bits of the pointer used to load it.
Computer system with moving target defenses against vulnerability attacks
A computer system includes an ensemble moving target defense architecture that protects the computer system against attack using a plurality of composable protection layers that change each churn cycle, thereby requiring an attacker to acquire information needed for an attack (e.g., code and pointers) and successfully deploy the attack, before the layers have changed state. Each layer may deploy a different attack information asset protection providing multiple different attack protections each churn cycle.
DYNAMIC RANDOMIZATION OF PASSWORD CHALLENGE
A method of operating an electronic device includes generating scramble control codes. The scramble codes are generated by generating a random number, shifting the random number to produce a shifted random number, generating control signals by selecting different subsets of the shifted random number, and generating scramble control words by selecting different subsets of the random number based upon the control signals. The method further includes receiving a password comprised of sub-words and scrambling those sub-words according to the scramble control codes, retrieving a verification word comprised of sub-words and scrambling those sub-words according to the scramble control codes, and comparing the scrambled sub-words of the password to the scrambled sub-words of the verification word to thereby authenticate an external device that provided the password.