
POLICY

Subclass of:

726 - Information security

Entries
DocumentTitleDate
20110179464Client-Side Security Management for an Operations, Administration, and Maintenance System for Wireless Clients - An Operations, Administration, and Maintenance (OA&M) 07-21-2011
20110185396INFORMATION-PROCESSING APPARATUS, INFORMATION-PROCESSING METHOD, AND COMPUTER-READABLE STORAGE MEDIUM - An information-processing apparatus comprises: an environment storage unit that stores a set of instructions for implementing a plurality of runtime environments including a first runtime environment and a second runtime environment; an execution unit that executes the set of instructions stored in the environment storage unit; a status-holding unit that stores an item(s) of status information to be transmitted from the first runtime environment to the second runtime environment; a timing storage unit that stores a condition relating to a status of execution of one of the first runtime environment and the second runtime environment; and a transmission unit that transmits the item(s) of status information stored in the status-holding unit to the second runtime environment in a case where the condition stored in the timing storage unit is fulfilled.07-28-2011
20090178107ACCESS CONTROL POLICY CONVERSION - Methods and apparatus are provided for generating an access control policy data structure for a single-authorization-query access control system from a source policy data structure of an access control system in which primary authorizations can be subject to auxiliary constraints. Authorizations in the data structures are defined in terms of subject, resource and action elements. For each resource in a set of resources in the source policy data structure, the data structure is analyzed to identify primary authorizations relating to that resource. For each primary authorization, policy data which represents a policy defining an access rule expressing that authorization is generated and stored in system memory and analyzed to identify any auxiliary constraints associated with that primary authorization. For each auxiliary constraint so identified, policy data is generated and stored in system memory.07-09-2009
20090222878SYSTEMS AND METHODS FOR A SECURE GUEST ACCOUNT - An embodiment relates generally to a method of creating a secure environment in a computer device. The method includes providing a secure guest account in a multi-user operating system and enforcing a policy on the secure account to allow a user to log-in to the secure guest account while preventing access at least one network port of the computer device. The method also includes enforcing a rule to allow the secure guest account access to an application and the at least one network port.09-03-2009
20120266209Method of Secure Electric Power Grid Operations Using Common Cyber Security Services - A system of operating an electric power grid using common cyber security services to ensure secure connections from control systems to devices in the electric transmission, electric distribution, and energy centric devices in electric customers' networks.10-18-2012
20120266208METHODS AND APPARATUS FOR MALWARE THREAT RESEARCH - Methods for classifying computer objects as malware and the associated apparatus are disclosed. An exemplary method includes, at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored and or processed and counting the number of times in a given time period objects having one or more common attributes or behaviors that have been seen by the remote computers. The counted number is then compared with the expected number based on past observations, and if the comparison exceeds a predetermined threshold, the objects are flagged as unsafe or as suspicious.10-18-2012
20120174182NETWORKED PHYSICAL SECURITY ACCESS CONTROL SYSTEM AND METHOD - A distributed networked physical security access control system for controlling a plurality of security access devices includes access server appliances in communication with a primary network. At least one access server appliance includes an appliance management module accessible through a web browser in communication with the primary network. The appliance management module configures the access server appliances to a user specified security configuration. The access server appliances are in peer-to-peer communication on the primary network to bridge the access server appliances for providing consistency in each of the access server appliances.07-05-2012
20120174180AUTHORIZATIONS FOR ANALYTICAL REPORTS - A system may include reception of a request from a user to start a report associated with a node of a business object object model, where the node of the business object object model is associated with an access control list associating instances of the node with at least one access context restriction, determination of a first access context restriction associated with the user, retrieval of the at least one instance of the node based on the first access context restriction and on the access control list associated with the node, and presentation of an instance of the report to the user, the instance of the report populated with the at least one instance.07-05-2012
20100088738Global Object Access Auditing - Global object access auditing techniques are described. In an implementation, a global SACL for a resource and an object SACL are merged to form a merged SACL responsive to a request for access to an object. The merged SACL is checked to determine what activity is to generate an audit event.04-08-2010
20080276296MANAGEMENT OF USER AUTHORIZATIONS - A method of determining unauthorized user access requests in a data processing system, the method comprising the steps of accessing a record of role managed authorizations and a record of manually assigned authorizations, receiving a record of user authorization requests from a plurality of data processing systems, and comparing the record of user authorization requests to the record of role managed authorizations and to the record of manually assigned authorizations to identify any unauthorized authorizations.11-06-2008
20130047199Method and Apparatus for Subject Recognition Session Validation - According to one embodiment, an apparatus may store a plurality of token-based rules. A token-based rule may facilitate access to a resource. The apparatus may further store a plurality of tokens. The plurality of tokens may include a session token associated with access to the resource by a user. The apparatus may receive a first token indicating at least one of the detection of a face other than the user's and the detection of a voice other than the user's. The apparatus may determine, based at least in part upon at least one token-based rule from the plurality of token-based rules, that access to the resource should be terminated in response to receiving the first token and terminate the session token in response to the determination that access to the resource should be terminated.02-21-2013
20130031602THIN CLIENT SYSTEM, AND ACCESS CONTROL METHOD AND ACCESS CONTROL PROGRAM FOR THIN CLIENT SYSTEM - To heighten security in a thin client system, the thin client system includes: a communication unit 01-31-2013
20130031601PARENTAL CONTROL OF MOBILE CONTENT ON A MOBILE DEVICE - Systems and methods of parental control of content on a mobile device are disclosed. One embodiment includes, proxy server remote from a mobile device which monitors, traffic activities, including inbound or outbound traffic, on the mobile device and detects adult content from the traffic activities. The proxy server communicates identification of the suspicious traffic to a local proxy on the mobile device, such that the suspicious traffic containing the adult content is blocked from access to or from the mobile device.01-31-2013
20130031600AUTOMATIC GENERATION AND DISTRIBUTION OF POLICY INFORMATION REGARDING MALICIOUS MOBILE TRAFFIC IN A WIRELESS NETWORK - Systems and methods for automatically generating and distributing policy information for malicious mobile traffic in a wireless network are disclosed. One embodiment of a method which can be implemented on a system includes, aggregating suspicious activity information detected across multiple mobile devices in a wireless network, generating policy information for malicious mobile traffic using the suspicious activity information, and/or distributing the policy information among the multiple mobile devices or other mobile devices in the wireless network. The policy information can, for example, be distributed to wireless operators, mobile network carriers, or application service providers.01-31-2013
20130031599MONITORING MOBILE APPLICATION ACTIVITIES FOR MALICIOUS TRAFFIC ON A MOBILE DEVICE - Systems and methods for monitoring mobile application activities for malicious traffic on a mobile device are disclosed. One embodiment of a method which can be implemented on a system includes, monitoring application activities of a mobile application on the mobile device, detecting, from the application activities, suspicious activity, and/or blocking traffic from which the suspicious activity is detected. One embodiment includes creating a policy based on the information aggregated from the multiple mobile devices and/or broadcasting the policy to other mobile devices of the suspicious activity detected from the multiple mobile devices.01-31-2013
20130031598Contextual-Based Virtual Data Boundaries - A system, method, and apparatus for contextual-based virtual data boundaries are disclosed herein. In particular, the present disclosure relates to improvements in access control that work to restrict the accessibility of data based on assigning contextual data thresholds that create a virtual boundary. Specifically, the disclosed method involves assigning at least one threshold to at least one contextual criterion. The method further involves determining whether contextual information from the claimant meets at least one threshold to at least one contextual criterion. Also, the method involves authenticating the claimant, if the contextual information from the claimant meets at least one of the thresholds to at least one contextual criterion. Further, the method involves allowing the claimant access to the data, if the claimant is authenticated.01-31-2013
20130031597METHOD AND EQUIPMENT FOR SECURITY ISOLATION OF A CLIENT COMPUTER - A method and equipment to protect the client computer against attacks through a device that carries out the security isolation of the client computer. It includes isolating all kinds of media that allow for writings in the computer. It uses security software, such as Firewall and antivirus programs configured according to the company's needs and also software to access the company's server, such as a browser or its own software.01-31-2013
20130031596Evaluating Detectability of Information in Authorization Policies - Techniques for evaluating detectablity of confidential information stored in authorization policies are described. In an example, an authorization policy has a confidential property. The confidential property is defined by whether application of a test probe to the authorization policy results in the grant of access to a resource. A processor automatically determines whether at least one witness policy can be generated that is observationally equivalent to the authorization policy from the perspective of a potential attacker, but the application of the test probe to the witness policy generates an access denial result. In the case that such a witness policy can be generated, an indication that the confidential property cannot be detected using the test probe is output. In the case that such a witness policy cannot be generated, an indication that the confidential property can be detected using the test probe is output.01-31-2013
20130031595EFFICIENT SECURING OF DATA ON MOBILE DEVICES - A mobile device and associated method and computer-readable medium, wherein the device is configurable for data protection readiness. A preparation module is configured to perform preprocessing to prepare the mobile device for data protection readiness, the preprocessing includes: indicating certain items of data stored in the data storage arrangement which are of personal importance to an owner of the mobile device; indicating criteria that defines a situation for which the items of data of personal importance are to be secured; and indicating a set of actions to be carried out to secure the items of data of personal importance. A protection module is configured to monitor for an occurrence of the situation for which the items of data of personal importance are to be secured based on the criteria indicated by the preparation module, and to execute the set of actions indicated by the preparation module in response to a detection of the occurrence of the situation.01-31-2013
20110302623APPLICATION AND OPEN SOURCE INFORMATION TECHNOLOGY POLICY FILTER - The present invention is directed to a software distribution architecture in which an enterprise has a filter that screens user requested software, software upgrade(s), software feature(s), and/or software setting option(s) against enterprise rules or policies. Disapproved software, software upgrade(s), software feature(s), and/or software setting option(s) are blocked for download.12-08-2011
20090193498SYSTEMS AND METHODS FOR FINE GRAIN POLICY DRIVEN CLIENTLESS SSL VPN ACCESS - The present disclosure provides solutions that may enable an enterprise providing services to a number of clients to determine whether to establish a client based SSL VPN session or a clientless SSL VPN session with a client based on an information associated with the client. An intermediary establishing SSL VPN sessions between clients and servers may receive a request from a client to access a server. The intermediary may identify a session policy based on the request. The session policy may indicate whether to establish a client based SSL VPN session or clientless SSL VPN session with the server. The intermediary may determine, responsive to the policy, to establish a clientless or client based SSL VPN session between the client and the server.07-30-2009
20090193497METHOD AND APPARATUS FOR CONSTRUCTING SECURITY POLICIES FOR WEB CONTENT INSTRUMENTATION AGAINST BROWSER-BASED ATTACKS - A method and apparatus is disclosed herein for constructing security policies for content instrumentation against attacks. In one embodiment, the method comprises constructing one or more security policies for web content using at least one rewriting template, at least one edit automata policy, or at least one policy template; and rewriting a script program in a document to cause behavior resulting from execution of the script to conform to the one or more policies.07-30-2009
20090193496DETECTION OF HARDWARE-BASED VIRTUAL MACHINE ENVIRONMENT - A method and a processing device are provided for detecting a hardware-based virtual machine environment. An execution time of a privileged instruction may be measured and an execution time of a nonprivileged instruction may be measured. The execution time of the privileged instruction may be compared with the execution time of the nonprivileged instruction. When the execution time of the privileged instruction exceeds the execution time of the nonprivileged instruction by at least a threshold or a threshold factor, then a hardware-based virtual machine environment is detected. In some embodiments, a well-known technique for detecting a software-based virtual machine environment may be used in conjunction with a technique for detecting a hardware-based virtual machine environment. A licensing policy of a software product may be accessed and the software product may be prevented from executing when a detected machine environment is in violation of the licensing policy.07-30-2009
20090193495SYSTEM AND METHODS FOR EFFICIENTLY CLASSIFYING AND SELECTING AMONG SECURITY POLICY ALTERNATIVES FOR OUTBOUND NETWORK COMMUNICATIONS - A computer-implemented method of selecting among a plurality of endpoint policy alternatives to apply to a message conveyed over a data communications network is provided. The method can include assigning a score to each of the plurality of endpoint policy alternatives, wherein an assigned score is based upon policy assertions of the endpoint policy alternative to which the score is assigned. The method can further include selecting, according to a predetermined selection criterion, one of the plurality of endpoint policy alternatives based upon the assigned scores.07-30-2009
20090193494MANAGING ACTIONS OF VIRTUAL ACTORS IN A VIRTUAL ENVIRONMENT - A method, system, and computer usable program product for monitoring the actions of a virtual actor are provided in the illustrative embodiments. An interaction of the virtual actor acting in a role is detected. A set of policies is applied to the interaction. The set of policies include an auditing policy. Auditing according to the auditing policy is determined based on the role of the virtual actor.07-30-2009
20090193493ACCESS POLICY ANALYSIS - Software tools assist an access-policy analyst or creator to debug and/or author access policies. An access request contains a query that evaluates to either true or false depending on whether access is to be allowed. Abduction may be used to generate assumptions that, if true, would cause the access request to be true. The tool may perform analysis on the generated assumptions, such as: comparing the assumptions with tokens to detect errors in the tokens or to suggest changes to the tokens that would cause the query to be satisfied, or comparing the assumptions to a meta-policy. The tool may allow an analysis, policy author, or other person to interactively walk through assumptions in order to see the implications of the access policy.07-30-2009
20090193492METHOD FOR INFORMATION TRACKING IN MULTIPLE INTERDEPENDENT DIMENSIONS - A method for information flow tracking is provided using, for example, a functional programming language based on lambda calculus, λ07-30-2009
20090193491SECURE ELEMENT MANAGER - In one embodiment, a computing device may comprise system hardware, system firmware, one or more secure elements and one or more secure element management module. The secure element may enable access to goods or services. In some embodiments, the operational status of an embedded secure element may be modified by a secure element management module through addition of hardware, communication with a server or the like.07-30-2009
20110197256METHODS FOR SECURING A PROCESSING SYSTEM AND DEVICES THEREOF - A method, computer readable medium, and apparatus for securing a processing system includes implementing a virtual machine manager (VMM) using a hardware assisted handler in secure processing apparatus. One or more critical events are monitored with the VMM in the secure processing apparatus. One or more behaviors in response to the one or more monitored critical events are controlled with VMM.08-11-2011
20100083345METHODS AND APPARATUS RELATED TO PACKET CLASSIFICATION ASSOCIATED WITH A MULTI-STAGE SWITCH - In one embodiment, an apparatus can include a policy vector module configured to retrieve a compressed policy vector based on a portion of a data packet received at a multi-stage switch. The apparatus can also include a decompression module configured to receive the compressed policy vector and configured to define a decompressed policy vector based on the compressed policy vector. The decompressed policy vector can define a combination of bit values associated with a policy.04-01-2010
20130212639Method, System And Apparatus For Improving Security Level Of A Terminal When Surfing Internet - A method, system, and apparatus for improving security level of a terminal when it surfs the Internet. The method includes receiving, by a network side, network security information reported by a terminal, generating a network security policy according to the network security information reported by each terminal, and transmitting a security indication to the network security policy to the terminal; providing, by the terminal, a security prompt for network information to be obtained or having been obtained according to the security indication. Various embodiments can improve the security level of the terminal when it surfs the Internet and save resources of the terminal.08-15-2013
20130086632SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR APPLYING A RULE TO ASSOCIATED EVENTS - A system, method, and computer program product are provided for applying a rule to associated events. In use, a plurality of events is associated based on at least one identifier. Additionally, at least one rule is applied to the associated events. Further, a reaction is performed based on the application of the at least one rule.04-04-2013
20110202970Secure Access In A Communication Network - A method of providing secure access to a remote communication network via a local communication network for a terminal device. A gateway node located outside the local communication network allocates an IP address to the terminal device. The gateway node subsequently receives a request to establish a secure tunnel between the gateway node and the terminal device. It identifies the terminal device as the same terminal device to which an IP address is allocated, and allocates the same IP address for use by the terminal device as both an inner IP address and an outer IP address for packets sent via the secure tunnel. This ensures that there are no issues as described above in selecting the IP address for use in the secure tunnel, and reduces the risk of a successful man-in-the-middle attack.08-18-2011
20110202969ANOMALOUS ACTIVITY DETECTION - The disclosure addresses the detection of anomalous activity. Some embodiments are directed towards a system for receiving an indication relating to a plurality of controls, identification information associated with a responsible account, and instructions from a responsible account associated with the monitoring of thresholds of controls being monitored. The plurality of user account may be organized into groups based upon information relating to the user accounts, and instructions may be applied to the groups to create a dynamic security policy.08-18-2011
20120180105SYSTEMS, METHODS, AND APPARATUS FOR FACILITATING CLIENT-SIDE DIGITAL RIGHTS COMPLIANCE - According to one aspect there is provided a method and an apparatus for facilitating intellectual property rights compliance that is compliant with a same-origin security policy that prohibits the application from executing application-specific instructions from the first domain that access application-specific instructions from the second domain. The method includes receiving a structured document from a first domain, the structured document having at least one content object, a reference to at least one digital rights compliance (DRC) object located on a second domain and associated with the at least one content object, and application-specific instructions being executable by the application. The at least one DRC object is defined in a non-executable format and contains information indicative of rights associated with the at least one content.07-12-2012
20120180103Garage management system - A garage management and monitoring system defines and manages each operational event in a parking facility. Access events, management events, equipment operation events, equipment malfunction events, security events and defined anomaly events are labeled and parsed into a relational database, which is used for generating reports, creating logs, making management decisions, reconstructing accidents, and so on. The equipment includes a computer terminal, a reader, an identifying item or code capable of being read by the reader to control access to the facility, an IP camera, and a garage door or vehicle gate with safety sensors. Each defined event can be codified on the server and/or local controller to create an event library that is downloaded to the controller.07-12-2012
20080256595METHOD AND DEVICE FOR VERIFYING THE SECURITY OF A COMPUTING PLATFORM - Method and device for verifying the security of a computing platform. In the method for verifying the security of a computing platform a verification machine is first transmitting a verification request via an integrity verification component to the platform. Then the platform is generating by means of a trusted platform module a verification result depending on binaries loaded on the platform, and is transmitting it to the integrity verification component. Afterwards, the integrity verification component is determining with the received verification result the security properties of the platform and transmits them to the verification machine. Finally, the verification machine is determining whether the determined security properties comply with desired security properties.10-16-2008
20080256594Method and apparatus for managing digital identities through a single interface - Method and apparatus for managing digital identities through a single interface is described. One aspect of the invention relates to managing digital identities related to a user. An identity policy of an entity is obtained. At least one relevant digital identity is selected from the digital identities. Each relevant digital identity includes information required by the identity policy. A selected digital identity is obtained from the relevant digital identity or identities. A representation of the selected digital identity is provided to the entity that complies with the identity policy.10-16-2008
20080256593Policy-Management Infrastructure - Described herein are one or more implementations of a policy-management infrastructure that provides a universal policy-based solution across a spectrum of scenarios in a computing environment. At least one implementation of the policy-management infrastructure defines how policy-based data is structured or layered relative towards the data in other layers. Furthermore, a described implementation provides a mechanism for determining “overlap” and “conflicts” in policies.10-16-2008
20080256592Managing Digital Rights for Multiple Assets in an Envelope - Techniques enable building a collection of data that defines an asset, with the data possibly having differing data types. These techniques are then capable of assigning arbitrary policy to that asset, regardless of which data types are present within the asset. In addition, these techniques enable packaging of this first asset with one or more additional assets in a self-contained envelope. Each asset within the envelope may similarly include data of differing data types. Furthermore, each of these assets may be assigned a policy that may be different than the policy assigned to the first asset. This envelope, or a collection of envelopes, may then be provided to a content-consuming device to consume the assets in accordance with each asset's specified policy.10-16-2008
20120246698SYSTEMS AND METHODS OF CONTROLLING NETWORK ACCESS - A new approach to network security includes manipulating an access point such that an initial communication from an external device is passed to a restricted subset of a computing network including a gatekeeper. The gatekeeper is configured to enforce a security policy against the external device before granting access to a less-restricted subset of the computing network. If requirements of the security policy are satisfied, then the gatekeeper reconfigures the access point such that further communication from the external device may be received by elements of the less-restricted subset. Enforcement of the security policy optionally includes performing a security audit of the external device.09-27-2012
20120246695ACCESS CONTROL OF DISTRIBUTED COMPUTING RESOURCES SYSTEM AND METHOD09-27-2012
20100077445Graduated Enforcement of Restrictions According to an Application's Reputation - Security software on a client observes a request for a resource from an application on the client and then determines the application's reputation. The application's reputation may be measured by a reputation score obtained from a remote reputation server. The security software determines an access policy from a graduated set of possible access policies for the application based on the application's reputation. The security software applies the access policy to the application's request for the resource. In this way, the reputation-based system uses a graduated trust scale and a policy enforcement mechanism that restricts or grants application functionality for resource interactivity along a graduated scale.03-25-2010
20100077444BROWSER ACCESS CONTROL - Systems, methods and apparatus for a distributed security that monitors communications to manage client browser network access based upon the browser configuration of the client browser by use of a configuration script executed in the browser environment. Such management can reduce the exposure of potentially vulnerable client browsers to domains associated with malicious activity.03-25-2010
20130086629DYNAMIC IDENTITY CONTEXT PROPAGATION - Techniques are provided for dynamically propagating identity context for a user in a Service-Oriented Architecture. Methods and apparatus are provided that include receiving a request to invoke a web service, retrieving first security claims from application identity context information pertaining to a user, generating second security claims at runtime, packaging the first and second security claims into an authentication token, and transmitting the authentication token to a second computer system in a service request. The second computer system can be configured to extract the first and second security claims from the authentication token, validate the extracted first and second security claims, generate identity context information based upon the extracted first and second security claims, and publish and propagate the identity content information in an identity context object. The second computer system can verify that the security claims conform to corresponding security claim schemas stored in a claims dictionary.04-04-2013
20100115582SYSTEM, METHOD, AND DEVICE FOR MEDIATING CONNECTIONS BETWEEN POLICY SOURCE SERVERS, CORPORATE RESPOSITORIES, AND MOBILE DEVICES - The invention relates to providing policy from an integrated policy server to a mobile device, comprising identifying a policy in an integrated policy server applicable to the mobile device and supplying policy elements to policy transports for transmission to the mobile device. The invention also relates to providing policy from an integrated policy server to a mobile device, including identifying a policy in the integrated policy server applicable to the mobile device, determining whether the mobile device is in compliance with the policy, and supplying policy elements to policy transports for transmission to the mobile device when the mobile device is not in compliance with the policy. The invention further relates to controlling access to a data server by a mobile device, including identifying a policy in an integrated policy server applicable to the mobile device, and determining whether the mobile device is in compliance with the policy.05-06-2010
20130086624FLEXIBLE DOCUMENT SECURITY FOR PROCUREMENT AGENTS - A method, system, and computer program product for providing document security for procurement agents. The method commences by establishing user authentication credentials for at least two procurement agents. Then, initially granting limited access to a first set of documents where the first set of documents is initially under control of the first procurement agent (and initially inaccessible by the second procurement agent), and initially granting limited access to a second set of documents, where the second set of documents is initially under control of the second procurement agent. A procurement application receives an access request from the first user to access a document from among the second set of documents, causing the procurement application to confirm the first user authentication credentials, retrieve the document access rule for the first procurement agent, and allow/deny access by the first user to the document from among the second set of documents.04-04-2013
20130086626 CONSTRAINT DEFINITION FOR CONDITIONAL POLICY ATTACHMENTS - Framework for conditionally attaching web service policies to a policy subject (e.g., a web service client or service endpoint) at subject runtime. In one set of embodiments, a constraint expression can be defined that specifies one or more runtime conditions under which a policy should be attached to a policy subject. The constraint expression can be associated with the policy and the policy subject via policy attachment metadata. The constraint expression can then be evaluated at runtime of the policy subject to determine whether attachment of the policy to the policy subject should occur. If the evaluation indicates that the policy should be attached, the attached policy can be processed at the policy subject (e.g., enforced or advertised) as appropriate. Using these techniques, the policy subject can be configured to dynamically exhibit different behaviors based on its runtime context. 04-04-2013
20130086623 SYSTEMS AND METHODS FOR ESTABLISHING ISOLATION BETWEEN CONTENT HOSTING SERVICES EXECUTING ON COMMON SUPPORT SERVER - Embodiments relate to systems and methods for establishing isolation between content hosting services executing on a common support server. In aspects, a server virtualization platform can operate on a common physical support server to instantiate, configure, and operate a set of virtual servers. The set of virtual servers can, for instance, be used to run independent Web sites or other locations or services. The data available to each process on each virtual server can be encoded using an SELinux™ label including an MCS (multi-category security) category or categories uniquely identifying that process. Isolation of the potentially sensitive data for multiple Web sites and/or their content hosted on a common physical server can therefore be enforced, since each process operating on each virtual server is restricted to only access and manipulate data objects or other entities having matching MCS category information identified on that bare-metal support server. 04-04-2013
20130086631 SYSTEMS AND METHODS FOR CONTROLLING ACCESS TO A MEDIA STREAM - Systems and methods of controlling access to a multimedia stream in a media streaming session from a multimedia server to a requesting device via a network. The systems and methods facilitate receiving a primary request for the multimedia stream from the requesting device; determining whether to allow access to the primary request from the requesting device in accordance with at least one media session policy; and if access is permitted, then generating a secondary request corresponding to the primary request; providing the secondary request to the multimedia server; receiving a first multimedia stream from the multimedia server in response to the secondary request; determining whether to transmit the first multimedia stream or a second multimedia stream based on the at least one media session policy; and transmitting either the first multimedia stream or the second multimedia stream to the requesting device as indicated by the at least one media session policy. 04-04-2013
20130086630 DYNAMIC IDENTITY SWITCHING - Techniques are disclosed for dynamically switching user identity when generating a web service request by receiving, at a client application, an invocation of a web service, the invocation associated with a first authenticated user identity of a first user, identifying a second user identity, verifying that a switch from the first user identity to the second user identity is permitted by switching rules, including the second user identity in a service request when the switch is permitted, and communicating the service request to the web service. The switching rules can include associations between initial user identities and permitted user identities. Verifying that a switch is permitted can include searching the associations for an entry having an initial user identity that matches the first authenticated user identity and a new user identity that matches the second user identity, wherein the switch is permitted when the entry is found. 04-04-2013
20130086628 PRIVILEGED ACCOUNT MANAGER, APPLICATION ACCOUNT MANAGEMENT - Techniques for managing accounts are provided. An access management system may check out credentials for accessing target systems. For example, a user may receive a password for a period of time or until checked back in. Access to the target system may be logged during this time. Upon the password being checked in, a security account may modify the password so that the user may not log back in without checking out a new password. Additionally, in some examples, password policies for the security account may be managed. As such, when a password policy changes, the security account password may be dynamically updated. Additionally, in some examples, hierarchical viewing perspectives may be determined and/or selected for visualizing one or more managed accounts. Further, accounts may be organized into groups based on roles, and grants for the accounts may be dynamically updated as changes occur or new accounts are managed. 04-04-2013
20130086627 CONFLICT RESOLUTION WHEN IDENTICAL POLICIES ARE ATTACHED TO A SINGLE POLICY SUBJECT - Techniques for resolving conflicts between web service policies that are attached (via LPA and/or GPA metadata) to a single policy subject (e.g., a WS client/service endpoint). In one set of embodiments, a determination can be made whether two conflicting policies that are attached to a single policy subject are identical. This determination can be based on, e.g., a Uniform Resource Identifier (URI) that is used to identify the policies in their respective policy attachment metadata files, as well as any policy configuration properties. If the two conflicting policies are determined to be identical, the policy attachment metadata for one of the policies can be considered valid, while the policy attachment metadata for the other, duplicate policy can be ignored. In this manner, validation errors arising from duplicate policy attachments can be avoided. 04-04-2013
20130081100 SYSTEM AND METHOD OF REAL-TIME CHANGE PROPAGATION AND ACTIVATION USING A DISTRIBUTED OBJECT CACHE - Embodiments of the invention provide systems and methods for using a distributed object cache to propagate and activate changes to security information across nodes of a cluster. Embodiments of the present invention can be implemented, for example, in a security product that enforces security policies, i.e., access control, etc., on resources such as web content provided by a set of servers or nodes of a computing grid, and provide ways to handle data synchronization between the servers or nodes of the grid. This synchronization can be performed using a distributed object cache that provides replicated and distributed object caching services. For example, Oracle Coherence is one such distributed object cache that is built on top of a reliable, highly scalable peer-to-peer clustering protocol. However, embodiments of the present invention are not limited to use with Coherence but rather are equally applicable to other distributed object caches. 03-28-2013
20130081099 METHOD AND APPARATUS FOR PROVIDING ABSTRACTED USER MODELS - An approach is provided for providing abstracted user models in accordance with one or more access policies. A model platform determines an ontology for specifying a hierarchy of one or more abstraction levels for item data used in latent factorization models. The model platform further causes, at least in part, a generation of one or more user models for the one or more abstraction levels. The model platform also causes, at least in part, a selection of at least one of the one or more user models for generating one or more recommendations for one or more applications, one or more services, or a combination thereof based, at least in part, on one or more privacy policies, one or more security policies, or a combination thereof. 03-28-2013
20130081105 PROVISIONING USER PERMISSIONS USING ATTRIBUTE-BASED ACCESS-CONTROL POLICIES - An attribute-based access control policy (e.g., XACML policy) for a set of elements depends on attributes carried by elements in one of several predefined categories. In order to evaluate such policy for a set of elements, the invention provides a method including the steps of (I) selecting a primary category; (II) partitioning the elements in the primary category into equivalence classes with respect to their influence on the policy; and (III) using the equivalence classes to replace at least one policy evaluation by a deduction. The result of the evaluation may be represented as an access matrix in backward-compatible format. The efficiency of the policy evaluation may be further improved by applying partial policy evaluation at intermediate stages, by forming combined equivalence classes containing n-tuples of elements and/or by analyzing the influence of each element by extracting functional expressions of maximal length from the policy. 03-28-2013
20130081101 POLICY COMPLIANCE-BASED SECURE DATA ACCESS - Access control techniques relate to verifying compliance with security policies before enabling access to the computing resources. An application is provided on a client that generates verification codes using an authentication seed. Prior to granting the client the authentication seed necessary to generate a verification code, a server may perform a policy check on the client. Some embodiments ensure that the client complies with security policies imposed by an authenticating party by retrieving a number of parameter values from the client and then determining whether those parameter values comply with the security policies. Upon determining that the client complies, the authentication seed is issued to the client. In some embodiments, the authentication seed is provided such that a policy check is performed upon the generation of a verification code. The client is given access to secure information when the client is determined to comply with the security policies. 03-28-2013
20130081104 MOBILE DEVICE MANAGEMENT APPARATUS AND METHOD BASED ON SECURITY POLICIES AND MANAGEMENT SERVER FOR MOBILE DEVICE MANAGEMENT - A mobile device management apparatus has a policy storage unit that receives a plurality of security policies, which are classified into a plurality of profiles assigned priorities of activation and in which operating states of functions of a mobile device are defined. A management server supplies the profiles and the security policies to the mobile device. A policy implementation unit selectively activates the profiles so that control of the mobile device functions can be carried out with minimal communication, and also in response to changing events. 03-28-2013
20130081103 Enhanced Security SCADA Systems and Methods - A system and method for a secure supervisory control and data acquisition (SCADA) system. Secure SCADA elements (SSEs) have individual system security monitoring and enforcement of policies throughout the SCADA system. An isolation core ensures that a system security monitor monitors and takes appropriate action with respect to untrusted applications that may impact an SSE. The system security server provides policy enforcement on all of the SSEs that exist on the system. New security policies are created that are populated to individual SSEs in the system. Biomorphing algorithms allow for system uniqueness to be derived over time, further enhancing security of SSEs. 03-28-2013
20130081102 CREATING AND MAINTAINING A SECURITY POLICY - An approach for managing a security policy is provided. First, second, and third specification sets are received after being independently generated by different practitioners. The first specification set maps service-to-service communications. The second specification set maps the services to devices on which the services are placed. The third specification set maps the devices to one or more network addresses. The received specification sets are algorithmically combined to create packet filtering rule statements. The security policy is generated as packet filtering rules based on the combined specification sets and the packet filtering rule statements. An application deployment modification includes independently editing specification set(s) that are affected by the modification, without knowledge of specification set(s) that are unaffected by the modification. An updated security policy may be generated by an incremental update to an existing security policy without requiring replacement of the entire security policy. 03-28-2013
20100037292 System and Method for Secure Record Management in a Virtual Space - Systems and methods for using a matching system in a virtual space to facilitate the exchange of protected information and protected content. Subscriber computing devices each operated by a subscriber are associated with a subscriber identifier. Each computing device is connected to the network. In an embodiment, the sharing of protected information and content by one party with another party is regulated through permissions that determine whether a sharing party is authorized to disclose the protected content, whether a potential receiving party is authorized to receive protected content, and whether the protected content meets conditions established by the potential disclosing party for review by the potential reviewing party. Matching instructions may reveal whether a potential recipient is qualified to view the protected information or content and whether the subscriber also possesses any required supplemental information. 02-11-2010
20080209506 Physical access control and security monitoring system utilizing a normalized data format - Embodiments disclose a system and method for the integration of data and events to and from physical access control and security monitoring systems that is normalized to a standardized definition for enforcement of standardized rules, created through a visual policy editor, affecting persistence, propagation of data and generation of alerts and notifications for physical security, network and IT systems. Data from disparate physical security systems is normalized for visual rule creation by rule object shapes representing normalized security systems, data and processes. A rules-based policy engine enforces security policies and generates actionable events. The overall system provides an integration platform, methods and processes for normalizing data from physical security systems, representation of physical security systems, data and processes for visual creation of rules using defined stencil objects, generating formatted rules, and enforcing these rules in real-time on security systems data and events. 08-28-2008
20130086625 ENFORCING SECURITY RULES AT RUNTIME - Various arrangements for implementing a security policy at runtime are presented. A plurality of calls in a syntax tree may be identified. Each call of the plurality of calls may be substituted with a corresponding security-modified call to create a plurality of security-modified method calls. Each security-modified call may be linked with a security class. Following modification of each call of the plurality of calls, the plurality of security-modified calls may be compiled into bytecode. 04-04-2013
20130212641 DISTRIBUTED NETWORK INSTRUMENTATION SYSTEM - A distributed network instrumentation system ( 08-15-2013
20130036447 Attribution points for policy management - Attribution points for policy management for improvement of a determination of an access control decision; identity verification; rights management determination; or permissions inquiry. These attribution points include those between a Policy Enforcement Point and a Policy Decision Point, as well as resources for the Policy Decision Point when there is not sufficient information received from the Policy Enforcement Point. Attribution points facilitate the augmentation of attributes, speed the transmission of attributes between PEP and PDP, reduce the elapsed time for a decision, and maintain security over the attributes. An attribution point also facilitates the retrieval of attributes across zones, such as security zones and/or networks and/or detached systems. 02-07-2013
20130036449 TECHNIQUES FOR PROVIDING TENANT BASED STORAGE SECURITY AND SERVICE LEVEL ASSURANCE IN CLOUD STORAGE ENVIRONMENT - Techniques for tenant-based storage security and service level assurances in a cloud environment are presented. A Tenant Storage Machine (TSM) for each tenant uses a unique identifier. The TSM is dynamically allocated with operating system resources to run processes based on agreed service level assurances. The service level assurances are stored in a Service Level Assurance (SLA) policy store. The TSM communicates with the SLA policy store via a TSM bus to acquire an SLA policy configured for the tenant, based on which resources are dynamically allocated. Processes running under the TSM run with root privileges to provide security. 02-07-2013
20130036448 SANDBOXING TECHNOLOGY FOR WEBRUNTIME SYSTEM - In a first embodiment of the present invention, a method of providing security enforcements of widgets in a computer system having a processor and a memory is provided, comprising: extracting access control information from a widget process requesting a service, generating access control rules customized for the widget process, and providing the access control rules to a trusted portion of the computer system outside of the user code space of a Web Runtime (WRT) system; and for any static access control rule, delegating security checking of the widget process from the WRT system to the trusted portion of the computer system. 02-07-2013
20130139216 Method and Computer Device to Control Software File Downloads - A computer device includes a download unit which downloads one or more files into a storage device. A file logging unit records a resource locator identifying a source network location of the file, when the file is downloaded, and associates the resource locator with a first fingerprint of the file. A system policy unit stores the resource locator associated with a process control policy relevant to the file. A process control unit is arranged to obtain a second fingerprint of the file upon launching a process in a runtime execution environment, retrieve the resource locator from the file logging unit by matching the second fingerprint with the first fingerprint, retrieve the process control policy from the system policy unit according to the retrieved resource locator, and selectively apply process execution privileges which determine execution of the process in the runtime execution environment according to the retrieved process control policy. 05-30-2013
20130042294 IDENTIFYING APPLICATION REPUTATION BASED ON RESOURCE ACCESSES - Malware detection is often based on monitoring a local application binary and/or process, such as detecting patterns of malicious code, unusual local resource utilization, or suspicious application behavior. However, the volume of available software, variety of malware, and sophistication of evasion techniques may reduce the effectiveness of detection based on monitoring local resources. Presented herein are techniques for identifying malware based on the reputations of remote resources (e.g., web content, files, databases, IP addresses, services, and users) accessed by an application. Remote resource accesses may be reported to a reputation service, which may identify reputations of remote resources, and application reputations of applications that utilize such remote resources. These application reputations may be used to adjust the application policies of the applications executed by devices and servers. These techniques thereby achieve rapid detection and mitigation of newly identified malware through application telemetry in a predominantly automated manner. 02-14-2013
20130042296 PHYSICAL INTERACTION WITH VIRTUAL OBJECTS FOR DRM - Technology is provided for transferring a right to a digital content item based on one or more physical actions detected in data captured by a see-through, augmented reality display device system. A digital content item may be represented by a three-dimensional ( 02-14-2013
20130042295 METHOD AND APPARATUS FOR PROVIDING A SECURE VIRTUAL ENVIRONMENT ON A MOBILE DEVICE - Methods and devices provide a secure virtual environment within a mobile device for processing documents and conducting secure activities. The methods and devices create a secure application environment in which secure data and documents may be segregated from unsecured data using document encryption, allowing the application of security policies to only the secure application environment. The creation of a secure application environment allows users to access and manipulate secure data on any mobile device, not just specifically designated secure devices, without having to secure all data on the mobile device, while providing the corporate entity with necessary document security. The methods and devices provide for securing data on a mobile device at the data level using encryption. 02-14-2013
20130042298 SYSTEM AND METHOD FOR GENERATING TRUST AMONG DATA NETWORK USERS - A system and a method in which a user makes a service request with a service provider through a data network. The service provider receives from trust-generating equipment, located in an access provider, an assessment of the security level of the user; said equipment in turn receives a delivery of information about the trust level provided by said user. To that end, the equipment collects information about the user identity, the network traffic generated by the user, the security status of the user device and the geographical location of the user device; this information is analyzed and summarized in a trust label which is sent to the service provider. 02-14-2013
20130042297 METHOD AND APPARATUS FOR PROVIDING SECURE SOFTWARE EXECUTION ENVIRONMENT BASED ON DOMAIN SEPARATION - An apparatus for providing a secure environment of software execution in a terminal device includes a normal service domain and a secure service domain into which a domain of the software is divided based on virtualization. The normal service domain executes a normal service on elements of the software, and the secure service domain executes a security service on elements of the software in response to a request for a security service of the software elements from the normal service domain. 02-14-2013
20130042300 METHOD FOR CONFIGURING AN APPLICATION FOR AN END DEVICE - A method for configuring an application for an end device having a predefined end-device configuration with a predefined security level. A query about the predefined end-device configuration is directed by means of the application to a central place in which a multiplicity of security levels of end-device configurations have respective application configurations associated therewith. In response to the query, the central place ascertains the predefined security level of the predefined end-device configuration from the multiplicity of security levels, and outputs it to the application together with the associated application configuration. In dependence on the output security level, one or several functions of the application are configured by means of the application on the basis of the output application configuration for the end device. 02-14-2013
20130042299 WHITE LISTING DNS TOP-TALKERS - Systems and methods for creating a list of trustworthy resolvers in a domain name system. A computer receives a resolver profile for a resolver sending queries to a domain name server. The resolver profile is based on one or more of a top-talker status of the resolver, a normalcy of distribution of domain names queried, a continuity of distribution of query type, and an IP time-to-live variance of queries from the resolver. Resolver profiles can be compared to a trust policy to determine whether the resolver is trustworthy. Resolvers deemed trustworthy can be added to a list of trustworthy resolvers. Embodiments can detect the occurrence of a network-based attack. Embodiments can mitigate the effect of a network-based attack by responding only to queries from resolvers on the list of trustworthy resolvers. 02-14-2013
20100100927 SYSTEMS AND METHODS FOR PROTECTING WEB BASED APPLICATIONS FROM CROSS SITE REQUEST FORGERY ATTACKS - Computer implemented methods ( 04-22-2010
20100100924 Digital Rights Management (DRM)-Enabled Policy Management For A Service Provider In A Federated Environment - A method operative at a service provider enforces a digital rights management (DRM) scheme associated with a piece of content. The service provider typically is a content provider. The service provider is an entity that participates in a "federation" with one or more other entities including, for example, an identity provider, a DRM privileges provider, and a DRM policy provider. In one embodiment, the method begins upon receipt at the service provider of a single sign-on (SSO) message generated by the identity provider entity that includes a reference to a set of DRM privileges associated with an end user requesting access to the piece of content. In response to receiving the message, the service provider as necessary obtains the DRM privileges and at least one applicable DRM policy. It then evaluates the DRM privileges associated with the end user against the DRM policy, and provides the end user a response. 04-22-2010
20130139213 MONITORING AND CONTROLLING ELECTRONIC ACTIVITY USING THIRD PARTY RULE SUBMISSION AND VALIDATION - Concepts and technologies are disclosed herein for monitoring and controlling electronic activity. A policy service can be called for policies for controlling electronic activity occurring at one or more managed devices. The policies can include a number of rules, each of which can include a number of variables. The rules can be defined by a manager device and/or received from third parties. Third party rule submissions can be validated. If electronic activity at the managed device deviates from a rule, the manager device can be notified and the electronic activity can be blocked. The manager device can update the policy and/or issue exceptions, if desired. 05-30-2013
20100043053 METHOD, SYSTEM, AND ENTITY FOR EXERCISING POLICY CONTROL - A method and a system for exercising policy control, a policy and charging enforcement function (PCEF), and a policy control and charging rules function (PCRF) are provided, which can solve the problem that no policy control can be exercised over application service flows without an application function (AF). The method includes the following steps: a PCRF receiving information about an application event sent by a PCEF; and the PCRF generating a control policy for a service flow of the application according to the information about the application event, and delivering the control policy to the PCEF. In the present invention, the PCEF sends the obtained information about the application event to the PCRF, so that even when no AF is involved, the PCRF can still generate a control policy according to policy contexts including the information about the application event and the like, so as to exercise an effective policy control over the QoS guarantee, charging and gating of the service flow, thus meeting the requirements of exercising the policy control over data applications with no AF being involved. 02-18-2010
20100043052 APPARATUS AND METHOD FOR SECURITY MANAGEMENT OF USER TERMINAL - The present invention relates to an apparatus and method for security management of a user terminal. The present invention generates security policies for the user terminal through an external security management server based on context information for the user terminal. At this time, the present invention receives the generated security policy information and sets internal security policies for the user terminal. The present invention can overcome a limitation of the user terminal, since the security policies for the user terminal, particularly a complex terminal, are set by using various interfaces, and can provide systematic and supplemental security services. 02-18-2010
20100043051 IDENTIFYING AND RESOLVING SEPARATION OF DUTIES CONFLICTS IN A MULTI-APPLICATION ENVIRONMENT - A method and system for identifying and resolving separation of duties (SOD) conflicts in a multi-application environment. An SOD conflict based on a person being granted a first authorization and a second authorization in violation of a policy is identified. The first and second authorizations are permissions allowing the person to perform, respectively, a first action provided by a first application and a second action provided by a second application. An optimal recommended action that resolves the SOD conflict is retrieved from a first database table that includes an association between the identified SOD conflict and the optimal recommended action. After the optimal recommended action is displayed on a display device, a user's acceptance of the optimal recommended action is received. In response, the optimal recommended action is performed by automatically deleting from a second database table an association between the person and the first or second authorization. 02-18-2010
20100043050 FEDERATING POLICIES FROM MULTIPLE POLICY PROVIDERS - One aspect of the present invention can include a system, a method, a computer program product and an apparatus for federating policies from multiple policy providers. The aspect can identify a set of distinct policy providers, each maintaining at least one policy related to a service or a resource. A federated policy exchange service can be established that has a policy provider plug-in for each of the distinct policy providers. The federated policy exchange service can receive requests for policies from a set of policy requesters. Each request can include a resource_id or a service_id used to uniquely identify the service or resource. The federated policy exchange service can dynamically connect to a set of the policy providers to determine policies applicable to each request. For each request, results from the policy providers can be received and processed to generate a response. The federated policy exchange service can provide the response to each policy requester in response to its request. 02-18-2010
20100043049 IDENTITY AND POLICY ENABLED COLLABORATION - Techniques for identity and policy enabled collaboration are provided. Access to assets of an enterprise is governed by identity relationships. A policy defines security restrictions between collaborating network resources based on identities assigned to the network resources. During collaboration, the security restrictions are enforced. 02-18-2010
20100043048 System, Method, and Apparatus for Modular, String-Sensitive, Access Rights Analysis with Demand-Driven Precision - A static analysis for identification of permission-requirements on stack-inspection authorization systems is provided. The analysis employs functional modularity for improved scalability. To enhance precision, the analysis utilizes program slicing to detect the origin of each parameter passed to a security-sensitive function. Furthermore, since strings are essential when defining permissions, the analysis integrates a sophisticated string analysis that models string computations. 02-18-2010
20100043047UNAUTHORIZED DATA TRANSFER DETECTION AND PREVENTION - A method includes receiving a policy via a network connection, wherein the policy includes at least one signature. Receiving a data communication message from a processor of a computing device via a system bus. Identifying a class, and selectively forwarding the data communication message based in part on the received policy and the identified class.02-18-2010
20100325693REMOTE AUTHORIZATION FOR OPERATIONS - Techniques for the remote authorization of secure operations are provided. A secure security system restricts access to a secure operation via an access key. An authorization acquisition service obtains the access key on request from the secure security system when an attempt is made to initiate the secure operation. The authorization acquisition service gains access to the access key from a secure store via a secret. That is, the secure store is accessible via the secret. The secret is obtained directly or indirectly from a remote authorization principal over a network.12-23-2010
20100325687Systems and Methods for Custom Device Automatic Password Management - In various embodiments, a method comprises receiving a custom login script from a first user, receiving a custom change password script from the first user, logging onto an account on a digital device using the custom login script from the first user, changing an old password on the account to a new password at predetermined intervals using the custom change password script from the first user, receiving a password request from a second user, approving the password request, and checking out the new password to the second user.12-23-2010
20090158387CONTROL SYSTEM AND METHOD - A control system includes a user management server or server group, a Service Policy Decision Function (SPDF) server, an Access-Resource and Admission Control Function (A-RACF) server, and a control interface located between the user management server or server group and the SPDF server for transmitting the information. In addition, a control method using the control system above and a control device are provided. By the technical solutions above, when there are many access network operators connecting to the uniform network operator, the problem of the SPDF server having to search for the A-RACF server is solved, and the user information is acquired by setting up the interface between the SPDF server and the user management server or server group.06-18-2009
20090158384DISTRIBUTION OF INFORMATION PROTECTION POLICIES TO CLIENT MACHINES - One embodiment includes a method which may be practiced in a computing environment where resources are distributed. The method includes acts for obtaining policy information defining restrictions on resources distributed in the computing environment. The method includes sending a request to a server for metadata about one or more resource protection policies at the server. In response to the request, metadata about one or more resource protection policies at the server is received from the server. The metadata from the server is analyzed. Based on analyzing the metadata, one or more resource protection policies stored at the client are updated.06-18-2009
20090158385Apparatus and method for automatically generating SELinux security policy based on SELT - Provided are an apparatus and method for automatically generating an SELinux security policy based on SELT. In the method, process generation is prepared by receiving the execution file names of a program destined for policy generation. A system call log, which is traced by generating a process by executing the received execution file of the program, is stored. The traced system call log is purified into the data necessary for generation of a security policy. Objects are grouped in consideration of the relationships between the objects based on the purified information. A normalized data structure is recorded in the SELT description language format as a security policy file. Duplication and collision between the generated SELT security policy and the previous security policy in the system are detected.06-18-2009
20100333169Classifying an Operating Environment of a Remote Computer - Systems and techniques are provided for controlling requests for resources from remote computers. A remote computer's ability to access a resource is determined based upon the computer's operating environment. The computer or computers responsible for controlling access to a resource will interrogate the remote computer to ascertain its operating environment. The computer or computers responsible for controlling access to a resource may, for example, download one or more interrogator agents onto the remote computer to determine its operating environment. Based upon the interrogation results, the computer or computers responsible for controlling access to a resource will control the remote computer's access to the requested resource.12-30-2010
20100333167Adaptive Rule Loading and Session Control for Securing Network Delivered Services - Mechanisms are provided for handling client computing device requests with adaptive rule loading and session control. The mechanisms partition a set of rules into a plurality of filter sets, with each filter set having a different subset of the set of rules and being directed to identifying a different type of attack on a backend application or service. A subset of filter sets is selected to be used to validate client computing device requests received from client computing devices. The selected filter sets are applied to requests and/or responses to requests. The mechanisms dynamically modify which filter sets are included in the subset of filter sets based on an adaptive reinforcement learning operation on the results of applying the selected filter sets to the requests and/or responses to requests.12-30-2010
20100333166METHODS AND APPARATUS FOR RATING DEVICE SECURITY AND AUTOMATICALLY ASSESSING SECURITY COMPLIANCE - Automatic Security Compliance Assessment (ASCA) systems and methods are provided for automatically generating and determining a security rating for a plurality of Settings Objects (SOs), where each of the SOs defines a particular configuration of a subsystem of a wireless computing device. Each SO collectively defines a collection of Values specified for Configurable Attributes that can be used to define a different configuration for a particular subsystem associated with a particular Settings Class that is used to guide the creation of that particular SO. The server can store a group of security rating templates, each of which includes the information needed to determine an expected security rating for any SOs created per a particular Settings Class. For any combination of device settings, the resultant SOs can be used to generate an expected security rating. In addition, a security interaction template (SIT) and security test scripts can be generated that correspond to each particular group of SOs, and can be used to produce an Overall Device Security Rating (ODSR) for that particular group of SOs or a sub-set thereof.12-30-2010
20100333165FIREWALL CONFIGURED WITH DYNAMIC MEMBERSHIP SETS REPRESENTING MACHINE ATTRIBUTES - A method is provided to control the flow of packets within a system that includes one or more computer networks. Policy rules are provided that set forth attribute-dependent conditions for communications among machines on the one or more networks; machine attributes and corresponding machine identifiers are obtained for respective machines on the networks; and the policy rules are transformed into firewall rules that include the machine identifiers of machines whose obtained attributes satisfy the attribute-dependent policy rules.12-30-2010
20100107217CONTENT CONTROL METHOD AND DEVICE - A content control method and device are provided. The method is as follows. When the cumulative transmission amount, detected by a monitoring device in a first preset time period, of a content whose identification information is acquirable reaches a first preset threshold, the monitoring device sends a first acquisition request message carrying the identification information to a content identity manager (CIM) to request the attribute metadata and the registered fingerprint corresponding to the identification information. The monitoring device acquires the attribute metadata and the registered fingerprint corresponding to the identification information returned by the CIM. Thus, when the same content is accessed concurrently many times in any time period, the monitoring device does not need to request the related policy control attribute metadata from the CIM each time, so that the interactive processing between the monitoring device and the CIM for repeated content with a high concurrency rate is reduced, thereby reducing the resource consumption of the network and the CIM.04-29-2010
20100107216INFORMATION PROCESSING DEVICE AND MEMORY MANAGEMENT METHOD - It is an object of the present invention to provide an information processing device and a memory management method that enable execution of memory management processing for simultaneously starting up two types of applications. During execution of an application in the form of a Java application, the application starts up another application in the form of Flash data, and then native software in the form of a Flash Player causes a memory management unit to secure a prescribed memory area from the memory area for the native software. The native software then starts up the other application using the secured memory area.04-29-2010
20100107215SCALABLE FIREWALL POLICY MANAGEMENT PLATFORM - Securing large networks having heterogeneous computing resources, including provision of multiple services both to clients within and outside of the network, multiple sites, security zones, and other characteristics, is provided using access control functionality implemented at hosts within the network. The access control functionality includes respective access control policies for indicating to each host from which other computers it can accept connections. Content of the access control policies can be determined based on application data flow needs, and can draw information from databases including DNS and security zone information for the hosts to which the access control policies will be applied. Access control policies can be formatted automatically for different hosts with different characteristics from the same base logical rule set. Other aspects include using more permissive and/or access control rules provided on network equipment to block known bad data, while providing host-based access control focused on application data flow.04-29-2010
20100107214TEMPORARY USER ACCOUNT FOR A VIRTUAL WORLD WEBSITE - A computer system and method are provided that facilitate permitting temporary access to a website or other computer application in which temporary access is given to a generic virtual character and its corresponding user. Temporary access is made available through a temporary user account that is set up by the user. The temporary user account is active for a limited time and allows the user to learn about the website, for instance, via the generic virtual character. The generic virtual character has limited access to the website and in particular to various activities or areas on the website. Unlike temporary user account holders, users who have purchased a real world item and have created premium user accounts have full access to the website via their corresponding premium virtual characters. In addition, the system and method prevent at least some interaction between the generic virtual characters and the premium virtual characters.04-29-2010
20100107213Access Control State Determination Based on Security Policy and Secondary Access Control State - In accordance with one or more aspects, a current security policy for accessing a device or volume of a computing device is identified. A secondary access control state for the device or volume is also identified. An access state for the device is determined based on both the current security policy and the secondary access control state.04-29-2010
20130047196TRANSITIVE CLOSURE SECURITY - In one implementation, a plurality of records included in a transitive closure of a driving record is identified, and a record from the plurality of records or the driving record is determined to satisfy a security rule. The security rule is then applied to the driving record and the plurality of records.02-21-2013
20090150973ACCESS CONTROL METHOD AND SYSTEM FOR MULTIPLE ACCESSING ENTITIES - An access control method and system for multiple accessing entities are provided. The access control method includes generating a plurality of integrated identifiers (IDs) respectively corresponding to a plurality of individual ID groups, each having the individual IDs of a number of entities; if multiple accessing entities issue a request for access to a service, extracting an integrated ID corresponding to the list of the individual IDs of the multiple accessing entities; and searching for an access control policy corresponding to the extracted integrated ID and the ID of the service, and performing access control on the multiple accessing entities according to the identified access control policy. Therefore, it is possible to efficiently control the access of multiple accessing entities to a service.06-11-2009
20090144799METHOD AND SYSTEM FOR SECURELY TRANSMITTING DETERRENT DATA - A method for securely transmitting deterrent data includes generating a deterrent having a predesigned number and configuration of glyphs having deterrent data therein, and transmitting a portion of the deterrent data from a subset of the glyphs without transmitting deterrent data from a remainder of the glyphs. The glyphs form a predetermined structure with a single solution. The method further includes receiving the portion of the deterrent data, placing the portion of the deterrent data into the subset of the glyphs, and solving the predetermined structure with the single solution, thereby determining the remainder of the glyphs to be infilled in the predetermined structure with deterrent data gleaned from the solution.06-04-2009
20130047208SYSTEMS AND METHODS OF ASSESSING PERMISSIONS IN VIRTUAL WORLDS - Systems and methods of virtual world interaction, operation, implementation, instantiation, creation, and other functions related to virtual worlds (note that where the term “virtual world” is used herein, it is to be understood as referring to virtual world systems, virtual environments reflecting real, simulated, fantasy, or other structures, and includes information systems that utilize interaction within a 3D environment). Various embodiments facilitate interoperation between and within virtual worlds, and may provide consistent structures for operating virtual worlds. The disclosed embodiments may further enable individuals to build new virtual worlds within a framework, and allow third party users to better interact with those worlds.02-21-2013
20130139215METHOD AND APPARATUS FOR MASTER PRIVACY POLICY MECHANISM IN A COMMUNICATIONS NETWORK - A method, non-transitory computer readable medium and apparatus for providing a master privacy policy in a communications network are disclosed. For example, the method receives a privacy control parameter to configure a master privacy policy, stores the master privacy policy in the communications network, and applies the master privacy policy to configure a third party service provider privacy policy for a third party service provider based upon the master privacy policy.05-30-2013
20120167164SYSTEM, METHOD, AND APPARATUS FOR ENCRYPTION KEY COGNITION INCORPORATING AUTONOMOUS SECURITY PROTECTION - A system, method, and apparatus for securing a cognitive encryption key data file stored in a storage medium or memory device. The encryption key file has stored instructions for an embedded autonomous executable program which is executed each time there is an attempt to access, control, or manipulate the encryption key file. Execution includes querying the user of the encryption key file, the user environment of the encryption key file, or both, for the information required for analyzing the computational environment in relation to the required security parameters for the cognitive encryption key file. The information in relation to the security parameters is received and analyzed. The computational environment of the user is determined and analyzed in relation to the required security parameters. Access to and/or use of the encryption key file is either permitted or denied based on the analysis of the user and computational environment.06-28-2012
20120167163APPARATUS AND METHOD FOR QUANTITATIVELY EVALUATING SECURITY POLICY - An apparatus for quantitatively evaluating security policy includes: a security policy analyzing unit for analyzing a security policy of a network; an evaluation criterion defining unit for defining an evaluation criterion for categorizing security features and evaluating each of the security features; an evaluation result calculating unit for calculating an evaluation result for each of the security components based on the evaluation criterion; an indicator calculating unit for grouping the security components according to security function and calculating an indicator by considering the security function of each group; and a quantitative evaluating unit for evaluating the security policy of each group by using the indicator.06-28-2012
20120167160ROUTER POLICY SYSTEM - A router policy server may include a policy engine. The policy engine may receive, from a first router, a request for whether to accept or reject routing information received from a second router and determine whether a policy, associated with the second router, allows the second router to advertise the routing information. The policy engine may further instruct the first router to accept the routing information when the policy allows the second router to advertise the routing information and may instruct the first router to reject the routing information when the policy does not allow the second router to advertise the routing information or when no policy exists for the second router in association with the policy engine.06-28-2012
20120167159POLICY-BASED ACCESS TO VIRTUALIZED APPLICATIONS - When a request is received to execute a virtualized application, an application virtualization client component evaluates an execution policy to determine if the application may be executed. If the application virtualization client component determines based on the execution policy that the virtualized application may be executed, the application virtualization client component publishes the virtualized application. The application virtualization client component publishes the application by making the virtualized application available for execution if the application is installed, and installing the virtualized application if it is not installed. The application virtualization client component also evaluates the execution policy during execution of the virtualized application. If the application virtualization client component determines that the execution policy is no longer satisfied, the application virtualization client component unpublishes the virtualized application, thereby preventing execution of the virtualized application.06-28-2012
20120167158SCOPED RESOURCE AUTHORIZATION POLICIES - Resource authorization policies and resource scopes may be defined separately, thereby decoupling a set of authorization rules from the scope of resources to which those rules apply. In one example, a resource includes anything that can be used in a computing environment (e.g., a file, a device, etc.). A scope describes a set of resources (e.g., all files in folder X, all files labeled “Y”, etc.). Policies describe what can be done with a resource (e.g., “read-only,” “read/write,” “delete, if requestor is a member of the admin group,” etc.). When scopes and policies have been defined, they may be linked, thereby indicating that the policy applies to any resource within the scope. When a request for the resource is made, the request is evaluated against all policies associated with scopes that contain the resource. If the conditions specified in the policies apply, then the request may be granted.06-28-2012
20130047207METHOD AND APPARATUS FOR SESSION VALIDATION TO ACCESS MAINFRAME RESOURCES - According to one embodiment, an apparatus may store a plurality of token-based rules. The apparatus may further store a plurality of tokens. The apparatus may receive a first token indicating that access to a mainframe resource has been requested. The apparatus may determine at least one token-based rule based at least in part upon the first token. The at least one token-based rule may condition access to the resource upon a second token. The second token may be associated with a device. The second token may indicate a password. The second token may further indicate a geographic location associated with the device. The apparatus may determine that the plurality of tokens includes the second token and generate a session token based at least in part upon the first token and the second token.02-21-2013
20130047206Method and Apparatus for Session Validation to Access from Uncontrolled Devices - According to one embodiment, an apparatus may store a plurality of token-based rules. A token-based rule may facilitate access to a resource. The apparatus may further store a plurality of tokens. The apparatus may receive a first token indicating that an unsecured device has requested access to the resource and determine at least one token-based rule based at least in part upon the first token. The at least one token-based rule indicates a timeout associated with the unsecured device. The apparatus may determine, based on the at least one token-based rule, that the timeout associated with the unsecured device has not been exceeded and generate a session token based at least in part upon the first token in response to the determination that the timeout has not been exceeded.02-21-2013
20130047205Apparatus and Method for Making Access Decision Using Exceptions - According to one embodiment, an apparatus may store a plurality of token-based exceptions. The apparatus may receive a resource token indicating that access to a resource has been requested. The apparatus may determine, based at least in part upon the resource token, at least one token-based exception. The token-based exception may further condition the grant of access to the resource upon the apparatus determining that the plurality of tokens comprises the at least one token. The apparatus may determine that the plurality of tokens does not comprise the at least one token and determine, in response to the determination that the plurality of tokens does not comprise the at least one token, that access to the resource should be denied.02-21-2013
20130047204Apparatus and Method for Determining Resource Trust Levels - According to one embodiment, an apparatus may receive a first resource token indicating that access to a resource has been requested. The apparatus may determine the value of an access value associated with at least one resource token in response to the determination that the plurality of resource tokens comprises the at least one resource token. The apparatus may determine that the value of the access value is insufficient to grant access to the resource. The apparatus may determine, in response to the determination that the value of the access value is insufficient to grant access to the resource, that access to the resource should be denied.02-21-2013
20130047201Apparatus and Method for Expert Decisioning - According to one embodiment, an apparatus may store at least one subject token associated with a user and a device, at least one resource token associated with the resource, and at least one network token associated with a network. The apparatus may determine various access values associated with these stored tokens. The apparatus may then determine the value of a first access value based on the values of these various access values. The apparatus may determine that the value of the first access value is insufficient to grant access to the resource and determine that access by at least one of the user and the device to the resource over the network should be denied.02-21-2013
20130047200Apparatus and Method for Performing Data Tokenization - According to one embodiment, an apparatus may receive a first data token indicating a request for data associated with the resource, a subject token indicating that at least one form of authentication has been completed, and a network token indicating that at least one form of encryption has been performed. The apparatus may determine at least one token-based rule based at least in part upon the first data token, the subject token, and the network token. The apparatus may determine, based at least in part upon the at least one token-based rule, that a second data token representing the data should be generated. The apparatus may generate a message indicating the determination that the second data token should be generated and then transmit the message.02-21-2013
20130047203Method and Apparatus for Third Party Session Validation - According to one embodiment, an apparatus may store a plurality of tokens. The apparatus may receive a first token indicating that access to a resource has been requested by a device. The apparatus may determine at least one token-based rule based at least in part upon the first token. The at least one token-based rule may condition access to the resource upon a second token. The apparatus may determine the geographic location of the device based on a token in the plurality of tokens. The apparatus may determine, based on the geographic location of the device, that the second token should be requested from an entity and transmit a request to the entity for the second token. The apparatus may receive the second token from the entity and generate a session token based at least in part upon the first token and the second token.02-21-2013
20130047202Apparatus and Method for Handling Transaction Tokens - According to one embodiment, an apparatus may store a plurality of token-based rules. A token-based rule may facilitate the processing of transactions. The apparatus may receive a transaction token indicating that a transaction associated with an entity has been requested. The apparatus may determine at least one token-based rule based at least in part upon the transaction token. The at least one token-based rule may indicate that there is a risk that the transaction is fraudulent. The apparatus may determine that the transaction should be denied based at least in part upon the risk that the transaction is fraudulent.02-21-2013
20130047195METHOD AND APPARATUS FOR MAKING TOKEN-BASED ACCESS DECISIONS - According to one embodiment, an apparatus may store a plurality of token-based rules that facilitate access to a resource, and a plurality of tokens indicating a user is using a device to request access to a resource over a network. The apparatus may receive a risk token indicating the risk associated with granting at least one of the user and the device access to the resource. The risk token may be computed from a set of tokens in the plurality of tokens. The apparatus may determine at least one token-based rule based at least in part upon the plurality of tokens and the risk token. The apparatus may then make an access decision based upon the at least one token-based rule, and communicate a decision token representing the access decision.02-21-2013
20130047198Policy Based Application Suspension and Termination - In accordance with one or more aspects, an application that is to be suspended on a computing device is identified based on a policy. The policy indicates that applications that are not being used are to be suspended. The application is automatically suspended, and is allowed to remain in memory but not execute while suspended. Additionally, when memory is to be freed one or more suspended applications to terminate are automatically selected based on the policy, and these one or more selected applications are terminated.02-21-2013
20130047197SEALING SECRET DATA WITH A POLICY THAT INCLUDES A SENSOR-BASED CONSTRAINT - Technologies pertaining to limiting access to secret data through utilization of sensor-based constraints are described herein. A sensor-based constraint is a constraint that can only be satisfied by predefined readings that may be output by at least one sensor on a mobile computing device. If the sensor on the mobile computing device outputs a reading that satisfies the sensor-based constraint, secret data is provided to a requesting application. Otherwise, the requesting application is prevented from accessing the secret data.02-21-2013
20100071025SECURING LIVE MIGRATION OF A VIRTUAL MACHINE WITHIN A SERVICE LANDSCAPE - In an embodiment of the invention, a method for secure live migration of a virtual machine (VM) in a virtualized computing environment can include selecting a VM in a secure virtualized computing environment for live migration to a different virtualized computing environment and blocking data communications between the selected VM and other VMs in the secure virtualized computing environment. The selected VM can be live migrated to the different virtualized computing environment and the VM can be restarted in the different virtualized computing environment. Notably, a secure communicative link can be established between the restarted VM and at least one other of the VMs in the secure virtualized computing environment. Finally, data communications between the restarted VM and the at least one other of the VMs can be enabled over the secure communicative link.03-18-2010
20090044248SECURITY POLICY GENERATION - The invention provides security policy generation methods and devices for generating a security policy that is set up for an information processing apparatus. The method comprises a step of generating an application model in which a transmitter and a receiver are decided for each of a plurality of messages that are communicated; a step of storing in advance a plurality of security patterns, each with the signer of the electronic signature appended to the message as an undecided parameter; a step of selecting, for each of the plurality of messages included in the application model, a security pattern that is a model of the security policy to be set up for the transmitter or receiver of the message; and a step of substituting the identification information of the transmitter or receiver of each message included in the application model for the undecided parameter of the security pattern selected for that message.02-12-2009
20090328132DYNAMIC ENTITLEMENT MANAGER - Embodiments of the invention relate to systems, methods, and computer program products for monitoring and/or controlling access to entitlements. For example, in one embodiment a computer program product is configured to periodically examine the members of a particular community in an organization and automatically identify members in the community that have access to software applications, datasets, or other organizational resources that are uncommon in the community, which may indicate that the member should not have access to such resources. The computer program product of embodiments of the invention is also configured to automatically and periodically determine the resources that members of the same community should all probably have access to. As such, embodiments of the present invention allow an organization to more efficiently monitor and control access to its resources and other entitlements.12-31-2009
20090307747System To Establish Trust Between Policy Systems And Users - A system and method are provided to establish trust between a user and a policy system that generates recommended actions in accordance with specified policies. Trust is introduced into the policy-based system by assigning a value, called the instantaneous trust index, to each execution of each policy with respect to the policy-based system. The instantaneous trust indices for each one of the policies, for each execution of a given policy, or for both are combined into the overall trust index for a given policy or for a given policy-based system. The recommended actions are processed in accordance with the level of trust associated with a given policy as expressed by the trust indices. Manual user input is provided to monitor or change the recommended actions. In addition, reinforcement learning algorithms are used to further enhance the level of trust between the user and the policy-based system.12-10-2009
20090307746METHOD, SYSTEM AND DEVICE FOR IMPLEMENTING SECURITY CONTROL - A method, system and device for implementing security control are provided. The method for implementing security control includes: receiving, by the Policy and Charging Enforcement Function (PCEF) entity, security control policy information from the Policy Control and Charging Rules Function (PCRF) entity; and executing, by the PCEF entity, user security control according to the security control policy information. The provided method, system, and device may provide security control for the user session in the Policy Charging Control (PCC) architecture.12-10-2009
20090307745DOCUMENT MANAGEMENT APPARATUS, POLICY SERVER, METHOD FOR MANAGING DOCUMENT, METHOD FOR CONTROLLING POLICY SERVER, AND COMPUTER-READABLE RECORDING MEDIUM - A document management apparatus is included in a document management system having a policy server which issues a policy corresponding to a right to access a document. The document management apparatus has an access-right description determination unit configured to collate first data input in the document with an access-right description defined in accordance with second data input in the document in advance, and determine the access-right description for the document in which the first data is input in accordance with a result of the collation, a requesting unit configured to request the policy server to issue the policy in accordance with the access-right description determined using the access-right description determination unit, and an applying unit configured to apply the policy issued by the policy server to the document in which the first data is input.12-10-2009
20090307744AUTOMATING TRUST ESTABLISHMENT AND TRUST MANAGEMENT FOR IDENTITY FEDERATION - A federated identity verification system includes an identity provider that provides security tokens ultimately to one or more relying parties for access by the client to services at a relying party. Specifically, the relying party can validate the security token from an identity provider (whether directly or via a client) when verifying that the received security token conforms to security configuration data previously exchanged with the identity provider. To establish the trust relationship, the identity provider and one or more relying parties exchange security configuration information through an agreed-to communication channel. The security configuration information indicates the settings that the other party needs to use for establishing, maintaining, and/or monitoring the trust relationship. The communication channel allows both parties to flexibly and continually synchronize changes to security configurations, and thus maintain, change, or end the trust relationship automatically, as desired.12-10-2009
20090307743METHOD TO AUTOMATICALLY MAP BUSINESS FUNCTION LEVEL POLICIES TO IT MANAGEMENT POLICIES - A method, system, computer program product, and computer program storage device for transforming a high-level policy associated with a high layer to a low-level policy associated with a low layer. Mapping between high-level objects in a high layer and low-level objects in a low layer is derived by an automated discovery tool. The high-level policy is mapped to the low-level policy according to the mapping (e.g., by substituting the high-level objects with the low-level objects and by performing a syntax transformation). In one embodiment, a low-level policy is transformed to a high-level policy according to the mapping. As exemplary embodiments, policy transformations in traffic shaping and data retention are disclosed.12-10-2009
20090307742Indexing of Security Policies - In one embodiment, a computer implemented method for indexing security policies is provided. The computer implemented method determines a policy vocabulary to form a set of policy elements, and creates an index from the set of policy elements. The computer implemented method further receives a request to form requested policy elements, locates requested policy elements in the index to form a set of returned policy elements, and identifies a rule for use with the returned policy elements.12-10-2009
20090113517 | Security state aware firewall - A network firewall may apply policies to packets based on a security classification. Packets with an authenticated and established security connection may be handled at a high throughput, while packets with unauthenticated connections may be handled at a low throughput or even discarded. In some embodiments, three or more levels of security classifications may be used to process packets at different speeds or priorities. In some embodiments, one device may classify and tag each packet, while another device within the network may process the packets according to the tags. | 04-30-2009
20120222086 | SYSTEM AND METHOD FOR DYNAMIC SECURITY PROVISIONING OF COMPUTING RESOURCES - The present invention facilitates the dynamic provisioning of computing and data assets in a commodity computing environment. The invention provides a system and method for dynamically provisioning and de-provisioning computing resources based on multi-dimensional decision criteria. By employing specialized computing components configured to assess an asset and the requester of an asset, a provisioning engine is able to transform the input from the computing components into a specific configuration of computing resource provisioning and security controls. According to the rules and policies applying to a security domain, the provisioning engine may dynamically allocate computing resources in a manner that is both safe and efficient for the asset. | 08-30-2012
20120192248 | PROTECTING SCREEN INFORMATION - A method, computer program product, and system for protecting screen information is described. A method may comprise determining, via a computing device, if there is a screen protection rule, the screen protection rule based upon, at least in part, at least one of an application rule for protecting a portion of a screen region, and a process rule for protecting the portion of the screen region. The method may further comprise modifying, via the computing device, the portion of the screen region based upon, at least in part, at least one of the application rule, and the process rule. | 07-26-2012
20120192246 | METHOD AND SYSTEM FOR MAPPING BETWEEN CONNECTIVITY REQUESTS AND A SECURITY RULE SET - A system capable of automated mapping between a connectivity request and an ordered security rule-set, and a method of operating thereof. The system includes an interface operable to obtain data characterizing at least one connectivity request; a module for automatically recognizing at least one rule within the rule-set, the rule controlling traffic requested in the at least one connectivity request, wherein the recognizing is provided by comparing a set of combinations specified in the connectivity request with a set of combinations specified in the rule and matching connectivity-related actions specified in the connectivity request; a module for automatically evaluating the relationship between traffic controlled by the recognized at least one rule and traffic requested in the at least one connectivity request; and a module for automatically classifying, in accordance with evaluation results, the at least one connectivity request with respect to the at least one rule and/or vice versa. | 07-26-2012
20110016509 | Method And Apparatus For Passing Security Configuration Information Between A Client And A Security Policy Server - Techniques for passing security configuration information between a security policy server and a client include the client forming a request for security configuration information that configures the client for secure communications. The client is separated by an untrusted network from a trusted network that includes the security policy server. A tag is generated that indicates a generic security configuration attribute. An Internet Security Association and Key Management Protocol (ISAKMP) configuration mode request message is sent to a security gateway on an edge of the trusted network connected to the untrusted network. The message includes the request in association with the tag. The gateway sends the request associated with the tag to the security policy server on the trusted network and does not interpret the request. The techniques allow client configuration extensions to be added by modifying the policy server or security client, or both, without modifying the gateway. | 01-20-2011
20090094675 | SYSTEM AND PROGRAM PRODUCT FOR AUTOMATICALLY MANAGING INFORMATION PRIVACY - A request including a call for the information in a bean and a purpose for the call is received. Upon receipt, the purpose is compared to a privacy control policy that is packaged with the bean. If the purpose complies with the privacy control policy, the requested access and/or use of the information is permitted. | 04-09-2009
20090094673 | METHOD AND SYSTEM FOR INTEGRATED SECURING AND MANAGING OF VIRTUAL MACHINES AND VIRTUAL APPLIANCES - A method and system for the integrated securing and managing of virtual machines and virtual appliances are presented. Sealing the virtual appliance at the computer of a sender, verifying the authenticity of the sender at a recipient computer, and managing the execution of the VA are performed in a seamless fashion. | 04-09-2009
20090094668 | EMAIL PRIVACY SYSTEM AND METHOD - A method of protecting the identity privacy of a recipient of an electronic mail message from a sender to the recipient is disclosed. The method includes identifying a privacy policy within an address book entry corresponding to the recipient within an address book associated with the sender. The method further includes sending the electronic mail message from the sender to the recipient via a network in accordance with the identified privacy policy. | 04-09-2009
20130074142 | SECURING DATA USAGE IN COMPUTING DEVICES - Policies are applied to specific data rather than to an entire computing device that contains the specific data. Access to the specific data is controlled by the policies utilizing various password or other authentication credential requirements, selective data caching, data transmission, temporary data storage, and/or pre-defined conditions under which the specific data is to be erased or rendered inaccessible. Policies may be defined by an administrator and pushed to a mobile computing device, whereat the policies are enforced. | 03-21-2013
20130074143 | SYSTEM AND METHOD FOR REAL-TIME CUSTOMIZED THREAT PROTECTION - A method is provided in one example embodiment that includes receiving event information associated with reports from sensors distributed throughout a network environment and correlating the event information to identify a threat. A customized security policy based on the threat may be sent to the sensors. | 03-21-2013
20130074147 | PACKET PROCESSING - Network devices and methods are provided for packet processing. One method includes using logic embedded in an application specific integrated circuit on a network device to dynamically adjust an access control list. According to the method, the access control list is adjusted in response to information received from a checking functionality related to packets received by the network device from a particular port. The method also includes handling packets later received from the particular port according to the adjusted access control list. | 03-21-2013
20130074146 | DATA SECURITY FOR A DATABASE IN A MULTI-NODAL ENVIRONMENT - A security mechanism in a database management system enforces processing restrictions stored as metadata to control how different pieces of a multi-nodal application are allowed to access database data to provide data security. The security mechanism preferably checks the data security restrictions for security violations when an execution unit attempts to access the data, to ensure the nodal conditions are appropriate for access. When the security mechanism determines there is a security violation by a query from an execution unit based on the security restrictions, the security mechanism may send, delay or retry to maintain data security. Nodal conditions herein include time restrictions and relationships with other columns, rows or pieces of information. For example, multiple processing units may execute together, but the security mechanism would prohibit these processing units from accessing specific pieces of information at the same time through the use of metadata in the database. | 03-21-2013
20130074145 | SECURE KEY SELF-GENERATION - Techniques are disclosed for providing secure critical security parameter (CSP) generation in an integrated circuit (IC). Embodiments generally include determining that an ability to read the CSP externally (e.g., through a debug interface) has been disabled before the CSP is generated. Depending on the functionality of the device, embodiments can include other steps, such as determining whether software for executing a method for providing a secure CSP is being run for a first time. Among other things, the techniques provided herein for providing secure CSP generation can increase the security of the CSP and reduce manufacturing costs of the IC. | 03-21-2013
20130074144 | APPLICATION IDENTIFICATION - A method may include receiving a communication from a client device and identifying a port number, a protocol and a destination associated with the communication. The method may also include identifying an application being executed by the client device based on the port number, the protocol and the destination associated with the communication. | 03-21-2013
20130061283 | Ultra-Low Power Single-Chip Firewall Security Device, System and Method - A firewall security device, system and corresponding method are provided that include an operating system of an entirely new architecture. The operating system is based fundamentally around a protocol stack (e.g., TCP/IP stack), rather than including a transport/network layer in a conventional core operating system. The firewall security device may include a processor and an operating system (OS) embedded in the processor. The OS may include a kernel. The operating system kernel is a state machine and may include a protocol stack for communicating with one or more devices via a network interface. The OS may be configured to receive and transmit data packets and block unauthorized data packets within one or more layers of the protocol stack based on predetermined firewall policies. | 03-07-2013
20130061284 | SYSTEM AND METHOD FOR EFFICIENT INSPECTION OF CONTENT - A system and method of efficiently inspecting content is provided. Embodiments of the invention may inspect files accessed by an application prior to an activation of the application. Selective inspection of files accessed by an application may be based on a previous inspection. Inspection of files accessed by an application may be postponed or performed concurrently with the access. A prioritized queue may include references to files, a priority may be related to a risk level, and an inspection order may be according to a risk level. | 03-07-2013
20130061282 | Content Handling for Applications - Techniques for content handling for applications are described. In one or more implementations, a first set of content handling policies is enforced for a first portion of an application that is permitted to invoke code elements of the computing device, and a second set of content handling policies is enforced for a second portion of the application that is not permitted to invoke the code elements. Further, a determination is made whether to apply the first set of content handling policies or the second set of content handling policies to content based on which portion of the application is requesting the content. | 03-07-2013
20130061281 | System and Web Security Agent Method for Certificate Authority Reputation Enforcement - Network security administrators are enabled with their customizable certificate authority reputation policy store, which is informed by an independent certificate authority reputation server. The custom policy store overrides trusted root certificate stores accessible to an operating system web networking layer or to a third party browser. Importing revocation lists or updating browsers or operating systems is made redundant. Proactive remediation is enabled to delete or disable root certificates in trusted operating system root certificate stores or in trusted browser root certificate stores by a web security agent installed at distributed endpoints. This removes the need for additional hardware or synchronous remote access over the protected endpoints. | 03-07-2013
20110067084 | METHOD AND APPARATUS FOR SECURING A DATABASE CONFIGURATION - One embodiment of the present invention provides a system that secures a database configuration from undesired modifications. This system allows a security officer to issue a configuration-locking command, which activates a lock for the configuration of a database object. When a configuration lock is activated for a database object, the system prevents a user (e.g., a database administrator) from modifying the configuration of the database object, without restricting the user from accessing the database object itself. The security officer is a trusted user that is responsible for maintaining the stability of the database configuration, such that a configuration lock activated by the security officer preserves the database configuration by overriding the privileges assigned to a database administrator. | 03-17-2011
20120311661 | SERVICE/MOBILITY DOMAIN WITH HANDOVER FOR PRIVATE SHORT-RANGE WIRELESS NETWORKS - A system manages the integration of a private short-range wireless network into a service/mobility domain with handover of a wireless terminal device between access points registered with a domain server. The server maintains information specifying rules for responding to first wireless terminal devices authorized for private network access and to second wireless terminal devices authorized for shared network access, in response to requests for information on resources available from one or more access points registered with the server. | 12-06-2012
20090271843 | INFORMATION FLOW CONTROL SYSTEM - In an information flow control system, when a process reads a file with a second attribute after having read a file with a first attribute, and the second attribute is higher in level than the first attribute, a user is allowed to select first control, with which the file with the second attribute is not opened; second control, with which the file with the second attribute is opened after the file with the first attribute is closed; or third control, with which the file with the second attribute is opened after the file with the first attribute is opened again for read-only purposes. When the user selects the first control, the first attribute is provided to a file to be written, and when the user selects the second or third control, the second attribute is provided to a file to be written. | 10-29-2009
20090271842 | COMMUNICATIONS SECURITY SYSTEM - A method of establishing secure communications between a first computer, e.g. a client computer ( | 10-29-2009
20090271841 | METHODS, HARDWARE PRODUCTS, AND COMPUTER PROGRAM PRODUCTS FOR IMPLEMENTING ZERO-TRUST POLICY IN STORAGE REPORTS - A zero-trust policy is implemented in storage reports to provide a preventative measure against potential attack vectors. Introspection of a guest memory having a guest memory layout is performed. An operating system (OS) memory map is accepted. The guest memory layout is compared with the OS memory map. When the guest memory layout matches the OS memory map, the OS memory map is used to obtain one or more interested memory segments, and data processing is performed. | 10-29-2009
20090271840 | METHOD AND SYSTEM FOR CONTROLLING INTER-ZONE COMMUNICATION - A method for executing a target program that includes opening, in response to a request, a door between a source container and a global container, where the source container is controlled by the global container and the request specifies a target program. The method further includes sending the request to an access module located in the global container using the door, verifying that the request can be executed in a target container using a policy definition, where the target program is in the target container and the target container is controlled by the global container, logging in to the target container after the request has been verified, initiating a gateway within the target container in response to the login, setting an execution context of the gateway based on the policy definition, and executing the target program by the gateway, using the execution context, to generate a response to the request. | 10-29-2009
20090271839 | Document Security System - A document security system is disclosed. In the document security system, when a user is permitted to use a device and to use a document, a process for the document requested by the user is executed by the device. Further, after executing the process, a follow-up obligation is executed corresponding to the type of the document obtained from image data of the document. | 10-29-2009
20090055891 | DEVICE, METHOD, AND PROGRAM FOR RELAYING DATA COMMUNICATION - A device, method and computer program product for relaying data communication between a client and a server. A proxy device for relaying data communication between a client and a server includes a receiving unit for receiving an access request directed to the server from the client, a determining unit for determining whether transfer of a response of the server to the access request to the client will take an amount of time equal to or longer than a threshold time period, a dummy message responding unit for sending, in response to a determination result indicating that the transfer of the response will take an amount of time equal to or longer than the threshold time period, a dummy response message for notifying the client that the response of the server will be sent to the client when the response becomes available for transfer, and a transferring unit for transferring, upon the response of the server becoming transferable to the client, the response to the client. | 02-26-2009
20090055889 | System and method for detecting and mitigating the writing of sensitive data to memory - Disclosed is a system and method for detecting and mitigating the writing of sensitive or prohibited information to memory or communication media. The method includes detecting if an application is to write data to a memory, rerouting the writing of that data, and scanning the data for sensitive content or prohibited information. The scanning is done in accordance with one or more information security policies. If sensitive information is detected, the system has the option of issuing an alarm and/or preventing the sensitive information from being written, depending on the security policy. If the system permits the sensitive information to be written to memory, the system may spawn a file watcher object, which waits for a specified amount of time and then checks to see if the sensitive information has been deleted. If not, the system may issue an alarm or erase the sensitive information, depending on the security policy. | 02-26-2009
20090055888 | Self identifying services in distributed computing - A service policy is modified for a service in a distributed computing environment having a service oriented architecture. A client is notified of the modified service policy without use of a service registry. | 02-26-2009
20090055887 | PRIVACY ONTOLOGY FOR IDENTIFYING AND CLASSIFYING PERSONALLY IDENTIFIABLE INFORMATION AND A RELATED GUI - A method and system of providing an association between a system's meta-tagged data objects and a list of terms, the association indicating which objects are and are not covered by a given policy, in one aspect, may comprise obtaining a list of terms and a policy that includes one or more of the terms; identifying a plurality of meta-tags used in a system; developing one or more mappings between the terms and the meta-tags; identifying system data objects in the system having one or more meta-tags; and creating, for each meta-tag of each system data object identified, an association between the system data object and the one or more terms to which the meta-tag is mapped, the association indicating whether the system data object is or is not covered by the policy. | 02-26-2009
20120227083 | Dynamically Constructed Capability for Enforcing Object Access Order - Proposed is a Capability Management System (CMS) in a distributed computing environment that controls access to multiple objects by multiple subjects based upon a specified access order. A capability is dynamically constructed when the capability is needed. After the capability is used to access an object, a new capability is generated. In the alternative, multiple capabilities for enforcing an access order are generated independently of each other. The new capability is then employed by the same or another subject to access the object according to a prescribed access sequence. In this manner, at any particular time there is one capability valid to access the object by the appropriate subject. In addition, the capability includes information for verifying the authenticity of the capability and for specifying an expiration time associated with the capability. The technology may also be enhanced by providing a linkage between capabilities intended for use in a sequence. | 09-06-2012
20130167190 | MOBILE COMMUNICATION DEVICE SURVEILLANCE SYSTEM - A mobile communication device surveillance system is described. The system includes a gateway, a web server, a wireless mobile communication device, and a client device. The web server introduces the wireless mobile communication device to a gateway. The gateway authenticates the wireless mobile communication device. The gateway receives media data from the wireless mobile communication device and monitoring data from a security device connected to the gateway. The gateway aggregates the media data and the monitoring data, and communicates the aggregated data to the client device authenticated with the gateway. | 06-27-2013
20090031396 | METHOD OF AND APPARATUS FOR MANAGING ACCESS PRIVILEGES IN CLDC OSGi ENVIRONMENT - Provided are a method and apparatus for managing resource access privileges of an application in a Connected Limited Device Configuration (CLDC) Open Service Gateway Initiative (OSGi) environment. The method includes executing the application in a thread having a unique thread identifier, identifying the application by mapping the unique thread identifier with an application identifier from a mapping table, examining a security policy to determine the kind of resource access privileges the identified application has, and allowing or not allowing, according to the examination result, the application to access the resources. Accordingly, when an application tries to access resources in a device, the access privileges of the application can be managed so that the application does not maliciously access the resources. | 01-29-2009
20120117616 | WIRELESS/WIRED MOBILE COMMUNICATION DEVICE WITH OPTION TO AUTOMATICALLY BLOCK WIRELESS COMMUNICATION WHEN CONNECTED FOR WIRED COMMUNICATION - A mobile wireless communication device also has at least one wired communication port. Enhanced security is achieved by permitting the device to automatically disable one or more wireless ports when connected to a wired port. Specific combinations/permutations of such automatic control may be effected by use of an IT Policy also resident on the device. | 05-10-2012
20120117615 | System and Method for Providing Access Control - A control device may be configured to monitor a network connection. An application running on a client device may send a first network communication destined for a network communicatively connected to the control device. Depending upon whether the client device is authorized to access the network, different global rules may be applied. The first application or a second application running on the client device may send a second network communication. The control device may process the second network communication according to a plurality of stages. Specifically, the control device may extract information associated with the client device from the second network communication and associate user specific rules at a client discrimination stage. The control device may, at a user specific rule stage, access these rules and apply them accordingly to the second network communication as governed by user specific provisioning rules. | 05-10-2012
20120117612 | SYSTEM AND/OR METHOD FOR AUTHENTICATION AND/OR AUTHORIZATION - A computing platform constructs an application from source code such that the application detects an attempt to access at least one secured entity of the application. Further, the at least one secured entity is registered with an authorization system by providing metadata that is descriptive of the at least one secured entity to the authorization system, so that authorization metadata is generated based upon the metadata and a global unique identifier is assigned to the application and the metadata to identify the application and the metadata. The authorization metadata indicates an access policy to the at least one secured entity. | 05-10-2012
20120117611 | CONTROLLING INFORMATION DISCLOSURE DURING APPLICATION STREAMING AND PUBLISHING - Various aspects as described herein are directed to systems, methods, apparatuses, and software for intercepting requests to copy content, paste content, clip content, cut content, or perform a print screen operation, and either allowing the requested operation to occur or preventing the operation depending upon whether the content is sourced from a streamed application or a non-streamed application, and/or depending upon a streamed application-based policy. This may be performed by, for instance, hooking an appropriate function call to the operating system. | 05-10-2012
20120117610 | RUNTIME ADAPTABLE SECURITY PROCESSOR - A runtime adaptable security processor is disclosed. The processor architecture provides capabilities to transport and process Internet Protocol (IP) packets from Layer 2 through the transport protocol layer and may also provide packet inspection through Layer 7. A high performance content search and rules processing security processor is disclosed which may be used for application layer and network layer security. A scheduler schedules packets to packet processors for processing. An internal memory or local session database cache stores a session information database for a certain number of active sessions. The session information that is not in the internal memory is stored and retrieved to/from an additional memory. An application running on an initiator or target can in certain instantiations register a region of memory, which is made available to its peer(s) for access directly without substantial host intervention through RDMA data transfer. | 05-10-2012
20120117609 | Pluggable Claim Providers - A server system receives and installs multiple claim provider plug-ins. Each of the claim provider plug-ins implements the same software interface. However, each of the claim provider plug-ins can provide claims that assert different things. Claims provided by the claim provider plug-ins can be used to control access of users to a resource. | 05-10-2012
20120117608CERTIFICATE POLICY MANAGEMENT TOOL - A certificate policy management tool (05-10-2012
20130067531 Access Brokering Based on Declarations and Consent - Embodiments include processes, systems, and devices for brokering application access to capabilities, such as device capabilities. An access broker receives requests from applications to access capabilities. The access broker determines whether to grant access based at least in part on whether the application manifest declares the capability. The access broker also may cause a user interface element to be displayed requesting user consent to the access request. Also, an in-application user interface element is provided that displays capability access settings for a particular application. The in-application user interface element includes selectable options for changing those settings. Changes in those settings via the user interface update the settings in the access broker. 03-14-2013
20130067532 GENERATING SECURITY PERMISSIONS - Embodiments of the invention relate to generating security permissions for applications. A static analysis on an application is carried out to determine security exceptions and to determine the application components responsible for the security exceptions. The determined security exceptions are analysed to calculate permissions required for each component. A security policy file that includes a hierarchy of the required permissions suitable for the type of application is formatted and applied to the application to provide a security enabled application. 03-14-2013
20130067530 DNS-Based Content Routing - DNS-based content routing techniques are described. In one or more implementations, data is examined that describes interactions via a network with content via a domain name. Responsive to the examination, a policy is adjusted to change how one or more network addresses are resolved for the domain name for access to the content. A communication is formed that includes the adjusted policy to be communicated to one or more domain name system (DNS) servers, the adjusted policy configured to specify which network addresses are resolved for the domain name by the one or more DNS servers for access to the content. 03-14-2013
20110023085 INFORMATION PROCESSING APPARATUS, CONTROL METHOD OF THE INFORMATION PROCESSING APPARATUS, STORAGE MEDIUM, AND PROGRAM - An information processing apparatus for suitably registering policy information by considering an order of priority while reducing the burden on a user has the following structure. When policy information used for communication with an apparatus of a communication partner is to be registered in a storage unit, and when an address of the apparatus of the communication partner of the policy information to be registered in the storage unit is included in an address of an apparatus of a communication partner of policy information already stored in the storage unit, registering of the policy information to be registered so that an order of priority of the policy information to be registered in the storage unit is set lower than an order of priority of the policy information whose address includes the address of the apparatus of the communication partner of the policy information to be registered is restricted. 01-27-2011
20110023084 PROTECTION OF COMPUTER RESOURCES - In one embodiment, local software code present in a computer system enables real-time detection of whether the computer system is properly protected against malicious attacks from harmful software. For example, software code such as one or more agents executing in the computer system support real-time protection validation based upon detection of the behavior of the computer system (as opposed to mere detection of the presence of resources or applications in the computer system). In response to detecting that the computer system or an application accesses or provides a particular type of resource and should be protected via one or more appropriate protection policies, if the computer system is not already protected, an agent of the computer system can provide immediate remediation (e.g., a security measure) to temporarily protect the computer system until the appropriate protection policy can be activated to protect the computer system against malicious software threats. 01-27-2011
20110023083 METHOD AND APPARATUS FOR DIGITAL RIGHTS MANAGEMENT FOR USE IN MOBILE COMMUNICATION TERMINAL - A digital rights management (DRM) apparatus in a mobile terminal includes DRM middleware that makes different types of DRM systems compatible. The DRM middleware includes at least one plug-in module to perform a conversion between different types of DRM contents. A part of the at least one plug-in module is downloaded in real time from a server and is executed. A part of the at least one plug-in module is executed by a server by remote control through a plug-in interface. 01-27-2011
20110023082 TECHNIQUES FOR ENFORCING APPLICATION ENVIRONMENT BASED SECURITY POLICIES USING ROLE BASED ACCESS CONTROL - An application platform examines, at runtime, various specified aspects of an application environment in which an application interacts with a user. Such examinations are made to determine a state for each of the various specified aspects. Further, the platform automatically activates particular application environment roles for the user depending on the result of the examinations. For example, an application environment role may be activated representing a particular detected mode of communication (e.g., encrypted network communications) or a particular detected manner of authentication (e.g., password authentication). Such activations are based on the detected states and specified states for the various specified aspects of the application environment. Such activations may occur in the context of an application attempting to perform an operation on an access controlled object on behalf of a user. Further, such activations may occur in the context of establishing or maintaining a user session for a user of an application. 01-27-2011
20120198513 SECURE SOCIAL WEB ORCHESTRATION VIA A SECURITY MODEL - A method includes receiving, by a first computer, input from a first user. The method further includes creating, by the first computer, a hierarchical class tree implementing security profiles based on the input from the user. The hierarchical class tree identifies data, actions, and behaviors pertaining to content, and the security profiles restrict access and use of that user's content. The method also includes transmitting, by the first computer, a portion of the hierarchical class tree to a second computer. 08-02-2012
20090235325 MESSAGE PROCESSING METHODS AND SYSTEMS - Methods and apparatus for controlling the operation of a distributed application using message interception techniques are disclosed. The message interception software is independent of the software components making up the distributed application. The message interception software processes messages by carrying out a series of actions set out in an interceptor chain configuration policy, that policy being selected on the basis of the contents of the intercepted message. The interceptor chain configuration policy is divided into a separate enforcement configuration policy which dictates what actions should be carried out on a message and in what order, and an interceptor reference policy which indicates references to interceptors which are suitable for carrying out the actions specified in the enforcement configuration policy. In this way, the behaviour of the message interception software (and thus the distributed application) can be updated whilst both the interception software and the distributed application are running, without requiring the person updating the behaviour of the message interception software to deal with esoteric references to interceptor software routines. 09-17-2009
20090235324 METHOD FOR DISCOVERING A SECURITY POLICY - Techniques for mapping at least one physical system and at least one virtual system into at least two separate execution environments are provided. The techniques include discovering an implicitly enforced security policy in an environment comprising at least one physical system and at least one virtual system, using the discovered policy to create an enforceable isolation policy, and using the isolation policy to map the at least one physical system and at least one virtual system into at least two separate execution environments. Techniques are also provided for generating a database of one or more isolation policies. 09-17-2009
20120272289 DEVICES, SYSTEMS, AND METHODS FOR PROVIDING INCREASED SECURITY WHEN MULTIPLEXING ONE OR MORE SERVICES AT A CUSTOMER PREMISES - Systems, devices, and methods are disclosed for providing increased security when multiplexing one or more services at customer premises. Such systems and devices may include one or more virtual machines that support a service, a service operating system, protocol functions, and protocol security functions including systems, devices, and methods for analyzing protocol data and generating protocol security data. In addition, the systems, devices, and methods provide an administration function for each virtual machine that allows monitoring the protocol security data and provides a protocol alerting mechanism that reports protocol security trigger events. Moreover, the systems, devices, and methods have a common layer providing a common operating system and common security functions. The protocol security functions and common security functions utilize conventional and fuzzy logic rules to generate protocol security data and common security data. 10-25-2012
20120272288 METHODS AND APPARATUSES FOR DETERMINING STRENGTH OF A RHYTHM-BASED PASSWORD - Methods, apparatus, and computer program products are provided for determining the strength of a rhythm-based password to facilitate selection by a user of an appropriately secure rhythm-based password. A method may include receiving input defining a rhythm-based password and determining, by a processor, at least one property of the rhythm-based password. The method may also determine a strength value of the rhythm-based password based at least in part on the at least one property of the rhythm-based password. Corresponding apparatus and computer program products may also be provided. 10-25-2012
20090013377 Method and apparatus for privacy protection - The privacy of users of the Internet and interactive television is protected by actuating a 'privacy button' on the computer of the end user to cause the computer to search the user's computer to identify all cookies designed to track the user's computer behavior; disable each of the cookies identified by the search; identify the source of each of the disabled cookies; create, carry and forward a message to the identified cookie source that the end user does not want to have his computer behavior observed and/or to receive any advertising until further notice; create, carry and forward a message to the end user's Internet service provider that the end user does not want to receive any advertising and/or that computer observation activity is to be suspended by the Internet service provider until further notice; search the computer memory to identify all websites visited by the end user on the computer during a given time period; and create, carry and forward a message to each website identified in the search that the end user does not want to have his computer behavior observed and/or to receive any advertising until further notice. 01-08-2009
20090013376 SYSTEM FOR MANAGING COMMUNITY PROVIDED IN INFORMATION PROCESSING SYSTEM, AND METHOD THEREOF - Provided is a system which manages a user community provided in an information processing system, in which user community information provided by a user is made available to another user for reference. The system includes a storage section which stores an audit policy defining contents of information to be permitted to be registered in each of a plurality of communities, by associating the audit policy with each of the communities; a detection section which detects a community to which information is provided in response to provision of the information by a user; and a registration control section which inhibits registration of information, provided by a user, in a detected user community on condition that the information violates an audit policy corresponding to the user community. 01-08-2009
20090013375 PERMISSIONS MANAGEMENT PLATFORM - A permissions management platform is disclosed that includes: a documentation agent, which documents at least one circumstance, wherein the at least one circumstance comprises at least one permission that is provided from at least one first party to at least one second party, and at least one authorized party, wherein the at least one party has access to the documentation agent. A software system is also disclosed that includes the permissions management platform disclosed herein stored on a recordable medium. Methods for documenting and managing permissions information are described that include: providing a documentation agent that documents the circumstances in which permission is provided from at least one first party to at least one second party; creating a documentation record; storing the documentation record in a retrievable format; and providing at least one authorized party having access to the documentation record. 01-08-2009
20090013374 SYSTEMS AND METHODS FOR SECURING COMPUTERS - Systems and methods are disclosed for avoiding electronic mail (email) attacks on a computer by downloading one or more emails in virtual-copy format to prevent the one or more emails from executing; determining whether a potentially infected email is in the one or more emails; and displaying the potentially infected email to a user and providing a user interface to allow the user to select and delete the infected email prior to downloading emails to the user's computer. 01-08-2009
20090013378 Method for Testing Safety Access Protocol Conformity of Access Point and Apparatus Thereof - The invention relates to a method and device for testing conformity of a secure access protocol at an access point. The method includes the steps of: capturing a data packet of a secure access protocol in a secure access authentication process at an access point under test; and analyzing and checking an encapsulation format of the captured data packet of the secure access protocol and a protocol flow. With the invention the test result is independent of the implementation of an upper-layer protocol, and a correct test result can be obtained regardless of deviant implementation of the reference equipment, thereby improving correctness of the test result. With the invention, an error in the implementation of the protocol can also be located precisely in accordance with detailed information obtained from the data packet of the protocol, and a simulative test of a possible exception is introduced, thereby ensuring that a product which passes the test conforms to the standard and is interoperable. 01-08-2009
20090007227 SYSTEM AND METHOD OF DATA COGNITION INCORPORATING AUTONOMOUS SECURITY PROTECTION - Autonomous embedded data cognition enables data to perform real-time environmental configuration control, self-manage, perform analyses, determine its current situation, and evaluate behavior to respond accordingly. When created, security measures and access controls are selected. Highly sensitive data can be extracted and substituted with creator label and/or functional representation. Data-to-data reasoning and analysis can be performed. The processing method comprises autonomous monitoring for a state change and analyzing the current user to determine if the instantiation should exist. If affirmed, the cognition engine automatically configures the computational environment in which it resides. If denied, environmental behavior is further analyzed for security problems or an erroneous situation. If detected, the creator is alerted and provided with incident information enabling remote creator control of the data. Cognitive data can decide to self-destruct, mitigating the risk of undesirable instantiations. Intelligent Agents, a comprehensive data structure, and intelligent document means are leveraged for implementation. 01-01-2009
20090007225 METHOD AND APPARATUS FOR ENSURING SECURITY OF REMOTE USER INTERFACE SESSION USING OUT-OF-BAND COMMUNICATION - A method and apparatus for ensuring security of a session. In the method, a first client selects a user interface related to a process in need of security from among user interfaces related to predetermined contents provided from a first server, and the first client or a second client communicates directly with a second server operated by a contents provider to perform the process in need of security and notifies the first server of the result. Thus, it is not required to transmit/receive security information via the first server. 01-01-2009
20090007224 INFORMATION PROCESSING APPARATUS, INFORMATION MANAGEMENT METHOD, AND STORAGE MEDIUM THEREFOR - An image forming apparatus capable of flexibly setting a security policy for a modified file. A client terminal generates a print job with a new security policy added for a second file generated from a first file, and delivers the print job with the new security policy to the image forming apparatus. The image forming apparatus generates intermediate data based on the print job delivered from the client terminal, and causes a second policy server to register the security policy. The second policy server registers the security policy, with items of the security policy appropriately assigned to the first and second policy servers. The second policy server generates an encryption key. The image forming apparatus encrypts the intermediate data using the encryption key, and stores the encrypted intermediate data. 01-01-2009
20090007223 METHOD AND SYSTEM FOR RUN-TIME DYNAMIC AND INTERACTIVE IDENTIFICATION OF SOFTWARE AUTHORIZATION REQUIREMENTS AND PRIVILEGED CODE LOCATIONS, AND FOR VALIDATION OF OTHER SOFTWARE PROGRAM ANALYSIS RESULTS - A system, method and computer program product for identifying security authorizations and privileged-code requirements; for validating analyses performed using static analyses; for automatically evaluating existing security policies; and for detecting problems in code, in a run-time execution environment in which a software program is executing. The method comprises: implementing reflection objects for identifying program points in the executing program where authorization failures have occurred in response to the program's attempted access of resources requiring authorization; displaying instances of identified program points via a user interface, the identified instances being user selectable; for a selected program point, determining authorization and privileged-code requirements for the access restricted resources in real-time; and enabling a user to select, via the user interface, whether a required authorization should be granted, wherein local system, fine-grained access of resources requiring authorizations is provided. 01-01-2009
20090007221 Generation and use of digital contents - Provided are the generation and the use of user generated contents (UGC) to which a creative commons license (CCL) is applied. In a method of generating digital contents, a user interface window including a clause for managing digital contents copyright information is generated and displayed, and digital contents including copyright information selected from the displayed user interface window are generated. 01-01-2009
20090007220 THEFT OF SERVICE ARCHITECTURAL INTEGRITY VALIDATION TOOLS FOR SESSION INITIATION PROTOCOL (SIP)-BASED SYSTEMS - A device prevents theft of service attacks on a Session Initiation Protocol (SIP)-based device using an identity assurance protection mechanism, a multiple end-points protection mechanism, and an intrusion detecting protection mechanism. 01-01-2009
20130167193 Security policy editor - A shared computing infrastructure has associated therewith a portal application through which users access the infrastructure and provision one or more services, such as content storage and delivery. The portal comprises a security policy editor, a web-based configuration tool that is intended for use by customers to generate and apply security policies to their media content. The security policy editor provides the user the ability to create and manage security policies, to assign policies so created to desired media content and/or player components, and to view information regarding all of the customer's current policy assignments. The editor provides a unified interface to configure all media security services that are available to the CDN customer from a single interface, and to enable the configured security features to be promptly propagated and enforced throughout the overlay network infrastructure. The editor advantageously enables security features to be configured independently of a delivery configuration. 06-27-2013
20130167192 METHOD AND SYSTEM FOR DATA PATTERN MATCHING, MASKING AND REMOVAL OF SENSITIVE DATA - Systems, methods and computer-readable media for applying policy enforcement rules to sensitive data. An unstructured data repository for storing unstructured data is maintained. A structured data repository for storing structured data is maintained. A request for information is received. The request is analyzed to determine its context. Based on the context, a policy enforcement action associated with generating a response to the request is identified. The policy enforcement action may be to remove sensitive data in generating the response to the request and/or to mask sensitive data in generating a response to the request. An initial response to the request is generated by retrieving unstructured data from the unstructured data repository. Using the structured data maintained in the structured data repository, sensitive data included within the initial response is identified. The policy enforcement action is applied to the sensitive data included within the initial response to generate the response to the request. 06-27-2013
20130167191 SECURITY POLICY FLOW DOWN SYSTEM - A system and method are provided that distill an organization's information security plan into a detailed and unambiguous security object model. The developed security object model provides a visualization of complex relationships between individual elements and levels that is usable to carry into effect the organization's information security plan. Configuration control and a verifiable level of security compliance are provided through implementation of the organization's information security plan by the developed security object model. The developed security object model is hosted on a computing platform in communication with at least the organization's network to provide information security plan compliance, configuration control and gap analysis in a usable form to the organization. 06-27-2013
20130167194 SYSTEM AND METHOD FOR DETERMINING A SECURITY ENCODING TO BE APPLIED TO OUTGOING MESSAGES - A device comprising a processor is disclosed herein. In one broad aspect, the processor is configured to: determine whether a general message encoding configuration setting at the device is set to a first setting indicating that when a security encoding is to be applied to a message, the security encoding is to be established by a policy engine, wherein the established security encoding cannot be overridden by a security encoding selection algorithm at the device; and if the general message encoding configuration setting is set to the first setting, transmit the message to at least one message recipient via the policy engine such that the policy engine applies the security encoding to the message prior to the policy engine transmitting the message. 06-27-2013
20080313699 Information Rights Management - Information rights management (IRM) systems enable information to be protected after it has been accessed by or delivered to an authorized individual. For example, this might be to allow an email to be viewed for a limited time by specified individuals but to prevent that email from being forwarded. However, existing IRM systems are limited in the situations in which they may operate. An IRM server is provided which communicates with one or more policy evaluators which are independent of the IRM server. Results from the different policy evaluators may be combined by the IRM server, and one or more identity providers may be used in conjunction with each policy evaluator. By enabling the IRM server to act as a broker between authors, recipients and policy evaluators, the situations in which IRM systems may operate are greatly extended. 12-18-2008
20080307491 SECURE SYSTEM AND METHOD FOR ENFORCEMENT OF PRIVACY POLICY AND PROTECTION OF CONFIDENTIALITY - The invention includes various systems, architectures, frameworks and methodologies that can securely enforce a privacy policy. A method is included for securely guaranteeing a privacy policy between two enterprises, comprising: creating a message at a first enterprise, wherein the message includes a request for data concerning a third party and a privacy policy of the first enterprise; signing and certifying the message that the first enterprise has a tamper-proof system with a privacy rules engine and that the privacy policy of the first entity will be enforced by the privacy rules engine of the first enterprise; sending the message to a second enterprise; and running a privacy rules engine at the second enterprise to compare the privacy policy of the first enterprise with a set of privacy rules for the third party. 12-11-2008
20080307489 SYSTEM AND METHOD FOR ADDING CONTEXT TO PREVENT DATA LEAKAGE OVER A COMPUTER NETWORK - Systems and methods for adding context to prevent data leakage over a computer network are disclosed. Data is classified and contextual information of the data is determined. A transmission policy is determined in response to the classification and contextual information. The data is either transmitted or blocked in response to the classification and the contextual information. 12-11-2008
20080307488 Systems And Methods For Enterprise Security With Collaborative Peer To Peer Architecture - Systems and methods authenticate a device to operate within an enterprise system with an enterprise policy. An agent, installed on the device, analyzes the device to determine profile information of the device. The determined profile information is sent to a type 2 super peer that verifies whether the profile information conforms to the enterprise policy. If the profile information conforms to the enterprise policy, an agent trust credential is generated, within the type 2 super peer, for the agent, based upon the profile information, and issued to the agent. Authenticity of the device is verified based upon the agent trust credential. If the device is authenticated, communications with the device are permitted. If the device is not authenticated, communications with the device are prevented. In another embodiment, a method restores a device to conform to a system policy. A snapshot of critical components of the device is taken while the device is in compliance with the system policy. The critical components are monitored to identify critical components that differ from the critical components of the snapshot. If differing critical components are detected, the device is restored to conform with system policy by replacing differing critical components based upon the snapshot. 12-11-2008
20080307487 System and method of network access security policy management for multimodal device - A system and method are provided for management of access security for access by a multimodal device to a converged fixed/mobile network. An inter-technology change-off monitoring entity (ICME) is provided to monitor an inter-technology change-off of the multimodal device and to notify a policy manager of the inter-technology change-off. The policy manager looks up, in a policy database, security policies applicable to the user of the multimodal device and the particular technology being used by the multimodal device. The policy manager conveys to various policy enforcement points throughout the converged fixed/mobile network the applicable security policies, which take into account the user's identity and the access technology being used. 12-11-2008
20120240188 METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR FACILITATING COMMUNICATION IN AN INTEROPERABILITY NETWORK - Methods and apparatus are described for facilitating communication among a plurality of entities via an interoperability network. Each entity has policy data corresponding thereto governing interaction with the entity via the interoperability network. A message is transmitted from a first one of the entities to a second one of the entities. The first entity has first policy data corresponding thereto and the second entity has second policy data corresponding thereto. The transmitted message was handled in the network according to combined policy data representing a combination of the first and second policy data. 09-20-2012
20080295149 METHOD AND SYSTEM FOR GENERATING AND USING DIGITAL FINGERPRINTS FOR ELECTRONIC DOCUMENTS 11-27-2008
20080295148 System And Method For Crawl Policy Management Utilizing IP Address and IP Address Range 11-27-2008
20080295147 Integrated Security Roles 11-27-2008
20080295146 Integrated privilege separation and network interception 11-27-2008
20080295145 IDENTIFYING NON-ORTHOGONAL ROLES IN A ROLE BASED ACCESS CONTROL SYSTEM 11-27-2008
20080295144 Network client validation of network management frames 11-27-2008
20090049511METHOD AND APPARATUS FOR PROVIDING A DATA MASKING PORTAL - An approach is provided for de-personalizing data. A request is received from an application for retrieval of data. An end user associated with the request is authenticated. A determination is made whether to mask the data based on the request and the authentication. In response to the determination, a masking algorithm is selected to apply to the data and to output mask data.02-19-2009
20120102543Audit Management System - A computer implemented method and system for managing an audit of one or more network layer devices is provided. An audit management system accessible by a user via a graphical user interface acquires network layer device information of the network layer devices and a configuration file comprising configuration file commands. The audit management system allows creation and/or selection of one or more audit policies for the network layer devices. The audit policies comprise one or more audit rules that define functioning of the network layer devices for one or more compliance policies. The audit management system executes the audit policies for performing the audit of the network layer devices by comparing the configuration file commands of the configuration file with the audit rules of the audit policies, and generates a report comprising information about security and compliance of the network layer devices with the compliance policies based on the audit.04-26-2012
20120102542SECURITY MONITORING APPARATUS, SECURITY MONITORING METHOD, AND SECURITY MONITORING PROGRAM BASED ON A SECURITY POLICY - A management server monitors even the occurrence of items, which are not targets of security policies, evaluates a change of the monitoring result, and implements specific output when necessary. Particularly, also regarding items which are considered to be non-targets of the security policies in management based on the security policies, the occurrence of such items is also monitored and the monitoring result is appropriately reported to an administrator so that the administrator can recognize a threat and takes necessary countermeasure at appropriate timing.04-26-2012
20110162040Owner Controlled Transmitted File Protection and Access Control System and Method - An owner controlled file protection and control system that uses a protected file that is encrypted and has embedded with access and use control features. The file is selected and encrypted and combined with a set of encrypted policy rules by an encryption software program. The policy rules are one or more ‘access rules’ and ‘use rules’ that determine who, what, when, and where the protected file may be accessed and how the protected file will be used. They may be selectively changed at any time and may be location, time and date sensitive. The protected file may be sent to the recipient or stored in a file that the recipient may accessed. During use, each recipient must register with the system and is assigned a registered ID. Using the ‘access rule’, the owner may assign a particular recipient ID to the protected file. A recipient then uses a reader program to generate a request to access and use the protected file to a management server. Management server then reviews the policy rules associated with the protected file to determine if they are satisfied. If the rules are satisfied, then time sensitive digital certificate is sent to the recipient that allows the protected file to be accessed and used according to the policy rules.06-30-2011
20090125976AUTOMATED TEST INPUT GENERATION FOR WEB APPLICATIONS - A method and apparatus are disclosed herein for automated test input generation for web applications. In one embodiment, the method comprises performing a source-to-source transformation of the program; performing interpretation on the program based on a set of test input values; symbolically executing the program; recording a symbolic constraint for each of one or more conditional expressions encountered during execution of the program, including analyzing a string operation in the program to identify one or more possible execution paths, and generating symbolic inputs representing values of variables in each of the conditional expressions as a numeric expression and a string constraint, including generating constraints on string values by modeling string operations using finite state transducers (FSTs) and supplying values from the program's execution in place of intractable sub-expressions; and generating new inputs to drive the program during a subsequent iteration based on results of solving the recorded string constraints.05-14-2009
20110167469MONITORING FEDERATION FOR CLOUD BASED SERVICES AND APPLICATIONS - Technologies are described herein for cloud monitoring federations that can include cloud monitoring services (CMS) that collect monitoring information from point of presence (POP) agents. The cloud monitoring POPs may be located in the cloud, on client machines, embedded within cloud applications, or wherever they can obtain visibility into managed entities associated with the cloud. Management systems, acting as cloud monitoring clients (CMC), may interface with the CMS to obtain a complete view of the services and applications used by their enterprise, including those that operate outside of the enterprise premises as part of a cloud or outside network. The publishing by POPs and consumption by CMCs of management information across components within the enterprise and out in the cloud may be supported by managing roles, responsibilities, scopes, security boundaries, authenticity of information, service level agreements, and other aspects of cloud monitoring operations.07-07-2011
20110283335HANDLING PRIVACY PREFERENCES AND POLICIES THROUGH LOGIC LANGUAGE - A logic language model for handling personal data is provided, in which users specify preferences on how their personal data should be treated by data-collecting services and the services specify policies on how they will treat collected data. Preferences and policies are specified in terms of granted rights and required obligations, expressed as declarative assertions and queries. Query evaluation is formalized by a proof system, which is used to verify whether a policy satisfies a preference.11-17-2011
20090094674INFORMATION AGGREGATION, PROCESSING AND DISTRIBUTION SYSTEM - A utility is provided for managing exchanges of information within a context involving multiple users, for example, multi-user network collaboration. The invention enables automatic enforcement of a policy regarding sensitive information. The policy may be negotiated among the users and expressed as multiple rule sets that govern access to and use of sensitive information. The utility also logs activities involving sensitive information to ensure compliance with the policy. These logs can be audited by a third party or automatically processed for audit compliance by the utility. In this manner, an environment of trust is created which encourages fruitful collaboration.04-09-2009
20090094669Detecting fraud in a communications network - The application relates to a method and apparatus for ranking data relating to use of a communications network according to the likelihood that the use is fraudulent, the method comprising receiving a first data set comprising a plurality of parameter values relating to each of a plurality of observed fraudulent uses of the communications network and establishing a first model for the parameters of the first data set, receiving a second data set comprising a plurality of parameter values relating to each of a plurality of observed non-fraudulent uses of the communications network and establishing a second model for the parameters of the second data set, receiving a third data set comprising a plurality of parameter values relating to a subsequent use of the communications network, applying the third data set to the first and second models, determining the likelihoods that the third data set is compatible with the first and second models and determining a ranking for the subsequent use within a plurality of subsequent uses to be investigated for fraud based on the determined respective likelihoods.04-09-2009
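As an added illustration of the ranking approach in entry 20090094669 above (example code written for this page, not the applicant's own), the block below fits one model to observed fraudulent uses and one to observed non-fraudulent uses, scores each subsequent use under both, and orders the candidates by the resulting log-likelihood ratio. The parameters (calls per hour, mean call duration, fraction of international calls), the account identifiers and all values are constructed; the per-parameter Gaussian model is an assumption, since the entry does not say which model family is used.

```python
"""Rank subsequent uses of a network by likelihood of fraud.

Added example, not the patent's code. Two diagonal-Gaussian models are fitted,
one to observed fraudulent uses and one to observed non-fraudulent uses; each
new use is scored by its log-likelihood ratio under the two models and the
candidates are returned in descending order for investigation. All parameter
names and values below are constructed.
"""
import math
from typing import Dict, List, Sequence, Tuple

# Constructed observations: (calls per hour, mean call duration in minutes,
# fraction of calls that are international)
FRAUD_SET: List[Tuple[float, float, float]] = [
    (40.0, 1.5, 0.90),
    (35.0, 2.0, 0.80),
    (50.0, 1.0, 0.95),
    (45.0, 1.2, 0.85),
]
NONFRAUD_SET: List[Tuple[float, float, float]] = [
    (3.0, 8.0, 0.05),
    (2.0, 12.0, 0.00),
    (4.0, 6.0, 0.10),
    (1.0, 15.0, 0.02),
]
# Constructed subsequent uses to be ranked
CANDIDATES: Dict[str, Tuple[float, float, float]] = {
    "acct-A": (42.0, 1.3, 0.88),
    "acct-B": (2.5, 10.0, 0.03),
    "acct-C": (12.0, 5.0, 0.40),
}

Model = List[Tuple[float, float]]  # per-parameter (mean, variance)


def fit_model(data: Sequence[Sequence[float]], min_var: float = 1e-3) -> Model:
    """Fit an independent Gaussian to each parameter of the data set."""
    n = len(data)
    model: Model = []
    for j in range(len(data[0])):
        column = [row[j] for row in data]
        mean = sum(column) / n
        var = sum((x - mean) ** 2 for x in column) / n
        # Floor the variance so a constant parameter cannot produce log(0)
        model.append((mean, max(var, min_var)))
    return model


def log_likelihood(model: Model, x: Sequence[float]) -> float:
    """Log-density of x under the model (parameters treated as independent)."""
    total = 0.0
    for (mean, var), v in zip(model, x):
        total += -0.5 * math.log(2.0 * math.pi * var) - (v - mean) ** 2 / (2.0 * var)
    return total


def rank_for_investigation(
    fraud_set: Sequence[Sequence[float]],
    nonfraud_set: Sequence[Sequence[float]],
    candidates: Dict[str, Sequence[float]],
) -> List[Tuple[str, float]]:
    """Return (id, log-likelihood ratio) pairs, most fraud-like first."""
    fraud_model = fit_model(fraud_set)
    normal_model = fit_model(nonfraud_set)
    scored = [
        (uid, log_likelihood(fraud_model, x) - log_likelihood(normal_model, x))
        for uid, x in candidates.items()
    ]
    scored.sort(key=lambda item: item[1], reverse=True)
    return scored


if __name__ == "__main__":
    for uid, llr in rank_for_investigation(FRAUD_SET, NONFRAUD_SET, CANDIDATES):
        print(f"{uid}: log-likelihood ratio {llr:+.1f}")
```

A positive ratio means the fraud model explains the use better than the non-fraud model; it is the ratio, not either likelihood on its own, that orders the investigation queue. Class priors are left out (equal priors assumed); a realistic low fraud base rate adds a constant offset to every score and does not change the ordering.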
20090300714PRIVACY ENGINE AND METHOD OF USE IN A USER-CENTRIC IDENTITY MANAGEMENT SYSTEM - A privacy enforcement engine conducts a process that evaluates user privacy preferences against the privacy policy of a service provider. The engine works in conjunction with an identity selector. The identity selector filters user identity information cards to determine which ones satisfy the requirements of a security policy. The engine identifies privacy preferences that are relevant to the user identity information specified by the successfully filtered cards. The engine evaluates these privacy preferences against the privacy policy, to provide its own filtering operation relative to the exercise of privacy controls. The cards that pass the filtering operation conducted by the engine are deemed available for disclosure.12-03-2009
20110302625System and Method for Managing and Controlling Data - A system for managing and controlling data. The system includes provisions for easily and rapidly updating and managing a computer system, particularly a complex computer system in which several computers communicate with one another. The system also includes a central database which plays a key role in the management and control of the computer system. Most of the management functions are retained in the central database and remote offices, which generally do not retain data management information, communicate with the central office to retrieve data management information. The system also includes a novel approach to manipulating data.12-08-2011
20080209504GENERALIZED NETWORK SECURITY POLICY TEMPLATES FOR IMPLEMENTING SIMILAR NETWORK SECURITY POLICIES ACROSS MULTIPLE NETWORKS - The present invention is directed to a facility for adapting a network security policy model for use in a particular network. The facility retrieves the network security policy model, which comprises network security rules each specified with respect to one or more aliases. Each alias represents a role in a network for one or more network elements. The facility receives, for each alias included in the network security policy model, a list of one or more network elements in the network serving the role represented by the alias. The facility replaces each alias in the network security policy model with the list of network elements received for that alias, producing a network security policy adapted for use in the network.08-28-2008
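The alias replacement described in entry 20080209504 above, as an added example (written for this page, not the applicant's code): template rules refer to roles such as WEB_TIER, a per-network binding maps each role to the elements serving it, and expansion produces the concrete rule set. The role names, addresses, ports and the template itself are constructed. The one check a practitioner wants is also included: an alias that the target network has not bound is an error, not a rule that silently disappears.

```python
"""Adapt a network security policy template to one network.

Added example, not the patent's code. Template rules name roles (aliases)
such as WEB_TIER rather than hosts. Binding each alias to the network
elements serving that role in a particular network, and replacing the alias
in every rule with that list, yields the concrete policy for that network.
The aliases, addresses and rules are constructed.
"""
import itertools
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class TemplateRule:
    action: str  # "allow" or "deny"
    src: str     # alias naming the source role
    dst: str     # alias naming the destination role
    port: int    # 0 means any port


@dataclass(frozen=True)
class ConcreteRule:
    action: str
    src: str     # concrete address or prefix
    dst: str
    port: int


class UnboundAlias(KeyError):
    """The template uses a role that this network has not bound to any element."""


TEMPLATE: List[TemplateRule] = [
    TemplateRule("allow", "INTERNET", "WEB_TIER", 443),
    TemplateRule("allow", "WEB_TIER", "DB_TIER", 5432),
    TemplateRule("allow", "ADMIN_HOSTS", "DB_TIER", 22),
    TemplateRule("deny", "ANY", "DB_TIER", 0),  # catch-all guarding the database tier
]

# Constructed binding for one site: role -> network elements serving it
SITE_A_BINDINGS: Dict[str, List[str]] = {
    "INTERNET": ["0.0.0.0/0"],
    "ANY": ["0.0.0.0/0"],
    "WEB_TIER": ["10.1.0.10", "10.1.0.11"],
    "DB_TIER": ["10.1.2.5"],
    "ADMIN_HOSTS": ["10.1.9.1"],
}


def adapt(template: Sequence[TemplateRule],
          bindings: Dict[str, Sequence[str]]) -> List[ConcreteRule]:
    """Replace every alias with its bound elements, keeping rule order intact.

    Order matters for first-match policies, so each template rule expands to a
    contiguous run of concrete rules. An alias with no binding (or an empty
    one) aborts the adaptation: silently dropping a rule, especially a deny,
    would leave a hole in the resulting policy.
    """
    concrete: List[ConcreteRule] = []
    for rule in template:
        for alias in (rule.src, rule.dst):
            if not bindings.get(alias):
                raise UnboundAlias(alias)
        for src, dst in itertools.product(bindings[rule.src], bindings[rule.dst]):
            concrete.append(ConcreteRule(rule.action, src, dst, rule.port))
    return concrete


if __name__ == "__main__":
    for r in adapt(TEMPLATE, SITE_A_BINDINGS):
        print(f"{r.action:5} {r.src:>12} -> {r.dst:<12} port {r.port}")
```

Expanding src and dst lists as a product keeps each template rule's concrete rules adjacent, so a policy that relies on first-match ordering keeps the same semantics after adaptation.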
20110302624METHOD AND SYSTEM FOR SECURE CONTENT DISTRIBUTION BY A BROADBAND GATEWAY - A broadband gateway, which enables communication with a plurality of devices, handles at least one physical layer connection to at least one corresponding network access service provider. Security boundaries such as conditional access (CA) and/or digital rights management (DRM) boundaries associated with the broadband gateway are identified based on security profiles associated with the plurality of devices and/or a service from networks. The identified security boundaries are utilized to determine or negotiate CA information for content access for the service. The received content may be distributed according to the determined CA information and the security profiles of the corresponding devices. The broadband gateway may be automatically and dynamically configured based on the identified security boundaries to secure content distribution to the devices. Content distribution security schemes, for example, super encryption, simul-crypt, IPSec and/or watermarking, may be selected by matching the CA information with corresponding device security profiles.12-08-2011
20110302626LATENCY BASED PLATFORM COORDINATION - In some embodiments, an electronic apparatus comprises at least one processor, a plurality of components, and a policy engine comprising logic to receive latency data from one or more components in the electronic device, compute a minimum latency tolerance value from the latency data, and determine a power management policy from the minimum latency tolerance value.12-08-2011
20110302622ENTERPRISE MODEL FOR PROVISIONING FINE-GRAINED ACCESS CONTROL - Access control rules can be defined for target applications of an enterprise system independent of a runtime of the target applications. The access control rules can then be normalized into decision tables. These decision tables can then be used to reconcile authorization information with the target applications via user provisioning. This process can enable comprehensive reporting and analysis of enterprise access control rules without requiring direct integration of the target applications at runtime.12-08-2011
20090288133GAMING MACHINE - Disclosed is a gaming machine. The gaming machine comprises a gaming machine main body that plays a game with a predetermined game medium; a decoration member having identification information memorized therein; mounting means mounted to the gaming machine main body, the decoration member being detachably mounted thereto; effect data memorizing means for memorizing plural effect data including effect data corresponding to the identification information provided to the predetermined decoration member; identification information reading out means for reading out the identification information from the decoration member when the decoration member is mounted to the mounting means; effect data selecting means for selecting the effect data corresponding to the identification information read out by the identification information reading out means from the plural effect data memorized in the effect data memorizing means; and effect means for carrying out an effect, based on the effect data selected by the effect data selecting means.11-19-2009
20090077619METHOD AND SYSTEM FOR DYNAMIC PROTOCOL DECODING AND ANALYSIS - A method for dynamically decoding protocol data on a computer system is provided using a protocol decoder, which inspects and analyzes protocol data received by the computer system. A protocol decoding program controls the decoding and analysis process. The method may be used by an intrusion prevention system to identify anomalous protocol data that may cause harm to applications receiving the data.03-19-2009
20110289546Method and apparatus for protecting markup language document against cross-site scripting attack - A method for decomposing a web application into one or more domain sandboxes ensures that the contents of each sandbox are protected from attacks on the web application outside that sandbox. Sandboxing is achieved on a per-element basis by identifying content that should be put under protection, generating a secure domain name for the identified content, and replacing the identified content with a unique reference (e.g., an iframe) to the generated secure domain. The identified content is then served only from the generated secure domain.11-24-2011
20110289554SYSTEM AND METHOD FOR APPLICATION PROGRAM OPERATION ON A WIRELESS DEVICE - Embodiments described herein address mobile devices with non-secure operating systems that do not provide a sufficient security framework. More particularly, the embodiments described herein provide a set of applications to the device for providing security features to the non-secure operating system.11-24-2011
20110289553POLICY AND ATTRIBUTE BASED ACCESS TO A RESOURCE - Techniques are provided for controlling access to a resource based on access policies and attributes. A principal issues a request to a service for purposes of accessing a resource. The principal is authenticated and a service contract for the principal, the service, and the resource is generated. The service contract defines resource access policies and attributes which can be permissibly performed by the service on behalf of the principal during a session. Moreover, the session between the service and the resource is controlled by the service contract.11-24-2011
20110289552INFORMATION MANAGEMENT SYSTEM - An information providing device which provides information, a privilege policy providing device which stores a privilege policy setting whether or not information is allowed to be provided and provides the privilege policy, and an authentication device, are provided. The authentication device includes a privilege information management means for storing privilege information indicating whether or not the privilege policy is allowed to be provided by the privilege policy providing device, and a privilege certificate issuance means for issuing a privilege policy certificate including a content of the privilege information. The information providing device includes a privilege policy acquisition means for requesting the privilege policy providing device for the privilege policy based on the privilege policy certificate and acquiring the privilege policy, and an information providing means for providing stored information to another device based on the acquired privilege policy. The privilege policy providing device includes a privilege policy providing means for providing the privilege policy to the information providing device based on the privilege policy certificate.11-24-2011
20110289551DYNAMICALLY APPLYING A CONTROL POLICY TO A NETWORK - A method of dynamically applying a control policy to a network is described. A network layer of a plurality of network layers associated with user traffic is determined. A portion of a control policy corresponding to the network layer and the user traffic is accessed. Then, the portion is sent to a security device associated with the network layer, the portion being configured to be applied by the security device to the network layer and the user traffic.11-24-2011
20110289550POLICY MANAGEMENT APPARATUS, POLICY MANAGEMENT SYSTEM, AND METHOD AND PROGRAM USED FOR THE SAME - There are provided a role information storing unit (11-24-2011
20110289549METHOD AND SYSTEM FOR A DOCUMENT-BASED KNOWLEDGE SYSTEM - A document-based storage and knowledge production solution designed for use as a primary information system is disclosed. It uses Authentication, Privacy and Security Standards to ensure the source and reliability of the information in the stored documents. It uses Information and Document Standards to explicitly define the information content held in each document. Electronic documents from separate authors, from the same or separate legal entities, are stored together in the same system and can be used in aggregate for the generation of new knowledge. Variations are used to accelerate response times. Other variations describe the method's use as a Variable Electronic Health Record System in which different parts of the system can be produced by separate manufacturers. This is possible because the underlying document-based knowledge system stores the separate documents from each manufacturer's system in such a manner that they can be understood by systems from other manufacturers.11-24-2011
20110289548Guard Computer and a System for Connecting an External Device to a Physical Computer Network - A guard computer and a system including the guard computer for connecting an external device to a physical computer network are provided. The guard computer includes a network interface for connecting to the physical computer network and a device interface for connecting the external device having a data repository containing data. The guard computer also includes a configuration file containing a set of rules for making the data available to the network and a processor making data available to the network based upon the set of rules.11-24-2011
20120240185SYSTEMS AND METHODS FOR PROCESSING DATA FLOWS - A flow processing facility, which uses a set of artificial neurons for pattern recognition, such as a self-organizing map, in order to provide security and protection to a computer or computer system, supports unified threat management based at least in part on patterns relevant to a variety of types of threats that relate to computer systems, including computer networks. Flow processing for switching, security, and other network applications, including a facility that processes a data flow to address patterns relevant to a variety of conditions, is directed at internal network security, virtualization, and web connection security. A flow processing facility for inspecting payloads of network traffic packets detects security threats and intrusions across accessible layers of the IP stack by applying content matching and behavioral anomaly detection techniques based on regular expression matching and self-organizing maps. Exposing threats and intrusions within packet payloads at or near real-time rates enhances network security against both external and internal sources while ensuring the security policy is rigorously applied to data and system resources. Intrusion Detection and Protection (IDP) is provided by a flow processing facility that processes a data flow to address patterns relevant to a variety of types of network and data integrity threats that relate to computer systems, including computer networks.09-20-2012
20110296487SYSTEMS AND METHODS FOR PROVIDING A FULLY FUNCTIONAL ISOLATED EXECUTION ENVIRONMENT FOR ACCESSING CONTENT - A sandbox tool can cooperate with components of a secure operating system to create an isolated execution environment for accessing content without exposing other processes and resources of the computing system to the untrusted content. The sandbox tool can create the isolated execution environment with an assigned security context of the secure operating system. The security context can define the security policies applied by the operating system to the isolated execution environment, thereby defining the levels of access the isolated execution environment has to the resources of the computing system.12-01-2011
20100088742APPARATUS FOR DEFINING A SET OF RULES FOR A PACKET FORWARDING DEVICE - There are methods and apparatus, including computer program products, for defining a policy including a set of rules for a packet forwarding device by receiving information sufficient to enable a first rule related to one of security or traffic management to be defined, and based on the received information, enabling a corresponding second rule related to the other one of security or traffic management to be defined.04-08-2010
20110296486DYNAMIC SERVICE ACCESS - Apparatus, systems, and methods may operate to authenticate a desktop client to an identity service (IS), to receive a request, from an application, at the IS via the desktop client for a virtual service internet protocol (IP) address associated with a service. The IS may operate to build a routing token that includes an original physical IP address associated with the service when a policy associated with the IS permits access to the service by a user identity associated with the desktop client. After the routing token is validated, the application may be connected to the service via the desktop client. The application may comprise an e-mail application or a remote control application, such as a virtual network computing (VNC) application. Additional apparatus, systems, and methods are disclosed.12-01-2011
20110296490AUTOMATIC REMOVAL OF GLOBAL USER SECURITY GROUPS - A system for automatically replacing a user security group-based computer security policy by a computer security policy based at least partially on actual access, including a learned access permissions subsystem operative to learn current access permissions of users to network objects in an enterprise computer environment and to provide an indication of which users are members of which user security groups having access permissions to which network objects, a learned actual access subsystem operative to learn actual access history of users in the enterprise to the network objects and to provide indications of which users have had actual access to which network objects, and a computer security policy administration subsystem, receiving indications from the learned access permission subsystem and the learned actual access subsystem and being operative to automatically replace pre-selected user-security group-based access permissions with at least partially actual access-based access permissions without disrupting access to network objects.12-01-2011
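The replacement planning in entry 20110296490 above, as an added example (written for this page, not the applicant's code). Three constructed inputs stand in for the learned-access-permissions and learned-actual-access subsystems: group membership, the objects each group can reach, and an access log. For a pre-selected group the plan lists, per user, the direct permissions to add and the access that will disappear, computed so that no access actually observed in the log is lost. Group names, share paths and log entries are constructed.

```python
"""Plan the replacement of a broad security group by actual-access permissions.

Added example, not the patent's code. Three constructed inputs stand in for the
learned-access-permissions and learned-actual-access subsystems: group
membership, the objects each group may access, and an access log. For one
pre-selected group the plan lists, per user, the objects to grant directly
(used via this group and not already reachable through another group) and the
objects whose access disappears (never used and not reachable otherwise), so
replacing the group does not disrupt any access actually in use.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed learned permissions
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "Domain Users": {"alice", "bob", "carol"},
    "Finance": {"alice", "bob"},
}
GROUP_ACCESS: Dict[str, Set[str]] = {
    "Domain Users": {r"\\fs1\public", r"\\fs1\hr", r"\\fs1\finance"},
    "Finance": {r"\\fs1\finance"},
}
# Constructed access log of (user, object) events over the observation window
ACCESS_LOG: List[Tuple[str, str]] = [
    ("alice", r"\\fs1\finance"),
    ("alice", r"\\fs1\public"),
    ("bob", r"\\fs1\public"),
    ("carol", r"\\fs1\hr"),
    ("carol", r"\\fs1\public"),
    ("dave", r"\\fs1\public"),  # not a member of either group; ignored here
]


@dataclass
class ReplacementPlan:
    group: str
    grants: Dict[str, Set[str]] = field(default_factory=dict)  # user -> direct permissions to add
    loses: Dict[str, Set[str]] = field(default_factory=dict)   # user -> access that goes away


def learned_actual_access(log: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Collapse the log into user -> objects actually accessed."""
    actual: Dict[str, Set[str]] = defaultdict(set)
    for user, obj in log:
        actual[user].add(obj)
    return actual


def access_via_other_groups(user: str, group: str,
                            members: Dict[str, Set[str]],
                            access: Dict[str, Set[str]]) -> Set[str]:
    """Objects the user still reaches through groups other than the one being removed."""
    covered: Set[str] = set()
    for other, users in members.items():
        if other != group and user in users:
            covered |= access.get(other, set())
    return covered


def plan_replacement(group: str, members: Dict[str, Set[str]],
                     access: Dict[str, Set[str]],
                     log: List[Tuple[str, str]]) -> ReplacementPlan:
    """Per-user direct grants and lost access if `group` is removed."""
    actual = learned_actual_access(log)
    group_objects = access[group]
    plan = ReplacementPlan(group)
    for user in sorted(members[group]):
        used = actual.get(user, set()) & group_objects
        covered = access_via_other_groups(user, group, members, access)
        plan.grants[user] = used - covered
        plan.loses[user] = group_objects - used - covered
    return plan


if __name__ == "__main__":
    plan = plan_replacement("Domain Users", GROUP_MEMBERS, GROUP_ACCESS, ACCESS_LOG)
    for user in plan.grants:
        print(user, "grant:", sorted(plan.grants[user]), "loses:", sorted(plan.loses[user]))
```

The `loses` sets are the review artefact: they are exactly the permissions that were granted by the broad group but never exercised during the observation window, which is what the administrator should confirm before the group is removed. The quality of the result depends on the window covering the rare but legitimate accesses (quarter-end, audits), so a window that is too short will show up as users losing access they need.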
20110296489SELECTION OF SUCCESSIVE AUTHENTICATION METHODS - A method of authenticating a user who is a subscriber of a home network, authenticated in a first network, for accessing a service in a second network. This method includes: authenticating the user in the first network with a first authentication method selected in an authentication server; reserving resources for the service towards a rules enforcement device; requesting control rules for the resources towards a control rules server; submitting towards the control rules server information about the first authentication method; determining at the control rules server whether a further authentication of the user with a further authentication method is required; and instructing from the control rules server towards the authentication server to force the further authentication of the user with the further authentication method.12-01-2011
20110296488System and Method for I/O Port Assignment and Security Policy Application in a Client Hosted Virtualization System - A client hosted virtualization system includes a processor and non-volatile memory with BIOS code and virtualization manager code. The virtualization manager initializes the client hosted virtualization system, authenticates a virtual machine image, launches the virtual machine based on the image, and implements a policy manager. The policy manager determines a policy for the virtual machine, receives a request to access a device from the virtual machine, determines if the virtual machine is permitted to access the device based upon the policy, and if so, permits the virtual machine to access the device. If not, the policy manager denies the virtual machine access to the device. The client hosted virtualization system is configurable to execute the BIOS or the virtualization manager.12-01-2011
20090300712System and method for dynamically enforcing security policies on electronic files - A system and method for dynamically enforcing security policies on electronic files when the file is used. The system and method preferably delegate to the file the ability to protect itself. The file automatically identifies its confidential information and applies the corresponding policies when needed.12-03-2009
20090077623Security Network Integrating Security System and Network Devices - An integrated security system is described that integrates broadband and mobile access and control with conventional security systems and premise devices to provide a tri-mode security network (broadband, cellular/GSM, POTS access) that enables users to remotely stay connected to their premises. The integrated security system, while delivering remote premise monitoring and control functionality to conventional monitored premise protection, complements existing premise protection equipment. The integrated security system integrates into the premise network and couples wirelessly with the conventional security panel, enabling broadband access to premise security systems. Automation devices (cameras, lamp modules, thermostats, etc.) can be added, enabling users to remotely see live video and/or pictures and control home devices via their personal web portal or webpage, mobile phone, and/or other remote client device. Users can also receive notifications via email or text message when events occur, or fail to occur, in their home.03-19-2009
20090282457COMMON REPRESENTATION FOR DIFFERENT PROTECTION ARCHITECTURES (CRPA) - A method of representing security information of a host in a universal format, in a manner that is independent of the semantics and implementation details of the underlying operating system, is disclosed. The method comprises the steps of having a security information representation layer to represent security information, the security information representation layer further comprising representing entity and user privilege security information; representing object security information; representing object dependencies; and representing vulnerability information.11-12-2009
20090288136HIGHLY PARALLEL EVALUATION OF XACML POLICIES - Techniques for highly parallel evaluation of XACML policies are described herein. In one embodiment, attributes are extracted from a request for accessing a resource including at least one of a user attribute and an environment attribute. Multiple individual searches are concurrently performed, one for each of the extracted attributes, in a policy store having stored therein rules and policies written in XACML, where the rules and policies are optimally stored using a bit vector algorithm. The individual search results associated with the attributes are then combined to generate a single final result using a predetermined policy combination algorithm. It is then determined whether the client is eligible to access the requested resource of the datacenter based on the single final result, including performing a layer-7 access control process, where the network element operates as an application service gateway to the datacenter. Other methods and apparatuses are also described.11-19-2009
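The evaluation scheme in entry 20090288136 above, as an added example (written for this page, not the applicant's code, and using plain Python rules rather than XACML documents). Each rule owns one bit; per attribute, an index maps a required value to the bit vector of rules requiring it, with a wildcard entry for rules that do not mention that attribute. The request's attributes are searched independently on a thread pool, the vectors are ANDed to obtain the applicable rules, and their effects are combined with deny-overrides. The attribute names, rules and requests are constructed.

```python
"""Concurrent per-attribute policy search with bit vectors, deny-overrides combination.

Added example, not the patent's code; rules are plain Python rather than
XACML. Every rule gets a bit. For each attribute, an index maps a required
value to the bit vector of rules requiring it, plus a wildcard entry for rules
that do not mention the attribute. Each attribute of the request is searched
independently (here on a thread pool), the resulting vectors are ANDed to get
the applicable rules, and their effects are combined with deny-overrides.
The attributes, rules and requests are constructed.
"""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = "*"  # wildcard key: the rule places no condition on the attribute


@dataclass(frozen=True)
class Rule:
    rid: int                       # bit position of the rule
    effect: str                    # "Permit" or "Deny"
    conditions: Dict[str, str]     # attribute -> required value (exact match)


ATTRIBUTES = ["subject.role", "resource.type", "env.time", "env.location"]

RULES: List[Rule] = [
    Rule(0, "Permit", {"subject.role": "doctor", "resource.type": "record"}),
    Rule(1, "Permit", {"subject.role": "nurse", "resource.type": "record",
                       "env.time": "business_hours"}),
    Rule(2, "Deny", {"resource.type": "record", "env.location": "external"}),
    Rule(3, "Permit", {"subject.role": "admin"}),
]

Index = Dict[str, Dict[str, int]]


def build_index(rules: List[Rule]) -> Index:
    """index[attribute][value] is the bit vector of rules matching that value."""
    index: Index = {attr: {} for attr in ATTRIBUTES}
    for rule in rules:
        for attr in ATTRIBUTES:
            key = rule.conditions.get(attr, ANY)
            index[attr][key] = index[attr].get(key, 0) | (1 << rule.rid)
    return index


def search_attribute(index: Index, attr: str, value: Optional[str]) -> int:
    """Rules satisfied by this attribute value: exact matches plus wildcard rules."""
    table = index[attr]
    return table.get(value, 0) | table.get(ANY, 0)


def evaluate(rules: List[Rule], index: Index, request: Dict[str, str]) -> str:
    """Return "Permit", "Deny" or "NotApplicable" for the request."""
    with ThreadPoolExecutor(max_workers=len(ATTRIBUTES)) as pool:
        vectors = list(pool.map(
            lambda attr: search_attribute(index, attr, request.get(attr)), ATTRIBUTES))
    applicable = vectors[0]
    for v in vectors[1:]:
        applicable &= v          # a rule applies only if every attribute search kept it
    decision = "NotApplicable"
    for rule in rules:           # deny-overrides: any applicable Deny wins
        if (applicable >> rule.rid) & 1:
            if rule.effect == "Deny":
                return "Deny"
            decision = "Permit"
    return decision


INDEX = build_index(RULES)

if __name__ == "__main__":
    req = {"subject.role": "doctor", "resource.type": "record",
           "env.time": "business_hours", "env.location": "external"}
    print(evaluate(RULES, INDEX, req))
```

Two simplifications to keep in mind: an attribute missing from the request matches only wildcard rules (XACML would report Indeterminate for a rule that needs it), and CPython threads do not run the four searches truly in parallel; the point is that each search touches only its own index and the combination is a single AND over fixed-width vectors, which is what makes the scheme parallelisable in hardware or across processes.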
20130024908SYSTEM AND METHOD FOR APPLICATION-INTEGRATED INFORMATION CARD SELECTION - A selector daemon can run in the background of a computer. Applications that are capable of processing information cards directly, without requiring the use of a card selector, can request the selector daemon to list information cards that satisfy security policy. Upon receiving such a request, selector daemon can determine the information cards available on the computer that satisfy the security policy, and can identify these information cards to the requesting application. The applications can then use the identified information cards in any manner desired, without having to use a card selector: for example, by requesting a security token based on one of the information cards directly from an identity provider.01-24-2013
20090119744DEVICE COMPONENT ROLL BACK PROTECTION SCHEME - Various embodiments of the present disclosure describe techniques for enforcing a subcomponent related security policy for closed computing systems. A closed computing system can include a list of subcomponents that identify the subcomponents it was manufactured with. The list can be used to determine if any currently attached subcomponents are different than the original ones. If a new subcomponent is detected, the device can perform a predetermined action in accordance with a security policy.05-07-2009
20090119740ADJUSTING FILTER OR CLASSIFICATION CONTROL SETTINGS - Methods and systems for adjusting control settings associated with filtering or classifying communications to a computer or a network. The adjustment of the control settings can include adjustment of policy and/or security settings associated with the computer or network. Ranges associated with the control settings can also be provided in some implementations.05-07-2009
20100100932SYSTEM AND METHOD FOR DETERMINING A SECURITY ENCODING TO BE APPLIED TO OUTGOING MESSAGES - A system and method for determining a security encoding to be applied to a message being sent by a user of a computing device, such as a mobile device, for example. In one broad aspect, the method comprises determining, at the computing device, whether a general message encoding configuration setting thereon indicates that the security encoding to be applied to the message is to be established by a policy engine; if the general message encoding configuration setting on the computing device indicates that the security encoding to be applied to the message is to be established by the policy engine, determining the security encoding to be applied to the message by querying the policy engine for the security encoding to be applied to the message; applying the determined security encoding to the message; and transmitting the message to which the security encoding has been applied to the at least one recipient. In one embodiment, the policy engine is a PGP Universal Server.04-22-2010
20100005506DYNAMIC ADDRESS ASSIGNMENT FOR ACCESS CONTROL ON DHCP NETWORKS - Systems and methods of managing security on a computer network are disclosed. The computer network includes a restricted subnet and a less-restricted subnet. Access to the restricted subnet is controlled by a network filter, optionally inserted as a software shim on a DHCP server. In some embodiments, the network filter is configured to manipulate relay IP addresses to control whether the DHCP server provides, in a DHCPOFFER packet, an IP address that can be used to access the restricted subnet. In some embodiments, configuration information is communicated between the DHCP server and the network filter via DHCPOFFER packets.01-07-2010
20090178111SYSTEM AND METHOD FOR MAINTAINING SECURITY IN A DISTRIBUTED COMPUTER NETWORK - A system for maintaining security in a distributed computing environment comprises a policy manager located on a server to maintain policy data files and distribute local security policies to a plurality of clients, and a plurality of application guards, wherein each application guard is located at one of the plurality of clients to manage access by individual transactions to at least one application associated with the application guard, wherein the application guard controls access to the application based on a local security policy received from the policy manager.07-09-2009
20100071024HIERARCHICAL APPLICATION OF SECURITY SERVICES WITHIN A COMPUTER NETWORK - In general, techniques are described for hierarchical application of security services with a network device. In particular, the network device receives security classification information that maps a security class to one or more computing devices. The security class identifies security capabilities of the computing devices. The network device also receives network traffic associated with the computing device and applies a set of patterns defined by a policy associated with the security class to the network traffic to detect a set of network attacks. Based on the application of the set of patterns, the network device forwards the network traffic. As a result of receiving security classification information, the network device may become aware of the security capabilities of the computing device and only apply those patterns required to augment these detected security capabilities, thereby preventing application of overlapping security services through application of these services in a hierarchical manner.03-18-2010
20100037287METHOD AND APPARATUS FOR PROVIDING ROUTING AND ACCESS CONTROL FILTERS - A method and apparatus for providing an access control filter and/or a route filter in a network are disclosed. For example, the method receives a new filter rule or a modified filter rule associated with at least one of: a routing policy, or a security policy. The method creates or modifies one or more filter templates in accordance with the new filter rule or the modified filter rule. The method identifies one or more affected interfaces and audits the one or more affected interfaces. The method then generates one or more commands in accordance with the one or more filter templates if the auditing of the one or more affected interfaces is successful, and downloads filter content to one or more routers using the one or more commands.02-11-2010
20130219451Document digest allowing selective changes to a document - Methods and apparatus, including computer program products, implementing and using techniques for digital rights management. A set of content items is defined in an electronic document based on a set of rules. The rules in the set of rules are associated with one or more operations that can be performed on content items in the electronic document. The set of content items include only content items that are invariant to the operations associated with the rules in the set of rules. A representation of the content items in the set of content items is generated. An electronic document is also described.08-22-2013
20130219453DATA LEAK PREVENTION FROM A DEVICE WITH AN OPERATING SYSTEM - A data leak from a computer can be prevented by intercepting one or more system calls from an unknown application and applying different policies to the intercepted action associated with the system call(s) depending on the data itself and the metadata of a document associated with the system call.08-22-2013
20100169949SYSTEM AND METHOD TO PROVIDE ADDED SECURITY TO A PLATFORM USING LOCALITY-BASED DATA - In some embodiments, the invention involves protecting a platform using locality-based data and, more specifically, to using the locality-based data to ensure that the platform has not been stolen or subject to unauthorized access. In some embodiments, a second level of security, such as a key fob, badge or other source device having an identifying RFID is used for added security. Other embodiments are described and claimed.07-01-2010
20100169947SYSTEM AND METHOD FOR MOBILE USER AUTHENTICATION - As individuals increasingly employ their wireless devices to engage in different types of activities, they face a growing threat from, possibly among other things, identity theft, financial fraud, information misuse, etc., and the serious consequences or repercussions of the same. Leveraging the ubiquitous nature of wireless devices and the popularity of (Short Message Service, Multimedia Message Service, etc.) messaging, an infrastructure is provided that enhances the security of the different types of activities within which a wireless device user may participate through dynamically configurable levels of authentication. The infrastructure may optionally leverage the capabilities of a centrally-located Messaging Inter-Carrier Vendor.07-01-2010
20100169948INTELLIGENT SECURITY CONTROL SYSTEM FOR VIRTUALIZED ECOSYSTEMS - Resources of a virtualized ecosystem are intelligently secured by defining and analyzing object handling security control information for one or more logical resources in the virtualized ecosystem and deriving therefrom object properties for each of the logical resources involved in the execution of a virtual machine in any given context within the virtualized ecosystem.07-01-2010
20100031311Method of executing virtualized application able to run in virtualized environment - A method of executing a virtualized application able to run in a virtualized environment. The virtualized application includes application software and the virtualized environment. The application software includes a license monitor to search for a software license while monitoring an execution policy set by a software provider when software is installed or executed. The virtualized environment includes an environment monitor to monitor an execution environment provided to the application software by the virtualized environment. Therefore, it is possible to prevent software able to run in a virtualized environment from being freely copied without any limitations by the execution policy provided by the software provider.02-04-2010
20110219424INFORMATION PROTECTION USING ZONES - Some embodiments are directed to an information protection scheme in which devices, users, and domains in an information space may be grouped into zones. When information is transferred across a zone boundary, information protection rules may be applied to determine whether the transfer should be permitted or blocked, and/or whether any other policy actions should be taken (e.g., requiring encryption, prompting the user for confirmation of the intended transfer, or some other action).09-08-2011
20090282458Remote and Local Compound Device Capabilities Synchronization Method and System - A method and system allow applying policies to service requests for information or a session, which are created by communications devices and are intended to be sent to service providers over a network. The policies govern the extent to which details about the communications devices sending the requests are released or revealed to that service provider. After the amount of capabilities corresponding to the extent allowed by the policy is determined and provided in the service request, the service request is sent over the network to the service provider. Policy-based disclosure of communications device capabilities information may be applied in local network embodiments, such as a home or small office network including local server and residential gateway functions.11-12-2009
20100269149METHOD OF WEB SERVICE AND ITS APPARATUS - The present invention relates to a web service method and an apparatus therefor. A service apparatus in accordance with the present invention includes a message security gateway for security, an authentication server, an authorization server, a security policy server, a harmful site database, and an application server. User authentication employs SAML assertion of an SAML authority server. A service method in accordance with the present invention analyzes a message format and can employ security technologies although they have different message formats.10-21-2010
20100269148POLICY-PROVISIONING - Presented is an automated policy-provisioning method for a computing system having a service-oriented architecture. The system comprises at least one managed service and at least one policy enforcement point operable to enforce a runtime policy for the service. The method comprises: receiving in machine-readable form at least one semantic rule defining a condition imposed by a business policy; receiving machine-readable data describing a runtime policy enforcement capability of the at least one policy enforcement point; determining based on the at least one rule and the capability whether the at least one policy enforcement point can meet the condition; based on the determination, deriving a runtime policy suitable for enforcing the condition; and communicating the runtime policy to the at least one policy enforcement point.10-21-2010
20110219425ACCESS CONTROL USING ROLES AND MULTI-DIMENSIONAL CONSTRAINTS - Methods, systems, and computer-readable media of access control using roles and multi-dimensional constraints are disclosed. A particular method includes assigning a user a particular role of a plurality of roles and associating the user with one or more multi-dimensional constraints. A request from the user to perform an operation permitted by the particular role may be received. The method includes determining whether any of the multi-dimensional constraints allows the user to perform the operation. The request is granted when at least one of the multi-dimensional constraints allows the user to perform the operation. The request is denied when none of the multi-dimensional constraints allows the user to perform the operation.09-08-2011
20110219423METHOD AND APPARATUS FOR TRIGGERING USER COMMUNICATIONS BASED ON PRIVACY INFORMATION - An approach is provided for protecting a user identity in communication based on privacy information. The privacy engine selects one or more parameters associated with a privacy metric. Next, the privacy engine determines the parameters in a communication environment, the communication environment including a user device and a plurality of other devices. Next, the privacy engine computes a privacy level based, at least in part, on the parameters and the privacy metric. Next, the privacy engine compares the computed privacy level against a predetermined privacy level. Then, the privacy engine triggers a communication to one or more of the other devices in the communication environment based, at least in part, on the comparison.09-08-2011
20110219422SYSTEM AND METHOD FOR DISPLAYING A DENSITY OF OBJECTS IN A SOCIAL NETWORK APPLICATION - A social network application system stores profile information of one or more types of objects, such as users, places, events, things, organizations and other types of objects. The system maintains current information for the various types of objects. The current information is updated periodically. The system generates a dataset for generating density reports for one or more types of objects based on search criteria. The dataset includes current information for one or more types of objects. The dataset is transmitted to a user device. The user device displays a graphical representation of density of objects in a geographical area.09-08-2011
20100031310SYSTEM AND METHOD FOR ROAMING PROTECTED CONTENT BACKUP AND DISTRIBUTION - A method includes receiving content and a license to the content at a storage system, receiving a request from a user system for the storage system to send the content and license to the user system, and sending the content and license from the storage system to the user system. Another method includes requesting content and a license to the content, receiving the content and license at a user system, requesting from the user system that the content and license be sent to a storage system, and requesting from the user system that the storage system send the content item to a second user system. In one embodiment, code could be used to perform a method that includes requesting content and a license to the content from a content provider, storing the content and license at a user system and a storage system, and requesting that the storage system send the content to another user system.02-04-2010
20100031308SAFE AND SECURE PROGRAM EXECUTION FRAMEWORK - A system and method is provided here that can make sure that the instruction sets executing on a computer are certified and secure. The system and method further facilitates a generic way to intercept instruction loading process to inspect loaded code segment 102-04-2010
20090165082DIRECTORY INFRASTRUCTURE FOR SOCIAL NETWORKING WEB APPLICATION SERVICES - A computer-implemented method of implementing information security. The method can include receiving a user input comprising a first user identifier and at least a second user identifier, determining whether the first user identifier corresponds to at least one of a plurality of existing user profiles, and determining whether the second user identifier corresponds to at least one of the plurality of existing user profiles. When it is determined that the first user identifier does not correspond to at least one of the plurality of existing user profiles, but that the second user identifier does correspond to at least one of the plurality of existing user profiles, the method can include selecting the user profile to which the second user identifier corresponds, automatically generating a unique user identifier, and associating the unique user identifier with the selected user profile.06-25-2009
20100088743PERSONAL-INFORMATION MANAGING APPARATUS AND PERSONAL-INFORMATION HANDLING APPARATUS - A personal-information managing apparatus includes: a usage permission policy managing unit to manage usage permission policy in which a boundary between usage permission and usage prohibition of personal information is defined; a personal information request receiving unit to receive a request for the personal information from the personal-information handling apparatus; a usage-permission issuing unit to obtain the usage permission policy corresponding to the received request via the usage permission policy managing unit, and to issue a usage permit corresponding to the usage permission policy and the requested personal information to the personal-information handling apparatus; a usage permit issue history managing unit to manage the issued usage permit and usage permission issue history relating to the personal information; and a credibility establishing unit to establish credibility of information exchange with the personal-information handling apparatus in relation to the issuing of the usage permit and the personal information.04-08-2010
20090150968Method and apparatus for managing and displaying contact authentication in a peer-to-peer collaboration system - Proper user-to-data associations are maintained in shared spaces created in a peer-to-peer collaborative system by means of a simplified and minimal user interface that permits users to easily authenticate other members of a shared space. In particular, support is provided for automatically building authenticated relationships even if users do not take the time to authenticate other users. When a user enters a shared space and views the contacts in that space, the display names of each contact are accompanied by distinctive icons that identify that authentication status of that contact. A mechanism is provided for resolving conflicts between contacts with the same display names to prevent confusion and contact “spoofing.” Security policies can be established to provide a uniform approach to authentication. These policies can be set by a user or, alternatively, the policies can be set by an administrator.06-11-2009
20130219464METHOD FOR STANDARDIZING COMPUTER SYSTEM ACTION - A method for standardizing computer system action, including: intercepting an invoking command; obtaining the data structure of the intercepted invoking command after intercepting it; determining the sponsor of the intercepted invoking command based on the obtained data structure, and determining the operation method and operation object of the intercepted invoking command; matching the sponsor, the operation method and the operation object of the intercepted invoking command against rules for standardizing computer system action, and judging whether to allow the intercepted invoking command to execute. The present disclosure determines the sponsor of the intercepted invoking command according to the data structure of the invoking command, and can comprehensively monitor the computer system. If the sponsor is malicious, the disclosure does not allow the intercepted invoking command to execute, thus detecting unlawful operations comprehensively and effectively.08-22-2013
20130219460Remote Security Self-Assessment Framework - A system for security self-assessment for a computer platform. The system comprises a memory, a processor, and an application stored in the memory. When executed by the processor, the application in association with a call to action transmits security self-assessment logic and at least one security self-assessment policy to a computer platform, wherein the security self-assessment policy defines at least one scan tool to be used by the security self-assessment logic when executed on the computer platform to perform a security self-assessment of the computer platform. The system further comprises a plurality of scan tools stored in the memory and accessible for downloading by the computer platform. The security self-assessment logic is configured to cause a processor of the computer platform to download at least one scan tool defined by the security self-assessment policy and to perform a security self-assessment.08-22-2013
20090089857IDENTITY-BASED ADDRESS NORMALIZATION - In various embodiments, techniques for identity-based address normalization are provided. A principal attempts to access a resource via a principal-supplied address. A principal identity for the principal is used to acquire one or more address patterns. The principal-supplied address is compared against the one or more address patterns and when a match is detected, the principal-supplied address is normalized according to policy associated with the matched pattern. Additional access limitations and security restrictions are then enforced in response to the normalized address.04-02-2009
20120110638POLICY-BASED CROSS-DOMAIN ACCESS CONTROL FOR SSL VPN - A method may include generating a request that includes a host domain associated with a multiple-domain-to-one domain mapping, capturing the request before transmission of the request, rewriting the host domain, and transmitting the request.05-03-2012
20120110637Systems, Methods, and Apparatuses for Facilitating Authorization of a Roaming Mobile Terminal - Systems, methods, and apparatuses are provided for facilitating authorization of a roaming mobile terminal. A method may include receiving a request for security key related policy information for a user equipment device. The request may be sent by a service providing node on a visited network. The method may further include causing a service authorization information request including a user security settings package to be sent to a policy decisioning server. The method may also include receiving, in response to the service authorization information request, a service authorization information answer including a modified user security settings package including the authorization policy information for the user equipment device. The method may additionally include causing the requested security key related policy information to be sent to the service providing node. Corresponding systems and apparatuses are also provided.05-03-2012
20120110636Defining an Authorizer in a Virtual Computing Infrastructure - An authorizing entity is allowed to grant permission to a subject to perform an action on an object in a cloud computing environment. An authorizer is defined as the entity having granting authority to delegate a predetermined permission. A subject is defined as a group to whom the permission is being delegated. An object is defined upon which an action is authorized within the cloud computing environment. The action being authorized in the cloud computing environment is defined. Members of the subject group are authorized to perform the permitted action on the object.05-03-2012
20120110635METHOD AND SYSTEM FOR DETECTING CHARACTERISTICS OF A WIRELESS NETWORK - Characteristics about one or more wireless access devices in a wireless network, whether known or unknown entities, can be determined using a system and method according to the present invention. An observation is made of the activity over a Wireless Area Network (WLAN). Based on this activity, changes in state of wireless access devices within the WLAN can be observed and monitored. These changes in state could be indicative of normal operation of the WLAN, or they may indicate the presence of an unauthorized user. In the latter case, an alert can be sent so that appropriate action may be taken. Additionally, ad hoc networks can be detected that may be connected to a wireless access point.05-03-2012
20120110634AUTOMATIC PIN CREATION USING PASSWORD - A PIN is automatically generated based on at least one rule when the user enters a password through a user device. In one example, the PIN is a truncated version of the password where each character in the truncated version is mapped onto a number. The mapping can be a truncation at the beginning or end of the password, or the mapping can be with any pattern or sequence of characters in the password. This PIN generation may be transparent to the user, such that the user may not even know the PIN was generated when the password was entered. When the user attempts to access restricted content, the user may enter the PIN instead of the password, where the user may be notified of the rule used to generate the PIN so that the user will know the PIN by knowing the password.05-03-2012
20120110633APPARATUS FOR SHARING SECURITY INFORMATION AMONG NETWORK DOMAINS AND METHOD THEREOF - Provided are a security information sharing apparatus capable of sharing security information among network domains and a method thereof. The security information sharing apparatus includes a primitive security information storage unit configured to store primitive security information to be shared with other network domains, an information sharing policy storage unit configured to store an information sharing policy for information to be shared, an information masking policy storage unit configured to store an information masking policy for information not to be opened to the other network domain, a domain selector configured to select the other network domain to receive the shared security information, a shared security information generator configured to generate shared security information for the selected other network domain by applying the information sharing policy to the primitive security information, an information masking unit configured to mask information not to be opened in the generated security information according to the information masking policy, a protocol message generator configured to generate a protocol message for the shared security information subjected to the information masking, to be transmitted, and a protocol message transmitter configured to transmit the protocol message to the selected other network domain.05-03-2012
20130219455CERTIFICATE MANAGEMENT METHOD BASED ON CONNECTIVITY AND POLICY - Plural modes of operation may be established on a mobile device. Specific modes of operation of the mobile device may be associated with specific spaces in memory. By associating the existing certificate store structure and key store structure with a mode of operation, certificates and keys can be assigned to one space among plural spaces. Furthermore, management (viewing/importation/deletion) of certificates associated with specific modes of operation may be controlled based on the presence or absence of a mobile device administration server and the status (enabled/disabled) of an IT policy.08-22-2013
20110271322System and Method for Configuring Devices for Secure Operations - Systems and methods for establishing a security-related mode of operation for computing devices. A policy data store contains security mode configuration data related to the computing devices. Security mode configuration data is used in establishing a security-related mode of operation for the computing devices.11-03-2011
20110271321ACCESS CONTROL - Methods and apparatus for updating a policy store associated with a policy decision point of an access control system, the policy decision point being arranged to provide, in response to received decision requests, access control decisions in dependence on one or more policies stored in said policy store, each policy specifying a predetermined access control decision to be provided in response to a particular access request made in respect of a particular attribute or combination of attributes, the policy decision point being associated with at least one policy enforcement point arranged to implement access control in accordance with access control decisions provided by said policy decision point in response to decision requests submitted by said policy enforcement point, said policy enforcement point having associated therewith an attribute store providing data relating to attributes in respect of which access requests have previously been made via said policy enforcement point.11-03-2011
20110271320SYSTEM AND METHOD FOR PROVIDING SELECTIVE BEARER SECURITY IN A NETWORK ENVIRONMENT - An example method includes receiving a message related to a bearer or an Internet Protocol (IP) flow, the message includes an extension indicating whether an Internet Protocol security (IPsec) feature is designated for the bearer or the IP flow. The method further includes mapping a communication flow to the bearer or the IP flow, and applying the IPsec feature to the bearer or the IP flow. In other embodiments, the method can include communicating the extension to a next destination, and updating a security policy to indicate that the bearer or the IP flow is designated for the IPsec feature. In yet other embodiments, an Internet Key Exchange (IKE) is used to establish a security association for a serving gateway associated with the communication flow. The extension is provided at an IP flow level or at a bearer level such that network traffic is designated for the IPsec feature.11-03-2011
20090150972APPARATUS AND METHOD FOR MANAGING P2P TRAFFIC - The invention relates to a P2P traffic management apparatus and method. A P2P flow agent monitors an executed application program to extract a P2P application program, adds application identifiers to packets generated by the application program according to a set policy, and transmits the packets. In this case, a P2P security gateway monitors the inflowing packets from the P2P flow agent to extract packets having the application identifiers, uses the extracted application identifiers to inquire and acquire a related policy, and controls the packets according to the acquired policy.06-11-2009
20090150971TECHNIQUES FOR DYNAMIC GENERATION AND MANAGEMENT OF PASSWORD DICTIONARIES - Techniques for dynamic generation and management of password dictionaries are presented. Passwords are parsed for recognizable terms. The terms are housed in dictionaries or databases. Statistics associated with the terms are maintained and managed. The statistics are used to provide strength values to the passwords and determine when passwords are acceptable and unacceptable.06-11-2009
20090150970Data Fading to Secure Data on Mobile Client Devices - Methods, systems, and computer program products to secure data stored on mobile client devices are provided. In an embodiment, the method operates by defining one or more security policies. Each security policy comprises a plurality of security policy parameters. The method stores the security policies in a data store, and selects a security policy from among the stored security policies for a mobile client device. The selected security policy is applied to the mobile client device. The mobile client device determines whether it is in compliance with the parameters of said selected security policy, and performs data fade actions if it is determined that it is out of compliance with said security policy parameters.06-11-2009
20100122315METHODS AND APPARATUS RELATED TO TRANSMISSION OF CONFIDENTIAL INFORMATION TO A RELYING ENTITY - In one embodiment, a method includes defining a request for confidential information from a domain of confidential information based on an input from a relying entity. The domain of confidential information can be associated with a subject entity. A response to the request can be defined at an information provider. The method can also include sending the response to the relying entity when the response has been approved by the subject entity.05-13-2010
20100281514SYSTEM FOR MANAGING IDENTITY WITH PRIVACY POLICY USING NUMBER AND METHOD THEREOF - The present invention includes a request module that creates a user information request message and a communication module that transmits the user information request message to an attribute provider server, wherein the user information request message includes a privacy policy that represents at least one term of use subjects, use purposes, and use periods using a grade. With the present invention, the representation of the privacy policy can be simplified and the comparison of policies can be conveniently processed.11-04-2010
20130024907INTEGRATING SUDO RULES WITH ENTITIES REPRESENTED IN AN LDAP DIRECTORY - A method and apparatus for integrating Sudo rules into a Lightweight Directory Access Protocol (LDAP) repository. An LDAP directory server receives a request to add a sudo rule to the LDAP repository. The sudo rule defines at least one sudo command and one or more entities associated with the execution of the sudo command. The LDAP directory server creates an LDAP entry for the sudo rule, and links in the LDAP entry of the sudo rule an LDAP entry of the sudo command and LDAP entries of the entities associated with the execution of the sudo command.01-24-2013
20090049514Autonomic trust management for a trustworthy system - An autonomic trust management system, device or method performs trust management in an autonomic processing manner with regard to evidence collection, trust evaluation, and trust (re-)establishment and control. An autonomic trust management mechanism is embedded into a digital system, such as a device or a distributed system, for supporting trustworthy relationships among system entities. The trust management mechanism provides an autonomic adaptation of trust control modes, which include control mechanisms or operations, in order to ensure the dynamic changed trust relationships based on the feedback from a trust assessment and the adaptive trust (re-)establishment or control loops.02-19-2009
20110197254POLICY BASED PROVISIONING IN A COMPUTING ENVIRONMENT - A system and method for policy based provisioning in a computing environment. In an example embodiment, the system is adapted to selectively allocate usage rights and access privileges to computing resources of a computing environment. The system includes a provisioning policy; a centralized resource provisioning module; one or more applications in communication with the centralized resource provisioning module; and software running on the resource provisioning module, wherein the software is adapted to initiate selective provisioning of computing resources offered by the one or more applications to a user in accordance with the provisioning policy.08-11-2011
20110197253Method and System of Responding to Buffer Overflow Vulnerabilities - The application discloses a method of protecting a computer against buffer overflow attacks by creating a security policy based on information about the buffer overflow. This results in a dynamic and “on-the-fly” security policy that can be applied to an application to protect the computer. The application also discloses a method where the buffer overflow is reported to a central server. The central server monitors the publisher to determine when a patch becomes available to remedy the problem. The server notifies the security software when a patch is available so that either the security software or the computer user can download and install the patch.08-11-2011
20100132009Systems and Methods for HTTP Callouts for Policies - A method of identifying an action of a policy in association with communications between a client and one or more servers includes determining, by an intermediary, a policy action based on using a callout based policy. In one aspect, an intermediary receives communications between a client and one or more servers. The intermediary identifies a policy for the communications, the policy specifying a request and a server to communicate the request. Responsive to the policy, the intermediary transmits the request to the server. Based on the server response to the request, the intermediary determines an action of the policy. In another aspect, a system for the present method includes an intermediary and a policy engine for identifying a policy to specify a request and a destination server. Responsive to a server response to the request, the intermediary determines an action of the policy.05-27-2010
20100138893PROCESSING METHOD FOR ACCELERATING PACKET FILTERING - A processing method for accelerating packet filtering is used for accelerating the filtering of packet data in a computer. The processing method for accelerating packet filtering includes the following steps. A plurality of packet filtering policies is loaded. Feature values of each packet filtering policy are resolved. A grouping procedure is performed on the packet filtering policies according to the feature values, so as to add the packet filtering policies meeting a threshold value to corresponding policy groups. A performing sequence of the packet filtering policies within the policy groups is determined according to the performing sequence of the packet filtering policies. A performing sequence of the policy groups is determined according to the producing sequence of the policy groups. A plurality of packet data is received. When the packets do not match the policy groups, the default policy is processed according to the protocol information of the packets.06-03-2010
20080263624Contents Using Device, and Contents Using Method - A contents using device (or a terminal device) 10-23-2008
20080288999INFORMATION PROCESSING APPARATUS FOR AUTHENTICATION SETTING OF MODEL THAT REQUIRES CONFIDENTIALITY - The present disclosure provides an information processing apparatus and the like, which allow a service developer, who develops a service requiring confidentiality in a service-oriented architecture, to easily create authentication settings for the service model. The present disclosure provides an information processing apparatus for developing a service requiring confidentiality in a service-oriented architecture. The information processing apparatus includes: an input unit for inputting an annotation for a service; a storage unit for storing an Authentication Infrastructure Model of a machine node on which the service is executed; and an Authentication Policy generation unit for generating an Authentication Policy by using the annotation and the Authentication Infrastructure Model.11-20-2008
20080282314Firewall with policy hints - A firewall helps a user make a decision regarding network access for an application executing on a computing device by providing “hints” to the user about an appropriate network access policy. If at least one previously set firewall policy for the application exists in a context different from a current context, the user may be presented with information based on a previously set firewall policy. The information may be prioritized based on a source of the previously set firewall policy and other factors, to provide the user with a hint that facilitates making the decision appropriate in the current context. A programming interface to the firewall allows third party applications to specify a format in which hints are provided to the user.11-13-2008
20100122317Integrated Network Intrusion Detection - Intrusion preludes may be detected (including detection using fabricated responses to blocked network requests), and particular sources of network communications may be singled out for greater scrutiny, by performing intrusion analysis on packets blocked by a firewall. An integrated intrusion detection system uses an end-node firewall that is dynamically controlled using invoked-application information and a network policy. The system may use various alert levels to trigger heightened monitoring states, alerts sent to a security operation center, and/or logging of network activity for later forensic analysis. The system may monitor network traffic to block traffic that violates the network policy, monitor blocked traffic to detect an intrusion prelude, and monitor traffic from a potential intruder when an intrusion prelude is detected. The system also may track behavior of applications using the network policy to identify abnormal application behavior, and monitor traffic from an abnormally behaving application to identify an intrusion.05-13-2010
20100122316User Controlled Identity Authentication - A system and method for user-controlled identity authentication, comprising: a) At least one central computer having at least one user within a user database having user data and at least one service provider within a service provider database with service provider data; b) At least one service provider having electronic communication with the central computer; c) At least one user having electronic devices capable of communications with the central computer and service provider; e) Providing a user with a set of controls within the central computer to customize privacy, security and authentication of the user data; f) Providing a set of access rights within the service provider data of the central computer having a set of transaction rules for the service provider.05-13-2010
20100281516METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR NETWORK AUTHORIZATION - Methods and apparatus are described for facilitating communication among a plurality of entities via an interoperability network. Each entity has policy data corresponding thereto governing interaction with the entity via the interoperability network. A message is transmitted from a first one of the entities to a second one of the entities. The first entity has first policy data corresponding thereto and the second entity has second policy data corresponding thereto. The transmitted message was handled in the network according to combined policy data representing a combination of the first and second policy data.11-04-2010
20080263625METHOD AND SYSTEM FOR ACCESS CONTROL USING RESOURCE FILTERS - The present description refers in particular to a method, a system, and a computer program product for access control using resource filters for a strict separation of application and security logic. The computer-implemented method for access control may include receiving at least one access request to at least one resource from an application; providing a resource hierarchy for the at least one resource, the resource having at least one resource class, wherein the resource hierarchy is defined in a single resource; providing a policy comprising at least one access control rule for accessing at least one element of the at least one resource class; verifying the at least one access request based on the policy through an authorization service; and processing the at least one access request through a service interface.10-23-2008
20130219456Secure Virtual File Management System - A virtual file management system provides user access to managed content on mobile devices. The system comprises storage domains storing the managed content distributively using file systems, and a data infrastructure that organizes the managed content into a virtual file system that maintains information of storage domain specific file system primitives for accessing corresponding portions of the managed content. The data infrastructure, which maintains metadata of the storage domains and the mobile devices, comprises a policy definition and decision component that maintains policies defining controls for permissible operations on the managed content, the permissible operations including the file system primitives. A client application hosted on the mobile devices is coupled to the data infrastructure and the storage domains and includes an enforcement component that communicates with the policy definition and decision component to retrieve and enforce the policies by applying the controls on the mobile devices.08-22-2013
20120036554ACCESS AUTHORIZATION HAVING EMBEDDED POLICIES - A facility for receiving an embedded policy is provided. The facility checks an application program image for the presence of an embedded policy. If an embedded policy is detected, the facility extracts the policy from within the application program image. The facility may then apply the extracted policy to the application program image before the application program image is loaded and/or executed. Moreover, the facility may check the application program image's integrity prior to extracting the embedded policy.02-09-2012
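The loader-side flow of the entry above, worked through as an added example (not the patent's or any vendor's code): check the image's integrity, only then look for and extract an embedded policy, and apply that policy before anything runs. The trailer layout (policy JSON, 4-byte length, a magic marker, then a tag over everything before it), the use of HMAC-SHA256 under a loader-held key in place of a real signature, the capability-list policy language and the sample bytes are all assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import struct

MAGIC = b"EPOL"
TAG_LEN = 32
# Assumption: the loader holds a key trusted for image integrity. A real loader
# would verify a signature over the image; HMAC-SHA256 stands in for that here.
LOADER_KEY = b"loader-trust-anchor-key"
DEFAULT_POLICY = {"capabilities": []}     # applied when no policy is embedded


class ImageError(Exception):
    pass


def embed_policy(code: bytes, policy=None, key=LOADER_KEY) -> bytes:
    """Build an image: code || [policy JSON || len || MAGIC] || integrity tag."""
    body = code
    if policy is not None:
        blob = json.dumps(policy, sort_keys=True).encode()
        body += blob + struct.pack(">I", len(blob)) + MAGIC
    return body + hmac.new(key, body, hashlib.sha256).digest()


def check_integrity(image: bytes, key=LOADER_KEY) -> bool:
    if len(image) < TAG_LEN:
        return False
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)


def extract_policy(image: bytes, key=LOADER_KEY):
    """Return the embedded policy dict, or None if no policy is present.

    Integrity is verified first so that an attacker cannot feed the trailer
    parser arbitrary bytes; a bad tag raises ImageError.
    """
    if not check_integrity(image, key):
        raise ImageError("image integrity check failed")
    body = image[:-TAG_LEN]
    if not body.endswith(MAGIC):
        return None
    (n,) = struct.unpack(">I", body[-8:-4])
    if n > len(body) - 8:
        raise ImageError("policy length exceeds image")
    return json.loads(body[-8 - n:-8])


def load(image: bytes, requested, key=LOADER_KEY):
    """Apply the policy before the image runs: ('run', granted) or ('refuse', why)."""
    try:
        policy = extract_policy(image, key)
    except (ImageError, ValueError) as exc:   # ValueError covers malformed JSON
        return ("refuse", str(exc))
    if policy is None:
        policy = DEFAULT_POLICY
    allowed = set(policy.get("capabilities", []))
    denied = sorted(set(requested) - allowed)
    if denied:
        return ("refuse", "not granted by embedded policy: " + ", ".join(denied))
    return ("run", sorted(allowed))


# Constructed sample (not a real binary): stand-in code bytes and a policy.
SAMPLE_CODE = b"\x7fELF" + b"\x00" * 12 + b"fake program body"
SAMPLE_POLICY = {"capabilities": ["fs:read", "net"], "min_loader": 2}
SAMPLE_IMAGE = embed_policy(SAMPLE_CODE, SAMPLE_POLICY)
```

The order of the checks is the point: because the tag covers the policy trailer as well as the code, a modified policy and a modified program are rejected the same way, and an image with no trailer falls back to the restrictive default rather than to "anything goes".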
20120036550System and Method to Measure and Track Trust - In some embodiments, a method of determining an overall level of trust of a system comprises receiving a level of trust for each of a plurality of elements of the system. A weight for each of the plurality of elements is received, each weight indicating an influence of each of the plurality of elements on the trust of the system. A contribution for each element to the overall level of trust of the system is determined based on the level of trust for each element and the weight for each element. The overall level of trust of the system is determined based on the determined contribution for each element.02-09-2012
20080271114SYSTEM FOR PROVIDING AND UTILIZING A NETWORK TRUSTED CONTEXT - A system for establishing a connection between a data server and a middleware server is disclosed. The system includes defining a plurality of trust attributes corresponding to a trusted context between the middleware server and the data server and validating the plurality of trust attributes against a plurality of attributes corresponding to the middleware server, the plurality of attributes being provided in a connection request. The system also includes establishing the trusted context based on validating the plurality of trust attributes.10-30-2008
20090094671System, Method and Apparatus for Providing Security in an IP-Based End User Device - The present invention provides a system, method and apparatus for providing security in an IP-based end user device, such as personal computer clients, hard phones, soft phones, cellular phones, dual-mode phones, handheld communication devices, wireless communications devices and any other device capable of supporting real time IP-based applications. An application layer, a TCP/IP layer and a datalink layer of the IP-based end user device are monitored. Whenever an incoming session is detected and analyzed, the incoming session is accepted whenever one or more session security parameter(s) are satisfied and the incoming session is denied whenever the session security parameter(s) are not satisfied. Whenever an incoming packet is detected and analyzed, the incoming packet is processed whenever one or more packet security parameter(s) are satisfied and the incoming packet is dropped whenever the packet security parameter(s) are not satisfied.04-09-2009
20090094670SECURITY APPARATUS AND METHOD FOR ALL-IN-ONE MOBILE DEVICE USING SECURITY PROFILE - The present invention relates to a security apparatus and method for an all-in-one mobile device using a security profile. According to the security apparatus and method for an all-in-one mobile device using a security profile, a security profile of the mobile device is set in a manual mode or an automatic mode according to a user's knowledge level for security, and when environmental factors of the mobile device vary or the user requests to change a security level, the security profile is dynamically or statically reconstructed. This structure can rapidly solve a security problem and enables a user having a low knowledge level for security and a low degree of understanding of the functions of the mobile device to easily set a security function.04-09-2009
20090094666DISTRIBUTING POLICIES TO PROTECT AGAINST VOICE SPAM AND DENIAL-OF-SERVICE - In one embodiment, a network device generates a protection policy responsive to identifying undesired voice data traffic. The network device then distributes the generated protection policy along a call path used for transferring the undesired voice data traffic. The proxy may distribute the protection policy by inserting the protection policy in a call response or other message that traces the call path back to a calling endpoint.04-09-2009
20090094667Method and Apparatus for Automatic Determination of Authorization Requirements While Editing or Generating Code - Systems and methods are presented for automatically determining the security requirements of program code during the creation or modification of that program code and for presenting the necessary security permissions to a developer of the program code at the time of the creation or modification of the program code. A cache is established containing program code segments including library calls and application program interfaces that require security permissions at runtime. The cache also includes the security permissions associated with the stored program code segments. Program code editing is monitored in real time during the editing, and instances of edits that add, modify or delete the stored program code segments from the program code being edited are identified. The security permissions associated with the program code segments that are modified by the edits are retrieved from the cache. The retrieved security permissions are immediately presented to the developer in an interactive format that provides the developer with the ability to accept or decline the necessary changes to the security permissions.04-09-2009
20090094665Monitoring and Controlling Network Communications - Aspects of the subject matter described herein relate to monitoring and controlling network communications. In aspects, communication components receive a communication from a node. The communication components determine a potential use of the communication that may be used for reporting and enforcement purposes. The communication components monitor subsequent communications and store usage information including duration in a store. In addition, the communication components may enforce a policy that depends on the potential use of a communication and the usage information.04-09-2009
20090094664Integrated Guidance and Validation Policy Based Zoning Mechanism - A mechanism is provided to automatically retrieve zoning best practices from a centralized repository and to ensure that automatically generated zones do not violate these best practices. A user selects a set of hosts and storage controllers. The user also selects a guidance policy for creating the zone, and also selects a set of validation policies that must be enforced on the zone. If the user selects a guidance policy and a validation policy combination that is incompatible, the mechanism allows the user to change either the selected guidance policy or the set of validation policies. If the user has selected consistent-zoning as a guidance policy, then the mechanism automatically selects a guidance policy that does not violate the known validation policies.04-09-2009
20100088740Methods for performing secure on-line testing without pre-installation of a secure browser - Methods for performing secure on-line testing without the need for pre-installation of a secure browser are provided. The methods use a general purpose web browser which is already installed on the user's computer and extend the browser so as to restrict the functionality of the user's computer in at least one way which makes the computer more secure with regard to testing. The extending occurs through the transmission of trusted code to the user's computer over the internet. The elimination of the need for pre-installation represents a major savings to school districts in terms of the amount of IT professional time that must be dedicated to on-line testing, especially for school districts having large numbers of installed computers. Apparatus for practicing the methods is also provided.04-08-2010
20100125891Activity Monitoring And Information Protection - Disclosed herein is a computer implemented method and system for monitoring user activity and protecting information in an online environment. A security client application is provided on a computing device of a user. A local software component preloaded on the computing device is embedded within the security client application on the computing device. The security client application queries a policy server for a security policy for the user on receiving a request for access to the information from the user. The user is granted controlled access to the information based on the security policy. The granted controlled access enables enforcement of the security policy. The security client application permits the user to perform predefined activities on the information using the granted controlled access. The security client application prevents the user from performing activities apart from the predefined activities. The security client application tracks the performed predefined activities.05-20-2010
20090178104METHOD AND SYSTEM FOR A MULTI-LEVEL SECURITY ASSOCIATION LOOKUP SCHEME FOR INTERNET PROTOCOL SECURITY - Methods and systems for data communication are disclosed and may include utilizing a multi-level lookup process for determining IPsec parameters from a security association database. The security association database may be stored in content addressable memory, and may include an Internet protocol address table, a security association lookup table, and a security association context table. The security association lookup and security association context tables may include a single table. An Internet protocol address table index may be looked up in the Internet protocol address table for a first lookup of the multi-level lookup process. A security protocol index may be looked up utilizing the Internet protocol address table index for a second lookup of the multi-level lookup process. The Internet protocol security parameters may be determined utilizing the security protocol index. IPsec processing may be performed utilizing the determined Internet protocol security parameters.07-09-2009
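The three-level lookup of the entry above, as an added example (not the patent's code): a destination-address table yields a compact index, that index together with the SPI and protocol selects an SA, and the SA context supplies the parameters used to process the packet. Python dicts stand in for the content addressable memory, the SA contents and key bytes are constructed placeholders, and the monotonic sequence-number check is a deliberately simplified stand-in for the real anti-replay window.

```python
import struct

ESP, AH = 50, 51   # IP protocol numbers


class SADB:
    """Three-level security association database.

    Level 1 maps a destination address to a small index, level 2 maps
    (address index, SPI, protocol) to an SA index, level 3 holds the SA
    context. Each level is a dict here, standing in for a CAM lookup.
    """

    def __init__(self):
        self.ip_table = {}      # dst ip -> ip index
        self.sa_lookup = {}     # (ip index, spi, proto) -> sa index
        self.sa_context = []    # sa index -> dict of IPsec parameters

    def add_sa(self, dst_ip, proto, spi, cipher, key):
        ip_idx = self.ip_table.setdefault(dst_ip, len(self.ip_table))
        self.sa_context.append({"cipher": cipher, "key": key, "last_seq": 0})
        self.sa_lookup[(ip_idx, spi, proto)] = len(self.sa_context) - 1
        return len(self.sa_context) - 1

    def lookup(self, dst_ip, proto, spi):
        ip_idx = self.ip_table.get(dst_ip)             # first lookup
        if ip_idx is None:
            return None
        sa_idx = self.sa_lookup.get((ip_idx, spi, proto))   # second lookup
        return None if sa_idx is None else self.sa_context[sa_idx]


def parse_spi_seq(proto, payload):
    """Pull SPI and sequence number out of an ESP or AH header; None if malformed."""
    if proto == ESP and len(payload) >= 8:
        return struct.unpack(">II", payload[:8])
    if proto == AH and len(payload) >= 12:     # next header, length, reserved precede the SPI
        return struct.unpack(">II", payload[4:12])
    return None


def process_inbound(sadb, dst_ip, proto, payload):
    """Resolve the SA for a packet and enforce a (simplified) sequence check."""
    fields = parse_spi_seq(proto, payload)
    if fields is None:
        return ("drop", "not an IPsec packet")
    spi, seq = fields
    sa = sadb.lookup(dst_ip, proto, spi)
    if sa is None:
        return ("drop", "no matching SA")
    if seq <= sa["last_seq"]:
        return ("drop", "replayed or stale sequence number")
    sa["last_seq"] = seq
    return ("accept", sa["cipher"])


def esp_header(spi, seq, body=b""):
    return struct.pack(">II", spi, seq) + body


def ah_header(spi, seq, body=b""):
    # Length and ICV fields are placeholders; only the SPI/sequence offsets matter here.
    return struct.pack(">BBH", 0, 4, 0) + struct.pack(">II", spi, seq) + body


def build_sample_sadb():
    """Constructed SAs with illustrative keys (not real key material)."""
    db = SADB()
    db.add_sa("10.0.0.5", ESP, 0x1000, "aes-gcm-256", b"k" * 32)
    db.add_sa("10.0.0.6", ESP, 0x1000, "aes-cbc-128", b"j" * 16)   # same SPI, other host
    db.add_sa("10.0.0.5", AH,  0x2000, "hmac-sha256", b"h" * 32)
    return db
```

The two SAs that share SPI 0x1000 show why the address index is resolved before the SPI: the SPI alone is only unique per destination, so a single-level table keyed on SPI would confuse the two tunnels.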
20090300708Method for Improving Comprehension of Information in a Security Enhanced Environment by Representing the Information in Audio Form - In a software environment wherein one or more subjects respectively seek to access one or more objects, and wherein a security policy having rules is associated with the environment, a method is provided for use in connection with an effort by a particular subject to access a particular object. The method comprises identifying a domain to which the particular subject belongs, and identifying a type that includes or characterizes the particular object. One or more rules of the security policy are then used to decide whether or not to permit the particular subject to access the particular object. The method further comprises providing one or more distinct audible sounds for a user associated with the particular subject, wherein each audible sound represents specified information pertaining to the decision of whether or not to permit access to the particular object.12-03-2009
20100146584AUTOMATIC GENERATION OF POLICIES AND ROLES FOR ROLE BASED ACCESS CONTROL06-10-2010
20100146585Content Access Policy Management for Mobile Handheld Devices - Devices and methods are disclosed which relate to a mobile communications device which presents a user with content optimized for the mobile communications device based on connection speed, device capabilities, and user preferences. When a user wishes to view content, the user inputs an address. The mobile communications device accesses a policy management agent. The policy management agent checks an onboard database of websites, their mobile counterparts, and attributes of each. An optimal website is selected and the mobile communications device requests content from that website instead.06-10-2010
20100083348Method and rule-repository for generating security-definitions for heterogeneous systems - The present invention concerns a method for generating one or more system-specific security-definitions (04-01-2010
20100325685Security Integration System and Device - The present disclosure generally relates to systems and devices that share information related to computer and network security. In an embodiment, an integration device can receive a notification of a security event at a security device. The integration device can compare the contents of the notification against a set of rules, select actions to take based on the set of rules at other security devices, establish a connection to the other security devices, and take the actions over the connection. The integration device can take the actions by sending commands understood by the other security devices over the connection. The other security devices can be of different platforms than the security device or not interoperable with the security device. Additionally, the integration device can receive information related to log entries, security incidents, transaction data, or configuration data, and take actions based on this information at other security devices.12-23-2010
20110197258SYSTEM AND METHOD FOR LOST DATA DESTRUCTION OF ELECTRONIC DATA STORED ON PORTABLE ELECTRONIC DEVICES - A data security system and method protects stored data from unauthorized access. According to one aspect of the invention, a client computing device communicates periodically with a server. If communication is not established between the client and the server within a selected activation interval and a subsequent grace period, the data is deemed lost and programmed security rules are executed automatically. Rules relating to encryption, as well as other security procedures, can be defined and entered by an administrator with access to the server, and then disseminated to each of a plurality of clients that access the server.08-11-2011
20110197257ON DEVICE POLICY ENFORCEMENT TO SECURE OPEN PLATFORM VIA NETWORK AND OPEN NETWORK - Embodiments of the invention provide methods and systems for using policy enforcement for securing open devices and networks. The method includes accessing, by a policy enforcer, a plurality of policies configured to enforce network integrity and monitoring programs and/or services running on a device. The method further includes based on at least one of the plurality of policies, comparing the programs and/or services running on the device against the programs and/or services allowed by the at least one of the plurality of policies, and based on the comparison, determining that the device is running at least one program and/or service disallowed by the at least one policy. Further, the method includes in response, prohibiting access of the device to the network.08-11-2011
20110197255SOCIAL NETWORK PRIVACY BY MEANS OF EVOLVING ACCESS CONTROL - A method and software product for limiting privacy loss due to data shared in a social network, where the basic underlying assumptions are that users are interested in sharing data and cannot be assumed to consistently follow appropriate privacy policies. Social networks deploy an additional layer of server-assisted access control which, even with no action from a user, automatically evolves over time by restricting access to the user's data. The evolving access control mechanism provides non-trivial quantifiable guarantees for formally specified requirements of utility (i.e., users share as much data as possible with all other users) and privacy (i.e., users expose combinations of sensitive data only with low probability and over a long time).08-11-2011
20090210923Personal license server and methods for use thereof - A personal license server and methods for use thereof are disclosed. In one embodiment, a personal license server is provided comprising a memory and circuitry operative to receive a digital rights management (DRM) license from a license server, store the DRM license in the memory, and provide the DRM license to a personal license server client, wherein the personal license server client receives the DRM license without communicating with the license server. In another embodiment, a personal license server client is provided that receives, from a license requester, a request for a digital rights management (DRM) license from a license server; in response to the request, communicates with a personal license server instead of the license server to receive the DRM license; and provides the DRM license to the license requester. Other embodiments are provided, and each of these embodiments can be used alone or in combination with one another.08-20-2009
20130219452BUS MONITOR FOR ENHANCING SOC SYSTEM SECURITY AND REALIZATION METHOD THEREOF - The present invention discloses a bus monitor for enhancing SOC system security and a realization method thereof. The bus monitor, disposed between a system bus and a system control unit, includes a configuration unit, a condition judgment unit, an effective data selection unit, a hardware algorithm unit and a comparative output unit. Without affecting bus access efficiency, the present invention provides a method capable of monitoring bus behavior in real time; the detection system determines whether a particular serial bus-access behavior has been altered by an accidental fault or an intentional fault attack. If the behavior has been altered, the present invention warns the system to adopt a suitable security measure, preventing hidden security risks and leakage of classified information that would result from an incorrect system security process.08-22-2013
20100083347VERIFYING AND ENFORCING CERTIFICATE USE - A method, system, and computer usable program product for verifying and enforcing certificate use are provided in the illustrative embodiments. A certificate is received from a sender. The certificate is validated before communicating a message associated with the certificate to a receiver. If the certificate is invalid, a policy is selected based on a type of invalidity of the certificate. An action is taken to enforce the policy for using the certificate. The certificate may be received from the sender at a proxy. The validating may further include verifying the validity of the certificate using a certificate from a certificate database accessible to the proxy over a network. The proxy may copy a part of the certificate database to a second certificate database local to the proxy. The validating may further include verifying the validity of the certificate using a certificate revocation list accessible to the proxy over a network.04-01-2010
20090300704Presentity Rules for Location Authorization in a Communication System - A server, computer readable medium and method for accessing data related to a first user connected to a communication network that includes a server, the data being accessed by a second user connected to the communication network. The method includes receiving at the server instructions from the first user for generating authentication privileges for the second user to access the data of the first user, wherein the data includes at least one of location data related to a physical location of the first user, and presence data related to an availability of the first user to communicate with the second user; applying a single set of authentication rules to generate the authentication privileges for the second user for both the location data and the presence data; and storing the generated authentication privileges of the second user.12-03-2009
20100083346Information Scanning Across Multiple Devices - Provided are, among other things, systems, methods and techniques for scanning information across multiple different devices. In one representative system, remote data-processing devices are provided with scanning applications that repeatedly scan information on their respective data-processing devices to identify matching data units that satisfy a specified matching criterion, the specified matching criterion including required matches against a set of screening digests, and then transmit characteristic information regarding the matching data units; and a central processing facility receives the characteristic information from the remote data-processing devices and determines whether the corresponding matching data units satisfy a policy criterion.04-01-2010
20090282459ELECTRONIC DOCUMENT CONVERSION DEVICE AND ELECTRONIC DOCUMENT CONVERSION METHOD - Based on the security policy set in the original document and the security policy supported by the format of conversion destination, it is judged whether or not the security policy set in the original document is inheritable to the electronic document after format conversion. If it is judged that the security policy is inheritable, the security policy set in the original document is inherited to the electronic document after format conversion. If it is judged that the security policy is not inheritable, a process for inheriting the security policy set in the original document to the electronic document after format conversion is not performed.11-12-2009
20090165083METHOD AND APPARATUS FOR MANAGING POLICIES FOR TIME-BASED LICENSES ON MOBILE DEVICES - Methods and devices provide for creating, managing, modifying, and/or enforcing flexible digital rights management license policies for protecting games, media, data, or other software with a time-based license. Embodiments are especially directed toward situations in which a source of time is unavailable, untrustworthy, or unreliable. Licenses are defined by a small number of parameters. Parameter values may be defined by and included with protected content or applications. The parameter values may be chosen to define and enforce a desired level of compromise between usability and security characteristics.06-25-2009
20100100931TRANSACTION TOOL MANAGEMENT INTEGRATION WITH CHANGE MANAGEMENT - A change management system coordinates information of a transaction tool managed by a transaction tool management system. The system includes a receiver that receives, over a communications network, activity information and/or lifecycle event information for the transaction tool. The system also includes a storage that stores the received information. Additionally, the system includes a processor that manages a change in a status of the transaction tool based on the received information.04-22-2010
20100100930HOSTED VULNERABILITY MANAGEMENT FOR WIRELESS DEVICES - A method, a multi-tenant security server apparatus and associated system for securing wireless communication of devices. The method includes transferring security policy configuration information from the security server to wireless devices. The method also includes ascertaining compliance of wireless activity of the wireless devices with the security policy configuration using client software modules installed on the wireless devices.04-22-2010
20100100929APPARATUS AND METHOD FOR SECURITY MANAGING OF INFORMATION TERMINAL - Provided is an apparatus and a method for security management of an information terminal. The provided apparatus classifies a plurality of information providing means into a plurality of domains, each including at least one information providing means, and when a user process accesses any one domain and then attempts to access another domain, controls the access to that other domain by verifying whether or not the access of the user process to that domain is allowed. According to the provided apparatus, security threats are monitored for each domain which an execution process accesses, simply by constructing domain classification information for the entire system without specifically establishing a security policy for each information providing device, so that the terminal can be protected from a multi-domain access process carrying high security risk. Accordingly, security of the terminal against various security threats is increased.04-22-2010
20090125974Method and system for enforcing trusted computing policies in a hypervisor security module architecture - A method and system for enforcing trusted computing (TC) policies in a security module architecture for a hypervisor. Upon receiving a request from a subject for access to an object, TC-related attribute values are obtained for the subject and the object based on a virtualized trusted platform module (vTPM). Access control decisions are then made based at least on the TC-related attribute values and TC-related policies.05-14-2009
20110173674METHOD AND SYSTEM FOR PROVIDING LOCATION OF TARGET DEVICE USING STATELESS USER INFORMATION - A method of providing a location of a target device to an application implementing a location based service includes receiving a request for a location of the target device from the application at a location server, the request including a location reference having a user reference referring to user information corresponding to the target device and stored in at least one data source. The method further includes retrieving the user information from the at least one data source using the user reference, determining the location of the target device based at least in part on the retrieved user information, and providing the determined location of the target device to the application.07-14-2011
20090187966NEAR REAL-TIME MULTI-PARTY TASK AUTHORIZATION ACCESS CONTROL - A method and apparatus are used in determining authorization to perform tasks in a computer environment, and specifically requiring multiple parties to authorize a task before access is granted. The present system provides for substantially real time communication to a second party authorizer when a task owner is attempting to perform a task.07-23-2009
20090187967ENHANCEMENTS TO DATA-DRIVEN MEDIA MANAGEMENT WITHIN AN ELECTRONIC DEVICE - A centralized resource manager manages the routing of audio or visual information within a device, including a handheld device such as a smartphone. The resource manager evaluates data-driven policies to determine how to route audio or visual information to or from various input or output components connected to the device, including headphones, built-in speakers, microphones, bluetooth headsets, cameras, and so on. Among the data considered in the policies are connection status data, indicating if a device is connected, routing status data, indicating if a device is permitted to route information to or from a component, and grouping data, indicating logical relationships between various components. Components may be considered inherently routable, automatically routable, or optionally routable. Numerous other uses exist for such data, including providing simpler and more logical management interfaces.07-23-2009
20120233656Methods, Systems and Devices for the Detection and Prevention of Malware Within a Network - Methods, systems and devices examine data flows in a communication system control network for known malware threats and suspicious properties typically associated with malware threats. A policy management system inside the control network accesses a user repository and a charging network, and performs pattern matching and/or observed behavior detection methods to determine if the data flows carry content (e.g., malware) that poses a security risk to network or wireless devices. The policy management system generates policy rules based on user preferences and risk-level. The policy management system sends the generated policy rules to a gateway/PCEF, which blocks the data flows, allows the data flows, or restricts the data flow based on the policy rules.09-13-2012
20090178112LEVEL OF SERVICE DESCRIPTORS - An apparatus can include a client having a card selector, a query generator, and a transmitter. The card selector can allow a user to select an information card based on a security policy. The card selector can also provide a security token in response to the selected information card. The query generator can generate a query based on the selected information card, wherein the query pertains to information about features that are available on a relying party based on the security token and independent of a user's identity. The transmitter can transmit the generated query and the security token to an endpoint on the relying party.07-09-2009
20090276828METHOD OF NEGOTIATING SECURITY PARAMETERS AND AUTHENTICATING USERS INTERCONNECTED TO A NETWORK - A method for authenticating and negotiating security parameters among two or more network devices is disclosed. The method has a plurality of modes, each consisting of a plurality of messages exchanged between the two or more network devices. In a main mode, the two or more network devices establish a secure channel and select security parameters to be used during a quick mode and a user mode. In the quick mode, the two or more network devices derive a set of keys to secure data sent according to a security protocol. The optional user mode provides a means of authenticating one or more users associated with the two or more network devices. A portion of the quick mode is conducted during the main mode, thereby minimizing the number of messages that need to be exchanged between the initiating and responding devices.11-05-2009
20090276826IMAGE FORMING APPARATUS, METHOD, AND COMPUTER-READABLE RECORDING MEDIUM FOR ACCESS CONTROL - There is disclosed an image forming apparatus to which one or more programs can be added. The image forming apparatus includes a managing part configured to manage access authorization information set for each of groups into which the programs are categorized, a displaying part configured to display a setting screen in which access authorization setting information is set in correspondence with each of the programs, a changing part configured to change a range of access authorization granted to the programs according to access authorization change information, the access authorization change information including definitions of change information corresponding to the access authorization setting information set in the setting screen, and a determining part configured to determine whether the access authorization can be granted to the programs.11-05-2009
20090288134System and Method for Providing Access to a Network Using Flexible Session Rights - A flexible rule engine allows a network operator to dynamically create and modify business rules that govern a subscriber's access to a communications network. The flexible rule engine governs subscriber transitions between various session states by testing for subscriber conditions, network conditions, and then performing specified actions based on these conditions. A rule editor provides the network operator with the ability to compose, edit and delete one or more rules in real time, using an appropriate user interface.11-19-2009
20100138897POLICY-BASED SELECTION OF REMEDIATION - A method of automatically determining one or more remediations for a device that includes a processor may include: receiving values of a plurality of parameters which collectively characterize an operational state of the device, there being at least one policy associated with at least a given one of the plurality of parameters, each policy defining as a condition thereof one or more potential values of, or based upon, the given parameter, satisfaction of the condition potentially being indicative of unauthorized activity or manipulation of the device; automatically determining, from the received parameter values, whether the conditions of the respective policies are satisfied; and automatically selecting one or more remediations for the device according to the satisfied policies.06-03-2010
20100088741METHOD FOR DEFINING A SET OF RULES FOR A PACKET FORWARDING DEVICE - There are methods and apparatus, including computer program products, for defining a policy including a set of rules for a packet forwarding device by receiving information sufficient to enable a first rule related to one of security or traffic management to be defined, and based on the received information, enabling a corresponding second rule related to the other one of security or traffic management to be defined.04-08-2010
20120297444SYSTEM AND METHOD FOR ENSURING COMPLIANCE WITH ORGANIZATIONAL POLICIES - A method for ensuring compliance with organizational policies is described herein. The method can include the step of monitoring one or more parameters of a managed computing device for compliance with one or more policies of an organization in which the organizational policies may include limitations on the managed computing device. The method can also include the step of detecting a non-conformance event at the managed computing device with respect to at least one organizational policy. In response to the detection of the non-conformance event, the operation of the managed computing device may be restricted with respect to features or data associated with the organization.11-22-2012
20080209503METHOD AND SYSTEM FOR MANAGING LICENSE OBJECTS TO APPLICATIONS IN AN APPLICATION PLATFORM - Systems and methods are provided for managing license objects to applications in an application platform database system. The method includes associating a license manager application (LMA) with an application installed on the application platform by a developer, notifying the license manager on which the LMA is installed of the installation of the application on the application platform, and managing subscriber access to the application using the LMA.08-28-2008
20080209501System and method for implementing mandatory access control in a computer, and applications thereof - Provided are systems and methods for implementing mandatory access control in a computer, and applications thereof. An embodiment provides a security policy generator that generates security policies for one or more machines of a network based on a single set of enterprise configuration parameters. This single set of enterprise configuration parameters comprises relatively few lines of text compared to a typical security policy file. The present invention makes it possible to easily configure, change, and adapt mandatory access control security policies to enforce application-specific security goals across many networked systems to create a single, distributed, secure enterprise. With the present invention, a network administrator, for example, can set familiar network and file configuration options that automatically result in security changes without requiring extensive knowledge of the operating system kernel or how to develop a mandatory access control security policy.08-28-2008
20080209507MOBILE AUTHORIZATION USING POLICY BASED ACCESS CONTROL - An authorization engine is provided in a remote device for mobile authorization using policy based access control. To ensure that remote devices can enforce consistent authorization policies even when the devices are not connected to the server, the remote device downloads the relevant authorization policies when the business objects are downloaded and enforces the policies when operations are invoked. The memory footprint of downloadable authorization policies is reduced to fit onto a resource-constrained remote device. A policy evaluation engine interprets and enforces the downloaded policies on the remote device using only the limited computational resources of the remote device.08-28-2008
20090113514Cascading Policy Management Deployment Architecture - Systems and methods are provided to implement a dynamic and efficient cascading policy management framework architecture for both wired and wireless networks. A plurality of Policy Functions (PFs) are assigned to a plurality of Policy Enforcement Points (PEP). The PFs make decisions regarding local policy control at the specific PEP. The PFs then delegate the policy requests or IP flows to a separate PEP that is more conducive to enforcing that policy request. Thus, policy decisions are made at the point where the most information is available, leading to fewer policy requests traversing back and forth across a network. Additionally, this cascading Policy Management Framework Architecture allows for unified policy management across multiple types of networks, including wired (Internet) and wireless (UMTS).04-30-2009
20090113515ALLOCATION OF ON-LINE MONITORING RESOURCES - Methods, apparatuses, and techniques for adjusting the level of monitoring of user activity in an online community are described. Aspects include a triggering mechanism that is activated by a community member in response to inappropriate activity by another community member; receiving a time-based history of community members' activity around the time the triggering mechanism was activated; recreating the community activity from the time-based history; evaluating the activities of the community members to determine whether there was inappropriate activity; and, if there was inappropriate activity by an offending community member, applying online resources to track the activities of the offending community member.04-30-2009
20090276827Method and Apparatus for Network Access Control (NAC) in Roaming Services - The present invention discloses a method and apparatus for network access control (NAC) in roaming services. In embodiments of the present invention, roaming quarantine access policies and roaming secure access policies are defined on access devices to control access of roaming terminals, instead of defining unified access policies on network-wide access devices. Embodiments of the present invention allow each branch network to enforce and update access policies as needed without restrictions of network identification and adaptation, making it easier to implement NAC on a distributed network, and improving NAC development. Embodiments of the present invention provide widely applicable, easy-to-implement NAC solutions for roaming.11-05-2009
20090276824TECHNIQUE FOR EFFICIENTLY EVALUATING A SECURITY POLICY - One embodiment of the present invention provides a system for efficiently evaluating a security policy. During operation, the system retrieves one or more roles associated with the user. Next, the system checks if a session-level cache exists for the set of Access Control Entries (ACEs) associated with the one or more roles. If this session-level cache exists, the system returns the set of ACEs from the session-level cache. Otherwise, the system generates the set of ACEs associated with the one or more roles from an Access Control List (ACL). During operation, the system can also update the one or more roles associated with the user and update the set of ACEs based on the updated roles and the ACL. The system subsequently updates the session-level cache with the updated set of ACEs and the updated roles.11-05-2009
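The role-to-ACE derivation with a session-level cache described in 20090276824, written out as an added example (this is not the patent's code): the cache is served only when it was built for the session's current role set, so a role change invalidates it even if the caller forgets to go through the update path. The ACL layout, the `Session`/`PolicyEvaluator` names and the sample ACL are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple

# An ACE grants one (resource, action) pair; roles map to sets of ACEs.
# This layout is an assumption of the example, not taken from the patent.
ACE = Tuple[str, str]

# Constructed ACL used as sample input.
ACL: Dict[str, Set[ACE]] = {
    "viewer": {("report", "read")},
    "editor": {("report", "read"), ("report", "write")},
    "admin":  {("report", "delete"), ("users", "write")},
}


@dataclass
class Session:
    user: str
    roles: FrozenSet[str]
    cached_aces: Optional[FrozenSet[ACE]] = None    # None: no cache yet
    cached_roles: Optional[FrozenSet[str]] = None   # roles the cache was built for


class PolicyEvaluator:
    def __init__(self, acl: Dict[str, Set[ACE]]):
        self.acl = acl
        self.acl_walks = 0   # how many times the full ACL was consulted

    def _generate_aces(self, roles: FrozenSet[str]) -> FrozenSet[ACE]:
        """Slow path: derive the ACE set for a role set from the ACL."""
        self.acl_walks += 1
        aces: Set[ACE] = set()
        for role in roles:
            aces |= self.acl.get(role, set())
        return frozenset(aces)

    def aces_for(self, session: Session) -> FrozenSet[ACE]:
        """Return the session's ACEs, serving from the session-level cache
        only when the cache was built for the session's current roles."""
        if session.cached_aces is not None and session.cached_roles == session.roles:
            return session.cached_aces
        aces = self._generate_aces(session.roles)
        session.cached_aces, session.cached_roles = aces, session.roles
        return aces

    def is_allowed(self, session: Session, resource: str, action: str) -> bool:
        return (resource, action) in self.aces_for(session)

    def update_roles(self, session: Session, new_roles: Iterable[str]) -> None:
        """Role change: update the roles and refresh the cache in one step,
        so a later check never sees ACEs of roles the user no longer holds."""
        session.roles = frozenset(new_roles)
        session.cached_aces = self._generate_aces(session.roles)
        session.cached_roles = session.roles


def demo() -> Tuple[bool, bool, bool, bool, int]:
    """Walk through hit, miss, role update and a stale-cache case."""
    ev = PolicyEvaluator(ACL)
    s = Session("alice", frozenset({"viewer"}))
    r1 = ev.is_allowed(s, "report", "read")       # True, ACL walked once
    r2 = ev.is_allowed(s, "report", "write")      # False, served from cache
    ev.update_roles(s, {"viewer", "editor"})      # second ACL walk
    r3 = ev.is_allowed(s, "report", "write")      # True, from the refreshed cache
    s.roles = frozenset({"viewer"})               # revoke without update_roles()
    r4 = ev.is_allowed(s, "report", "write")      # False: stale cache detected, third walk
    return r1, r2, r3, r4, ev.acl_walks
```

The point of keying the cache on the role set rather than on a timestamp is the last step of `demo()`: a revocation that bypasses `update_roles()` still cannot be served from the stale ACE set, which is the failure mode a cached authorization path has to guard against.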
20090276825SHARING MANAGEMENT SYSTEM, SHARING MANAGEMENT METHOD AND PROGRAM - In a policy-change input unit (11-05-2009
20090276823METHOD AND APPARATUS FOR MODIFYING A COLOR OF AN ELECTRONIC HOUSING - A method and apparatus for modifying a color of an electronics housing (11-05-2009
20090282460System and Method for Transferring Information Through a Trusted Network - A networking method includes receiving a first data packet from a computing node at a middleware process of a first computing system, adding, by the middleware process, a Common Internet Protocol Security Option (CIPSO) label to the data packet to form a modified packet, and transmitting, by a separation kernel, the modified packet to a second computing system. The first computing system includes an embedded operating system, and the computing node is coupled to the first computing system. The second computing system includes a CIPSO compliant operating system.11-12-2009
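What "adding a CIPSO label to the data packet" in 20090282460 amounts to on the wire, as an added example (not the patent's or any vendor's code): build a CIPSO IPv4 option (option type 134) carrying a DOI, a sensitivity level and a bit-mapped category set (tag type 1), splice it into an option-less IPv4 header with correct IHL, total length and checksum, and read it back the way a CIPSO-aware receiver would. The tag-type-1 layout follows the CIPSO draft as implemented by Linux NetLabel; the DOI value, labels and sample packet are constructed, and the splice assumes the header has no pre-existing options.

```python
import socket
import struct
from typing import Iterable, Optional, Set, Tuple

CIPSO_OPT_TYPE = 134    # IPv4 option type reserved for CIPSO
CIPSO_TAG_BITMAP = 1    # tag type 1: sensitivity level + bit-mapped categories
MAX_OPT_LEN = 40        # IPv4 options area cannot exceed 40 bytes


def build_cipso_option(doi: int, level: int, categories: Iterable[int]) -> bytes:
    """Return the raw option: type, length, 32-bit DOI, one tag-type-1 tag
    (tag type, tag length, alignment octet, level, category bitmap)."""
    cats = sorted(set(categories))
    if not 0 <= level <= 255:
        raise ValueError("sensitivity level must fit in one octet")
    nbytes = (cats[-1] // 8) + 1 if cats else 0
    if nbytes > 30:
        raise ValueError("tag type 1 carries at most 240 categories")
    bitmap = bytearray(nbytes)
    for c in cats:
        bitmap[c // 8] |= 0x80 >> (c % 8)   # category 0 is the MSB of byte 0
    tag = struct.pack("!BBBB", CIPSO_TAG_BITMAP, 4 + nbytes, 0, level) + bytes(bitmap)
    opt = struct.pack("!BBI", CIPSO_OPT_TYPE, 6 + len(tag), doi) + tag
    if len(opt) > MAX_OPT_LEN:
        raise ValueError("option too long")
    return opt


def parse_cipso_option(opt: bytes) -> Tuple[int, int, Set[int]]:
    """Inverse of build_cipso_option; rejects malformed lengths."""
    if len(opt) < 10 or opt[0] != CIPSO_OPT_TYPE or opt[1] != len(opt):
        raise ValueError("not a well-formed CIPSO option")
    doi = struct.unpack("!I", opt[2:6])[0]
    tag_type, tag_len, _align, level = struct.unpack("!BBBB", opt[6:10])
    if tag_type != CIPSO_TAG_BITMAP or not 4 <= tag_len <= 34 or tag_len != len(opt) - 6:
        raise ValueError("unsupported or malformed tag")
    bitmap = opt[10:6 + tag_len]
    cats = {i for i in range(len(bitmap) * 8) if bitmap[i // 8] & (0x80 >> (i % 8))}
    return doi, level, cats


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement header checksum (0 when verifying a good header)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Constructed option-less IPv4 packet used as sample input."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                                0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def add_cipso_to_ipv4(packet: bytes, opt: bytes) -> bytes:
    """Insert the option after the fixed header, pad to a 32-bit boundary,
    fix IHL, total length and checksum.  Assumes no pre-existing options."""
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < 20 or ihl != 20:
        raise ValueError("example expects a 20-byte header without options")
    options = opt + b"\x00" * ((-len(opt)) % 4)    # EOL/zero padding
    if len(options) > MAX_OPT_LEN:
        raise ValueError("options area overflow")
    hdr = bytearray(packet[:20])
    hdr[0] = (hdr[0] & 0xF0) | ((20 + len(options)) // 4)
    hdr[2:4] = struct.pack("!H", len(packet) + len(options))
    hdr[10:12] = b"\x00\x00"
    hdr += options
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def extract_cipso(packet: bytes) -> Optional[bytes]:
    """Walk the options area the way a CIPSO-aware receiver does."""
    ihl = (packet[0] & 0x0F) * 4
    i = 20
    while i < ihl:
        kind = packet[i]
        if kind == 0:                  # EOL
            break
        if kind == 1:                  # NOP
            i += 1
            continue
        length = packet[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("malformed option list")
        if kind == CIPSO_OPT_TYPE:
            return packet[i:i + length]
        i += length
    return None
```

The label is only as trustworthy as the path it travels: anything between the labelling middleware and the CIPSO-compliant receiver that can rewrite IP options can relabel the packet, which is why the patent places the labelling behind a separation kernel rather than in the application.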
20090119745SYSTEM AND METHOD FOR PREVENTING PRIVATE INFORMATION FROM LEAKING OUT THROUGH ACCESS CONTEXT ANALYSIS IN PERSONAL MOBILE TERMINAL - A system for preventing private information from leaking out through access context analysis in a personal mobile terminal includes a private information manager that receives a private information leakage prevention policy, divides the policy into a plurality of private information leakage prevention rules, and transmits the plurality of rules to individual modules, respectively; a context analyzer that performs access context information analysis to obtain context information, when detecting a packet corresponding to a first rule, and transmits the context information; a packet analyzer that receives the context information, monitors packets transmitted to the outside through packet analysis, and transmits filtering information when detecting a packet corresponding to a second rule; and a private information leakage preventing unit that receives the filtering information and determines whether to allow or drop a packet corresponding to a third rule.05-07-2009
20090119743Method and system for generic real time management of devices on computers connected to a network - A method and system for enterprise device management allows the administrator to set a policy of forbidden devices, monitor devices used in the organization, provide alerts and notifications in case an unknown device is connected to a computer, and monitor or block connections of devices which do not comply with the security policy. A method for device management in a computer system comprises detecting connection of a device to the computer system and determining a reaction to perform in response to the connection of the device to the computer system based on parameters related to the device and on device management rules.05-07-2009
20090119742Methods for authenticating and authorizing a mobile device using tunneled extensible authentication protocol - Methods for authenticating and authorizing a mobile device using tunneled extensible authentication protocol are provided. The methods include evaluating an inner user identifier against a policy engine to determine a home AAA server to which to route an access request for inner user authentication. Instead of having a static route configured based on an outer identifier/roaming identity, the policy engine can have multiple rules and actions for routing the request. The evaluation can be based on the conditions of the inner user identifier and/or other AAA attributes received in the request. The request is transmitted within a secure communication tunnel. There are several embodiments of evaluating an inner user identifier against a policy engine.05-07-2009
20090119741METHOD AND SYSTEM FOR PROVIDING WIRELESS VULNERABILITY MANAGEMENT FOR LOCAL AREA COMPUTER NETWORKS - A Software-as-a-Service (SaaS) based method for providing wireless vulnerability management for local area computer networks. The method includes providing a security server being hosted by a service provider entity to provide analysis of data associated with wireless vulnerability management for a plurality of local area computer networks of a plurality of customer entities, respectively. The method includes creating a workspace for wireless vulnerability management for a customer entity on the security server and receiving configuration information associated with the workspace. The method also includes supplying one or more sniffers to the customer entity. The method includes receiving at the security server information associated with wireless activity monitored by the one or more sniffers at premises of the customer entity and processing the received information within the workspace for the customer entity using the security server. The method includes metering usage of the workspace for wireless vulnerability management for the customer entity.05-07-2009
20090293101INTEROPERABLE RIGHTS MANAGEMENT - Techniques for interoperable rights management are provided. Content is packaged with declarations defining access rights. The packaged content is delivered to a target resource in accordance with a distribution policy. When the content is accessed the access rights are enforced against the target resource within the target environment in accordance with a local access policy.11-26-2009
20090293100APPARATUS AND METHOD FOR CHECKING PC SECURITY - Provided are an apparatus and method for checking Personal Computer (PC) security. The apparatus includes a check module for checking a security configuration of a PC on the basis of a check policy received from a security check server and outputting check results, and a control module for changing the security configuration of the PC on the basis of a control policy received from the security check server and the check results received from the check module. According to the apparatus, a security check agent installed in each PC performs security check and changes a security configuration according to a control policy, such that the security configurations of PCs in a network can be managed collectively.11-26-2009
20090254970MULTI-TIER SECURITY EVENT CORRELATION AND MITIGATION - The present invention is directed to the use of a multi-tiered security architecture that includes vendor-operated global security services and policy servers able to exchange security events and mitigation measures.10-08-2009
20090119747PEER-TO-PEER NETWORK - In order to provide security within a peer-to-peer network (05-07-2009
20090119746GLOBAL POLICY APPARATUS AND RELATED METHODS - A method of implementing requirements applicable to systems of an enterprise includes modeling the requirements as contents of policies applicable to target domains of the enterprise. The policy contents are integrated into a policy model. The policy model is adapted to obtain representations of domain-specific requirements corresponding to target systems in the target domains. The representations are integrated with the corresponding target systems to implement the domain-specific requirements.05-07-2009
20080276297System And Method For Intrusion Prevention In A Communications Network - A method and system for monitoring UDP communications and for preventing unauthorized UDP communications within a computer network. A method for managing access to a resource comprises assigning a unique user identifier to each authorized user; upon initiation of a UDP communication by a specific authorized user for access to a specific resource, appending the unique user identifier of the specific authorized user to each UDP packet of the UDP communication; intercepting the plurality of UDP packets within the computer network; extracting the unique user identifier from each UDP packet to identify the specific authorized user associated with the respective UDP packet; and allowing each respective UDP packet to reach the specific resource as a function of the unique user identifier extracted from the respective UDP packet.11-06-2008
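The append-intercept-extract-decide loop of 20080276297 as an added example (not the patent's code): the sender appends a fixed-size trailer carrying the user identifier to each UDP payload, and an in-network interceptor extracts it, consults a per-resource authorization table and strips the trailer before forwarding. The trailer layout, the `UIDT` marker, the resource table and the sample datagrams are all constructed for this example.

```python
import struct
from typing import Dict, List, Optional, Set, Tuple

# Trailer appended to every datagram of an authorized user's UDP session.
# The marker and the 32-bit identifier layout are constructed for this example.
TRAILER_MAGIC = b"UIDT"
TRAILER_FMT = "!4sI"
TRAILER_LEN = struct.calcsize(TRAILER_FMT)   # 8 bytes

Resource = Tuple[str, int]   # (destination address, destination port)

# Constructed authorization table: which user identifiers may reach which resource.
RESOURCE_ACL: Dict[Resource, Set[int]] = {
    ("10.0.0.5", 53): {1001, 1002},
    ("10.0.0.9", 514): {1002},
}


def append_user_id(payload: bytes, user_id: int) -> bytes:
    """Sender side: tag the datagram with the user's unique identifier."""
    return payload + struct.pack(TRAILER_FMT, TRAILER_MAGIC, user_id)


def extract_user_id(datagram: bytes) -> Tuple[bytes, Optional[int]]:
    """Interceptor side: split into (original payload, user id); the id is
    None when the datagram carries no recognisable trailer."""
    if len(datagram) < TRAILER_LEN:
        return datagram, None
    magic, uid = struct.unpack(TRAILER_FMT, datagram[-TRAILER_LEN:])
    if magic != TRAILER_MAGIC:
        return datagram, None
    return datagram[:-TRAILER_LEN], uid


def filter_datagram(dst: Resource, datagram: bytes,
                    acl: Dict[Resource, Set[int]] = RESOURCE_ACL) -> Tuple[bool, Optional[bytes]]:
    """Admit the datagram only if its identifier is authorised for the
    destination resource, and strip the trailer so the resource sees the
    original payload.  Untagged datagrams and unknown resources are denied."""
    payload, uid = extract_user_id(datagram)
    if uid is None or uid not in acl.get(dst, set()):
        return False, None
    return True, payload


def simulate() -> List[Tuple[str, bool]]:
    """Run a few constructed datagrams through the interceptor."""
    cases = [
        ("dns-by-1001", ("10.0.0.5", 53), append_user_id(b"\x12\x34\x01\x00", 1001)),
        ("syslog-by-1001", ("10.0.0.9", 514), append_user_id(b"<13>probe", 1001)),
        ("syslog-by-1002", ("10.0.0.9", 514), append_user_id(b"<13>ok", 1002)),
        ("untagged", ("10.0.0.5", 53), b"\x12\x34\x01\x00"),
        ("unknown-resource", ("10.0.0.7", 161), append_user_id(b"snmp", 1002)),
    ]
    return [(name, filter_datagram(dst, dg)[0]) for name, dst, dg in cases]
```

Two caveats a deployment has to settle that the abstract leaves open: a bare identifier in the payload is a claim, not a credential, so anything on the sender's host can put another user's identifier in the trailer unless the interceptor can bind it (for instance with a per-user keyed MAC over the datagram); and a payload that happens to end with the marker bytes would be misparsed, so the marker must either be unambiguous by construction or be replaced by out-of-band framing.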
20080276295NETWORK SECURITY SCANNER FOR ENTERPRISE PROTECTION - A method of monitoring levels of security conformity and preparedness of a plurality of network-connected computing machines obtains a report by remotely scanning the machines in segments. The machines might already be connected to commercial security software and a patch dispenser. The report includes definition dates and any files quarantined by the commercial security software, whether patch-management-software communication is present, and the patches received. The method uses the report and software (not installed on the scanned machines) to produce a Network Security Scanner for Enterprise Protection output to perform a security-preparedness audit of the scanned machines. The audit non-intrusively ascertains whether the scanned machines conform to user-defined fields and policies, and assists in selective security updating of the machines. The scanning, unrecognized by the scanned machines, may be configured to suit their OS and done periodically as desired. A computer readable medium executing the method is included.11-06-2008
20120297443SYSTEM AND METHOD FOR APPLICATION PROGRAM OPERATION ON A WIRELESS DEVICE - Embodiments described herein address mobile devices with non-secure operating systems that do not provide a sufficient security framework. More particularly, the embodiments described herein provide a set of applications to the device for providing security features to the non-secure operating system.11-22-2012
20120297441METHOD AND APPARATUS FOR PROVIDING END-TO-END PRIVACY FOR DISTRIBUTED COMPUTATIONS - An approach is provided for providing end-to-end privacy in multi-level distributed computations. A distributed computation privacy platform determines one or more privacy policies associated with at least one level of a computational environment. The distributed computation privacy platform also determines one or more computation closures associated with the at least one level of the computational environment. The distributed computation privacy platform further processes and/or facilitates a processing of the one or more privacy policies and the one or more computation closures to cause, at least in part, an enforcement of the one or more privacy policies.11-22-2012
20110209195FLEXIBLE SECURITY BOUNDARIES IN AN ENTERPRISE NETWORK - A system and method are provided to monitor and prevent potential enterprise policy and/or rule violations by subscribers.08-25-2011
20110209193SECURE, POLICY-BASED COMMUNICATIONS SECURITY AND FILE SHARING ACROSS MIXED MEDIA, MIXED-COMMUNICATIONS MODALITIES AND EXTENSIBLE TO CLOUD COMPUTING SUCH AS SOA - A system and method are provided to monitor and prevent potential enterprise policy and/or rule violations by subscribers.08-25-2011
20080216150Offload Processing for Secure Data Transfer - Improvements in security processing are disclosed which enable security processing to be transparent to the application. Security processing (such as Secure Sockets Layer, or “SSL”, or Transport Layer Security, or “TLS”) is performed in (or controlled by) the stack. A decision to enable security processing on a connection can be based on configuration data or security policy, and can also be controlled using explicit enablement directives. Directives may also be provided for allowing applications to communicate with the security processing in the stack for other purposes. Functions within the protocol stack that need access to clear text can now be supported without loss of security processing capability. No modifications to application code, or in some cases only minor modifications (such as inclusion of code to invoke directives), are required to provide this security processing. Improved offloading of security processing is also disclosed, which provides processing efficiencies over prior art offloading techniques. Offload components can be controlled from the kernel, an SSL layer or an application.09-04-2008
20080216148Systems and methods for policy-based service management - Systems and methods for policy-based service management are provided. An exemplary system includes a rule definition interface module configured to receive a plurality of rule definitions and a separate policy management interface module configured to allow a user to define a rule instance from an existing rule definition and to define a policy instance based on the defined rule instance. A policy may be simply expressed via the policy management interface as "perform the following set of actions if all of the following rule instances are true unless any of the following rule instances are true." Additionally, policies may be associated with a context at a specific level in a context hierarchy having multiple levels. The policy may therefore inherit rules from contexts at a higher level in the hierarchy.09-04-2008
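The "all of these, unless any of those" policy shape and the context hierarchy from 20080216148, written out as an added example (not the patent's code). Rule definitions are parameterised predicates, rule instances bind the parameters, a policy combines required and blocking instances with a list of actions, and a context inherits every policy of its ancestors. The rule definitions, the enterprise/finance contexts and the event fields are constructed assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple

Event = Dict[str, Any]

# Rule definitions: parameterised predicates over an event (constructed).
RULE_DEFINITIONS: Dict[str, Callable[..., bool]] = {
    "failed_logins_at_least": lambda ev, n: ev.get("failed_logins", 0) >= n,
    "source_in_prefix": lambda ev, prefix: str(ev.get("src", "")).startswith(prefix),
    "user_in_group": lambda ev, group: group in ev.get("groups", ()),
}


@dataclass(frozen=True)
class RuleInstance:
    """A rule definition with its parameters bound."""
    definition: str
    params: Tuple[Any, ...] = ()

    def evaluate(self, event: Event) -> bool:
        return bool(RULE_DEFINITIONS[self.definition](event, *self.params))


@dataclass
class Policy:
    """Perform `actions` if all of `require_all` are true unless any of
    `unless_any` is true.  Note: an empty `require_all` matches every event."""
    name: str
    actions: List[str]
    require_all: List[RuleInstance] = field(default_factory=list)
    unless_any: List[RuleInstance] = field(default_factory=list)

    def applies(self, event: Event) -> bool:
        if not all(r.evaluate(event) for r in self.require_all):
            return False
        return not any(r.evaluate(event) for r in self.unless_any)


@dataclass
class Context:
    """Node in the context hierarchy; inherits its ancestors' policies."""
    name: str
    parent: Optional["Context"] = None
    policies: List[Policy] = field(default_factory=list)

    def effective_policies(self) -> List[Policy]:
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        # root first, so inherited policies run before the context's own
        return [p for ctx in reversed(chain) for p in ctx.policies]


def decide(context: Context, event: Event) -> List[str]:
    """Actions to perform for `event` when evaluated in `context`."""
    actions: List[str] = []
    for policy in context.effective_policies():
        if policy.applies(event):
            actions.extend(policy.actions)
    return actions


def build_example_hierarchy() -> Tuple[Context, Context]:
    """Constructed two-level hierarchy: enterprise -> finance."""
    enterprise = Context("enterprise")
    enterprise.policies.append(Policy(
        "lockout", ["lock_account", "alert_soc"],
        require_all=[RuleInstance("failed_logins_at_least", (5,))],
        unless_any=[RuleInstance("source_in_prefix", ("10.0.",))],   # exempt the trusted LAN
    ))
    finance = Context("finance", parent=enterprise)
    finance.policies.append(Policy(
        "finance_mfa", ["require_mfa"],
        require_all=[RuleInstance("user_in_group", ("finance",))],
    ))
    return enterprise, finance
```

The `unless_any` list is where exemptions live, and exemptions are also where such engines are usually bypassed: in the constructed hierarchy a source address prefix suppresses the lockout, so whoever can spoof or proxy from that prefix is exempt from it. Keep blocking instances as specific as the requiring ones.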
20080216149Digital Authentication with Analog Documents - Security of photographic identification documents is enhanced by embedding within the photographic image encoded information that may be correlated to other information pertaining to the individual represented by the image, such other information being, for example, printed on the document adjacent to the photograph.09-04-2008
20100132010IMPLEMENTING POLICIES IN RESPONSE TO PHYSICAL SITUATIONS - A method and apparatus is described to implement policies associated with physical situations (e.g., supply of power, occurrence of a fire, etc.). The method may comprise accessing sensor data captured by a sensor monitoring a physical situation to identify at least one activity occurring during the physical situation. A policy database including a plurality of policies may be accessed to identify at least two lower-level policies associated with the physical situation. Further, the policy database may be accessed to identify at least one higher-level policy associated with the physical situation. The higher-level policy may control implementation of the at least two lower-level policies.05-27-2010
20090083827SYSTEM AND METHOD FOR CIRCUMVENTING INSTANT MESSAGING DO-NOT-DISTURB - A system and method for circumventing a do-not-disturb status of an instant messaging user including defining a policy of circumvention rights for circumventing do-not-disturb status in instant messaging. A do-not-disturb status of an instant messaging user is identified, and the do-not-disturb status of the instant messaging user is circumvented based upon the policy of circumvention rights.03-26-2009
20110202968METHOD AND APPARATUS FOR PREVENTING UNAUTHORIZED USE OF MEDIA ITEMS - An approach is provided for preventing unauthorized use of media items. One or more features associated with a user are identified in one or more media items. It is determined whether the identified features are registered with a privacy service. One or more privacy rules are applied on the media items based on the determination.08-18-2011
20120297445Method of Managing Asset Associated with Work Order or Element Associated with Asset, and System and Computer Program for the Same - A method, system and computer program for managing an access right to at least one asset associated with at least one digital work order, or to at least one element associated with the asset. The method includes the steps of: loading a security policy associated with the work order, the asset, or the element; starting to monitor location information of the asset or the element and of a moving object, or an elapsed time of the moving object at the location; and issuing an event for managing the asset, the element or the moving object in response to the start of the work order, or in response to the loaded security policy being violated by any of the locations, a change in the location, or the elapsed time at the location obtained by the monitoring.11-22-2012
20100005505METHOD OF DYNAMICALLY UPDATING NETWORK SECURITY POLICY RULES WHEN NEW NETWORK RESOURCES ARE PROVISIONED IN A SERVICE LANDSCAPE - A computer-implemented method is provided for updating network security policy rules when network resources are provisioned in a service landscape instance. The method includes categorizing network resources in a service landscape instance based on a service landscape model. The method further includes responding to the provisioning of a network resource by automatically generating one or more security policy rules for a newly-provisioned network resource. Additionally, the method includes updating security policy rules of pre-existing network resources in the service landscape instance that are determined to be eligible to communicate with the newly-provisioned network resource so as to include the newly-provisioned network resource as a remote resource based on the service landscape model.01-07-2010
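The provisioning-time rule update from 20100005505 as an added example (not the patent's code): resources carry a category from the landscape model, the model says which category pairs are eligible to communicate and on which port, a newly provisioned resource receives its own rules, and every existing resource eligible to talk to it has its rules extended to name the new resource as a remote peer. The model, the rule shape and the resource names are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed landscape model: (client category, server category) -> service port.
# Any pair not listed is not eligible to communicate, so no rule is generated.
LANDSCAPE_MODEL: Dict[Tuple[str, str], int] = {
    ("web", "app"): 8443,
    ("app", "db"): 5432,
    ("monitor", "app"): 9100,
    ("monitor", "db"): 9100,
}


@dataclass(frozen=True)
class Rule:
    """One security policy rule held by a resource (constructed shape)."""
    local: str
    remote: str
    port: int
    direction: str   # "out": local connects to remote; "in": remote connects to local


@dataclass
class Resource:
    name: str
    category: str
    rules: Set[Rule] = field(default_factory=set)


class Landscape:
    def __init__(self, model: Dict[Tuple[str, str], int]):
        self.model = model
        self.resources: Dict[str, Resource] = {}

    def _pair(self, client: Resource, server: Resource) -> Optional[int]:
        return self.model.get((client.category, server.category))

    def provision(self, name: str, category: str) -> Resource:
        """Add a resource; emit its rules and extend eligible peers' rules."""
        if name in self.resources:
            raise ValueError(f"{name} already provisioned")
        new = Resource(name, category)
        for peer in self.resources.values():
            port = self._pair(peer, new)          # peer -> new
            if port is not None:
                peer.rules.add(Rule(peer.name, new.name, port, "out"))
                new.rules.add(Rule(new.name, peer.name, port, "in"))
            port = self._pair(new, peer)          # new -> peer
            if port is not None:
                new.rules.add(Rule(new.name, peer.name, port, "out"))
                peer.rules.add(Rule(peer.name, new.name, port, "in"))
        self.resources[name] = new
        return new

    def rules_of(self, name: str) -> Set[Tuple[str, int, str]]:
        """(remote, port, direction) view of a resource's rule set."""
        return {(r.remote, r.port, r.direction) for r in self.resources[name].rules}


def build_example_landscape() -> Landscape:
    """Provision a db, an app and a web tier in that order."""
    ls = Landscape(LANDSCAPE_MODEL)
    for name, cat in [("db1", "db"), ("app1", "app"), ("web1", "web")]:
        ls.provision(name, cat)
    return ls
```

Because rules are derived only from listed category pairs, the generated policy is default-deny: provisioning a resource of a category the model does not relate to anything yields an empty rule set rather than broad access, which is the property to check when extending the model.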
20100005504METHOD OF AUTOMATING AND PERSONALIZING SYSTEMS TO SATISFY SECURITY REQUIREMENTS IN AN END-TO-END SERVICE LANDSCAPE - A computer-implemented method of enabling security in network resources provisioned as part of a service landscape instance is provided. The method includes initiating an orchestration process for creating a landscape service instance to provide services to a service subscriber over a data communications network. The method further includes deriving from the orchestration process at least one parameter, and generating at least one security configuration profile based upon the at least one parameter for at least one system of the landscape service instance.01-07-2010
20100287599METHOD, APPARATUS AND SYSTEM FOR IMPLEMENTING POLICY CONTROL - A method, an apparatus and a system for implementing policy control are disclosed. The method includes: an SPDF receives a service request that carries service property of a session from an AF, makes a service policy decision according to the service property of the session and policy pre-configuration parameters to obtain authorized service parameters; and determines a corresponding local network transmission PDF according to a type of an access network; the SPDF sends an access network resource authorization request that carries the authorized service parameters to the determined local network transmission PDF, to enable the local network transmission PDF to generate a local network transmission policy according to the authorized service parameters and deliver the policy to a corresponding policy enforcement point for enforcing. Through the embodiments of the present invention, the converged policy control can be implemented for different types of networks.11-11-2010
20090037974SECURITY DOCUMENT PRINTING SYSTEM AND METHOD OF CONTROLLING THE SAME - A system to print a security document and a control method thereof. The printing system simplifies a security procedure, and minimizes or prevents the security document from being illegally copied or copied without authorization. The printing system includes an input unit which receives an authenticator to copy the security document, and an output unit which determines whether the authenticator is equal to an authentication mark on the security document, and copies the security document in different ways according to the determined result.02-05-2009
20090037973Policy-enabled aggregation of IM User communities - A method of automatically aggregating an online user community, and graphical user interface for same, the method including one or more of the following: a user creating the online community; the user defining an aggregation policy for the online user community; a service provider retrieving the aggregation policy; the service provider applying the aggregation policy to an other user; determining whether the other user fits the aggregation policy; adding the other user to the online user community; the user defining an anti-aggregation policy; the service provider retrieving the anti-aggregation policy; determining whether the other user fits the anti-aggregation policy; and removing the other user from the online user community when the other user fits the anti-aggregation policy.02-05-2009
20100138894INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING METHOD, AND COMPUTER READABLE MEDIUM - An information processing apparatus includes: a storage that associates each of a plurality of pieces of use limitation information with a characteristic information, and that stores each of the plurality of pieces of use limitation information and the characteristic information, which are associated with each other; and a selection unit that refers to the storage, and that selects, based on a result of comparison between a second document characteristic information of a document acquired from a specified document specified by and in response to an instruction specifying a document for which a policy for limitation on use is to be determined and the characteristic information associated with each of the plurality of pieces of use limitation information stored in the storage, a candidate for use limitation information to be used for the limitation on use of the specified document from the plurality of pieces of use limitation information.06-03-2010
20110209196FLEXIBLE SECURITY REQUIREMENTS IN AN ENTERPRISE NETWORK - A system and method are provided to monitor and prevent potential enterprise policy and/or rule violations by subscribers.08-25-2011
20110209197WEB-BASED AUDIT SYSTEM AND RELATED AUDIT TOOL - A web-based audit system and related tool implemented by a computer or personal digital assistant providing user with access to the internet, comprising access to a repository of audit content; wherein said audit content is associated with appropriate regulatory rules, notices policies and information ; a means to update said regulatory rules, notices, policies and information associated with said audit content with changes.08-25-2011
20110209194NODE-BASED POLICY-ENFORCEMENT ACROSS MIXED MEDIA, MIXED-COMMUNICATIONS MODALITIES AND EXTENSIBLE TO CLOUD COMPUTING SUCH AS SOA - A system and method are provided to monitor and prevent potential enterprise policy and/or rule violations by subscribers.08-25-2011
20110209192BIOMETRIC SOCIAL NETWORKING - A method for maintaining a social network includes registering users in the social network, wherein registering users includes storing in association with a user ID for each registered user at least one image and verifying the user during a subsequent login by comparing a current image with the stored image. User interactions within the social networking system are restricted by a third party.08-25-2011
20080244692SMART WEB SERVICES SECURITY POLICY SELECTION AND VALIDATION - A computer-implemented method to select a web service security policy alternative can comprise selecting a web service security policy alternative at runtime based on previously collected data concerning web service and using the selected web service security policy alternative for a web service message. In addition, a computer-implemented method to prevent intrusion can use a honey policy that can be defined by the administrator in order to attract and closely monitor the hackers.10-02-2008
20080244694Automated collection of forensic evidence associated with a network security incident - An automated collection of forensic evidence associated with a security incident is provided by an arrangement in which different security products called endpoints in an enterprise network are enabled for sharing security-related information over a common communication channel using an abstraction called a security assessment. A security assessment is generally configured to indicate an endpoint's understanding of a detected security incident that pertains to an object in the environment which may include users, computers, IP addresses, and website URIs (Universal Resource Identifiers). The security assessment is published by the endpoint into the channel and received by subscribing endpoints. The security assessment triggers the receiving endpoints to go into a more comprehensive or detailed mode of evidence collection. In addition, any forensic evidence having relevance to the security incident that may have already been collected prior to the detection will be marked for retention so that it is not otherwise deleted.10-02-2008
20080244689 Extensible Ubiquitous Secure Operating Environment - The present invention provides a portable and secure computer operating system, and applications that can be used securely on virtually any computer system regardless of its security state (i.e., regardless of the presence of computer viruses, Trojan code, keylogging software, or any other malicious mobile code that may exist on the host computer system). The present invention is embodied within three (3) components including 1) the client desktop or server software, 2) the appliance-based management server, and 3) the media (i.e., including but not limited to a USB thumb drive or CDROM) on which the client desktop or server software is installed. 10-02-2008
20080244685 Method and Apparatus for Providing Dynamic Security Management - Methods and devices provide dynamic security management in an apparatus, such as a mobile telephone terminal. The apparatus includes a platform for running an application; a security manager for handling access of the application to functions existing in the apparatus; an application interface (API) between the platform and the application; and a set of access permissions stored in the apparatus and used by the security manager for controlling access of the application to functions through the application interface. Methods can include downloading into the apparatus an object containing access permissions applicable to at least one function; verifying the object; and installing the access permissions together with the existing permissions. 10-02-2008
20080244686 Systems and Methods for Enhancing Security of Files - Systems and methods for enhancing security of files are provided. A representative method includes: associating information with a file, the information identifying contents of the file; monitoring the information and the file contents; detecting a lack of correlation between the information and the file; and responsive to detecting the lack of correlation, storing information corresponding to a modification of the file separately from the file. 10-02-2008
20080244690 DERIVING REMEDIATIONS FROM SECURITY COMPLIANCE RULES - Systems and methods that automatically generate remediation processes, such as acts performed as part of a benchmark model, to improve and update compliance of a machine with security policies. A remediation component can automatically determine processes that are required to change and increase compliance of a machine with a security policy, and hence improve the security level thereof. 10-02-2008
20080235761 AUTOMATED DISSEMINATION OF ENTERPRISE POLICY FOR RUNTIME CUSTOMIZATION OF RESOURCE ARBITRATION - A system and method for disseminating policies to multiple policy-based components includes a policy producer which generates a group of policies to be enforced. A policy disseminator classifies each policy with a type, and for each policy type, the policy disseminator identifies policy-based components that handle a corresponding policy type. The policy disseminator sends specific policy types from the group of policies to each policy-based component that can handle that specific policy type. 09-25-2008
20110271319 USING ENDPOINT HOST CHECKING TO CLASSIFY UNMANAGED DEVICES IN A NETWORK AND TO IMPROVE NETWORK LOCATION AWARENESS - A device receives, from a managed device, endpoint information associated with an unmanaged device connected to the managed device in a network. The device also receives unmanaged device information that partially identifies the unmanaged device, and completely identifies the unmanaged device based on the endpoint information and the unmanaged device information. 11-03-2011
20100132011 Mechanism to Implement Security in Process-Based Virtualization - In one embodiment, a mechanism to implement security in process-based virtualization is disclosed. In one embodiment, a method includes maintaining a security policy for a process-based virtualization system, initializing a virtual machine (VM) in the process-based virtualization system, assigning a security label to the VM, and enforcing the security policy on the VM based on the security label of the VM in order to isolate the VM from other VMs in the process-based virtualization system. 05-27-2010
20090265756 SAFETY AND MANAGEMENT OF COMPUTING ENVIRONMENTS THAT MAY SUPPORT UNSAFE COMPONENTS - Techniques for managing and protecting computing environments are disclosed. A safe computing environment can be provided for ensuring the safety and/or management of a device. The safe computing environment can be secured by a safe component that isolates and protects it from unsafe computing environments which may also be operating. As a result, various security and management activities can be securely performed from a safe computing environment. A safe computing environment can, for example, be provided on a device as a safe virtual computing environment (e.g., a safe virtual machine) protected by a safe virtual computing monitor (e.g., a safe virtual machine monitor) from one or more other virtual computing environments that are not known or not believed to be safe for the device. It will also be appreciated that the safe components can, for example, be provided as trusted components for a device. As such, various trusted components (or agents) can operate in a trusted computing environment secured from interference by components that may not be trusted, and perform various security and/or management tasks alone or in connection, for example, with other trusted components (e.g., trusted servers). 10-22-2009
20090265757 SYSTEM AND METHOD FOR SECURE NETWORKING IN A VIRTUAL SPACE - Secure networking in a virtual space over a network. Subscriber computing devices each operated by a subscriber are associated with a subscriber identifier. Each computing device is connected to the network. A subscriber security profile is created in a security profile datastore, wherein the subscriber security profile comprises information indicative of a security status and wherein the subscriber security profile is associated with the subscriber's subscriber identifier. Subscriber identifiers associated with subscribers who are logged in to a website are monitored. The website defines a virtual space and the logged-in subscribers are characterized as present in the virtual space. A web page is served to the computing devices of the present subscribers via the network. The web page of a first subscriber comprises a first subscriber icon associated with the first subscriber and subscriber icons of other present subscribers. A determination is made whether the first subscriber security profile matches the subscriber security profile of one or more of the other present subscribers according to security matching criteria. An attribute is assigned to the icons of the other present subscribers having security profiles that match the security profile of the first subscriber according to security matching criteria. Selected security profile information is provided to the first subscriber of a selected one of any of the other present matching subscribers. 10-22-2009
20090265755 FIREWALL METHODOLOGIES FOR USE WITHIN VIRTUAL ENVIRONMENTS - In some embodiments a method comprises receiving a virtual universe request, and determining properties of the virtual universe request. The method can also comprise determining a virtual universe firewall security policy, wherein the virtual universe firewall security policy identifies allowable properties associated with the virtual universe request. The method can also include comparing the properties of the virtual universe request to the properties of the virtual universe firewall security policy, and blocking the virtual universe request based on the comparison of the virtual universe request's properties to the virtual universe firewall security policy's allowable properties. 10-22-2009
20090265754 Policy Enforcement in Mobile Devices - Systems, methods and computer program products for enabling enforcement of an administrative policy on one or more mobile devices are described herein. In an embodiment, an administrator uses a policy server to create and provide an enforcement policy to a mobile device. An enforcement policy may include information on mobile device resources which may be controlled by an administrator. An enforcement policy also includes information on how mobile device features will be set, configured or disabled. An enforcement device driver and an enforcement monitor on a mobile device use the enforcement policy to control access to resources associated with the mobile device regardless of whether the mobile device is “online” and connected to a network or “offline” and disconnected from a network. 10-22-2009
20090265752 SYSTEM AND METHOD OF CONTROLLING A MOBILE DEVICE USING A NETWORK POLICY - A method of controlling a mobile device based on a network policy, wherein the network policy is stored on the mobile device when a server or access point is accessed. When a packet is transmitted, it is sent only if it meets the policy parameters as established by the network policy. Parameters may include the type of service or packet, the time of day of the usage, or the maximum tolerable delay permitted. 10-22-2009
20090265753 USING OPAQUE GROUPS IN A FEDERATED IDENTITY MANAGEMENT ENVIRONMENT - A system and method for using an opaque group within a federated identity management environment, to prevent disclosure of the identities of the group. An opaque group is constructed at an identity provider within the system and has a group identity that references the primary system identities of its members (e.g., electronic mail addresses, public key certificates, network addresses). Services to the group (e.g., distribution of an object such as a document or electronic mail message, invitation to an online meeting, authentication as a member of the group) can be requested from service providers, but because service providers do not have access to members' primary identities, the service providers forward the requests to an identity provider that has access to the group identity. That identity provider retrieves the members' identities and completes the action. 10-22-2009
20090100497 METHOD AND APPARATUS FOR PREVENTING A SET OF USERS FROM ACCESSING A MESSAGE IN AN INSTANT MESSAGING SYSTEM - The illustrative embodiments described herein provide a computer-implemented method, apparatus, and computer program product for preventing a set of users from accessing a message in an instant messaging system. The process determines whether a message received by a receiving computing device from a sending computing device is undetected by a set of users associated with the receiving computing device. The process notifies the sending computing device that the message is undetected by the set of users in response to determining that the message is undetected by the set of users associated with the receiving computing device. The process prevents the set of users from accessing the message in response to receiving a request to prevent the set of users from accessing the message. 04-16-2009
20080271112 AUTOMATIC FILE TRANSFER - A computer-readable medium contains software that, when executed by a processor, causes the processor to perform various actions. For example, as a result of a user-initiated event, the software causes the processor to automatically select at least one file from among a plurality of files based on a policy, and to automatically transfer the selected at least one file across a network. 10-30-2008
20090049510 SECURING STORED CONTENT FOR TRUSTED HOSTS AND SAFE COMPUTING ENVIRONMENTS - Techniques for protecting content to ensure its use in a trusted environment are disclosed. The stored content is protected against harmful and/or defective host (or hosted) environments. A trusted security component provided for a device can verify the internal integrity of the stored content and the host before it allows the content to come in contact with the host. As a counterpart, a trusted security component provided for the host can verify and attest to the integrity of the host and/or the specific host computing environment that can be provided for the content stored in the device. The trusted security component provided for a device effectively verifies the host integrity based on the information attested to by the trusted security component provided for the host. If the trusted security component trusts the host, it allows the trusted host to provide a trusted host computing environment trusted to be safe for the content stored in the device. A trusted host can effectively provide a safe virtual environment that allows content representing a copy (or image) of an original computing environment to operate on the host computing system to give a similar appearance as the original computing environment. 02-19-2009
20090049517 METHOD AND SYSTEM FOR PERFORMING AN UNTRACEABLE SECRET MATCHING - Performing an untraceable secret matching between a first credential associated with a first property of a first user and a second credential associated with a second property of a second user includes receiving the first credential, receiving a matching reference formed so the first user can detect a matching of the first property with a remote property from a credential of another user, supplying a first nonce value to the second user, receiving a hidden version of the second credential from the second user formed by the second user on the basis of the second credential, the first nonce value supplied by the first user and a random value locally generated on the side of the second user, and performing the matching by combining the first credential and the received hidden credential with the first nonce value and comparing the combination with the matching reference. 02-19-2009
20080282316 Information processing apparatus, program and method for transmitting content in security scheme according to license policy - An information processing apparatus is connectable to a user device over a network. The apparatus includes a processor. The processor transmits, in response to reception of a request for a particular item of content, an identification of a security scheme which is applicable to transmission of the particular item of content in accordance with a license policy. When the item of content can be received by the user device in the security scheme, the processor transmits the item of content in the security scheme. 11-13-2008
20080282321 SYSTEM AND METHOD OF MANAGING DATA PROTECTION RESOURCES - Herewith disclosed are a method and system for computerized management of a plurality of data protection (DP) resources. The computerized management comprises obtaining data related to at least part of the DP resources among said plurality of DP resources, wherein at least part of the data is obtained by automated collecting; accommodating the obtained data in a data repository, thus giving rise to accommodated data; and processing the accommodated data, said processing resulting in at least one of the following: a) identifying one or more data protection (DP) schemes characterizing DP resources and/or relationships thereof; and b) identifying one or more data protection (DP) gaps. 11-13-2008
20080282318 WORKFLOW AUTHORIZATIONS EVALUATION IN MULTI-LAYERED APPLICATIONS - There is provided a computer-implemented method, computer program product, system and security index structure for a security enforcement strategy for a composite application. The method comprises providing a workflow for the composite application, wherein the composite application is constructed from a set of sub-applications and wherein at least a plurality of the sub-applications has a policy. A consolidated workflow policy is generated for the workflow by combining the policies of the sub-applications and by taking into account a control flow of the workflow, wherein the control flow provides an order in which the set of sub-applications are performed. The consolidated workflow policy is enforced by providing a security index structure for the consolidated workflow policy adapted for checking authorization in the workflow. 11-13-2008
20080282317 METHOD AND APPARATUS FOR CONVERTING A LICENSE - A method of converting a license is provided. The method includes obtaining a domain policy from a domain to which content is to be transmitted, determining whether license information, that is, information for a content usage limitation, and the domain policy coincide, and then, based on the determination result, selectively converting a license. 11-13-2008
20080282313 MULTI-PROFILE INTERFACE SPECIFIC NETWORK SECURITY POLICIES - A computer-readable medium having a data structure stored thereon for defining a schema for expressing a network security policy. The data structure includes a first data field including data defining a parameter to be applied based on the network security policy. The network security policy defines at least one of the following: a firewall rule and a connection security rule. The data structure also includes a second data field having data specifying restrictions of the parameter included in the first data field. The parameter in the first data field and the restrictions in the second data field form the schema for expressing the network security policy to be processed. The network security policy manages communications between a computing device and at least one other computing device. 11-13-2008
20080235759 Methods and Systems for Transparent Data Encryption and Decryption - A method and system for transparently encrypting (and decrypting) sensitive data stored in a directory (or other database) is provided. Sensitive data, a password for example, may be required by a client in a distributed data processing environment. When the database entry is created, the sensitive data received from a user, or more generally, a client, may be encrypted, and saved in the directory entry in encrypted form. Encryption of sensitive data may be performed in accordance with a predetermined set of policies. When the sensitive information is needed, it may be selectively delivered in encrypted or unencrypted form based on a policy in the set. Policies may include criteria external to the database, and interfaced to the database via a policy engine. 09-25-2008
20080235757 Detecting attempts to change memory - A system and method for detecting changes of memory state. In accordance with one embodiment, memory locations to be observed are determined, and the pages of these locations are marked as read-only. Then, guest instructions execute during a trial period. During the trial period, guest instructions attempting to write to the identified memory locations cause page faults which result in identifying the instructions. At the end of the trial period, the pages are returned to a writable status, and attempts to modify the memory locations by the guest code are detected based on the instruction identifier. The system and method can be used for efficient frame list topology monitoring, such as in a virtual USB controller of a virtual machine. 09-25-2008
20080289000METHOD AND ELECTRONIC DEVICE FOR MANAGING APPLICATIONS - The present invention provides a method for managing an application at an electronic device (11-20-2008
20080289001POLICY PROXY - In a system with a policy server, a first device able to communicate with the policy server and a second device able to communicate with the first device and unable to communicate with the policy server, the first device is to act as a policy proxy. The policy server may push to the first device a policy for the second device, and the first device may push the policy to the second device.11-20-2008
20080244691Dynamic threat vector update - A security manager aggregates various security components into a unified user interface. For each security component, the security manager may obtain an updated policy description that defines specific groups of settings for the component in terms of several threat conditions. Using the groups of settings, the security manager may classify a current state of a security component into a category. Some embodiments may use a standardized schema for an interface between a security component and the security manager. The schema may be implemented with an adapter that translates the specific settings of a security component into data for the security manager. In some embodiments, the adapter may also receive updated policy descriptions and perform a classification of the current settings.10-02-2008
20080229387Drm System - A method of and system for digital rights management, in which access to a piece of content is granted in accordance with a license owned by a license owner to a client who is a member of a domain. This requires successfully verifying that a membership relation exists between the client and the domain as reflected in a first state variable, and that an association relation exists between the license owner and the domain as reflected in a second state variable. Both relationships are revoked by executing an online protocol between the parties in the relationship after which both remove the corresponding state variable. The domain controller propagates the state administration relating to the domain is propagated to the client so that the client can update its state administration.09-18-2008
20080271113POLICY CONTROL IN A NETWORK - There are disclosed measures for policy control in a network, including an authorization check. Namely, a method of policy control in a network comprises obtaining, at an application function entity of the network, a request for a service, determining, at the application function entity, whether service information associated with the requested service requires an authorization check or a configuration of a policy enforcement entity of the network, and providing, depending on the determining result, an indication from the application function entity to a policy control entity of the network, whether or not the policy enforcement entity is to be configured for the requested service information, together with that requested service information.10-30-2008
20080244687FEDERATED ROLE PROVISIONING - In various embodiments, techniques for federated role provisioning are provided. A federated role definition for a resource is constructed and distributed. The federated role definition includes a role hierarchy having role assignments and constraints for dynamically resolving and binding a resource to particular ones of the role assignments. A resource may have role assignments statically bound to its identity and dynamically bound to its identity. Furthermore, some role assignments may be inherited from the role hierarchy.10-02-2008
20120297446Authentication System and Method - Aspects of the invention relate to a customer authentication system for authenticating a customer making a request related to a customer account. The customer authentication system may include multiple application level data receiving and processing mechanisms for receiving customer requests and collecting customer data. The customer authentication system may additionally include a central authentication system for receiving the customer requests and customer data from the multiple application level data receiving and processing mechanisms, the central authentication system determining, based on authentication policy, whether the collected customer data is sufficient to authenticate each customer in order to fulfill the customer request. The central authentication system may return its conclusions and instructions to the multiple application level data receiving and processing mechanisms. The customer authentication system may additionally include a fraud policy system for centrally managing authentication policy implemented by the central authentication system.11-22-2012
20080282319System for Managing Access Control - A content distribution system (11-13-2008
20100293595Security Policy Distribution to Communication Terminals - A method and arrangement for distributing a security policy to a communication terminal having an association with a home communication network, but being present in a visited communication network. The home communication network (11-18-2010
20080244688VIRTUALIZED FEDERATED ROLE PROVISIONING - In various embodiments, techniques for virtualized federated role provisioning are provided. An entire policy and role provisioning environment is packaged in a first environment and sent to a second environment. The second environment authenticates and initiates the policy and role provisioning environment as a virtualized federated role provisioning service or a shared policy decision point service. The shared policy decision point service dynamically resolves policy, roles, and constraints for requesting resources within the second environment and supplies this information to a local policy enforcement point service that enforces roles on the resources.10-02-2008
20080216147Data Processing Apparatus And Method - There is a described a method of certifying compliance with a designated process defined by a plurality of rules which are specified in a public template, wherein at least one rule associated with a process includes a certification requirement which requires compliance with that rule to be certified by a rule certifying authority. A processing apparatus operating in a secure environment receives rule compliance data and checks the received rule compliance data to verify that any certification requirement has been satisfied. If the processing apparatus confirms that all the rules specified in the public template are satisfied, then the processing apparatus issues a process compliance certificate which is digitally signed by the process certifying authority.09-04-2008
20080229386Substrate processing apparatus - The object of the present invention is to provide a substrate processing apparatus and a substrate processing system capable of performing an appropriate processing in response to the operating condition of the substrate processing apparatus and of realizing an improvement in the availability rate of the apparatus. The substrate processing apparatus includes: storage section for storing a plurality of recipes describing a procedure for processing a substrate and operating authorities of a user corresponding to the plurality of recipes; and display section for displaying an authority setting screen for setting the operating authorities of the user to the respective recipes and an edition screen for editing a recipe stored in the storage section on the basis of the operating authority set via the authority setting screen. The substrate processing apparatus can edit the authority setting screen displayed by the display section and can set different operating authorities to the recipe between when the operating condition of the substrate processing apparatus is online and when the operating condition of the substrate processing apparatus is offline.09-18-2008
20100138895Module and associated method for TR-069 Object management - The present invention relates to a security module for use in management of a TR-069 Object Model of a device. The Object Model comprises a plurality of parameters for selection by a view selector module based on credentials and for defining thereby an object model view associated with the device. The security module comprises means for associating the object model view with a security policy and means for configuring the security attributes of the security policy on an intermediate network entity.06-03-2010
20080271109PHYSICAL SECURITY TRIGGERED DYNAMIC NETWORK AUTHENTICATION AND AUTHORIZATION - A unified access control component (UACC) can maintain information relating to network access information and physical location information associated with respective users who may access a network that can include network resources (e.g., applications, information). The UACC can cross reference the network access information (e.g., user network access events, credentials, and policy) and physical location information (e.g., user physical access events, credentials, and policy) and can generate and enforce a unified network access policy based on network access information and physical location information associated with a particular user. After network access privileges have been granted to a user, the UACC can continue to monitor the user. The UACC can include a dynamic authentication component that can request a user re-authenticate if a change in the physical location and/or network access associated with the user is detected, such that a re-computation of network access privileges is desired.10-30-2008
20080271111EFFICIENT POLICY CONFLICT DETECTION - A method and computer program product for detecting a policy conflict in a managed system includes examining a plurality of policy rules for overlapping policy targets, in response to finding no overlapping policy targets, reporting that the policy rules do not conflict, and in response to finding overlapping policy targets, examining the plurality of policy rules for at least two rules having a same condition and a same event, and, in response to not finding at least two rules having a same condition and a same event, reporting that the policy rules do not conflict.10-30-2008
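The two-stage screen in 20080271111 (first look for rules whose targets overlap, then, only among those, look for rules with the same event and the same condition) is cheap because the second, more expensive comparison runs only on the pairs that survive the first. The following is an added illustration in Python, not code from the patent or its assignee. The rule structure, the sample rule set and the final step are assumptions: the abstract stops at "report no conflict" when either stage finds nothing, so here a surviving pair is reported as a conflict only when the two rules also prescribe different actions (identical actions would be redundant rather than contradictory).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyRule:
    name: str
    targets: frozenset      # identifiers of the managed objects the rule applies to
    event: str              # the event that triggers evaluation of the rule
    condition: str          # the condition that must hold for the rule to fire
    action: str             # what the rule does when it fires


def overlapping_pairs(rules):
    """Stage 1: every pair of rules whose target sets intersect."""
    pairs = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.targets & b.targets:
                pairs.append((a, b))
    return pairs


def detect_conflicts(rules):
    """Stage 2, applied only to the pairs that survived stage 1.

    Returns the list of conflicting (a, b) pairs; empty when either stage
    finds nothing, which is the "do not conflict" report of the abstract.
    """
    pairs = overlapping_pairs(rules)
    if not pairs:
        return []
    conflicts = []
    for a, b in pairs:
        same_trigger = a.event == b.event and a.condition == b.condition
        # Assumption: same trigger + overlapping targets + different actions is
        # a conflict; identical actions are merely redundant and not reported.
        if same_trigger and a.action != b.action:
            conflicts.append((a, b))
    return conflicts


def conflict_names(rules):
    """Sorted (name, name) pairs, convenient for reporting and for tests."""
    return sorted((a.name, b.name) for a, b in detect_conflicts(rules))


# Constructed sample rule set (hypothetical hosts, not from the patent).
SAMPLE_RULES = [
    PolicyRule("r1", frozenset({"web01", "web02"}), "login",  "hour >= 22", "deny"),
    PolicyRule("r2", frozenset({"web02", "db01"}),  "login",  "hour >= 22", "allow"),
    PolicyRule("r3", frozenset({"db01"}),           "login",  "hour >= 22", "deny"),
    PolicyRule("r4", frozenset({"mail01"}),         "login",  "hour >= 22", "allow"),
    PolicyRule("r5", frozenset({"web01"}),          "logout", "hour >= 22", "allow"),
]

if __name__ == "__main__":
    for a, b in conflict_names(SAMPLE_RULES):
        print(f"conflict: {a} vs {b}")
```

In the sample, r1/r2 and r2/r3 are reported (shared target, same trigger, opposite actions); r1/r5 share a target but fire on different events, and r4 shares no target with anything, so neither is examined further. Note that "same condition" here is a string comparison; two conditions that are semantically equivalent but spelled differently would slip past this screen, which is a limitation of the described method rather than of the example.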
20080271110Systems and Methods for Monitoring Compliance With Standards or Policies - In one embodiment, a system or method pertain to accessing a model that comprises a computer-readable version of a standard or policy, identifying rules or requirements specified by the model that pertain to compliance with the standard or policy, and automatically generating questions relevant to the identified rules or requirements, the questions being intended to query intended respondents as to compliance with the identified rules or requirements.10-30-2008
20100146582ENCRYPTION MANAGEMENT IN AN INFORMATION HANDLING SYSTEM - A method of enforcing an encryption policy in an information handling system for receiving a request for access to data, automatically identifying from a plurality of encryption policies a particular encryption policy associated with the requested data, selecting an available encryption implementation module capable of enforcing the identified encryption policy, and initiating an encryption or decryption of the requested data using the selected encryption implementation module.06-10-2010
20100146583METHOD AND APPARATUS FOR OBFUSCATING CONTEXT INFORMATION - In some examples, context information is determined. The context information is associated with a user and based on information of a communication device associated with the user. The context information is obfuscated based on user information associated with the user, such as a privacy policy, user profile, user preferences, user activity, and/or any combination of the aforementioned. In other examples, the context information is determined based on a user location and/or user information.06-10-2010
20100146586APPARATUS AND METHOD FOR MANAGING IDENTITY INFORMATION - Provided are an apparatus and method for managing identity information. The apparatus includes a contract detail manager managing details of an identity information sharing contract made between a user and an identity provider (IdP) wanting to provide identity information about the user, and details of an identity information sharing contract made between the user and an identity consumer (IdC) wanting to be provided with the identity information about the user, an IdP selector selecting an IdP capable of providing the identity information about the user based on the details of the sharing contract when a request for the identity information about the user is input from the IdC, and an information provider obtaining information according to the identity information request from the selected IdP, and providing the obtained information to the IdC. The apparatus and method can solve a problem that all of a user's identity information is provided to an IdC according to the user's comprehensive agreement.06-10-2010
20120198515FLEXIBLY ASSIGNING SECURITY CONFIGURATIONS TO APPLICATIONS - A method, system, and computer usable program product for flexibly assigning security configurations to applications are provided in the illustrative embodiments. An embodiment determines, forming a first determination, whether a first identifier identifying the application is mapped to the security configuration. The embodiment determines, forming a second determination, whether the application participates in a group by determining whether a second identifier identifying the group is mapped to the security configuration. The embodiment assigns, forming a first assignment, the security configuration to the application if either of the first and the second determinations is true. The embodiment assigns, forming a second assignment, the security configuration to the application using a determination by a first policy if the first and the second determinations are false.08-02-2012
20120198514Methods and Apparatuses for User-Verifiable Trusted Path in the Presence of Malware - An apparatus and method for establishing a trusted path between a user interface and a trusted executable, wherein the trusted path includes a hypervisor and a driver shim. The method includes measuring an identity of the hypervisor; comparing the measurement of the identity of the hypervisor with a policy for the hypervisor; measuring an identity of the driver shim; comparing the measurement of the identity of the driver shim with a policy for the driver shim; measuring an identity of the user interface; comparing the measurement of the identity of the user interface with a policy for the user interface; and providing a human-perceptible indication of whether the identity of the hypervisor, the identity of the driver shim, and the identity of the user interface correspond with the policy for the hypervisor, the policy for the driver shim, and the policy for the user interface, respectively.08-02-2012
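20120198514 describes a chain of measurements (hypervisor, then driver shim, then user interface), each compared against its own policy, ending in a human-perceptible verdict. The following is an added illustration in Python, not code from the patent or its authors. It stands in for the real measurement with a SHA-256 of each component's image; the image bytes, the policy of expected digests and the verdict strings are constructed for the example. In a real deployment the measurements would come from a hardware root of trust and the indication would be rendered over a channel the untrusted software stack cannot draw on.

```python
import hashlib

# Measurement order matters: each layer is what loads and measures the next,
# so a mismatch lower in the chain taints everything above it.
LAYERS = ("hypervisor", "driver_shim", "user_interface")


def measure(image: bytes) -> str:
    """Identity of a component = SHA-256 of its loaded image.

    Stand-in for a root-of-trust measurement (assumption for this example).
    """
    return hashlib.sha256(image).hexdigest()


def verify_trusted_path(images: dict, policy: dict) -> dict:
    """Measure every layer in LAYERS and compare it with the policy's expected
    digest. Returns {layer: 'ok' | 'mismatch' | 'unverifiable'}.

    Once a layer mismatches, the layers above it are reported as
    'unverifiable' rather than 'ok': their measurement was taken by a
    component that is itself not the one the policy trusts.
    """
    verdicts = {}
    chain_intact = True
    for layer in LAYERS:
        matches = measure(images[layer]) == policy[layer]
        if not chain_intact:
            verdicts[layer] = "unverifiable"
        elif matches:
            verdicts[layer] = "ok"
        else:
            verdicts[layer] = "mismatch"
            chain_intact = False
    return verdicts


def indication(verdicts: dict) -> str:
    """The human-perceptible indication, reduced to a string for the example.

    Assumed to be shown through a channel malware cannot spoof (an LED, a
    secure overlay); here it is simply returned.
    """
    bad = [f"{l}={v}" for l, v in verdicts.items() if v != "ok"]
    return "TRUSTED" if not bad else "UNTRUSTED: " + ", ".join(bad)


# Constructed stand-ins for the loaded images (hypothetical contents).
GOOD_IMAGES = {
    "hypervisor": b"hv-1.2.3",
    "driver_shim": b"shim-0.9",
    "user_interface": b"ui-2.0",
}
# The policy is the set of expected digests, one per layer.
POLICY = {layer: measure(img) for layer, img in GOOD_IMAGES.items()}


def check(images: dict) -> str:
    """End-to-end: measure, compare with POLICY, produce the indication."""
    return indication(verify_trusted_path(images, POLICY))


if __name__ == "__main__":
    print(check(GOOD_IMAGES))
    print(check(dict(GOOD_IMAGES, driver_shim=b"shim-0.9-modified")))
    print(check(dict(GOOD_IMAGES, hypervisor=b"hv-1.2.3-modified")))
```

With a modified driver shim the output names exactly that layer and marks the user interface as unverifiable; with a modified hypervisor every layer above it is unverifiable, because a compromised hypervisor can report any digest it likes for the shim and the UI. That is why the verdict must be bound to a measurement the hypervisor cannot forge rather than computed by the hypervisor itself.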
20090049513SYSTEM AND METHOD FOR CONTROLLING A VIRTUAL ENVIRONMENT OF A USER - A method and a system for controlling a virtual environment of a user, e.g., a child, are provided. In the virtual environment, users are able to interact with other users using messages. Each message is made up of one or more items contained in a dictionary. Information is transmitted, e.g., by e-mail, to an agent, e.g., a parent. The transmitted information is information that may be used to authorize the agent to control the virtual environment of the user. The virtual environment of the user is controlled by setting a level of interaction at which the user is permitted to interact with others. The messages may include pre-written messages and messages composed by a user using items contained in the dictionary. A message checker bars unsuitable combinations made up of items contained in the dictionary. Inappropriate language and personally identifiable information may be excluded from the contents of the messages.02-19-2009
20090049509SCOPE-CENTRIC ACCESS CONTROL MODEL - Apparatus, methods, and computer program products are disclosed that maintain an association graph made up of association tuples. Each of the association tuples belongs to an access-control-policy scope that imposes an access control policy. On receipt of a client reference and a supplier reference a scope-defining entity is identified from the client reference. The scope-defining entity has an explicit access control policy. An effective supplier reference is retrieved from a set of the association tuples matching the scope-defining entity and is presented.02-19-2009
20080250472INFORMATION PROCESSING SYSTEM, INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING METHOD AND COMPUTER READABLE MEDIUM - An information processing system includes: an information processing apparatus includes: an acceptance unit that accepts selection of a function and a start command of processing relating to the selected function; a determination unit that determines element processing executed to provide the selected function; and a request unit that makes an execution permission request of the element processing determined in association with the selected function before the start command of processing relating to the selected function is accepted; and a permission management apparatus that accepts the execution permission request of processing from the information processing apparatus, determines whether or not the execution is permitted, and informs the information processing apparatus of the determination result.10-09-2008
20090049518Managing and Enforcing Policies on Mobile Devices - Embodiments of a system configured to manage policies, including decision policies and active policies, on mobile devices are described. The system includes a device policy repository, a policy decision point, a decision policy enforcer, and an active policy enforcer. The system includes a method for enforcing policies on mobile devices that proactively monitors the execution environment and automatically triggers active policies. The method further exports an interface and provides functionality to evaluate and enforce decision policies. The system can combine policies from different sources, including detecting and avoiding policy conflicts.02-19-2009
20090183228Method for managing usage authorizations in a data processing network and a data processing network - To facilitate the work of a user with a data processing network with a number of security levels of the applications and functions to be executed, a method is proposed for managing usage authorizations in this data processing network. In at least one embodiment of the method, when a user logs in at a work station, at least one role stored in a central authorization register is allocated to the user; when an application is called up a local security module of the application determines which authorizations are granted for the role of the user; and if there is no authorization for an application-related action, a central security module accesses a central collection of security rules, the security rules indicating the circumstances, in which, when a user's authorizations are not sufficient to carry out the application-related action, the user can still carry it out and determines whether according to at least one of the security rules a usage authority is possible for the application-related action and offers this to the user.07-16-2009
20090183226Systems and Methods for Identity-Based Communication Gate for Social Networks - Systems and methods are disclosed that provide for control of online communication services, including social networks and video games. In some embodiments, parents of children engaging in activities using online communication services can control who their child can engage in communications with, while using online communication services. In some embodiments, parents can monitor potentially problematic communications between their child and other subscribers of an online communication service. Thus, subscribers of online communication services can be prevented from misrepresenting themselves or concealing important information, including age and gender.07-16-2009
20090165080GENERIC RIGHTS TOKEN AND DRM-RELATED SERVICE POINTERS IN A COMMON PROTECTED CONTENT FILE - Methods and systems of rendering content on a device having a native digital rights management (DRM) system are described. A device, such as an end-user device capable of executing or playing content, acquires content in a common content format file having standardized locations for specific types of data. A generic digital rights token associated with the content is obtained by utilizing one of the standardized locations in the content format file, where the rights token contains information sufficient to allow retrieval of the rights associated with the content. Utilizing data in another of the standardized locations, it is then determined whether the device is registered in a domain. A license server directory may be accessed utilizing data in another of the standardized locations in the common content format file and a domain identifier, a device identifier, or both are transmitted to the license server directory. A native DRM system trigger is received and, upon activation of the trigger, a native DRM license is acquired, thereby enabling rendering of the content in the common content format file on the device.06-25-2009
20090165077Method, Apparatus and Computer Program Product for Secure Software Installation - A method, apparatus and computer program product are provided for secure software download or installation. In this regard, sensory notifications and cognitive activities are implemented prior to proceeding to a download or installation procedure. For example, a sensory notification can be provided if security attributes of software are noncompliant with security preferences. Additionally, performance of a task can be required if security attributes of software are noncompliant with the security preferences prior to installation of the software, wherein requiring performance of a task comprises selecting the task such that the task is variable from one installation of the software to another installation of the software.06-25-2009
20090165076METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR DATA SECURITY POLICY ENFORCEMENT - A method for data security policy enforcement including inspecting incoming and outgoing data packets from a server computing device for attributes in accordance with a data security policy, processing the data packets in accordance with the security policy based on the inspected attributes, and routing the data packets in accordance with the security policy based on the inspected attributes, wherein incoming and outgoing data from the server computing device composed of the data packets is processed and routed in accordance with the security policy on a per-packet basis. A system and computer program product is also provided.06-25-2009
20130219463Methods and Systems for Enterprise Data Use Monitoring and Auditing User-Data Interactions - A method for managing data use of an enterprise is disclosed. The method includes receiving login parameters from a user associated with user identification information. The method authenticates the login parameters and the user information to determine whether the login parameters match the user identification information. The method provides access to specific data in a database that stores enterprise information. Upon providing access, video capture of a viewing space for the screen is initiated, the viewing space being configured to include the location where the user associated with the user identification information is predefined to reside when accessing the specific data. During the video capture, image data presented on the screen and input received for the user interface of the screen are captured. The method acts to bind the video capture, the captured image data presented on the screen and the input received.08-22-2013
20120036552SYSTEM FOR MANAGING DEVICES AND METHOD OF OPERATION OF SAME - A managed services platform and method of operation of same are described herein. The platform can include a device management service (DMS) server in which the DMS server can act as a gateway for communications with one or more computing devices, and the computing devices are associated with a first entity. The platform can also include an application service (AS) server in which the AS server is communicatively coupled with the DMS server. When a first computing device contacts the DMS server, the DMS server is operable to provide a bundle to the first computing device. As an example, the bundle contains content that at least includes one or more configuration messages and an application set that contains one or more predefined applications. The content of the bundle can be determined at least in part by the first entity.02-09-2012
20090138940METHOD FOR ENFORCING CONTEXT MODEL BASED SERVICE-ORIENTED ARCHITECTURE POLICIES AND POLICY ENGINE - A method for enforcing context model based Service-Oriented Architecture (SOA) policies is provided, which includes: gathering instance documents related to policy enforcement according to a business requirement; generating an instantiated context model using the gathered instance documents; generating a policy set to be enforced according to the gathered instance documents; determining an enforcement sequence of policies in the policy set; and applying the policies to the instantiated context model according to the enforcement sequence. The method for enforcing context model based SOA policies may flexibly gather the instance documents according to scenarios and purposes of the policy enforcement to define the policy scope, such as project, application, service, etc., and may be applied to various types of the SOA policies. In addition, a policy engine for enforcing context model based SOA policies is provided.05-28-2009
20090183227Secure Runtime Execution of Web Script Content on a Client - Method for ensuring security of online content on a client device. Online content is rendered on a display on the client device and the client device stores one or more policies each defining an execution boundary of a web script content. The execution boundary defines resource access of the web script content, and the web script content is configured to issue an execution invocation to interact with other portions of the online content. The issued execution invocation is intercepted and parameters included in the intercepted execution invocation are identified. The identified parameters request resources from an application or the client device for interacting with the other portions of the online content. The identified parameters are evaluated against the execution boundary of each of the policies stored in the client device. A dynamic resolution is provided to the web script content in response to the evaluating.07-16-2009
20090094672Universal serial bus selective encryption - A method to interact with a remote USB device is disclosed. An identifying message is received from a remote client associated with the remote USB device. The remote USB device is identified based at least in part on the identifying message from the remote client. A security policy is determined for the remote USB device. A policy message is transmitted to the remote client for selectively implementing the security policy of the remote USB device. A method to interact with a local USB device is also disclosed. An identifying message is determined by performing a host controller service for the local USB device. The identifying message is transmitted to a server. A policy message is received from the server for selectively implementing a security policy on the local USB device. The host controller service is then configured in accordance with the security policy.04-09-2009
20090165078MANAGING POLICY RULES AND ASSOCIATED POLICY COMPONENTS - A method for modifying policy elements is disclosed. At least one reusable policy element (06-25-2009
20090165081TRUSTED MULTI-STAKEHOLDER ENVIRONMENT - In one embodiment, a multi-stakeholder environment is controlled by first assigning a first domain to a first stakeholder and a second domain to a second stakeholder. Then a first access policy is defined for the first domain and access is restricted to the first domain for the second stakeholder according to the first access policy. In another embodiment, an access request is handled in a multi-stakeholder environment by first receiving parameters forwarded by hooks in system call functions in a kernel of the multi-stakeholder environment, wherein the parameters contain information about a first stakeholder requesting access to a domain corresponding to a second stakeholder. Then it is determined whether to allow the first stakeholder to access the domain based at least partially upon security settings corresponding to the domain.06-25-2009
20090178105REDUCING OVERHEAD ASSOCIATED WITH DISTRIBUTED PASSWORD POLICY ENFORCEMENT OPERATIONS - A computer implemented method, data processing system, and computer program product for reducing the overhead associated with distributed password policy enforcement operations using a proxy server. When a proxy server provides a request from a client to a backend directory server, the proxy server determines whether a password policy check is required to be performed at the backend directory server. If a password policy check is not required to be performed at the backend directory server, the proxy server sends the client request together with a skip password policy control to the backend directory server. This skip password policy control informs the backend directory server to skip the password policy check on the client request.07-09-2009
20090178108ENTERPRISE SECURITY ASSESSMENT SHARING FOR OFF-PREMISE USERS USING GLOBALLY DISTRIBUTED INFRASTRUCTURE - Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and off-premise or roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services.07-09-2009
20090178106PASSWORD POLICY ENFORCEMENT IN A DISTRIBUTED DIRECTORY WHEN POLICY INFORMATION IS DISTRIBUTED - A computer implemented method, data processing system, and computer program product for password policy enforcement in a distributed directory when policy information is distributed. When a proxy server is providing a request from a client to a backend directory server, the proxy server performs a series of LDAP operations on a targeted set of backend directory servers to collect password policy information applicable to a target user. The password policy information applicable to the target user is partitioned and distributed across the plurality of backend directory servers. When the password policy information for the target user has been collected, the proxy server evaluates the collected password policy information to determine an effective password policy for the target user. The proxy server then sends the request and subsequent requests with the effective password policy to a backend directory server.07-09-2009
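In 20090178106 the proxy gathers password-policy fragments for one user from several backend directory servers and reduces them to a single effective policy before forwarding the request. The following is an added illustration in Python, not code from the patent or its assignee, and it does not talk LDAP: the backend servers are simulated by an in-memory dictionary (constructed), the attribute names are borrowed from the IETF LDAP password policy draft (pwdMinLength, pwdMaxAge, pwdMaxFailure, pwdInHistory, pwdLockout, pwdCheckQuality) as an assumption, and the merge rule (the most restrictive value from any fragment wins) is likewise an assumption, since the abstract does not say how the proxy evaluates the collected fragments.

```python
# How to combine two values of the same attribute from different fragments.
# Assumption: the most restrictive value wins.
MERGE = {
    "pwdMinLength":   max,                   # longer minimum is stricter
    "pwdMaxAge":      min,                   # shorter lifetime is stricter
    "pwdMaxFailure":  min,                   # fewer allowed failures is stricter
    "pwdInHistory":   max,                   # longer history is stricter
    "pwdLockout":     lambda a, b: a or b,   # lock out if any fragment says so
    "pwdCheckQuality": max,                  # 0..2, higher is stricter
}

# Constructed stand-in for the backend directory servers: each holds only a
# partition of the policy information (hypothetical DNs and values).
SERVERS = {
    "ldap-a": {"uid=alice,ou=people,dc=example,dc=com": {"pwdMinLength": 8}},
    "ldap-b": {"uid=alice,ou=people,dc=example,dc=com": {"pwdMinLength": 12,
                                                          "pwdMaxAge": 7776000}},
    "ldap-c": {"uid=alice,ou=people,dc=example,dc=com": {"pwdMaxAge": 2592000,
                                                          "pwdLockout": True,
                                                          "pwdInHistory": 5}},
    "ldap-d": {},   # targeted, but holds nothing for this user
}


def collect_fragments(user_dn: str, servers: dict) -> list:
    """The proxy's 'series of operations on a targeted set of backend servers':
    one lookup per server, keeping whatever each one knows about the user."""
    fragments = []
    for name in sorted(servers):
        frag = servers[name].get(user_dn)
        if frag:
            fragments.append(frag)
    return fragments


def effective_policy(fragments: list) -> dict:
    """Reduce the fragments to one policy, attribute by attribute."""
    eff = {}
    for frag in fragments:
        for attr, val in frag.items():
            if attr not in MERGE:
                raise ValueError(f"unknown password policy attribute {attr}")
            eff[attr] = val if attr not in eff else MERGE[attr](eff[attr], val)
    return eff


def effective_policy_for(user_dn: str, servers: dict) -> dict:
    return effective_policy(collect_fragments(user_dn, servers))


def check_password(candidate: str, policy: dict, history=()) -> list:
    """Apply the parts of the effective policy that can be checked on a new
    password. Returns a list of violations (empty means acceptable)."""
    problems = []
    if len(candidate) < policy.get("pwdMinLength", 0):
        problems.append("too short")
    if candidate in tuple(history)[:policy.get("pwdInHistory", 0)]:
        problems.append("reused")
    return problems


if __name__ == "__main__":
    dn = "uid=alice,ou=people,dc=example,dc=com"
    eff = effective_policy_for(dn, SERVERS)
    print(eff)
    print(check_password("short", eff))
    print(check_password("correct-horse-battery", eff, history=["old-one"]))
```

The point of forwarding the effective policy with the request (rather than having each backend compute it) is that no single backend holds enough of the fragments to evaluate the policy on its own; the proxy is the only component that has seen all of them. The merge table is the part to audit in a real deployment, since a "least restrictive wins" rule for any one attribute silently weakens the policy for every user.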
20090178110Communication Control Device, Communication Control System, Communication Control Method, and Communication Control Program - The communication control device of the present invention includes: a communication parameter acquisition means (07-09-2009
20090187965ELECTRONIC APPARATUS, METHOD FOR CONTROLLING FUNCTIONS OF THE APPARATUS AND SERVER - An electronic apparatus, having functions on which use limitations can be imposed, in which a variety of functions are loaded on the electronic apparatus by hardware circuitry or by computer programs. Use of a certain function(s) is limited by setting a function limiting flag to “1”, provided that an other function(s) are usable within a period of a preset number of days of possible test use. An application is made from the apparatus to a key issuing source for purchasing usable functions. The key issuing source then issues a limitation removing key. The limitation removing key may be acquired from the key issuing source by a mobile phone terminal and transmitted to the apparatus by infrared ray communication. The apparatus rewrites the function limiting flag by this limitation removing key. If the number of days of actual test use has reached the number of days of possible test use, the CPU of the apparatus does not carry out the function(s) the function limiting flag of which is “1”.07-23-2009
20090187964Applying Security Policies to Multiple Systems and Controlling Policy Propagation - A method and apparatus for attaching security policies to secured computing systems is provided. A security policy is attached to a parent domain. The parent domain includes a first secured computing system. The security policy is a natural language description for controlling access to the secured computing system. Upon determining that the parent domain propagates the security policy, a first generation child domain is identified. The first generation child domain includes a second secured computing system. The first generation child domain is associated with the parent domain in a hierarchical relationship. It is determined that the first generation child domain inherits the security policy based on an inheritance rule. The security policy is attached to the first generation child domain.07-23-2009
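The propagation described in 20090187964 has two independent switches: the parent must propagate the policy, and the child must, by its own inheritance rule, accept it; only when both hold is the policy attached to the child, and from there it can continue down to the next generation. The following is an added illustration in Python, not code from the patent or its assignee. The domain tree, the policy names and the per-domain inheritance rules are constructed for the example; the patent's natural-language policies are represented here only by their names.

```python
class Domain:
    """A node in the domain hierarchy. `inherits` is the domain's inheritance
    rule: a predicate over a policy name (assumption: rules are per domain)."""

    def __init__(self, name, parent=None, inherits=lambda policy: True):
        self.name = name
        self.parent = parent
        self.inherits = inherits
        self.attached = {}    # policy name -> propagate flag


def attach(domain: Domain, policy: str, propagate: bool = True) -> None:
    """Attach a policy to a domain, recording whether it propagates."""
    domain.attached[policy] = propagate


def effective(domain: Domain) -> dict:
    """policy name -> propagate flag in force at `domain`.

    A policy reaches a child only if the parent propagates it AND the child's
    inheritance rule accepts it. Attachments made directly on the domain
    shadow inherited entries with the same name.
    """
    eff = {}
    if domain.parent is not None:
        for policy, propagate in effective(domain.parent).items():
            if propagate and domain.inherits(policy):
                eff[policy] = propagate
    eff.update(domain.attached)
    return eff


def effective_names(domain: Domain) -> list:
    return sorted(effective(domain))


# Constructed hierarchy (hypothetical names).
corp = Domain("corp")
attach(corp, "no-shared-accounts")               # propagates by default
attach(corp, "exec-only", propagate=False)       # stays on the parent

eng = Domain("eng", parent=corp)
attach(eng, "legacy-vpn")

# Second-generation child: accepts everything except "legacy-*" policies.
ci = Domain("ci", parent=eng, inherits=lambda p: not p.startswith("legacy-"))

# Sibling that inherits nothing and carries its own baseline.
contractors = Domain("contractors", parent=corp, inherits=lambda p: False)
attach(contractors, "contractor-baseline")

if __name__ == "__main__":
    for d in (corp, eng, ci, contractors):
        print(d.name, effective_names(d))
```

Two things to verify when reviewing such a scheme: that a non-propagating policy really stops at its parent (exec-only never reaches eng), and that a child's opt-out is not silently overridden by a grandparent (ci drops legacy-vpn but still receives no-shared-accounts through eng). Both are exactly the places where an access-control hierarchy tends to grant more than intended.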
20090138939SYSTEM AND METHOD FOR INFERRING ACCESS POLICIES FROM ACCESS EVENT RECORDS - A method of security gateway policy definition to quickly infer a new policy based on event data extracted and analyzed using business logic and workflow from a gateway event log or behavior log. The method includes reading the components of a log record, translating the components into acceptable policy attributes, creating a new policy based on those attributes, and presenting the new policy to a system administrator for editing and approval.05-28-2009
20090007217COMPUTER SYSTEM FOR AUTHENTICATING A COMPUTING DEVICE - A computer architecture for enterprise device applications provides a real-time, bi-directional communication layer for device communication. An identity-based communications layer provides for secure, end-to-end telemetry and control communications by enabling mutual authentication and encryption between the devices and the enterprise. A unique identity is assigned to each device, user and application to provide security services. A communications session is established between two devices using an authentication service that authenticates the device that is initiating the establishment of the communications session with another device. After authenticating the initiating device, the authentication service provides to the initiating device the network address of the other device and an authentication credential for use in the communications session between the initiating device and the other device.01-01-2009
20090007219Determining a merged security policy for a computer system - Embodiments of the invention described herein are directed to a mechanism for determining whether at least one operation will be effective in view of at least one security policy. In exemplary implementations, determining whether at least one operation will be effective in view of at least one security policy may comprise determining a merged security policy for a computer system by merging security policies for the computer system from two or more sources. The security policies may be security policies set by a user and/or an administrator of the computer system, may be security policies of a computer network to which the computer system is connected, or may be security policies of one or more other computer systems that are above the computer system in a computer network hierarchy.01-01-2009
20090178102Implementing Security Policies in Software Development Tools - Disclosed is an access and information flow control framework that includes a series of phases. The first phase includes: receiving raw authorization requirement(s); creating authorization requirement representation(s) from the raw authorization requirement(s) using a language; and analyzing the authorization requirement representation(s) to ensure that they are consistent and conflict-free. The second phase includes: creating use case authorization(s) from the authorization requirement representation(s) and validating consistency between the authorization requirement representation(s) and the use case authorization(s). The use case authorization may be created by propagating the authorization requirement representation(s) to a subject hierarchy; enumerating implicit authorization(s) derived from the authorization requirement representation(s); resolving inconsistencies in the use case authorization(s); and completing incomplete use case authorization(s). The third phase includes: receiving raw information flow requirement(s); creating information flow requirement representation(s) from the raw information flow requirement(s) using a language; creating propagated information flow requirement(s) by propagating the information flow requirement representation(s) to a subject hierarchy; creating at least one enumerated information flow requirement by enumerating possible direct and indirect information flow requirement(s) derived from the information flow requirement representation(s) and the propagated information flow requirement(s); generating filtered enumerated information flow requirement(s) by filtering enumerated information flow requirement(s); and ensuring that the filtered enumerated information flow requirement(s) are consistent with an information flow policy. The fourth phase includes: creating operation authorization(s); resolving inconsistencies in the operation authorization(s); and ensuring that the operation authorization(s) are conflict-free; and handling errors in any of the earlier phases.07-09-2009
20110225624Systems and Methods for Providing Network Access Control in Virtual Environments - A computer-implemented method for providing network access control in virtual environments. The method may include: 1) injecting a transient security agent into a virtual machine that is running on a host machine; 2) receiving, from the transient security agent, an indication of whether the virtual machine complies with one or more network access control policies; and 3) controlling network access of the virtual machine based on the indication of whether the virtual machine complies with the one or more network access control policies. Various other methods, systems, and computer-readable media are also disclosed herein.09-15-2011
20120198516Inspecting Code and Reducing Code Size Associated to a Target - Code is associated to a target based on an inspection of the code. A target may be a device or a user. A number of code components may be inspected at one time and then transferred or otherwise associated to a target based on the target's profile. A code component may be a policy of an information management system.08-02-2012
20090260051POLICY PROCESSING SYSTEM, METHOD, AND PROGRAM - In a policy handling system performing automatic execution, management, and control of a system, a policy retrieving section (10-15-2009
20090260050Authenticating device for controlling application security environments - Computer protection is weak with the methods currently available and there are risks of malicious users getting access to computers and corrupting important data, including system data. We are proposing a method for improving access protection, more particularly by adding a device capable of user authentication that will enable or disable protection for applications as required. The device supports one or more users, zero or more user groups, zero or more Application Security Environments for each user or user group, and one or more states for each Application Security Environment. The state of the hardware is manually controlled by the users. Depending on the configuration, each hardware state corresponding to an Application Security Environment corresponds to a set of privileges for processes running in that Application Security Environment while that Application Security Environment is in that state.10-15-2009
20090187968SYSTEM AND METHOD FOR DYNAMIC NETWORK POLICY MANAGEMENT - A system and method that provides dynamic network policy management. The system enables a network administrator to regulate usage of network services upon initiation of and throughout network sessions. The system employs a method of identifying selectable characteristics of attached functions to establish static and dynamic policies, which policies may be amended before, during and after any session throughout the network based on the monitored detection of any of a number of specified triggering events or activities. Particular policies associated with a particular identified attached function in prior sessions may be cached or saved and employed in subsequent sessions to provide network usage permissions more rapidly in such subsequent sessions. The cached or saved policy information may also be used to identify network usage, control, and security. The system and method of the present invention provides static and dynamic policy allocation for network usage provisioning.07-23-2009
20090144798Optimized peer-to-peer mobile communications - A customer can control access to information about the customer stored in a database by selecting one or more policies, where each policy specifies conditions and/or rules for accessing information associated with the policy, and for each selected policy the customer selects portions of the customer's information for association with the selected policy. The customer can create or specify one or more policies for accessing information. In another method, information about the customer stored in the database includes personal information about the customer, including contact information for people associated with the customer, and facts about the customer, e.g., contact information for family members, professionals who provide service (e.g. doctor, lawyer, banker), emergency contacts, and medical information, for example blood type, allergies, medications, and organ donor status.06-04-2009
20090144801METHODS AND SYSTEMS FOR SEARCHING FOR SECURE FILE TRANSMISSION - Described herein are methods and systems for managing and controlling the distribution of digital media. A first media file is associated with first media content and with first metadata providing one or more rules constraining how and/or what second media content can be played in conjunction with the first media content. Optionally, included in the first media file is a locator associated with the second media content which is to be accessed over a network when the first media content is played via a terminal player which receives the first media file.06-04-2009
20090144800AUTOMATED CLUSTER MEMBER MANAGEMENT BASED ON NODE CAPABILITIES - Embodiments of the present invention provide a method, system and computer program product for automated cluster member management based on node capabilities. In one embodiment of the invention, a method for automated cluster member management based on node capabilities can be provided. The method can include defining a membership policy for a cluster, the membership policy specifying a nodal configuration required for a node in a cluster. The method further can include evaluating different nodes in a computing environment against the membership policy for the cluster. Finally, the method can include associating cluster members in the cluster to only those of the nodes having respective configurations meeting the nodal configuration of the membership policy. Likewise, the method can include evaluating nodes already in the cluster, and disassociating cluster members in the cluster from those of the nodes having respective configurations failing to meet the nodal configuration of the membership policy.06-04-2009
20090025057Multi-Layer System for Privacy Enforcement and Monitoring of Suspicious Data Access Behavior - A method for controlling data access in a data-at-rest system includes executing a link intrusion prevention analysis between multiple layers of the data-at-rest system, introducing a privacy policy at enforcement points that span multiple system layers, and dynamically altering the privacy policy.01-22-2009
20110225625DYNAMIC AUTHENTICATION OF A USER - According to an example embodiment, a system may include at least one processor and at least one memory comprising a policy module configured to receive data indicating risk factors associated with users of the system; update risk levels for the users by applying the data to risk factor rules; and provide the updated risk levels and/or authentication levels associated with the updated risk levels to an authentication module in response to receiving requests from the authentication module. The at least one processor and at least one memory may also comprise the authentication module configured to receive a first access request from a user; in response to receiving the first access request, request a first updated risk and/or authentication level for the user from the policy module; and require the user to provide a first authentication technique to grant the first access request based on the first updated risk and/or authentication level received from the policy module.09-15-2011
20110225623Web-Hosted Self-Managed Virtual Systems With Complex Rule-Based Content Access - A computer-based service provides methods and apparatus for a user to manage a collection of information that the user wishes to share with, or distribute to, one or more designated recipients, typically at a future time, where the user controls the contents of the collection, and the times and rules under which the collection, or portions of the collection, may be accessed by, or delivered to, the one or more designated recipients; and where the resources for storing, retrieving, processing and communicating the collection of information are logically centralized and remote from the user.09-15-2011
20090205017APPROPRIATE CONTROL OF ACCESS RIGHT TO ACCESS A DOCUMENT WITHIN SET NUMBER OF ACCESSIBLE TIMES - An access right management system is provided, which appropriately controls an access right, to access a document, when the number of executable times is set for each kind of processing on the document managed by a policy server. The management system includes the policy server which saves the access right showing permission or inhibition of access to the document in a first file and a document management server which saves the number of accessible times in a second file. When a predetermined condition is satisfied, the document management server instructs the policy server to update the access right, and the policy server which receives the instructions executes an update of the access right such as changing a permission of access to an inhibition of access.08-13-2009
20090205015Method for Forecasting Unstable Policy Enforcements - Method for forecasting instable policy enforcement, is described, wherein a behavior dynamic Bayesian network (DBN) model and a policy finite state transducers extended with tautness functions and identities (TFFST) model is analytically composed to derive predictions of the consequences of enforcing a given policy, in particular to detect flip-flop configuration changes in a system. The method comprises the steps of—translating (08-13-2009
20090031393SYSTEM AND METHOD FOR CONTROLLING EMAIL PROPAGATION - A system and method for controlling the propagation of an email message includes defining at least a first email recipient and a second email recipient of the email message. A first email propagation policy associated with at least the first email recipient is defined, and a second email propagation policy associated with at least the second email recipient is defined. The email message is sent to the first email recipient and to the second email recipient.01-29-2009
20090199268POLICY CONTROL FOR ENCAPSULATED DATA FLOWS - Systems and methodologies are described that facilitate communicating encapsulation information for a related mobility protocol type utilized in communicating over a data flow with reduced specific implementation on the policy server to support different mobility protocol types. In this regard, encapsulation information can be transmitted to the policy server from a network gateway such that the policy server can forward the encapsulation information to a serving gateway along with policy rules related to a data flow type. The serving gateway can utilize the encapsulation information to detect and interpret the encapsulated data flow according to the policy rules. In this regard, the serving gateway can provide support (e.g. quality of service support) for the flow. The encapsulation information can relate to a mobility protocol type, an encapsulation header, an indication that encapsulation is required, parameters regarding locating an encapsulation header in a message, and/or the like.08-06-2009
20090199266Compiling Method for Command Based Router Classifiers - A method and compiler for compiling hierarchical command based policy rules to a flat filter list structure adapted for storage in a Content Addressable Memory (CAM), wherein the policy rules are organized in a tree-structure of classifiers. First, all of the possible search paths in the tree structure are found, and then only the valid search paths according to defined criteria are added to the flat filter list. The CAM may be a Ternary Content Addressed Memory.08-06-2009
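The compiler described above works in two steps: enumerate every search path through the classifier tree, then keep only the valid ones as flat entries. The following is an added example (not code from the patent or any vendor implementation) that flattens a small tree into ternary-style entries, where `*` marks a don't-care field. The tree layout, the field names and the validity criterion (a path is invalid when two nodes constrain the same field to different values, so it can never match) are assumptions for illustration; the patent does not specify its criteria.

```python
"""Flatten a hierarchical classifier tree into an ordered filter list.
Added example; tree shape, field names and the validity rule are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Node:
    match: Dict[str, str] = field(default_factory=dict)   # e.g. {"proto": "tcp"}
    action: Optional[str] = None                           # set on leaves: "permit"/"deny"
    children: List["Node"] = field(default_factory=list)


def all_paths(node: Node, prefix=()):
    """Enumerate every root-to-leaf path, in tree (priority) order."""
    path = prefix + (node,)
    if not node.children:
        return [path]
    out = []
    for child in node.children:
        out.extend(all_paths(child, path))
    return out


def merge_constraints(path):
    """Conjoin the match constraints along a path.
    Returns None when two nodes constrain the same field to different values
    (assumed validity criterion: such a path can never match any packet)."""
    merged: Dict[str, str] = {}
    for node in path:
        for key, value in node.match.items():
            if key in merged and merged[key] != value:
                return None
            merged[key] = value
    return merged


def compile_tree(root: Node, fields=("proto", "dst_port", "src_net")):
    """Produce flat entries suitable for a first-match TCAM; '*' is a ternary don't-care."""
    entries = []
    for path in all_paths(root):
        merged = merge_constraints(path)
        if merged is None or path[-1].action is None:
            continue  # invalid path, or a leaf without an action
        entries.append({**{f: merged.get(f, "*") for f in fields}, "action": path[-1].action})
    return entries


def sample_tree() -> Node:
    """Constructed sample: tcp/22 and tcp/80 permitted, other tcp denied, udp/53 permitted.
    The third tcp child contradicts its parent and must be dropped."""
    return Node(children=[
        Node(match={"proto": "tcp"}, children=[
            Node(match={"dst_port": "22"}, action="permit"),
            Node(match={"dst_port": "80"}, action="permit"),
            Node(match={"proto": "udp"}, action="permit"),   # contradictory with parent
            Node(action="deny"),                              # catch-all for tcp
        ]),
        Node(match={"proto": "udp"}, children=[
            Node(match={"dst_port": "53"}, action="permit"),
        ]),
    ])


if __name__ == "__main__":
    for entry in compile_tree(sample_tree()):
        print(entry)
```

Because the entries keep depth-first order, the tcp catch-all deny lands after the specific tcp permits, which is what a first-match CAM needs; reordering the tree's children would silently change the policy.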
20090199264DYNAMIC TRUST MODEL FOR AUTHENTICATING A USER - A system that dynamically authenticates one or more users is described. During operation, the computer system determines a trust level for a user, where the trust level is a function of elapsed time since the user previously provided authentication information. Next, the computer system calculates a transaction risk level based on a type of user transaction performed by the user. Then, the computer system requests additional authentication information from the user based on the trust level and the transaction risk level.08-06-2009
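Both 20110225625 and 20090199264 above describe the same shape of decision: a policy side that turns observed risk factors into a risk level, an authentication side that compares what the user currently has (trust decaying with time since the last authentication) against what the requested transaction needs, and a step-up request when the gap is not covered. The following is an added example (not code from either patent) of that loop in Python. The method scale, the transaction risk table, the risk-factor points, the 15-minute decay window and the "two risk points raise the requirement one level" rule are all assumptions chosen for illustration.

```python
"""Risk- and time-aware step-up authentication. Added example; all tables are assumed."""
from dataclasses import dataclass

# Authentication methods ordered by strength (assumed scale).
LEVELS = {"none": 0, "password": 1, "otp": 2, "hardware_key": 3}
MAX_LEVEL = max(LEVELS.values())

# Assumed transaction-risk table: minimum level each transaction type needs.
TRANSACTION_RISK = {"view_balance": 1, "transfer_small": 2, "transfer_large": 3, "change_email": 3}

# Assumed risk-factor rules: points each observed factor adds to the user's risk score.
RISK_FACTOR_RULES = {"new_device": 1, "impossible_travel": 2, "tor_exit": 2}


@dataclass
class UserState:
    last_auth_time: float   # epoch seconds of the last successful authentication
    last_auth_level: int    # strength of that authentication (see LEVELS)
    risk_score: int = 0


def update_risk(state: UserState, factors) -> int:
    """Policy module: apply the risk-factor rules to the factors observed for this user."""
    state.risk_score = sum(RISK_FACTOR_RULES.get(f, 0) for f in factors)
    return state.risk_score


def trust_level(state: UserState, now: float, window_s: float = 900.0) -> int:
    """Trust drops one level for every full window elapsed since the last authentication."""
    elapsed = max(0.0, now - state.last_auth_time)
    return max(0, state.last_auth_level - int(elapsed // window_s))


def required_level(transaction: str, risk_score: int) -> int:
    """Every two risk points raise the requirement by one level, capped at the strongest method."""
    return min(MAX_LEVEL, TRANSACTION_RISK[transaction] + risk_score // 2)


def authenticate_request(state: UserState, transaction: str, now: float, offered: str = None) -> str:
    """Authentication module. Returns 'allow', or 'step_up:<weakest method that would satisfy
    the requirement>' when the current trust level is insufficient and nothing stronger
    was offered. A sufficient offered method refreshes the user's trust."""
    need = required_level(transaction, state.risk_score)
    if trust_level(state, now) >= need:
        return "allow"
    if offered is not None and LEVELS[offered] >= need:
        state.last_auth_time, state.last_auth_level = now, LEVELS[offered]
        return "allow"
    weakest = min((name for name, lvl in LEVELS.items() if lvl >= need), key=LEVELS.get)
    return f"step_up:{weakest}"


if __name__ == "__main__":
    user = UserState(last_auth_time=1000.0, last_auth_level=LEVELS["password"])
    print(authenticate_request(user, "view_balance", 1000.0))          # fresh password: allow
    print(authenticate_request(user, "transfer_large", 1000.0))        # needs hardware key
    print(authenticate_request(user, "view_balance", 2800.0))          # trust decayed: step up
    update_risk(user, ["tor_exit"])
    print(authenticate_request(user, "view_balance", 1000.0))          # risk raised the bar
    print(authenticate_request(user, "view_balance", 1000.0, "otp"))   # offered OTP: allow
```

The point worth keeping from this shape is that the risk score and the elapsed-time decay are evaluated on every request, not only at login, so a session that was fine ten minutes ago can be forced to step up when a new risk factor appears.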
20090199267Internet filtering utility using consumer-governed internet web site ratings, governor voting system and vote validation process - Internet filtering system to produce only desirable internet search returns and to block undesirable web sites by computer administrators (herein called governors) wishing to limit the access of internet content for themselves, their children, their employees or clients, using a consumer-governed internet web site rating system that is verified with a governor voting system and vote validation process.08-06-2009
20090199265ANALYTICS ENGINE - Aspects of the subject matter described herein relate to a mechanism for assessing security. In aspects, an analytics engine is provided that manages execution, information storage, and data passing between various components of a security system. When data is available for analysis, the analytics engine determines which security components to execute and the order in which to execute the security components, where in some instances two or more components may be executed in parallel. The analytics engine then executes the components in the order determined and passes output from component to component as dictated by dependencies between the components. This is repeated until a security assessment is generated or updated. The analytics engine simplifies the work of creating and integrating various security components.08-06-2009
20090049512METHOD AND SYSTEM FOR MASKING DATA - An approach is provided for masking data. A determination is made whether an action initiated by an authenticated user corresponds to one of a plurality of policies stored in a policy store, wherein the policies relate to whether data to be retrieved from a data source is to be masked. A new policy is generated if no match is found in the policy store. Information associated with the new policy is received, wherein the information is input by the user. The new policy is stored in the policy store.02-19-2009
20090083831ACCESS CONTROL DECISION SYSTEM, ACCESS CONTROL ENFORCING SYSTEM, AND SECURITY POLICY - In an access control decision system, when an access decision request is received, first information indicated by the access decision request is converted into second information at a higher level of abstraction. Next, the access control for the subject information is determined by referring to a security policy that is specified in abstract terms, based on the second information, and a decision result showing the access control for the subject information is sent to the request originator that sent the access decision request.03-26-2009
20090083828METHOD OF ARMING-DISARMING SECURITY PANEL OVER UN-ENCRYPTED COMMUNICATION PATHS - A method and system for remotely controlling a security panel of a security alarm system over un-encrypted communication paths are provided. In one aspect, a message is received in plain text over un-encrypted communication path, for example, from a remote device to control a security panel of a security system installed at a premise. The plain text message is correlated to a security panel command and the security panel command is sent to a security panel installed at the premise. The security panel executes the command and sends a confirmation status message. The status message is correlated to a second plain text message and communicated over the un-encrypted communication path to the remote device that initiated the command.03-26-2009
20090260054Automatic Application of Information Protection Policies - The secure application of content protection policies to content. The secure application of content protection policies is accomplished by having an enforcement mechanism monitor policy application points to detect the transfer of content. The enforcement mechanism accesses the content and a determination is made to protect the content. A usage policy is then identified by the enforcement mechanism to apply to the content and the usage policy is then applied to the content, resulting in a usage policy for the content.10-15-2009
20090064270TEMPLATE BASED FEDERATION OF POLICIES - This disclosure presents a method of federating policies to the underlying policy management systems based on their respective capabilities, a method to federate policies to policy managers when the same managed resource is being managed by multiple managers, a method to create and federate policies at lower level policy managers for a given policy at a higher level integrated policy manager system, and a method to federate policies to autonomic managers using policy templates.03-05-2009
20090055890SYSTEM AND METHOD FOR SECURITY PLANNING WITH HARD SECURITY CONSTRAINTS - A method for security planning with hard security constraints includes: receiving security-related requirements of a network to be developed using system inputs and processing components; and generating the network according to the security-related requirements, wherein the network satisfies hard security constraints.02-26-2009
20110145884Policy Needs Assessment - Methods, computer readable media, and apparatuses for policy development and management are presented. One or more policy needs may be identified, and a score for each policy need may be determined. The score for each policy need may be determined based on audit issue closure date information, legal compliance information, and regulatory impact information. Based on the determined scores, development of one or more policy needs may be prioritized.06-16-2011
20090077624Forming A Security Network Including Integrated Security System Components and Network Devices - An integrated security system is described that integrates broadband and mobile access and control with conventional security systems and premise devices to provide a tri-mode security network (broadband, cellular/GSM, POTS access) that enables users to remotely stay connected to their premises. The integrated security system, while delivering remote premise monitoring and control functionality to conventional monitored premise protection, complements existing premise protection equipment. The integrated security system integrates into the premise network and couples wirelessly with the conventional security panel, enabling broadband access to premise security systems. Automation devices (cameras, lamp modules, thermostats, etc.) can be added, enabling users to remotely see live video and/or pictures and control home devices via their personal web portal or webpage, mobile phone, and/or other remote client device. Users can also receive notifications via email or text message when happenings occur, or do not occur, in their home.03-19-2009
20090064273Methods and systems for secure data entry and maintenance - Methods and systems are provided for the secure entry and maintenance of data entered via a user input device. A computing device includes a secure processor coupled to one or more user devices. The user devices may be peripheral devices coupled to the secure processor via a wired connection such as a USB or PS/2 interface or via a wireless connection such as Bluetooth. A security boundary associated with the secure processor is established using hardware or cryptographic techniques. Input data received from the user device is stored within the security boundary. Additionally, the secure processor is configured to identify the user peripheral device coupled to the secure processor and to determine whether a request received to access the user peripheral device is allowable based on security policies defined for the user peripheral device.03-05-2009
20090064271FILTERING POLICIES FOR DATA AGGREGATED BY AN ESB - Exemplary embodiments of the present invention implement filtering policies to correlate and perform fine-grained access control on aggregated data within an enterprise service bus (ESB) architecture. These filtering policies can be made available externally to a system user during runtime in order to allow changes to be dynamically applied to an ESB flow without the need to modify the flow of the ESB. An ESB architecture provides the benefit of being able to aggregate services. An ESB has the capability to route a service request to call multiple providers, collect all needed data, aggregate the data, and return the data to a requester. The filtering policies can be implemented within a data filtering engine that is contained within the ESB.03-05-2009
20120079561ACCESS CONTROL METHOD FOR TRI-ELEMENT PEER AUTHENTICATION CREDIBLE NETWORK CONNECTION STRUCTURE - An access control method for a TePA-based TNC architecture is provided, including: 1) performing encapsulation of user authentication protocol data and platform authentication protocol data in the TePA-based TNC architecture: 1.1) encapsulating the user authentication protocol data in a Data field of TAEP packets, and interacting with the TAEP packets between an access requestor and an access controller, and between the access controller and a policy manager, to perform mutual user authentication between the access requestor and the access controller, and establish a secure channel between the access requestor and the access controller; and 1.2) encapsulating the platform authentication protocol data in a Data field of TAEP packets, and, for platform authentication protocol data between the access requestor and the access controller, encapsulating a TAEP packet of the platform authentication protocol data in a Data field of another TAEP packet to form a nested encapsulation.03-29-2012
20120079560METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR FACILITATING COMMUNICATION IN AN INTEROPERABILITY NETWORK - Methods and apparatus are described for facilitating communication among a plurality of entities via an interoperability network. Each entity has policy data corresponding thereto governing interaction with the entity via the interoperability network. A message is transmitted from a first one of the entities to a second one of the entities. The first entity has first policy data corresponding thereto and the second entity has second policy data corresponding thereto. The transmitted message was handled in the network according to combined policy data representing a combination of the first and second policy data.03-29-2012
20120079559METHODS FOR POLICY MANAGEMENT - Systems, methods, and apparatus are disclosed for coordinating enforcement of policies on a network and/or a wireless transmit/receive unit. The policies may include stakeholder-specific policies of one or more stakeholders that provide services on a user equipment. Enforcement of the stakeholder-specific policies may be securely coordinated using a policy coordination function. Systems, methods, and apparatus are also disclosed that include a network policy coordination function (NPCF) that coordinates service control policies and access control policies. The NPCF may coordinate enforcement of the service control policies for one or more service control entities and the access control policies for one or more access control entities.03-29-2012
20120079558Safely and securely use a personal computer working at home or anywhere instead of going and working in the office - A revolutionary way of safely and securely using computers to work at home or on the road is invented. The architecture of Corpnetlk7 built for the platform includes components, utility programs and files, the majority residing on the host company's servers. They work together with local and corporate machines where configurations are made and certain programs are installed. The user will go through different steps before reaching the corporate legacy system. Corpnetlk7 consists of Corpnetlk7 Client, Server and Corporate Side Configuration Utility, Corpnetlk7 Connection Agent, Corpnetlk7 Names Server Manager, Corpnetlk7 Enterprise App, Corpnetlk7 User App, Corpnetlk7 Security Enhancement Layers, Corpnetlk7 Programs Repository, Corpnetlk7 Programs Security Storage Lockroom, Corpnetlk7 Multithreaded Server, Corpnetlk7 Host GUI Interface and Corpnetlk7 New User Checksum, etc. The user creates connectivity on the local machine and Corpnetlk7 helps the user resolve the names service.03-29-2012
20120079557DERIVING EXPRESS RIGHTS IN PROTECTED CONTENT - The present invention extends to methods, systems, and computer program products for deriving express rights in protected content. Embodiments of the invention provide mechanisms to convert implicit rights to express rights for entities, including applications, inside and outside of an organizational (e.g., enterprise) boundary. The conversion can occur dynamically, based on the information protection policies defined by a policy administrator, granting entities express access to perform tasks on protected content.03-29-2012
20120079556SEPARATION OF DUTIES CHECKS FROM ENTITLEMENT SETS - A data model in which a set provides an abstraction that isolates the computation of membership from the details of how an enforcement point determines access (e.g., based on claims, based on security group membership etc). Set operations (e.g., intersection, union, inverse) can then be used across the sets. The architecture utilizes workflow on set transitions such that when an object such as a user enters the scope of one of these sets, notification can occur, such that inadvertent changes which lead to separation-of-duties violations can be detected quickly. The sets can also be used to define entitlements for enforcement of claims-based access control in a cross-organization deployment (e.g., to a cloud-hosted application).03-29-2012
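The abstract above separates two things: how membership in a set is computed (from claims, from group membership, or from set algebra over other sets) and what an enforcement point does with the resulting set. The following is an added example (not code from the patent) showing that split in Python, with a conflict set built as the intersection of two entitlement sets and a transition monitor that reports who entered or left the set between evaluations. The user attributes, entitlement names and the invoice/approval separation-of-duties pair are constructed for illustration.

```python
"""Entitlement sets with set algebra and separation-of-duties transition checks.
Added example; users, attributes and entitlement names are constructed."""
from typing import Callable, Dict, Set, Tuple

Attrs = Dict[str, object]


class EntitlementSet:
    """A named set whose membership is computed from a predicate over a user's
    attributes (claims, group memberships, ...). Enforcement points consume the
    resulting membership and never see how it was derived."""

    def __init__(self, name: str, predicate: Callable[[Attrs], bool]):
        self.name = name
        self.predicate = predicate

    def members(self, users: Dict[str, Attrs]) -> Set[str]:
        return {uid for uid, attrs in users.items() if self.predicate(attrs)}

    def __and__(self, other: "EntitlementSet") -> "EntitlementSet":
        return EntitlementSet(f"({self.name} & {other.name})",
                              lambda a: self.predicate(a) and other.predicate(a))

    def __or__(self, other: "EntitlementSet") -> "EntitlementSet":
        return EntitlementSet(f"({self.name} | {other.name})",
                              lambda a: self.predicate(a) or other.predicate(a))

    def __invert__(self) -> "EntitlementSet":
        return EntitlementSet(f"~{self.name}", lambda a: not self.predicate(a))


class SetTransitionMonitor:
    """Re-evaluates a set and reports who entered or left since the previous run,
    so a user who lands in a conflict set is noticed at the next evaluation."""

    def __init__(self, watched: EntitlementSet):
        self.watched = watched
        self.previous: Set[str] = set()

    def evaluate(self, users: Dict[str, Attrs]) -> Tuple[Set[str], Set[str]]:
        current = self.watched.members(users)
        entered, left = current - self.previous, self.previous - current
        self.previous = current
        return entered, left


# One entitlement derived from group membership, one from a claim.
CAN_CREATE_INVOICE = EntitlementSet("create_invoice", lambda a: "ap-clerks" in a["groups"])
CAN_APPROVE_PAYMENT = EntitlementSet("approve_payment", lambda a: a["claims"].get("role") == "approver")
# Separation of duties: nobody may hold both.
SOD_CONFLICT = CAN_CREATE_INVOICE & CAN_APPROVE_PAYMENT


def sample_users() -> Dict[str, Attrs]:
    """Constructed directory snapshot; carol already violates the SoD rule."""
    return {
        "alice": {"groups": {"ap-clerks"}, "claims": {}},
        "bob": {"groups": set(), "claims": {"role": "approver"}},
        "carol": {"groups": {"ap-clerks"}, "claims": {"role": "approver"}},
    }


if __name__ == "__main__":
    users = sample_users()
    monitor = SetTransitionMonitor(SOD_CONFLICT)
    print("entered/left:", monitor.evaluate(users))      # carol enters the conflict set
    users["bob"]["groups"].add("ap-clerks")              # inadvertent group change
    users["carol"]["claims"] = {}                        # carol's approver claim removed
    print("entered/left:", monitor.evaluate(users))      # bob enters, carol leaves
```

Because the conflict set is itself just another `EntitlementSet`, the same object can be handed to an enforcement point as a deny-list for a cross-organization or cloud-hosted application without that application learning which groups or claims produced the membership.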
20090083830Systems and Methods of Controlling Network Access - A new approach to network security includes manipulating an access point such that an initial communication from an external device is passed to a restricted subset of a computing network including a gatekeeper. The gatekeeper is configured to enforce a security policy against the external device before granting access to a less-restricted subset of the computing network. If requirements of the security policy are satisfied, then the gatekeeper reconfigures the access point such that further communication from the external device may be received by elements of the less-restricted subset. Enforcement of the security policy optionally includes performing a security audit of the external device.03-26-2009
20080263626Method and system for logging a network communication event - A method of logging a network communication event includes a step of identifying a network communication event within a communication leaving a computer network. The method also includes steps of identifying a network address associated with the communication, and associating a user identity with the network address. It should be appreciated that the network address may include a dynamic network address. In addition, information is logged associating the user identity with the network communication event.10-23-2008
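The hard part of the method above is the "dynamic network address" case: an address seen in an outbound connection belongs to whichever lease covered that address at that moment, and the same address can belong to two different people an hour apart. The following is an added example (not code from the patent) that rebuilds lease intervals from DHCP server log lines and uses them to attach a user identity to egress connection events. The log formats, the MAC-to-user mapping (as one would get from 802.1X accounting or an asset directory) and all addresses are constructed sample data.

```python
"""Attribute outbound connection events to users through DHCP lease intervals.
Added example; log formats, addresses and the MAC-to-user map are constructed."""
from datetime import datetime
from typing import Dict, List, Optional

# Constructed DHCP server log: the same address is leased to two different MACs in turn.
DHCP_LOG = """\
2024-03-01T08:00:00Z DHCPACK 10.0.0.25 aa:bb:cc:00:00:01
2024-03-01T12:00:00Z DHCPRELEASE 10.0.0.25 aa:bb:cc:00:00:01
2024-03-01T12:05:00Z DHCPACK 10.0.0.25 aa:bb:cc:00:00:02
"""

# Assumed identity source (e.g. 802.1X accounting or an asset directory).
MAC_TO_USER = {"aa:bb:cc:00:00:01": "alice", "aa:bb:cc:00:00:02": "bob"}

# Constructed egress firewall events: <time> CONN <src_ip> <dst_ip> <dst_port>.
EGRESS_LOG = """\
2024-03-01T09:30:00Z CONN 10.0.0.25 203.0.113.5 443
2024-03-01T12:02:00Z CONN 10.0.0.25 198.51.100.7 25
2024-03-01T12:30:00Z CONN 10.0.0.25 203.0.113.9 443
"""


def ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def build_leases(log: str) -> Dict[str, List[list]]:
    """Turn ACK/RELEASE lines into per-address intervals [start, end, mac]; end is None
    while the lease is still open. A new ACK implicitly ends any open lease on that address."""
    leases: Dict[str, List[list]] = {}
    for line in log.splitlines():
        when, kind, ip, mac = line.split()
        t = ts(when)
        open_leases = [l for l in leases.setdefault(ip, []) if l[1] is None]
        if kind == "DHCPACK":
            for lease in open_leases:
                lease[1] = t
            leases[ip].append([t, None, mac])
        elif kind == "DHCPRELEASE":
            for lease in open_leases:
                if lease[2] == mac:
                    lease[1] = t
    return leases


def resolve_user(leases: Dict[str, List[list]], ip: str, t: datetime) -> Optional[str]:
    """Identity behind `ip` at time `t`, or None when no lease covered it."""
    for start, end, mac in leases.get(ip, []):
        if start <= t and (end is None or t < end):
            return MAC_TO_USER.get(mac, f"unknown-mac:{mac}")
    return None


def log_events(leases: Dict[str, List[list]], egress: str) -> List[dict]:
    """Produce one record per connection event with the user identity attached."""
    records = []
    for line in egress.splitlines():
        when, _, src, dst, port = line.split()
        records.append({"time": when, "src": src, "dst": f"{dst}:{port}",
                        "user": resolve_user(leases, src, ts(when))})
    return records


if __name__ == "__main__":
    for rec in log_events(build_leases(DHCP_LOG), EGRESS_LOG):
        print(rec)
```

The second event falls in the gap between alice's release and bob's new lease and is left unattributed rather than assigned to whoever held the address most recently; an investigator wants that gap visible, because it is exactly where a spoofed or statically configured address would hide.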
20080263628MANAGING COMMUNICATIONS BETWEEN ROBOTS AND CONTROLLERS - The present disclosure is directed to a system and method for managing communications with robots. In some implementations, a computer network in which operators interface with the network to control the movement of robots over a wireless computer network includes a network arena controller and a plurality of robot controllers. The network arena controller is configured to provide firewall policies to substantially secure communication between robot controllers and the associated robots. Each robot controller is included in a different robot and configured to wirelessly communicate with the network arena controller. Each robot controller executes firewall policies to substantially secure wireless communication.10-23-2008
20080263627System and Method for Identifying a Cookie as a Privacy Threat - A system and method for identifying a cookie as a privacy threat is disclosed. The system and method include receiving a request to install a cookie. A privacy policy associated with the cookie is also received, and that privacy policy may be evaluated against a set of predefined criteria. Based on this evaluation, the cookie may be determined to be a privacy threat.10-23-2008
20090100499Database System and Method for Encryption and Protection of Confidential Information - A database system for encryption and protection of confidential data is provided. The database system includes a data source system that receives confidential data and first associated data, and a secure data network interface system connected to the data source system over an open network. The data network interface system receives the confidential data and the first associated data from the data source system and further comprises a secure data storage system coupled to the data network interface system and isolated from the open network, a data encryption system generating a unique encrypted identifier for the confidential data, and a data association system associating the confidential data with the unique encrypted identifier and storing the confidential data, the first associated data and the unique encrypted identifier in the secure data storage system.04-16-2009
20110231889SECURITY POLICY AS QUERY PREDICATE - A method, system, and computer usable program product for applying a security policy as a query predicate. A query is received. The query is a request for data directed to a data repository executing in a data processing system. The security policy is identified, the security policy being a security policy applicable to the query. A predicate that corresponds to the security policy is determined. The query is modified to include the predicate. The modified query is sent to the data repository.09-22-2011
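The abstract above leaves open where in the query the predicate is spliced in, and that choice matters: appended to the caller's WHERE clause it is applied after a GROUP BY or aggregate and can leak counts and sums over rows the subject may not see. The following is an added example (not code from the patent) that instead rewrites `FROM <table>` into a filtered derived table, so the policy predicate runs before anything the caller wrote, and binds the subject's attributes as named parameters rather than interpolating them. The policy store, the `salaries` table, the subject attributes and the regex-based rewriting are all assumptions for illustration.

```python
"""Security policy applied as a query predicate. Added example; schema, policy and
subject attributes are constructed, and the rewrite uses a regex rather than a SQL parser."""
import re
import sqlite3
from typing import Dict, Tuple

# Assumed policy store: table -> (predicate fragment, parameter builder from the requesting subject).
POLICIES = {
    "salaries": ("department = :pol_department",
                 lambda subject: {"pol_department": subject["department"]}),
}

_FROM_TABLE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)


def apply_policy(sql: str, params: Dict, subject: Dict) -> Tuple[str, Dict]:
    """Rewrite `FROM <table>` into a filtered derived table so the policy predicate is
    evaluated before the caller's WHERE/GROUP BY. Named parameters keep the policy
    bindings separate from the caller's own; the subject's values are bound, never
    concatenated into the SQL text."""
    bound = dict(params)

    def repl(match: "re.Match") -> str:
        table = match.group(1)
        if table.lower() not in POLICIES:
            return match.group(0)          # no policy for this table: leave it alone
        predicate, binder = POLICIES[table.lower()]
        bound.update(binder(subject))
        return f"FROM (SELECT * FROM {table} WHERE {predicate}) AS {table}"

    return _FROM_TABLE.sub(repl, sql), bound


def make_db() -> sqlite3.Connection:
    """Constructed in-memory data set."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE salaries (name TEXT, department TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO salaries VALUES (?, ?, ?)", [
        ("alice", "eng", 90000), ("bob", "eng", 40000),
        ("carol", "sales", 120000), ("dan", "sales", 45000),
    ])
    return conn


def run(conn: sqlite3.Connection, subject: Dict, sql: str, params: Dict = None):
    """Apply the subject's policy to the caller's query and execute it."""
    new_sql, bound = apply_policy(sql, params or {}, subject)
    return conn.execute(new_sql, bound).fetchall()


if __name__ == "__main__":
    db = make_db()
    eng, sales = {"user": "alice", "department": "eng"}, {"user": "carol", "department": "sales"}
    query = "SELECT name, amount FROM salaries WHERE amount > :min"
    print(run(db, eng, query, {"min": 50000}))        # only eng rows
    print(run(db, sales, query, {"min": 50000}))      # only sales rows
    print(run(db, eng, "SELECT COUNT(*) FROM salaries"))   # aggregate sees 2, not 4
```

The regex is the weak spot of this sketch: it does not understand string literals, subqueries or joins, so a production data repository would hook the same predicate in at the planner or through the database's own row-level-security or view mechanism rather than by text rewriting.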
20090077620Method and System for Location-Based Wireless Network - Described are a method and a system for granting and denying network access to a device based on a location of that device. A method includes determining a current location of at least one mobile unit, permitting network access to a wireless network to the mobile unit if a network access policy of the mobile unit is configured to permit network access for the current location, and denying network access to the wireless network to the mobile unit if the network access policy of the mobile unit is configured to restrict network access for the current location. The system includes a processor generating network access policy data for at least one mobile unit, the network access policy data configured to one of permit network access and restrict network access for the at least one mobile unit depending on a location of the at least one mobile unit within an operating environment, a wireless switch providing a wireless network infrastructure, a location determination module calculating a current location of the at least one mobile unit, and a plurality of wireless access points in communication with the wireless switch, wherein each one of the wireless access points one of permits network access and restricts network access to the at least one mobile unit based on the current location and the network access policy data for the at least one mobile unit.03-19-2009
20110231896SYSTEMS AND METHODS FOR REDIRECTION OF ONLINE QUERIES TO GENUINE CONTENT - A system for redirection of online queries to genuine content includes a user interface module to provide a user interface between a network user with administrative authority and an Internet service, a communication module to receive a request to establish a genuine content resolution policy for a network, a policy generating module to establish the genuine content resolution policy for the network, and a policy enforcement module to apply the genuine content resolution policy to a user request to access an intended website. The policy enforcement module may determine whether or not the genuine content resolution policy is activated, determine whether or not the intended website is the genuine website, and based on the determination, selectively redirect the user to the genuine website.09-22-2011
20110231898SYSTEMS AND METHODS FOR COLLABORATIVELY CREATING AN INTERNET MEDIATION POLICY - Methods and systems of collaboratively creating an Internet service mediation policy are disclosed. Various embodiments include an initiating Internet service user establishing a base mediation policy via a DNS server, one or more other Internet service users collaborating with the initiating Internet service user to modify the mediation policy, the collaborating including the other Internet service users submitting content for the mediation policy to the initiating Internet service user, and the initiating Internet service user publishing the mediation policy. In some embodiments, the initiating Internet service user determines what submitted Internet content may be included in the mediation policy.09-22-2011
20110231895Systems and Methods for Mediating Internet Service - Systems and methods for an Internet service delivered to a particular location are provided herein. Exemplary methods for mediating an Internet service include executing instructions stored in a memory by a processor to selectively apply, on-demand, a mediation policy to the Internet service, the mediation policy adapted to prevent the delivery of Internet content for a predetermined period of time. The method may include establishing a user interface between a computing system and Internet service, the user interface receiving a request to apply the mediation policy to the Internet service via the user interface to prevent the delivery of Internet content for a predetermined period of time.09-22-2011
20110231894Systems and Methods for Mediating an Internet Service Delivered to a Particular Location - Systems and methods for an Internet service delivered to a selected location are provided herein. According to some exemplary embodiments a method for mediating an Internet service delivered to a selected location having an Internet connection operatively coupling at least one user device to the Internet service includes executing instructions stored in a memory by a processor to prevent delivery of restricted Internet content via the Internet service. The restricted Internet content includes Internet content included in one or more categories of restricted Internet content included in a mediation policy adapted to be selectively applied to the Internet service.09-22-2011
20110231893Systems and Methods for Mediating Internet Access Provided to End Users - Systems and methods for creating age based mediation policies and applying those age based mediation policies to Internet service are provided herein. A method for mediating Internet service provided to an end user includes creating an age based mediation policy by receiving information indicative of the end user's age, locating age-appropriate Internet content corresponding to the end user's age and combining the located age-appropriate Internet content with administrator approved Internet content, and applying the age based mediation policy to the Internet service such that only Internet content included in the mediation policy is accessible.09-22-2011
20110231892Systems and Methods for Restricting Online Access - Systems and methods for restricting online access include a user interface module to establish a user interface between a network user with administrative authority and an Internet service or a DNS server and a communication module to receive, from the network user with administrative authority, restriction parameters associated with a restriction policy for a network. The restriction parameters may include a company name, a website name, and a category name. Based on the parameters, the system may determine one or more Uniform Resource Locators (URLs) to be associated with the restriction policy. The system may further comprise an activation module to activate and deactivate the restriction policy. The system may restrict a URL requested by a network user based on the determination that the restriction policy is activated and the URL is associated with the restriction policy.09-22-2011
20110231890Systems and Methods for Managing Internet Access - Various embodiments of the present invention include methods and systems for managing Internet access. An exemplary method for managing Internet access includes three steps. First, a request is received to access the Internet. Second, a determination is made whether the request is being made during a restricted time period. Third, Internet access is selectively managed for an end user via a computing device, by blocking Internet access if the determination is that the request was made during a restricted time period or granting Internet access if the determination is that the request was made outside the restricted time period.09-22-2011
20110231891Systems and Methods for Expression of Disassociation with Online Content - Systems and methods are provided for expression of disassociation with online content, including a user interface module to provide a user interface between a network user with administrative authority and an Internet service and a communication module to receive disassociation parameters for a disassociation policy for the Internet service. The disassociation parameters may include a name associated with an Internet content and a message corresponding to the Internet content. The name may be indicated as a website category or an affiliated website. The system may further include a confirmation module to confirm the disassociation policy with the network user with administrative authority, a policy generating module to establish, based on the disassociation parameters, the disassociation policy for the network, and a policy enforcement module to apply the disassociation policy to a user request to access the Internet content. The policy enforcement module may determine whether or not the disassociation policy is in effect to block the Internet content and provide the network user with the message corresponding to the Internet content.09-22-2011
20090205018METHOD AND SYSTEM FOR THE SPECIFICATION AND ENFORCEMENT OF ARBITRARY ATTRIBUTE-BASED ACCESS CONTROL POLICIES - A general attribute-based access control system includes at least one resource server, at least one client module, an access control database including basic data sets and basic relations between the basic data sets, at least one server module including an access decision sub-module that computes a decision whether to grant or deny access to computer-accessible resources referenced by objects, an event processing sub-module that processes events, and an administrative sub-module that creates, deletes, and modifies elements of the basic data sets and the basic relations.08-13-2009
20090007226Communications Apparatus and Control Method Therefor - When exchanging communication parameter setting information on a wireless network, a communications apparatus selects between a first operation mode in which communications parameter information is exchanged with a specific communications apparatus and a second operation mode in which communications parameter information is exchanged with an unspecified number of communications apparatus. Depending on the selected operation mode, the communications apparatus controls security upon holding the communications parameter information exchanged with the specific communications apparatus and the communications parameter information exchanged with the unspecified number of communications apparatus.01-01-2009
20090165084SECURITY POLICY SWITCHING DEVICE, SECURITY POLICY MANAGEMENT SYSTEM, AND STORAGE MEDIUM - A security policy switching device includes a policy information storage that stores policy setting information and identification information of a policy in correspondence to each other, the policy setting information including setting content of the policy and identification information of a user to whom the policy is attached, a data information storage that stores identification information of data for which a policy is set and identification information of a policy attached to the data in correspondence to each other, and a policy switching unit that switches, in response to a switching request designating identification information of data for which the policy is to be switched and identification information of a user instructing the switch, a policy attached to the data by updating identification information of the policy attached to the data stored in the data information storage with identification information of another policy.06-25-2009
20090007228MANAGING HIERARCHICALLY ORGANIZED SUBSCRIBER PROFILES - Apparatus are provided for managing hierarchically organized subscriber profiles. According to one embodiment, a router includes a subscriber manager, a database and a virtual interface. The subscriber manager is operable to receive a connection request from a subscriber of a service provider. The database has stored therein hierarchically organized profile identifiers, including multiple lower-level profile identifiers, which explicitly define subscriber services, and multiple first-level profile identifiers, which define service contexts representing combinations of services available to subscribers when connected to the service provider by (i) explicitly defining the subscriber services or (ii) referring to one or more of the plurality of lower-level profile identifiers. The virtual interface defines a subscriber connection between the router and the subscriber and is created and configured responsive to the connection request based on a first-level profile identifier that is associated with the subscriber.01-01-2009
20090222883Method and Apparatus for Confidential Knowledge Protection in Software System Development - An apparatus and a computer-implemented method for protecting confidential knowledge in a software system design which includes a plurality of artifacts. The method includes the steps of calculating a correlation between the confidential knowledge and the software system design, acquiring inter-dependencies between the artifacts in the software system design, and determining protection mechanisms for the respective artifacts according to the correlation and the inter-dependencies. The system includes a correlation calculating section for calculating a correlation between the confidential knowledge and the software system design; an inter-dependency acquiring section for acquiring inter-dependencies between the artifacts in the software system design; and a mechanism designing section for determining protection mechanisms for the respective artifacts according to said correlation and said inter-dependencies.09-03-2009
20090205016POLICY ENFORCEMENT USING ESSO - A method for enforcing policies used with a computer client, the method including receiving, at a policy decision point (PDP) processor, information from a single sign-on (SSO) system indicating an occurrence of an event of interest on the computer client, performing, using the PDP processor, a policy check in response to the occurrence of the event of interest, wherein a policy check result is generated, and providing the generated policy check result to the SSO system.08-13-2009
20090205014SYSTEM AND METHOD FOR APPLICATION-INTEGRATED INFORMATION CARD SELECTION - A selector daemon can run in the background of a computer. Applications that are capable of processing information cards directly, without requiring the use of a card selector, can request the selector daemon to list information cards that satisfy a security policy. Upon receiving such a request, the selector daemon can determine the information cards available on the computer that satisfy the security policy, and can identify these information cards to the requesting application. The applications can then use the identified information cards in any manner desired, without having to use a card selector: for example, by requesting a security token based on one of the information cards directly from an identity provider.08-13-2009
20090106818SELECTIVELY AUTHORIZING SOFTWARE FUNCTIONALITY AFTER INSTALLATION OF THE SOFTWARE - Controlling access to functionality within an installed software product. The invention includes an authorization module that dynamically references authorization information when specific functionality is requested by a requesting entity such as a user or an application program to determine if the requested functionality is authorized to be executed. Further, the invention dynamically provides an opportunity to the requesting entity to purchase unauthorized functionality. In this manner, functionality within the software product may be enabled or disabled at any time (e.g., during installation, post-installation, and re-installation).04-23-2009
20090249440SYSTEM, METHOD, AND APPARATUS FOR MANAGING ACCESS TO RESOURCES ACROSS A NETWORK - A system, method and apparatus for managing access across a plurality of applications is disclosed. The system may include a user store connector configured to connect to one or more user stores to retrieve attributes; an authentication connector configured to communicate with at least one authentication subsystem to authenticate a user; a policy engine configured to retrieve attributes from the user store connector corresponding to a user and use the attributes to evaluate access policies, if any, which are defined for protection of resources, to determine whether or not the user should be granted access to the resources; an admin component that is configured to enable the access policies to be defined relative to attributes and the resources; and a policy store configured to store the access policies.10-01-2009
20090249437ASSIGNMENT OF POLICY FUNCTION ADDRESS DURING ACCESS AUTHENTICATION IN WIMAX NETWORKS - A policy function used by a Service Flow Authorization of an Internet Protocol network is dynamically specified. A mobile station sends a request to a Network Access Server. Service Equipment forwards the request to a Service Provider's AAA Server. A connectivity serving network sends an Access-Accept RADIUS message to an access serving network. The PF address is inserted into the Access-Accept RADIUS message.10-01-2009
20090222885SYSTEM AND METHODOLOGY PROVIDING MULTI-TIER SECURITY FOR NETWORK DATA WITH INDUSTRIAL CONTROL COMPONENTS - The present invention relates to a system and methodology facilitating network security and data access in an industrial control environment. An industrial control system is provided that includes an industrial controller to communicate with a network. At least one security layer can be configured in the industrial controller, wherein the security layer can be associated with one or more security components to control and/or restrict data access to the controller. An operating system manages the security layer in accordance with a processor to limit or mitigate communications from the network based upon the configured security layer or layers.09-03-2009
20090205011CHANGE RECOMMENDATIONS FOR COMPLIANCE POLICY ENFORCEMENT - Some embodiments of the present invention provide a system for maintaining a software system. During operation, the system obtains a compliance policy for the software system and monitors the software system for a violation of the compliance policy. If a violation is detected, the system generates a change recommendation associated with the violation using the compliance policy and provides the change recommendation to an administrator, so that the administrator can use the change recommendation to resolve the violation.08-13-2009
20080276294LEGAL INTERCEPT OF COMMUNICATION TRAFFIC PARTICULARLY USEFUL IN A MOBILE ENVIRONMENT - Methods, structures, and systems are disclosed for implementing legal intercept of data which provide real-time correlation of broadband user information to network addresses (or other identifiers) across multiple and different authentication systems and user databases. In certain embodiments, an intercept coordinator module interacts with each authentication system to determine in real time a target address for a target user device, which it then uses to update mediation devices, external databases, etc., involved in performing a lawful intercept under the CALEA process. Probes are not required within the network to perform authentication system captures. A modular interface system provides support for existing CALEA equipment, and support for implementing additional interface modules for new or updated CALEA equipment. Exemplary intercept coordinator modules may communicate with multiple AAA systems, in multiple different sub-nets or networks, including geographically distant networks, and provide for pooling of common CALEA equipment resources for use in multiple networks simultaneously.11-06-2008
20090222884INTERFACES AND METHODS FOR GROUP POLICY MANAGEMENT - A system and method for managing group policy objects in a network, including interfaces that allow access by programs or a user interface component to functions of a group policy management console that performs management tasks on group policy objects and other related objects. The interfaces abstract the underlying data storage and retrieval, thereby facilitating searching for objects, and providing the ability to delegate, view and change permissions on those objects, and check and save those permissions. Modeling and other test simulations are facilitated by other interfaces. Other interfaces provide dynamic and interactive features, such as to convey progress and rich status messages, and allow canceling of an ongoing operation. Still other interfaces provide methods for operating on group policy related data, including group policy object backup, restore, import, copy and create methods, and methods for linking group policy objects to scope of management objects.09-03-2009
20090222881RESOURCE STATE TRANSITION BASED ACCESS CONTROL SYSTEM - Enforcing access control based on resource state. A method includes receiving a request for an operation on one or more objects stored on computer readable media. One or more pre-operation states of the one or more objects are determined. One or more post-operation states of the one or more objects are determined. One or more access control rules are referenced. The access control rules control access to resources based on pre-operation state and post-operation state. It can then be determined that the one or more access control rules allow the operation to succeed based on the one or more pre-operation states and the one or more post-operation states. Based on determining that the one or more access control rules allow the operation to succeed, the operation is allowed to succeed.09-03-2009
20090222880Configurable access control security for virtualization - Provided are systems and methods for applying access controls to separate and contain virtual machines in a flexible, configurable manner. Access can be granted or removed to a variety of system resources—including network cards, shared folders, and external devices. Operations, such as cut and paste, between the virtual machines can be restricted or allowed. Virtual machines are run in containers. This allows more than one virtual machine to share the same access profile. Containers can be configured to allow a user to instantiate a virtual machine at run time. This allows the user to dynamically define which virtual machines run in various containers. An administrator determines which containers (if any) allow dynamic instantiation, and specifies the list of virtual machines the user can choose from. A container, and/or virtual machines within the container, can be restricted to particular users.09-03-2009
20090222876POSITIVE MULTI-SUBSYSTEMS SECURITY MONITORING (PMS-SM) - A system for Positive Multi-Subsystems Security Monitoring providing for the monitoring of security events of a business organization comprising business assets, wherein the events are monitored according to a positively stated policy that is created, managed and controlled by a Multiple Sub-Systems Meta Security Policy (MSSMSP). The system includes Policy Connectors (PCs), wherein each PC has a specific set of rules and relevant data, and an event collector comprising centralized event collector software, wherein the event collector collects security events, and wherein each security event is created in the PMS-SM system using the MSSMSP. Each event arises from an application. The system also includes security events which include Business Asset Monitor (BAM) events. A BAM event represents user activity against a specific business asset and security data that is queried from the various security sub-systems using the PCs and a security policy of the MSSMSP. The system enables positive, centralized security monitoring.09-03-2009
20130219461AUTHENTICATION COLLABORATION SYSTEM, ID PROVIDER DEVICE, AND PROGRAM - A policy storage unit of an ID provider device according to an embodiment stores, for each service provider ID, policy information representing a user to which transmission of service data is permitted and policy information representing a user of a target in which transmission permission of service data is deleted. When a predetermined cycle comes or when a use status of the service provider device changes, the ID provider device acquires use status information of the service provider device transmitted from the service provider device, and updates a service use status storage unit based on the acquired use status information. When the service use status storage unit is updated, the ID provider device decides a deletion target account of each service provider ID.08-22-2013
20130219459CONTENT MANAGEMENT SYSTEMS AND METHODS - This disclosure relates to systems and methods for managing content. In one embodiment, a method of managing electronic content from a plurality of a user's computing devices is disclosed. Content from the devices is automatically uploaded to a media hub service that securely routes, processes, synchronizes, and/or stores the content in accordance with one or more user-specified policies.08-22-2013
20130219458METHODS AND SYSTEMS FOR SECURE DIGITAL CONTENT DISTRIBUTION AND ANALYTICAL REPORTING - The present disclosure relates to methods and systems for securely distributing digital content and analytical reporting. In one aspect, a system for restricting access of digital content to a predetermined number of devices includes a content distribution system that can receive a specification of a predetermined number of devices to which digital content of a publisher may be accessed by one or more users on devices to be identified at time of distribution. The content distribution system can receive a request from a device to access the digital content and identify that the device has not been previously activated by the content distribution system to access the digital content. The content distribution system can restrict the device from accessing the digital content in response to determining that a number of devices from which the digital content has been accessed has reached the predetermined number of devices for that digital content.08-22-2013
20130219454LOCATION-BASED SECURITY SYSTEM FOR PORTABLE ELECTRONIC DEVICE - A location-dependent security method and system for a portable electronic device is disclosed. Without requiring that the user enter any location information, the system determines one or more familiar areas for the device based on locations where the device has received at least a threshold amount of successful user authentication entries. Thereafter, when a user attempts to access the device or an application of the device, the device will implement a first authentication process if the device is in one of the familiar areas, or a different authentication process if the device is not in one of the familiar areas.08-22-2013
20090254968METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR VIRTUAL WORLD ACCESS CONTROL MANAGEMENT - A method for virtual world (VW) access control management includes intercepting a policy object from a VW network in response to a request from a VW client system to access a VW space, the policy object intercepted by a proxy server located outside of the network. The method also includes selecting an identity based upon the policy object, which provides credentials required in the policy object as a condition of granting access to the network, generating proof from the selected identity, and transmitting the proof to a verifier avatar located inside the network, the verifier avatar logically mapped to, and controlled by, a verification system located outside of the network. The method further includes receiving, at the verification system, the proof from the verifier avatar. In response to successful validation of the proof, the verifier avatar places an avatar of the client system on a list of avatars having access to the space.10-08-2009
20090254967VIRTUAL PRIVATE NETWORKS (VPN) ACCESS BASED ON CLIENT WORKSTATION SECURITY COMPLIANCE - Techniques for virtual private network (VPN) access, which is based on client workstation security compliance, are provided. When a user successfully logs into a secure network, client integrity checks are processed on a client workstation of the user to gather configuration information related to a processing environment of the client workstation. Metrics associated with the client integrity checks are compared with security policy and an assigned security access level is set for the user during a VPN session. Traffic policy is then enforced against the VPN session by configuring attributes of the VPN session.10-08-2009
20090249435Manually controlled application security environments - Computer protection is weak with the methods currently available and there are risks of malicious users getting access to computers, corrupting important data, including system data. We are proposing a method for improving access protection, more particularly, by adding a device that will enable or disable protection for applications as required. The device supports one or more users, one or more user groups, none or one or more Application Security Environments for each user or user group and one or more states for each Application Security Environment. The state of the hardware is manually controlled by the users. Depending on the configuration, each hardware state corresponding to an Application Security Environment corresponds to a set of privileges for processes running in that Application Security Environment while that Application Security Environment is in that state.10-01-2009
20090222879SUPER POLICY IN INFORMATION PROTECTION SYSTEMS - Providing access to information based on super policy. Information is associated with author policy expressing restrictions on use of the information. The author policy is processed using super policy programmatic code to generate a composite policy. The composite policy includes a combination of the author policy and super policy applied by the super policy programmatic code, such that restrictions are added to or removed from the author policy to create the composite policy. A request for the information is evaluated. This includes evaluating information about the requester against the composite policy to determine if the requester is authorized to access the information. A determination is made that the requester is authorized to access the information based on the composite policy, whereafter access to the information is granted to the requester.09-03-2009
20090249434APPARATUS, SYSTEM, AND METHOD FOR PRE-BOOT POLICY MODIFICATION - An apparatus, system, and method are disclosed for pre-boot policy modification. A key module exchanges a key with a server in a secure environment. A communication module receives a policy encoded with the key. A decode module decodes the encoded policy using the key and saves the policy setting prior to booting an operating system on the computer. An update module boots the computer using the policy.10-01-2009
20090249436Centralized Enforcement of Name-Based Computer System Security Rules - This disclosure describes techniques of using a centralized rule database to control the abilities of software processes to perform actions with regard to resources provided by a computer. As described herein, each software process executing in a computer executes within a chamber and each resource provided by the computer is associated with a canonical name that uniquely identifies the resource. Furthermore, the computer stores a set of security rules in a centralized rule database. In addition, this disclosure describes techniques of enforcing the rules stored in the centralized rule database.10-01-2009
20090249433SYSTEM AND METHOD FOR COLLABORATIVE MONITORING OF POLICY VIOLATIONS - A computer implemented system and method is used to receive user reports regarding potential security policy violations that describe observations by the user, the type of policy violation, and an identification of another user with potential knowledge of a security policy violation. A payoff matrix may be formed for each user submitting a user report regarding potential as well as actual security violations and for users identified in such reports, wherein the payoff matrix reflects payout data for reported and unreported security policy violations. The payoff matrix may be used to both reward and punish reporting behaviors.10-01-2009
20090249432SYSTEM AND METHOD FOR CIRCUMVENTING INSTANT MESSAGING DO-NOT-DISTURB - A method and computer program product for defining one or more authorized users capable of granting do-not-disturb circumvention privileges, and receiving an indicator of a grant of do-not-disturb circumvention privileges to a circumventing user by the one or more authorized users. A do-not-disturb status of an instant messaging user is circumvented based upon, at least in part, the grant of do-not-disturb circumvention privileges.10-01-2009
20090249441GOVERNING THE TRANSFER OF PHYSIOLOGICAL AND EMOTIONAL USER DATA - Apparatus and articles of manufacture are provided for governing the transfer of data characterizing a user's behavior, physiological parameters and/or psychological parameters. One embodiment provides a computer readable storage medium containing a program which, when executed, performs an operation for handling a request, from a requesting application, for emotion data characterizing an emotional state of a user. A firewall ruleset defining rules governing the transfer of the emotion data to requesting applications is accessed to determine whether to provide the emotion data to the requesting application. The request is denied if the firewall ruleset rules are not satisfied.10-01-2009
20090249439SYSTEM AND METHOD FOR SINGLE SIGN-ON TO RESOURCES ACROSS A NETWORK - Systems, methods and apparatus for providing single sign-on across a plurality of resources are disclosed. An exemplary method includes receiving a request from a user to access a particular one of the plurality of resources; establishing an SSO session for the user if an SSO session has not been established; determining if the user has been authenticated to the particular resource, and if not, retrieving credentials for the user that are specific to the resource; presenting the credentials to the resource so as to create a session with the resource; and presenting a user interface for a customer to configure which of the plurality of resources can be accessed by users.10-01-2009
20090249438MOVING SECURITY FOR VIRTUAL MACHINES - A method of maintaining multiple firewalls on multiple host nodes. Each host node runs one or more virtual machines. For at least a first host node, the method maintains multiple sets of policies for multiple virtual machines that run on the first host node. The method, upon detecting that a particular virtual machine has been moved from the first host node to a second host node, removes a set of policies associated with the particular virtual machine from the first host node and supplies the set of policies to the second host node.10-01-2009
20090222882UNIFIED MANAGEMENT POLICY - Defining a unified access management policy expression that unifies access control policy with events or workflows. Unified management policy information is stored. The unified management policy information defines permissions for access to resources together with events or workflows. A request is received to execute one or more operations on one or more objects. The requested operation is verified against the unified management rules. Verifying includes performing a single retrieval, retrieving both the access control information and the events or workflows and calculating the applicability of the rule to the conditions represented by the request. Matching rules are applied, access control decisions performed and associated workflows are executed.09-03-2009
20080244695Total system for preventing information outflow from inside - Disclosed is a system for monitoring data flow for security including: a computing device for executing an application program and creating human-readable print-out data; and a control unit for receiving information, which is associated with the human-readable print-out data from an application program, and controlling a printing device based on the received information, wherein the information has an attribute of the human-readable print-out data to be output. The attribute of the human-readable print-out data is provided by a security program which is installed in the computing device, the attribute includes at least user's IP of the computing device, and the information is merged into the human-readable print-out data by the printing device.10-02-2008
20090254972Method and System for Implementing Changes to Security Policies in a Distributed Security System - Improved approaches for effectuating changes to security policies in a distributed security system are disclosed. The changes to security policies are distributed to those users (e.g., user and/or computers) in the security system that are affected. The distribution of such changes to security policies can be deferred for those affected users that are not activated (e.g., logged-in or on-line) with the security system.10-08-2009
20110113469Network synchronization system and information processing apparatus - In a network synchronization system, setting information synchronized among plural information processing apparatuses contains at least user information; user operating policy information; first equipment group information that prescribes a first equipment group to which the information processing apparatus belongs; and equipment operating policy information. The information processing apparatus includes a user authentication unit; a storage unit that stores the setting information and second equipment group information that prescribes a second equipment group to which the information processing - apparatus belongs; and an operating policy generation unit that generates an applied operating policy to be applied to a login user. The operating policy generation unit generates, when the second equipment group information is contained in the first equipment group information, the applied operating policy in accordance with the equipment operating policy information corresponding to the first equipment group information in preference to the user operating policy information corresponding to authenticated user information.05-12-2011
20100175104SAFE AND SECURE PROGRAM EXECUTION FRAMEWORK WITH GUEST APPLICATION SPACE - A system and method is provided here that allow computer user to create a temporary guest running space for application without switching user environment. This unique method allows user to run trusted applications in regular running space while keeping a separate working space for applications that uses or visit non trusted data sources.07-08-2010
20090241167METHOD AND SYSTEM FOR NETWORK IDENTIFICATION VIA DNS - In embodiments of the present invention improved capabilities are described for accessing a DNS server, where the DNS server may be a DNS server within the control of a administrator. A pair of name and IP address may be stored on the DNS server. A client may then transmit the name to a DNS server to request the DNS server to lookup the IP address related to the client transmitted name. This client to DNS server communication may be performed as part of a network request from the client. The IP address may then be returned to the client in response to the connection request, which may allow the client to interpret the return of the security IP address as an indication of a known DNS server and therefore a known network. As a result, the client may then be able to set its security rules according to known network rules. Further, the identifying of a known network may be associated with location information associated with the DNS server, and thus the client, where the location information may be associated with multiple DNS IP address entries.09-24-2009
20100154030Methods and Apparatus for Providing Alternative Paths to Obtain Session Policy - A method for a user agent to access a session policy in a network is provided. The method comprises the user agent receiving in a header field of a response message a plurality of uniform resource identifiers (URIs) for a policy server, wherein each of the plurality of URIs uses a different policy channel protocol.06-17-2010
20100154024METHODS, APPLIANCES, AND COMPUTER PROGRAM PRODUCTS FOR CONTROLLING ACCESS TO A COMMUNICATION NETWORK BASED ON POLICY INFORMATION - A method of operating an appliance in a communication network includes receiving policy information associated with at least one network access account from a responsible party associated with the account, the policy information restricting and/or expanding allowable use of the communication network, and controlling access to the communication network based on the received policy information.06-17-2010
20100154031Methods and Apparatus for Providing Indirect Alternative Paths to Obtain Session Policy - A method for a user agent to access a session policy in a network is provided. The method comprises sending, from the user agent, a single session policy request to a single network component, the single network component contacting a plurality of network components, wherein sending the single session policy request to the single network component utilizes a lower layer protocol. The lower layer protocol is at least one of Extensible Authentication Protocol (EAP), Point to Point Protocol (PPP), and General Packet Radio Service (GPRS) Activate Packet Data Protocol (PDP) context. The method further comprises aggregating policy information and providing the aggregated policy information to the user agent.06-17-2010
20100154027Methods and Systems for Enabling Community-Tested Security Features for Legacy Applications - A computer-implemented method for enabling community-tested security features for legacy applications may include: 1) identifying a plurality of client systems, 2) identifying a legacy application on a client system within the plurality of client systems, 3) identifying a security-feature-enablement rule for the legacy application, 4) enabling at least one security feature for the legacy application by executing the security-feature-enablement rule, 5) determining the impact of the security-feature-enablement rule on the health of the legacy application, and then 6) relaying the impact of the security-feature-enablement rule on the health of the legacy application to a server. Various other methods, systems, and computer-readable media are also disclosed.06-17-2010
20090144802Large scale identity management - Methods of designing, structuring and operating an Identity Management provisioning solution over multiple sets of hardware/software platforms are organized by “area of expertise” to better utilize IdM deployment and support team resources for subject matter expertise, improving quality, consolidating resources, and significantly reducing the cost of IdM deployment and operation, across the entire MSP customer base. For example, IdM events originate in a source system platform and flow into a large scale Identity Management infrastructure platform, where IdM event filtering occurs, source system lookups or source system exports occur, provisioning policies or rules are applied to determine which accounts and/or entitlements need to be provisioned or de-provisioned in target connected systems, and target system imports are executed to accomplish the provisioning or de-provisioning activities.06-04-2009
20090254971 | SECURE DATA INTERCHANGE - A secure data interchange system enables information about bilateral and multilateral interactions between multiple persistent parties to be exchanged and leveraged within an environment that uses a combination of techniques to control access to information, release of information, and matching of information back to parties. Access to data records can be controlled using an associated price rule. A data owner can specify a price for different types and amounts of information access. | 10-08-2009
20090254969 | Method and system for managing security of mobile terminal - A method for enabling security on a mobile terminal having a communication link with a circuit switched network against suspicious activities is provided. Activities performed at the mobile terminal are performed according to a security policy provided from the circuit switched network. The circuit switched network is alerted when a suspicious activity is detected. A policy manager server of the circuit switched network changes the security policy to cure the suspicious activity on the mobile terminal. Call traffic delivered to or sent from the mobile terminal that causes the suspicious activity is filtered out according to the security policy. The mobile terminal enforces a security measure on a suspicious activity according to the security policy. | 10-08-2009
20080313700 | METHOD TO ALLOW ROLE BASED SELECTIVE DOCUMENT ACCESS BETWEEN DOMAINS - An improved solution for allowing role based selective access to a document between a plurality of domains is provided. In an embodiment of the invention, a method for allowing selective access to a document between a plurality of domains includes: obtaining a composed section of the document at a first domain; applying a security policy at the first domain to the composed section of the document; distributing the security policy from the first domain to a second domain, wherein the second domain is different from the first domain; and applying the security policy to the document at the second domain. | 12-18-2008
20090249431 | Determining Effective Policy - Aspects of the subject matter described herein relate to determining effective policy when more than one policy may be associated with an entity. In aspects, bindings associate policies with target groups that may include one or more entities. The bindings are ordered by precedence. When properties of two or more policies affect an entity, properties of policies in higher precedence bindings control (e.g., override) properties of policies in lower precedence bindings. When a property of a policy is not included in other policies that affect an entity, the property is retained. A policy resolver determines disjoint target groups and a resultant policy associated with each disjoint target group. The resultant policy associated with a disjoint target group represents a combination of the original policies according to precedence. | 10-01-2009
20090249430 | CLAIM CATEGORY HANDLING - A relying party can have a security policy. The security policy can include claims that are categorized other than “required” and “optional”. The user can specify, in a user policy, whether or not to include in a request for a security token from an identity provider claims that are not “required”. | 10-01-2009
20090260055 | REAL-TIME DATA SHARING AMONG A PLURALITY OF USERS - Described embodiments provide for accessing stored data representing real-time tracking information shared among a plurality of users. First, a user request for access to stored data is identified. A device type associated with the user request is determined, and one or more permissions for the user request are also determined. Based on the one or more permissions determined, a portion of the stored data is provided to the user through one of a plurality of specialized data views. The selected one of the plurality of specialized data views is selected based on the device type. | 10-15-2009
20090260056 | Role-Based Authorization Management Framework - A role-based authorization management system maintains an authorization policy store that represents user authorizations to perform operations associated with an application. When a user attempts to perform a function associated with an application, the authorization management system verifies that the user is authorized to perform the requested function. The authorization management system also provides an interface for an application administrator to update role-based user authorization policies associated with one or more applications. | 10-15-2009
20090260052 | Inter-Process Message Security - Inter-process messaging security management may be provided. A message comprising an operation to be performed may be sent from a first process operating in a process chamber to a second process operating in another chamber. Before the message is allowed to be delivered, the validity of the operation contained in the message may be verified and a security policy may be examined to determine whether the message is permitted to be sent from the first process to the second process. If the security policy permits the second process to execute the operation requested by the first process, the message may be delivered to the second process. If the operation is not permitted, the message may not be delivered and an error message may be returned to the first process. | 10-15-2009
20080307493 | Policy specification framework for insider intrusions - This disclosure provides a policy specification framework to enable an enterprise to specify a given insider attack using a holistic view of a given data access, as well as the means to specify and implement one or more intrusion mitigation methods in response to the detection of such an attack. The policy specification provides for the use of “anomaly” and “signature” attributes that capture sophisticated behavioral characteristics of illegitimate data access. When the attack occurs, a previously-defined administrator (or system-defined) mitigation response (e.g., verification, disconnect, de-provision, or the like) is then implemented. | 12-11-2008
20080307492 | SECURITY POLICY GENERATION - The invention provides security policy generation methods and devices for generating a security policy that is set up for an information processing apparatus, comprising a step of generating an application model in which a transmitter and a receiver of a message are decided, for each of a plurality of messages that are communicated, a step of storing in advance a plurality of security patterns with the signer of the electronic signature appended to the message as an undecided parameter, a step of selecting a security pattern that is a model of the security policy to be set up for the transmitter or receiver of the message, corresponding to each of the plurality of messages included in the application model, and a step of substituting the identification information of the transmitter or receiver of each message included in the application model for the undecided parameter of the security pattern selected corresponding to the message. | 12-11-2008
20080307486 | ENTITY BASED ACCESS MANAGEMENT - The subject disclosure pertains to systems and methods that facilitate entity-based access management. Typically, access to one or more resources is managed based upon identifiers assigned to entities. Groups of identifiers can be assigned to access rights. An authority component can manage an exclusion group that excludes an entity, regardless of the identifier utilized by the entity. Access control components can utilize exclusion groups in access policies to define access rights to a resource. | 12-11-2008
20080307490 | METHODS AND APPARATUS FOR BUILDING AND EXECUTING NATURAL LANGUAGE WORKFLOW FUNCTIONS - The present disclosure provides methods and apparatuses for building and executing natural language policies. Using the methods and apparatus herein, users can easily program policies in a natural language, intuitive manner. The user can program the natural language policy without needing to have technical knowledge of the underlying systems and without the assistance of a technical specialist. | 12-11-2008
20100154028 | MIGRATING A NETWORK TO TUNNEL-LESS ENCRYPTION - A method comprises, in a network comprising VPN gateway devices configured only for plaintext data communication, configuring a policy server with a security policy including DO NOT ENCRYPT statements temporarily overriding PERMIT statements defining which packets should be encrypted; selecting one sub-group of the VPN gateway devices in which tunnel-less encryption is not configured; configuring the VPN gateway devices in the sub-group for tunnel-less encryption by: configuring each device in a passive mode of operation in which the device is configured to receive either encrypted packets or plaintext packets matching encryption policy; configuring local DO NOT ENCRYPT statements matching traffic that is currently being converted to ciphertext; removing, from the access control list of the policy server, DO NOT ENCRYPT statements referring to protected LAN CIDR blocks behind the VPN gateway devices in the selected sub-group; configuring the sub-group to send encrypted packets by removing, from each of the VPN gateway devices in the selected sub-group, the local DO NOT ENCRYPT statements for the CIDR blocks currently being converted and protected by the selected sub-group; repeating the configuring of each of the VPN gateway devices in the selected sub-group for tunnel-less encryption, and the configuring of the sub-group to send encrypted packets, for each other one of the sub-groups; and removing the passive mode on each of the VPN gateway devices. | 06-17-2010
20100154026 | AUTOMATED SOFTWARE RESTRICTION POLICY RULE GENERATION - Software restriction policy rules can be automatically generated by parsing through a specified metadata source and generating the rules in accordance with indicated preferences. Metadata sources can include storage locations, such as folders, in which case rules for each executable file in the folder can be generated. Metadata sources can also include trusted publisher stores, installation logs, difference files, and other like data sources. Indicated preferences can select from among rules based on the publisher, for files that are signed, or rules based on hashes or path information for unsigned files. In generating rules to prevent the execution of specified files, if an optimized set of rules is desired, a check can be made to determine if an exception to an existing rule can be generated instead of a new rule. The automated parsing of the indicated metadata source can provide for both completeness and correctness. | 06-17-2010
20100154025 | INTEGRATING POLICIES FROM A PLURALITY OF DISPARATE MANAGEMENT AGENTS - Described herein are embodiments for managing policies of a mobile device. In embodiments, a mobile device receives policy containers from a plurality of disparate management agents. Each policy container has one or more policies. Each policy corresponds to a particular category that governs various aspects of the device. The policies described herein may be device-wide policies corresponding to various features on the device. The policies may also be data-specific policies which dictate how data is stored on and transferred to and from the device. Once the policies are received, a determination is made as to which policy in each category is the most secure policy. The most secure policy for each category is merged to create a global policy that is applied to the mobile device. | 06-17-2010
20100186065 | METHOD FOR PROTECTING CONTENTS, METHOD FOR SHARING CONTENTS AND DEVICE BASED ON SECURITY LEVEL - A method for using contents, a method for sharing contents, and a device based on security level are disclosed. A method for using contents based on security level creates a device security level according to the number of device identification elements, receives contents, and if the device security level is found to be at least the minimum allowed device security level for using the contents, uses the contents. Therefore, a device that does not satisfy the conditions required for using contents cannot use the contents, whereby security is reinforced. | 07-22-2010
20100186064 | METHOD AND DEVICE FOR OBTAINING CAPABILITIES OF POLICY AND CHARGING ENFORCEMENT FUNCTION - A method for obtaining capabilities of a Policy and Charging Enforcement Function (PCEF) includes these steps: a Policy Control and Charging Rules Function (PCRF) obtains capability information of the PCEF; and the PCRF performs processing according to the capability information. A PCRF is also disclosed. With the present disclosure, the PCEF reports its capabilities in advance so that the PCRF makes policy decisions for a service or subscribes to appropriate application events from the PCEF when it knows the capabilities of the PCEF. This avoids possible subscription errors and decision failures arising when the PCRF is unable to know the capabilities of the PCEF. | 07-22-2010
20100162351 | SYSTEM AND METHOD FOR DOCUMENT ACCESS MANAGEMENT - In a system for document access management, each page of the electronic document is converted into an image, and viewing and download permissions to view and download each converted image are set. The page of the electronic document is further converted into a restricted image comprising only designated elements. | 06-24-2010
20100192195 | MANAGING SECURITY CONFIGURATION THROUGH MACHINE LEARNING, COMBINATORIAL OPTIMIZATION AND ATTACK GRAPHS - The claimed subject matter provides systems and/or methods that combat identity follow-on attacks. The system can include components for receiving a plurality of security configuration changes, selecting which of the changes included in the plurality of security changes to approve or disapprove, and based on which of the changes are approved or disapproved by an administrator, generating a further plurality of security configuration changes that the administrator can once again approve or disapprove until the administrator is satisfied with the security configuration changes. | 07-29-2010
20100186062 | PROTECTING CONTENT FROM THIRD PARTY USING CLIENT-SIDE SECURITY PROTECTION - Architecture that employs encryption and storage of encryption keys to protect trusted client message content from an untrusted third-party hosted service. Each trusted user machine is configured to optionally apply security to messages. Rules determine when automatic protection is applied and the level of protection to apply. The trusted client automatically downloads the rules (or rules policies) from a trusted rules service and caches the rules locally. During composition, the rules analyze the message and automatically apply security template(s) to the message. The security template(s) encrypt the body of the message, but not the headers or subject. The untrusted message service processes the header and delivers the message to the correct recipient. The hosted service cannot view the contents of the message body, and only intended recipients of the protected message can view the message body. Offline protection is supported, and the user can override protection by the rules. | 07-22-2010
20100186063 | SYSTEM AND METHOD FOR SETTING SECURITY CONFIGURATION TO A DEVICE - A method of accessing an image forming apparatus (IFA) or a multifunction printer (MFP) using a management device (MD) via a network, transmitting security information from the MD to the IFA, updating an original security configuration of the IFA with a new security configuration using the security information, using the new security configuration by the IFA, and confirming the new security configuration with the MD. After confirming, it is preferable that the security information is deleted. Also, an IFA including a confirmation unit and a write protection unit for use with the method. | 07-22-2010
20100263017 | POLICY MANAGEMENT IN A ROAMING OR HANDOVER SCENARIO IN AN IP NETWORK - The invention comprises methods and arrangements for Policy Decision Point discovery in a roaming or handover scenario in an IP network (IN) comprising a plurality of network elements. The authentication function, e.g. an AAA-server, receives the address (ASPDP | 10-14-2010
20100263018ELECTRONIC TRANSACTIONS SYSTEM - A system for processing electronic transactions according to policies is disclosed. The system includes a user module configured to store computer-readable information related to a user, and a policy module configured to store a plurality of policies for electronic transactions. Each policy for an electronic transaction includes a permission to access a physical space or item by a user. The system also includes a processor configured to receive a request to complete an electronic transaction by the user, and configured to dynamically apply, upon receipt of the request by the processor, the plurality of policies to the user based on the request to complete the electronic transaction. Methods and machine-readable mediums are also disclosed.10-14-2010
20100192196HEALTH-BASED ACCESS TO NETWORK RESOURCES - A protection system is described herein that dynamically determines whether a computer system can access a particular resource based on a combination of a dynamic health state of the computer system and a dynamic reputation of the resource. When a user attempts to access a resource, the protection system intercepts the request. The protection system determines the reputation of the resource that the user is attempting to access and the health of the computer system through which the user is attempting to access the resource. Based on the determined resource reputation and the determined computer system health, the protection system determines whether to allow the requested access to the resource.07-29-2010
20100192194EXTRACTION OF CODE LEVEL SECURITY SPECIFICATION - A method comprising, receiving a source code, identifying a data structure access in the source code, determining whether the data structure access is associated with a security check function, defining the data structure access as a security sensitive operation responsive to determining that the data structure access is associated with the security check function, and defining a security specification to include the security check function and the security sensitive operation.07-29-2010
20100192193SECURITY RESTRICTION TECHNIQUES FOR BROWSER-BASED APPLICATIONS - Various technologies and techniques are disclosed for restricting security levels that can be used with browser-based applications. When a request is received from an external application to retrieve data for use in a client browser, an intersection is performed on a permission set of a user of the client browser and of the external application to determine a new permission set to use for retrieving the requested data. Techniques for restricting operations of an external application that is being run in a client browser are also described. A session token is returned to a client browser after validating access can be granted to the client browser. Validation is performed to confirm access can be granted to an external application. A request for data is received from the external application, with the request for data containing the session token. The requested data is retrieved and returned to the external application.07-29-2010
20100162349CONTENT PROTECTION DEVICE, CONTENT PROTECTION METHOD, AND COMPUTER READABLE MEDIUM - A content protection device includes: a use restriction definition information storage that stores one or more pieces of use restriction definition information in which at least use restriction conditions to restrict use of contents are defined; a comparison unit that monitors writing of an access log into an access log accumulation unit, and that when the access log is written into the access log accumulation unit, compares a use manner in which content specified by the access log is used and the use restriction conditions included in the use restriction definition information; and a restriction unit that if a result of the comparing by the comparison unit indicates that the use manner meets any of the use restriction conditions, restricts at least a same kind of use as the use manner.06-24-2010
20100218235METHOD AND SYSTEM FOR TEMPORARILY REMOVING GROUP POLICY RESTRICTIONS REMOTELY - A device, system and method is provided for remotely changing a policy setting on a first computer. A second computer may remotely connect to the first computer. The first computer may have an initial policy setting. The second computer may change one or more key values stored in the registry of the first computer. The key values may define the policy setting of the first computer. The second computer may start an application in the first computer that automatically retrieves the key values stored in the registry of the first computer to apply a corresponding new policy setting to the first computer. The second computer may be operated by an administrator investigating a problem and providing maintenance to the first computer in a system network by temporarily removing a restrictive policy setting on the first computer.08-26-2010
20100218234METHOD AND APPARATUS FOR LIMITING OPERATION OF DIGITAL RIGHTS MANAGEMENT MODULE - A method and apparatus for limiting an operation of a digital rights management (DRM) module includes checking an operation mode that is currently set in the DRM module, deciding a DRM policy that will be applied to the DRM module, and selectively limiting an operation of the DRM module based on the checked operation mode and the decided DRM policy.08-26-2010
20120198517RULE-BASED CONTEST HANDLING - An embodiment of a method includes receiving a content request including a first set of attribute values, using at least one of the attribute values from the first set of attribute values to determine a second set of attribute values, traversing a hierarchy of decision nodes, wherein each decision node implements business logic based on one of the attribute values from the first set of attribute values or the second set of attribute values, and generating a decision from a last node in the hierarchy, wherein the decision dictates how to respond to the content request.08-02-2012
20120198512SYSTEM AND METHOD FOR COMBINING AN ACCESS CONTROL SYSTEM WITH A TRAFFIC MANAGEMENT SYSTEM - A system and method for handling a request from a client device to access a service from a server. The method comprises receiving a request from a user using a client device to access a service from a server. The request is received by a network traffic management device having a local external access management (EAM) agent. The EAM agent directly communicates with an EAM server that provides authentication policy information of a plurality of users able to at least partially access the server. User credential information is sent from the EAM agent to the EAM server, whereby the EAM agent receives access policy information of the user from the EAM server. The system and method selectively controls access of the user's request to the server in accordance with the received access policy information at the network traffic management device.08-02-2012
20120198511WEB SERVICE SECURITY COCKPIT - A first configuration object identifies attributes of a configuration of a first web service. Security setting data is identified defining security setting rules for the computing system. The failure of the first attribute to satisfy at least one security setting rule is determined. A second configuration object is identified that identifies attributes of a configuration of a second web service. The failure of the second attribute to satisfy at least one security setting rule is determined. A service security cockpit is presented identifying that configurations of at least the first and second web services are unsecure, based at least in part on the determination that the first and second attributes fail to satisfy security setting rules. User input is received, through the cockpit, identifying a resolution action directed to resolve the first attribute failing to satisfy at least one security setting rule. The identified resolution action is then initiated.08-02-2012
20090077627INFORMATION CARD FEDERATION POINT TRACKING AND MANAGEMENT - A client can store information about federation points. A federation point is a combination of an identifier of an account on a relying party and an identifier of an information card. The client can track which information cards are included in various federation points, and can use this information to assist the user in performing a transaction with relying parties.03-19-2009
20090077626METHOD AND DEVICE FOR COMMUNICATION ON A COMMUNICATION LINK BETWEEN AN AIRCRAFT AND A GROUND STATION - A communication method on a communication link between an aircraft and a ground station, the communication capable of being configured according to a plurality of safety levels in which, when the aircraft sends a request to a ground station to modify the safety level of the communication from a previous safety level to a new safety level and the aircraft does not receive an acknowledgement of the request by the ground station, the aircraft still accepts messages from the ground station according to the new security level.03-19-2009
20090077621METHOD AND SYSTEM FOR MANAGING SECURITY POLICIES - A system and method of managing security policies in an information technologies (IT) system are provided. In an example, the method includes receiving an input indicating a high-level security policy for the IT system, the received high-level security policy relating to non-functional system attributes for the IT system and received in a format that is not machine-enforceable at an enforcement entity of the IT system. A functional model for the IT system is determined, where the functional model indicates functional system attributes of the IT system. At least one pre-configured rule template is loaded, and at least one machine-enforceable rule is generated in a manner compliant with the received high-level security policy by iteratively filling the at least one pre-configured rule template with functional system attributes indicated by the functional model. After the generating step, the at least one machine-enforceable rule can be distributed (e.g., to an enforcement entity, an Intrusion Detection System (IDS), etc.). In another example, the receiving, determining, loading, generating and distributing steps can be performed at a policy node within an IT system.03-19-2009
20090077625ASSOCIATING INFORMATION RELATED TO COMPONENTS IN STRUCTURED DOCUMENTS STORED IN THEIR NATIVE FORMAT IN A DATABASE - A system for associating information related to a component of a structured document that is stored in its native format in a database system includes generating a hierarchical node tree comprising a plurality of nodes, where each node represents a component in the structured document, and generating a path associated with each node, where the path follows the hierarchical structure of the structured document from a root node to the node. In each node, an identifier associated with the path is stored. A table is provided that correlates the identifier with information related to the associated path. The information applies to the component represented by the node.03-19-2009
20090077622Security Network Integrated With Premise Security System - An integrated security system is described that integrates broadband and mobile access and control with conventional security systems and premise devices to provide a tri-mode security network (broadband, cellular/GSM, POTS access) that enables users to remotely stay connected to their premises. The integrated security system, while delivering remote premise monitoring and control functionality to conventional monitored premise protection, complements existing premise protection equipment. The integrated security system integrates into the premise network and couples wirelessly with the conventional security panel, enabling broadband access to premise security systems. Automation devices (cameras, lamp modules, thermostats, etc.) can be added, enabling users to remotely see live video and/or pictures and control home devices via their personal web portal or webpage, mobile phone, and/or other remote client device. Users can also receive notifications via email or text message when happenings occur, or do not occur, in their home.03-19-2009
20090077616Handling trust in an IP multimedia subsystem communication network - A method and apparatus for handling trust in an IP Multimedia Subsystem network. A node in the IP Multimedia Subsystem network receives a Session Initiation Protocol message from a remote node. The message includes an indicator indicating the level of trust of a communication sent from the remote node to the IP Multimedia Subsystem node. The node can then apply a security policy to the message, the security policy being determined by the indicator.03-19-2009
20090077618Segmented Network Identity Management - A service category associates a set of authenticators and a set of authentication and authorization policies. When an authenticator attempts to connect to the network, the service category for that authenticator is determined and the authentication and authorization policies are applied. A feature of the present invention is that these policies are segmented into several sub-policies to support multiple services and apply different authentication and authorization policies for each type of service. These sub-policies are a tunnel policy, a credential validation policy, an inner tunnel policy and an authorization policy. Successful negotiation of each policy allows the authenticator to connect to a network.03-19-2009
20090077617Automated generation of spam-detection rules using optical character recognition and identifications of common features - In a spam detection method and system, optical character recognition (OCR) techniques are applied to a set of images that have been identified as being spam. The images may be provided as the initial training of the spam detection system, but the preferred embodiment is one in which the images are provided for the purpose of updating the spam-detection rules of currently running systems at different locations. The OCR generates text strings representative of content of the individual images. Automated techniques are applied to the text strings to identify common features or patterns, such as misspellings which are either intentionally included in order to avoid detection or introduced through OCR errors due to the text being obscured. Spam-detection rules are automatically generated on the basis of identifications of the common features. Then, the spam-detection rules are applied to electronic communications, such as electronic mail, so as to detect occurrences of spam within the electronic communications.03-19-2009
20100169950POLICY MANAGEMENT IN A ROAMING OR HANDOVER SCENARIO IN AN IP NETWORK - The invention comprises methods and arrangements for Policy Decision Point discovery in a roaming or handover scenario in an IP network (IN) comprising a plurality of network elements. The invention comprises methods and arrangement in a user equipment for receiving the address of the serving policy decision point and sending to the Home Agent a registration request comprising the local IP address of the user equipment so that the home agent can register the local IP address. The registration request will also comprise the address (ASPDP1) of the serving policy decision point (SPDP1) so that the Home Agent can forward the address of the serving policy decision point to the anchor Policy Decision Point and so that the anchor Policy Decision Point can contact the serving policy decision point by using said address of the serving Policy Decision Point.07-01-2010
20100162350SECURITY SYSTEM OF MANAGING IRC AND HTTP BOTNETS, AND METHOD THEREFOR - The present invention relates to a security system of managing IRC and HTTP botnets and a method therefor. More specifically, the present invention relates to a system and a method that detects a botnet in an Internet service provider network to store information related to the detected botnet in a database and performs security management of IRC and HTTP botnets, including a botnet management security management (BMSM) system, configured to visualize the information related to the detected botnet and establish a policy against the detected botnet. Accordingly, the present invention provides a security system of managing IRC and HTTP botnets that can efficiently perform the security management of IRC and HTTP botnets by using the BMSM system.06-24-2010
20100162347ADAPTIVE DATA LOSS PREVENTION POLICIES - A monitor detects a policy violation on a computing device, wherein the policy violation includes a user attempt to perform an operation to move data that includes sensitive information off the computing device. The monitor determines whether one or more previous policy violations have occurred on the computing device. The monitor performs an action to minimize a risk of data loss based on the one or more previous policy violations.06-24-2010
20100162346SELECTING SECURITY OFFERINGS - Methods, systems, and computer-readable media are disclosed for selecting a set of security offerings. A particular method includes receiving a security need profile associated with a computing environment and receiving security offering information related to a plurality of security offerings. The security offerings of the plurality of security offerings are evaluated with respect to the security need profile. A set of security offerings from the plurality of security offerings are automatically selected.06-24-2010
20120036551Uniform modular framework for a host computer system - A security framework for a host computer system which allows a host to control access to a compliant security token by ensuring enforcement of established security policies administered by a middleware application. Processing between the host computer system and the security token is performed using one or more modular security application agents. The modular security application agents are counterpart applications to security applications installed in the security token and may be retrieved and installed to ensure compatibility between counterpart token and host security applications. The security policies are a composite of host security policies and token security policies which are logically combined by the middleware application at the beginning of a session.02-09-2012
20100218233TECHNIQUES FOR CREDENTIAL AUDITING - Techniques for credential auditing are provided. Histories for credentials are evaluated against a principal credential policy for a user and an enterprise credential policy for an enterprise as a whole. An audit trail is produced within a report for the histories. The report indicates whether compliance with the principal and enterprise credential policies occurred and if not at least one reason is provided as to why compliance was not met within the histories.08-26-2010
20100235880System and Method to Apply Network Traffic Policy to an Application Session - Method for applying a security policy to an application session, includes: recognizing the application session between a network and an application via a security gateway; determining by the security gateway a user identity of the application session using information about the application session; obtaining by the security gateway the security policy comprising network parameters mapped to the user identity; and applying the security policy to the application session by the security gateway. The user identity may be a network user identity or an application user identity recognized from packets of the application session. The security policy may comprise a network traffic policy mapped and/or a document access policy mapped to the user identity, where the network traffic policy is applied to the application session. The security gateway may further generate a security report concerning the application of the security policy to the application session.09-16-2010
20080209502ASSOCIATING RIGHTS TO MULTIMEDIA CONTENT - A method and software to implement a method comprising receiving digital content such as multimedia content, and either ascertaining whether at least a part of the digital content has previously been associated with one or more matched referenced works or searching a store of fingerprint data of referenced works for a match. The searching includes determining a fingerprint of at least part of the digital content, e.g., multimedia content; and searching the store of fingerprint data of referenced works for a match. In the case that it has been ascertained that the work has previously been associated, or the searching has produced a match to one or more matched referenced works, associating association data to the one or more matched referenced works. Ownership data to the matched referenced works is included in the association such that use of the digital content can take into account such ownership rights. The associating of the association data is carried out in a secure manner.08-28-2008
20100211989METHOD AND APPARATUS FOR AUTOMATED ASSIGNMENT OF ACCESS PERMISSIONS TO USERS - Given a new user U or a user whose role in the organization changed, an automated method of the present disclosure in one aspect determines the new or revised access permissions the user should have. In one aspect, the method of the present disclosure automatically determines access rights based on the access rights held by similar users. This general idea, including a formalization of similarity between users, the details of how access rights are determined, and an algorithm to test if the presented methods are safe to use are provided.08-19-2010
20100242085SYSTEM AND METHOD FOR DOCUMENT ISOLATION - A computer based system and method of providing document isolation during routing of a document through a workflow is disclosed. The method comprises maintaining a separate “working” copy of the original base document while the document is routed through a workflow. Access controls, which define who may access the original document as well as any versions of the working copy document, are defined and stored in relation to the documents. The access controls further define the types of actions users may take with respect to the document. Users are selectively directed to the appropriate document, either the base document or working copy, and selectively granted permission to perform publishing operations on the working copy document, as determined by the access controls.09-23-2010
20100242083RESTRICTING ACCESS TO OBJECTS CREATED BY PRIVILEGED COMMANDS - A method and system for restricting access to objects created by privileged commands. In an RBAC environment, execution of certain privileged commands creates objects, which typically, have traditional access permissions based on the user ID and not the role. To enhance security of these objects, a new security attribute is introduced. The security attribute can be associated to the privileged command. Therefore, whenever a privileged command creates an object, the security attribute associated with the privileged command is applied on the object. The security attribute can mask the traditional access permissions of the object, and modify the access permissions, which can be stored along with the object. An AND operation can be performed on the traditional access permissions and the security attribute, to determine the modified permissions of the object. Further, an authorized user can modify, add, delete, or customize the security attribute at any time.09-23-2010
20100235878METHOD AND SYSTEM FOR FILE DISTRIBUTION - A method and system for file distribution, the system comprising: a first data storage device for distributing a content file by seeding the content file for downloading by another data storage device; a second data storage device configured for distributing the content file; a third data storage device configured for distributing the content file; and a data file comprising at least one data entry, a data entry in the data file being associated with the content file, the first data storage device being configured for pushing the data file to the second data storage device, the second data storage device being configured for initiating downloading of the content file if the data entry associated with the content file is present in the pushed data file and the content file is not stored at the second data storage device, and sharing downloaded data of the content file with the third data storage device by simultaneously uploading downloaded data of the content file to the third data storage device while downloading the content file from the first data storage device.09-16-2010
20100242086SYSTEM AND METHOD FOR HANDLING DATA TRANSFERS - Systems and methods for managing data transfers between a secure location and a less secure location. A data transfer checker operating on a mobile device determines whether an attempted data transfer between two locations is permitted. If it is not permitted, then the data transfer is prevented and the user may be notified of the data transfer prevention.09-23-2010
20100242084NETWORK SECURITY MONITOR APPARATUS AND NETWORK SECURITY MONITOR SYSTEM - A network security monitoring apparatus and a network security monitoring system manages “permitted” or “not permitted” communication between nodes based on an access policy. A network security monitoring system includes nodes 09-23-2010
20100154029Method, Apparatuses and Computer Program for Dynamically Configuring a Proxy Call Session Control Function of the IP Multimedia Subsystem From a Policy Control Rules Server - The present invention faces the problem of network scenarios where there is no user differentiation, and where sessions established through an IP Multimedia Subsystem always proceed in the same way regardless of user categories and regardless of whether a user has accessed through a fixed or a mobile network. To this end, the present invention provides for a new method for dynamically configuring a Proxy Call Session Control Function of the IP Multimedia Subsystem from a Policy Control Rules server responsible for installing control rules to authorize media flows at an entity in the bearer layer. This entity in the bearer layer may be a Policy and Charging Enforcement Point of a PCC architecture, whereas the Policy Control Rules server may be a Policy and Charging Control Rules of the PCC architecture.06-17-2010
20100235877POLICY-BASED PRIVACY PROTECTION IN CONVERGED COMMUNICATION NETWORKS - System(s) and method(s) that employ deep packet inspection (DPI) of data flow relating to a requested service associated with a communication device to facilitate customizing the service or results provided by the service are presented. A service request can be received by a gateway, and identification of the service is attempted. If the service is identified, a privacy rule(s), which is contained in a user privacy profile of a user associated with the communication device, is analyzed to determine whether the privacy rule(s) applies to the service. If the privacy rule(s) is applicable, a DPI engine performs DPI on the data flow, in accordance with the privacy rule(s), to obtain information that can be used to customize the service or results provided by the service. The user can specify the level of DPI to be applied. A default rule can specify that no DPI is performed on the data flow.09-16-2010
20090106817SECURITY MANAGEMENT APPARATUS, SECURITY MANAGEMENT SYSTEM, SECURITY MANAGEMENT METHOD, AND SECURITY MANAGEMENT PROGRAM - A security management apparatus is capable of taking various security measures while referencing machine information and hence excellent in flexibility and widely applicable. The apparatus includes a security diagnostic unit for making a security diagnosis on the basis of security information obtained from a security information providing apparatus for providing information concerning security in a network and further on the basis of machine information obtained from at least one network machine connected to a network to judge a type of security-related processing to be executed for the network machine and also judge whether or not the security-related processing needs to be executed. A security execution unit executes predetermined security measure processing for the network machine on the basis of a result of diagnosis made by the security diagnostic unit.04-23-2009
20090106816INFORMATION PROCESSING APPARATUS, CONTENT PROCESSING METHOD, AND COMPUTER PROGRAM PRODUCT THEREOF - When a conflict occurs among usage rules for content data, a verification on the content data is made in accordance with the conflict solution policy defined in the usage rule for each of the content data. Available content data are determined in correspondence with a combination of grant verification results individually made on the content data.04-23-2009
20100251328MODEL BASED SECURITY FOR CLOUD SERVICES - Applications, such as cloud services, may be deployed within a network environment (e.g., a cloud computing environment). Unfortunately, when the applications are instantiated within the network environment, they have the ability to compromise the security of other applications and/or the infrastructure of the network environment. Accordingly, as provided herein, a security scheme may be applied to a network environment within which an application is to be instantiated. The security scheme may comprise one or more security layers (e.g., virtual machine level security, application level security, operating system level security, etc.) derived from an application service model describing the application and/or resources allocated to the application.09-30-2010
20100251327SOA POLICY ENGINE FRAMEWORK - Methods, including service methods, articles of manufacture, systems, articles and programmable devices provide a policy engine framework. A consumer policy request for a web service is mediated through a functional web service or a policy web service. A single unified method call is made to policy adapters in response to the mediated customer request, each of the policy adapters in communication with a policy server. The policy adapters transform the single unified method call into formats acceptable by each associated policy servers and place the transformed requests to the associated servers. Results from the policy servers are formatted by policy adapters and a policy is selected from a policy registry repository as a function of the formatted results and returned to a requesting consumer.09-30-2010
20100138896INFORMATION PROCESSING SYSTEM AND INFORMATION PROCESSING METHOD - In an information processing system, when an application is added to an information processing apparatus, an identifier of a resource of the information processing apparatus which is used by the application is acquired, and a rule suitable for the application is generated based on a rule defined in advance in correspondence to the resource identifier. The generated rule is applied to the information processing apparatus.06-03-2010
20110113470MASHUP SERVICE DEVICE AND SYSTEM, AND METHOD FOR ESTABLISHING AND USING MASHUP SERVICE - A mashup service terminal, a mashup service server, a mashup service system, a method for establishing a mashup service, and a method for using a mashup service are provided. A user terminal capability is introduced into the mashup service as a service and an information source of a mashup application, so that a user can establish and use the mashup service conveniently and flexibly, and the user experience is improved.05-12-2011
20100122314ACTIVE ACCESS MONITORING FOR SAFER COMPUTING ENVIRONMENTS AND SYSTEMS - Techniques for controlling access are disclosed. The techniques can be used for reference monitoring in various computing systems (e.g., computing device) including those that may be relatively more susceptible to threats (e.g., mobile phones). Allowed access can be disallowed. In other words, permission to access a component can be effectively withdrawn even though access may be on-going. After permission to access a component has been allowed, one or more disallow access conditions or events can be effectively monitored in order to determine whether to withdraw the permission to access the component. As a result, allowed access to the component can be disallowed. Access can be disallowed by effectively considering the behavior of a component in the aggregate and/or over a determined amount of time. By way of example, a messaging application can be disallowed access to a communication port if the messaging application sends more messages than an acceptable limit during a session or in 4 hours. Disallow-access policies, rules and/or conditions can be defined and modified, for example, by end-users and system administrators, allowing a customizable and flexible security environment that is more adaptable to change.05-13-2010
20100122313METHOD AND SYSTEM FOR RESTRICTING FILE ACCESS IN A COMPUTER SYSTEM - A computer-implemented method is provided of controlling file access in a computer system. The method includes: (a) reading file association information; (b) building a security policy in accordance with the file association information comprising rules that restrict the access of applications to files based on file type, format, or extension; (c) providing additional rules for the security policy not based on the file association information; (d) storing the security policy; and (e) controlling file access in accordance with the security policy.05-13-2010
20100122312PREDICTIVE SERVICE SYSTEMS - A predictive service system can include a gathering service to gather user information, a semantic service to generate a semantic abstract for the user information, a policy service to enforce a policy, and a predictive service to act on an actionable item that is created based on the user information, the semantic abstract, and the policy. The system can also include an analysis module to create the actionable item and send it to the predictive service. The system can also include an identity service to create a crafted identity for the user.05-13-2010
20110119729IDENTITY AND POLICY ENFORCED INTER-CLOUD AND INTRA-CLOUD CHANNEL - Techniques for identity and policy enforced cloud communications are presented. Cloud channel managers monitor messages occurring within a cloud or between independent clouds. Policy actions are enforced when processing the messages. The policy actions can include identity-based restrictions and the policy actions are specific to the messages and/or clouds within which the messages are being processed.05-19-2011
20100064340SYSTEMS AND METHODS FOR CONTROLLING ACCESS TO DATA THROUGH APPLICATION VIRTUALIZATION LAYERS - A computer-implemented method for controlling access to data is disclosed. A request to access data is received. A determination is made that an access-control policy of the data is satisfied. A virtualization layer is activated to allow access to the data after determining that the access-control policy is satisfied. Various other methods, systems, and computer-readable media are also disclosed.03-11-2010
20130219457System and Method for Providing Network Security to Mobile Devices - A small piece of hardware connects to a mobile device and filters out attacks and malicious code. Using the piece of hardware, a mobile device can be protected by greater security and possibly by the same level of security offered by its associated corporation/enterprise. In one embodiment, a mobile security system includes a connection mechanism for connecting to a data port of a mobile device and for communicating with the mobile device; a network connection module for acting as a gateway to a network; a security policy for determining whether to forward content intended for the mobile device to the mobile device; and a security engine for executing the security policy.08-22-2013
20130219462GENERATING A DISTRIBUTION PACKAGE HAVING AN ACCESS CONTROL EXECUTION PROGRAM FOR IMPLEMENTING AN ACCESS CONTROL MECHANISM AND LOADING UNIT FOR A CLIENT - A data distribution system, method and program for generating a distribution package for distribution data to a client. An environment of a requesting client requesting distribution data is detected. A determination is made of an access control execution program for implementing an access control mechanism and a loading unit on the requesting client. The access control execution program is adapted to the detected environment of the requesting client and controls access to a resource from a process in the client. The loading unit loads the distribution data to a protected storage area of the client. A determination is made of a security policy specified for the distribution data. A distribution package is generated including the distribution data, the security policy, the loading unit, and the access control execution program adapted to the environment of the requesting client; and the generated distribution package is transmitted to the requesting client.08-22-2013
20110239271TRUSTED NETWORK CONNECTION IMPLEMENTING METHOD BASED ON TRI-ELEMENT PEER AUTHENTICATION - A trusted network connection implementing method based on Tri-element Peer Authentication is provided in the present invention, the method includes: step 1, configuring and initializing; step 2, requesting for network connection, wherein an access requester sends a network connection request to an access controller, and the access controller receives the network connection request; step 3, authenticating user ID; and step 4, authenticating a platform. The invention enhances the safety of the trusted network connection implementing method, widens the application range of the trusted network connection implementing method based on the Tri-element Peer Authentication, satisfies requirements of different network apparatuses and improves the efficiency of the trusted network connection implementing method based on the Tri-element Peer Authentication. The invention is not only applied to the trusted network connection of entities, but also applied to the trusted communication among the peer entities, and is further applied to the trusted management of the entities, thus the applicability of the trusted network connection implementing method based on the Tri-element Peer Authentication is improved.09-29-2011
20100100926INTERACTIVE SELECTION OF IDENTITY INFORMATION SATISFYING POLICY CONSTRAINTS - A system and method for verifying an attribute includes providing a compound policy by a relying party. The compound policy has one or more claims and/or sub-claims expressing conditions on attributes and constants. Identity providers are associated with aspects of the compound policy by mapping attributes of the compound policy with attributes of the identity providers. A selection of at least one identity provider that satisfies the compound policy is enabled. At least one attribute of the user is verified by at least one identity provider in accordance with the selection.04-22-2010
20110113467SYSTEM AND METHOD FOR PREVENTING DATA LOSS USING VIRTUAL MACHINE WRAPPED APPLICATIONS - A method in one example implementation includes selecting at least one criterion for controlling data transmission from within a virtual machine. At least one application is included within the virtual machine, which includes a policy module. The selected criterion corresponds to at least one policy associated with the policy module. The method also includes evaluating the selected criterion of the policy to permit an attempt to transmit the data from within the virtual machine. In more specific embodiments, the policy may include a plurality of criteria with a first selected criterion permitting transmission of the data to a first application and a second selected criterion prohibiting transmission of the data to a second application. In another specific embodiment, the method may include updating the policy module through an administration module to modify the selected criterion.05-12-2011
20110113466Systems and Methods for Processing and Managing Object-Related Data for use by a Plurality of Applications - A computer-implemented method for indexing data for use by a plurality of applications may include receiving a data object at a first application of a plurality of applications. The method may include tokenizing the common-form data object to extract tokens from the data object and creating an index of the tokens extracted from the data object, the index being formatted to be utilized by each of the plurality of applications. The method may further include storing the index in a database that is accessible by the plurality of applications. The plurality of applications may comprise two or more application types. Various other methods and systems are also disclosed.05-12-2011
20090328138SYSTEM FOR CONTROLLING ACCESS TO HOSPITAL INFORMATION AND METHOD FOR CONTROLLING THE SAME - A method and system for implementing activity-oriented access control (AOAC) to hospital information is disclosed. An access request device sends user credentials attaching user attributes to an AOAC server, which in turn searches activity rules that are assigned to user attributes from an activity server and a current work situation of the user from an activity recognition server. The AOAC server transmits an access request list corresponding to the activity rules and the current work situation of the user to the access request device so that it can select a desired access request among the list.12-31-2009
20090288135METHOD AND APPARATUS FOR BUILDING AND MANAGING POLICIES - Techniques for building and managing network policies for accessing resources of a datacenter are described herein. In one embodiment, events are captured within a network element pertaining to certain activities of accessing certain resources of a datacenter, wherein the network element operates as an application service gateway to the datacenter. A new rule/policy is provisioned based on attributes extracted from the captured events, where the attributes includes at least one of user attribute, environment attribute, and a resource attribute. A simulation is performed on the new rule/policy under a real time network traffic condition, generating a simulation result. The new rule/policy is committed if the simulation result satisfies a predetermined condition, wherein the new rule/policy is enforced within the network element to determine whether a particular client is eligible to access a particular resource of the datacenter. Other methods and apparatuses are also described.11-19-2009
20090328137METHOD FOR PROTECTING DATA IN MASHUP WEBSITES - A method for protecting a mashup webpage is disclosed. The mashup webpage includes a plurality of mini-applications. The method includes intercepting a content access event by a first mini-application of the plurality of mini-applications, the content access event requesting access to content of a second mini-application of the plurality of mini-applications. The method also includes ascertaining, using a Document Object Model (DOM) access control policy and a DOM model, whether the content access event is permissible. The method additionally includes denying the access by the first mini-application to the content of the second mini-application if the content access event is deemed impermissible according to the DOM access control policy.12-31-2009
20090328130POLICY-BASED SECURE INFORMATION DISCLOSURE - Systems and methods for storing data on and retrieving data from a smart storage device are provided, where a smart storage device combines processing capabilities with the ability to store information. In one aspect, a method includes detecting, via bidirectional settings, one or more capabilities of the rules enforcement logic associated with a storage device and selecting a set of criteria and policies to be downloaded from a host or a management server onto the storage device. This includes dynamically generating conditional, context-aware policy syntax based on user settings or network policy and downloading a set of policies onto the storage device for future policy enforcement.12-31-2009
20090328136TECHNIQUES FOR ROUTING PRIVACY SENSITIVE INFORMATION TO AN OUTPUT DEVICE - Various embodiments are directed to a privacy routing engine embodied on a device and a method for routing actuations to preserve a user's privacy. The privacy routing engine may receive actuations intended for a user, and may route the actuation to an output device according to a set of user output policies. The user output policies may specify output devices according to a user's context and need for privacy. A user context may include a location, an event, or a sensed condition. Other embodiments are described and claimed.12-31-2009
20090328135Method, Apparatus, and Computer Program Product for Privacy Management - An apparatus for privacy management may include a processor. The processor may be configured to access one or more privacy options. In this regard, each privacy option may be configured to provide members of one or more groups access to content. The processor may also be configured to provide for selection of a privacy option in association with the content. Associated methods and computer program products may also be provided.12-31-2009
20090328134LICENSING PROTECTED CONTENT TO APPLICATION SETS - The present invention extends to methods, systems, and computer program products for licensing protected content to application sets. Embodiments of the invention permit a local machine to increase its participation in authorizing access to protected content. For example, an operating system within an appropriate computing environment is permitted to determine if an application is authorized to access protected content. Thus, the application is relieved from having to store a publishing license. Further, authorization decisions are partially distributed, easing the resource burden on a protection server. Accordingly, embodiments of the invention can facilitate more robust and efficient authorization decisions when access to protected content is requested.12-31-2009
20090328133CAPABILITY MANAGEMENT FOR NETWORK ELEMENTS - A method, information processing system, and system manage network entities. At least a portion of at least one information model (12-31-2009
20090328129Customizing Policies for Process Privilege Inheritance - An approach is provided that uses policies to determine which parental privileges are inherited by the parent's child processes. A parent software process initializes a child software process, such as by executing the child process. The parent process is associated with a first set of privileges. The inheritance policies are retrieved that correspond to the parent process. A second set of privileges is identified based on the retrieved inheritance policies, and this second set of privileges is applied to the child software process.12-31-2009
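The privilege-inheritance scheme in the abstract above (a parent's privilege set, a policy looked up for that parent, and a reduced second set applied to the child) is straightforward to make concrete. The following is an added example written for this page, not code from the patent: process names, the capability-style privilege names and the policy shape are all hypothetical. The point a practitioner wants checked is that the child can only ever lose privileges: the policy is intersected with what the parent actually holds, unknown parents fail closed, and a never-inherit list is dropped last.

```python
"""Policy-driven privilege inheritance for child processes.

Added illustration, not the patent's code. A parent process carries a set of
privileges; an inheritance policy keyed by the parent's executable name says
which of them may pass to a child. The child never gains a privilege the parent
lacks, and privileges on the never_inherit list are always dropped.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Process:
    name: str                      # executable name, e.g. "netd" (hypothetical)
    privileges: frozenset          # hypothetical capability-style names


@dataclass
class InheritancePolicy:
    # parent executable -> privileges that may be inherited by its children
    allow: dict = field(default_factory=dict)
    # privileges that never cross the parent/child boundary, whatever the parent
    never_inherit: frozenset = frozenset()
    # what parents without an explicit entry may pass on (fail closed: nothing)
    default_allow: frozenset = frozenset()

    def inheritable(self, parent: Process) -> frozenset:
        allowed = self.allow.get(parent.name, self.default_allow)
        # intersect first: the policy can only narrow what the parent holds,
        # so an entry the parent lacks (CAP_CHOWN below) never appears
        return frozenset((parent.privileges & allowed) - self.never_inherit)


def spawn(parent: Process, child_name: str, policy: InheritancePolicy) -> Process:
    """Create the child with the reduced privilege set chosen by the policy."""
    return Process(child_name, policy.inheritable(parent))


# Constructed sample policy and parent processes
POLICY = InheritancePolicy(
    allow={
        "netd": frozenset({"CAP_NET_RAW", "CAP_NET_ADMIN", "CAP_CHOWN"}),
        "cron": frozenset({"CAP_SETUID"}),
    },
    never_inherit=frozenset({"CAP_SYS_ADMIN"}),
)
NETD = Process("netd", frozenset({"CAP_NET_RAW", "CAP_NET_ADMIN", "CAP_SYS_ADMIN"}))
CRON = Process("cron", frozenset({"CAP_SETUID", "CAP_SYS_ADMIN"}))


if __name__ == "__main__":
    print(sorted(spawn(NETD, "dhcp-helper", POLICY).privileges))
    print(sorted(spawn(CRON, "job", POLICY).privileges))
    # a parent the policy does not know about passes nothing on
    print(sorted(spawn(Process("unknown", NETD.privileges), "x", POLICY).privileges))
```

Because the policy is keyed by the parent's name, a child that is itself named like a known parent re-enters the table when it spawns; the intersection still guarantees that each generation holds a subset of the previous one.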
20110067085METHOD FOR DELIVERING DYNAMIC POLICY RULES TO AN END USER, ACCORDING ON HIS/HER ACCOUNT BALANCE AND SERVICE SUBSCRIPTION LEVEL, IN A TELECOMMUNICATION NETWORK - The method comprises the steps of: 03-17-2011
20080320553MANAGING HIERARCHICALLY ORGANIZED SUBSCRIBER PROFILES - Methods are provided for managing hierarchically organized subscriber profiles. According to one embodiment of the present invention, a subscriber connection is created with a virtual router operable within a telecommunications system of a service provider. A connection request is received from a subscriber of multiple subscribers of the service provider at a subscriber manager of the virtual router. The virtual router maintains a database of hierarchically organized profile identifiers, including multiple lower-level profile identifiers, which explicitly define subscriber services, and multiple first-level profile identifiers, which define service contexts representing combinations of services available to subscribers when connected by (i) explicitly defining the subscriber services or (ii) referring to one or more of the multiple lower-level profile identifiers. If the subscriber is successfully authenticated, a connection is created by creating and configuring a virtual interface within the virtual router for the subscriber connection based on the subscriber's first-level profile identifier.12-25-2008
20090187963Method and apparatus for a cryptographically assisted computer system designed to deter viruses and malware via enforced accountability - The present invention provides a method and apparatus for a cryptographically assisted computer system designed to deter viruses and malware via enforced accountability and access policies. The Security Enforcement System (07-23-2009
20090320093HOLISTIC XACML AND OBLIGATION CODE AUTOMATICALLY GENERATED FROM ONTOLOGICALLY DEFINED RULE SET - Computer-based systems and methods for automatically generating both XACML rules and processed-based obligation code using a common ontologically defined ruleset.12-24-2009
20090320091PRESENTING PRIVACY POLICY IN A NETWORK ENVIRONMENT RESPONSIVE TO USER PREFERENCE - An approach for presenting a web page to a client user via a web browser. As one example, a user preference specifying a notification setting may be received from the client user at the web browser. The notification setting may cause the web browser, upon retrieving a web page, to present one or more of a privacy notice or a legal notice to the client user. The particular way in which the privacy notice and the legal notice are presented to the client user may be varied based on the notification setting specified by the user preference.12-24-2009
20090178103SPECIFYING AND ENFORCING AT LEAST ONE RUN-TIME POLICY FOR AT LEAST ONE COMPUTER PROCESS EXECUTING ON A COMPUTER SYSTEM - The present invention provides a method and system of specifying and enforcing at least one run-time policy for at least one computer process executing on a computer system, where the computer system includes a computer operating system. In an exemplary embodiment, the method and system include (1) relating the policy with an executable file of the process, (2) associating the policy with a running instance of the process, and (3) enforcing the policy on the running instance.07-09-2009
20090183225PLUGGABLE MODULES FOR TERMINAL SERVICES - Embodiments that facilitate the use of pluggable policy modules and authentication modules for access to a Terminal Services (TS) server are disclosed. In accordance with various embodiments, a method includes accessing one or more pluggable modules at a Terminal Services Gateway (TSG) server or a Terminal Services (TS) server. The method further includes processing a TS server access request from a TS client at the TSG server or the TS server. The TS server access request is processed in part based on the one or more pluggable modules. In one particular embodiment, the one or more pluggable modules include at least one of a connection authorization policy (CAP) module, a resource authorization policy (RAP) module, and an authentication module.07-16-2009
20090320094System and Method for Implementing a Publication - Systems and methods are provided that allow for publication delegation through the use of publication authorization rules, where a presentity can allow another entity, e.g., a publisher, to publish presence information associated with the presentity on behalf of the presentity. Additionally, the ability is provided for, e.g., a service provider, to restrict presence information that a presentity is allowed to publish. Hence, publication delegation can be effectuated in cases when a rule matches users (with identities) other than the presentity whose presence information is to be published. Moreover, service provider restriction on the allowed presence information can also be provided in those cases when a rule matches the identity of the presentity.12-24-2009
20090320092USER INTERFACE FOR MANAGING ACCESS TO A HEALTH-RECORD - A server system for regulating access to a health record of an individual includes a communications subsystem, a logic subsystem operatively coupled to the communications subsystem and configured to execute instructions, memory operatively coupled to the logic subsystem and holding user-interface instructions that, when executed by the logic subsystem, send information via the communications subsystem for presenting a user interface. In this embodiment, the user interface includes a list of one or more items in the health record to which an application has requested access, and for each of the one or more items, a configuration-indicating element distinguishing whether the application is configured to service the individual if access to that item is denied. The user interface further includes for each of the one or more items, one or more presettable selection elements enabling a marshal of the health record to authorize or withhold access to that item.12-24-2009
20090320088Access enforcer - A computer-driven resource manager (12-24-2009
20090165079Deriving Service Provider Constraints From Service Consumer Context - A context for a service request made by a service consumer can be used to establish a constraint rules set that is applied by a service provider. A context associated with a first service request can be received from a service consumer. An identity of the service consumer can be verified. A constraint value request associated with the service request can be received from a service provider responding to the service request. One or more constraints can be derived from the first context. An identity of a service provider that will fulfill the service request can be verified. The one or more constraints can be provided to the service provider. Related systems, apparatus, methods, and/or articles are also described.06-25-2009
20100223654MULTIPLE TIERED NETWORK SECURITY SYSTEM, METHOD AND APPARATUS USING DYNAMIC USER POLICY ASSIGNMENT - A multiple key, multiple tiered network security system, method and apparatus provides at least three levels of security. The first level of security includes physical (MAC) address authentication of a user device being attached to the network, such as a user device being attached to a port of a network access device. The second level includes authentication of the user of the user device, such as user authentication in accordance with the IEEE 802.109-02-2010
20120246697Method and Node in a Telecommunications Network - During a registration procedure by a User Equipment (UE) via a Proxy Call Session Control Function (P-CSCF) node and a Serving Call Session Control Function (S-CSCF) node, the S-CSCF node provides a policy indicator in a response message to a register request message. The policy indicator enables subsequent operation of the node to be controlled according to whether or not a registered UE has an associated policy. As such, delays (such as delays associated with retrieving an associated policy) are only experienced by UEs that have previously been determined as having such an associated policy, rather than all UEs being affected in the same way. 09-27-2012
20120246696SYSTEM AND METHOD FOR DATA MASKING - A system and computer-implemented method for providing security rules to an existing enterprise database system. The disclosed system and computer-implemented method intercepts database connection requests provided by third-party applications and end-users and determines what, if any, security rules to be applied to the request, including masking, scrambling and unmasking the data, as well as whether the requesting user has a need to know the requested data. Accordingly, personally identifiable and other sensitive information is not provided to an unauthorized requesting application and/or end-user.09-27-2012
20090113518Method for Establishing a Person as a User in a System - Dependents of benefit plan participants can be given access to personal information of a plan participant. The dependents, who are not existing users or members of the plan, can be allowed access to some or all of the personal information associated with the plan participant.04-30-2009
20090113519PARENTAL CONTROLS FOR ENTERTAINMENT CONTENT - Parental controls for entertainment digital media are provided that allow a parent to restrict multiple user's access to entertainment content. One or more updatable rating definition files with dynamic data are used to define rating levels and content descriptors for a regional rating system. Entertainment content definition files define the rating level and content descriptors for entertainment content. User permission settings define a particular user's access rating level and content descriptors. The rating definition file can be used to compare the entertainment content definition file and user permission settings in determining if a user is allowed access to particular entertainment content.04-30-2009
20090113516Setting Policy Based on Access Node Location - Policy setting in an access node remotely located from a controller. A remote access node connects to a controller over a digital network such as the internet. Operating policy is established based on the location of the access node. In one embodiment, the location of the access node is determined through a GPS receiver associated with the node. In a second embodiment, the location of the access node is determined through its public IP address. Location information is used to establish policy at the access node, which may include aspects such as operating parameters, access controls, and availability of services through the controller.04-30-2009
20100223655Method, System, and Apparatus for DHCP Authentication - A Dynamic Host Configuration Protocol (DHCP) authentication method includes: authenticating a Routing Gateway (RG) by an Authentication Server (AS) that serves the RG; receiving an access policy from a DHCP authenticator after the RG passes the authentication; and starting DHCP authentication according to the access policy, and performing DHCP authentication for a DHCP client connected to the RG. With the present invention, the DHCP authentication is started on the RG, and the DHCP authentication is performed for the DHCP client connected to the RG. Therefore, the DHCP client connected to the RG can undergo DHCP authentication through the RG to access the network.09-02-2010
20120144449METHOD AND SYSTEM FOR PROTECTING CONFIDENTIAL INFORMATION - A method for computer workstation based information protection is presented, the method comprises: a) monitoring user's actions on the computer workstation, b) analysis of the actions in respect to a pre-defined policy to determine whether the actions prejudice information to which the policy applies, and c) executing the policy in accordance with the results of the analysis to prevent or modify or restrict or monitor or log the actions.06-07-2012
20120144448Data Store Including a File Location Attribute - A data store including a file location attribute is described. In an embodiment, the location attribute for a data element, such as a file or database record, is stored with the bytes of data and records the geographic location of the data element. Writing to this attribute is limited to a single trusted entity, such as an operating system, to ensure that the location data can be trusted, and when a data element is moved or replicated, the attribute is updated to reflect the new location of the data element. This location data is made available to users and applications by a metadata service which tracks the locations of data elements and responds to requests from users. Access control policies can be defined in terms of location and stored at the metadata service, and the metadata service can then enforce these policies when responding to requests.06-07-2012
20080229385Mobility Aware Policy and Charging Control in a Wireless Communication Network - One embodiment of the present invention provides a method for implementation in a policy control and charging rules functional entity in a wireless communication system. The method includes receiving, from at least one of a source policy and charging enforcement function in a source access network or a target policy and charging enforcement function in a target access network, information indicative of a mobile unit that has handed off from the source access network to the target access network. The method also includes establishing a first session for communicating policy and charging rules associated with the mobile unit. The first session is concurrent with a second session for communicating policy and charging rules associated with the mobile unit. The second session was previously established with the source policy and charging enforcement function in the source access network. The method further includes transmitting at least one policy and charging rule to the target policy and charging enforcement function using the first session.09-18-2008
20080229383CREDENTIAL CATEGORIZATION - The user can associate metadata with information cards. The metadata can include, among other possibilities, string names, icons, user policies, containers, and hierarchies. The metadata is stored by the computer system. The metadata can then be used to filter the set of information cards that can satisfy a security policy from a relying party.09-18-2008
20090106819METHOD AND SYSTEM FOR PROVIDING, USING RIGHTS DESCRIPTION - A method for providing rights description includes generating a rights expression for controlling the use of digital contents, where the rights expression uses a parameter constant to describe permission and constraint of the rights and uses a parameter variable to describe consumption state information of the rights, and providing the terminal device with the rights expression. A method for using rights description includes obtaining the rights expression for controlling the use of digital contents, transferring the value of the rights consumption state to the corresponding parameter variable in the rights expression, executing the rights expression to obtain the remaining consumption state information of the rights, and using the digital contents according to the remaining consumption state information. The disclosure also discloses a server, a terminal device, and a DRM system. The technical solution under the present disclosure extends the rights description language without upgrading the terminal device and sets the logic relations between different rights items flexibly.04-23-2009
20090106815METHOD FOR MAPPING PRIVACY POLICIES TO CLASSIFICATION LABELS - A method and system are disclosed for mapping a privacy policy into classification labels for controlling access to information on a computer system or network, said privacy policy including one or more rules for determining which users can access said information. The method comprises the steps of parsing said one or more rules of the privacy policy; sorting the one or more rules into one or more sets; and, for each set of rules, (i) forming a logical statement from the rules of said each set, and (ii) using said logical statement to create associated privacy labels that allow access to said information. In a preferred embodiment, each of the rules is associated with a user category, a data category and a purpose category; and the rules in each set of rules have the same user category, the same data category, and the same purpose category.04-23-2009
20090037977APPARATUS AND METHOD FOR APPLYING NETWORK POLICY AT A NETWORK DEVICE - This document discusses, among other things, applying network policy at a network device. In an example embodiment, fibre channel hard zoning information may be received that indicates whether a fibre channel frame is permitted to be communicated between two fibre channel ports. Some example embodiments include identifying the media access control addresses associated with the fibre channel ports. An example embodiment may include generating one or more access control entries based on the fibre channel identifications of the fibre channel ports and the zoning information. The access control entries may be distributed to an Ethernet port to be inserted into an existing access control list and used to enforce the zoning policy upon Fibre Channel over Ethernet frames.02-05-2009
20090037976System and Method for Securing a Network Session - A system comprises an end-user device including a browser and a security component capable of executing a security policy, the security policy to be downloaded from a website; and a website including a security policy downloadable to the security component.02-05-2009
20090037975System and Method for Authenticating Content - A system for authenticating content and methods for making and using same. The content authentication system advantageously facilitates recognition of known content, control over use of the known content, and knowledge accumulation regarding the use of known content for monetization models. The recognition of the suspect content preferably includes an analysis of known content recognition data associated with the known content and suspect content recognition data associated with the suspect content. A correlation between the known content recognition data and the suspect content recognition data is found, and the suspect content is analyzed in light of the correlation and known content rules associated with the known content. Thereby, the content authentication system can determine whether to approve action for the suspect content. The content authentication system enables selected known content information to be shared among known content right holders and hosting websites.02-05-2009
20100306818Computer-Implemented Method, Computer System, And Computer Program Product for Optimization Of Evaluation Of A Policy Specification - The present description relates to a computer-implemented method, computer system, and computer program product for optimization of evaluation of a policy specification. In one aspect, the computer-implemented method for optimization of evaluation of a policy specification may comprise receiving the policy specification represented as a tree, the tree comprising a plurality of nodes. A visiting history of the tree may be determined by computing a density at least for each node in a subset of the plurality of nodes having been visited. The density may be determined by a relationship between a position of a node v in the tree and a frequency F(v) in which the node v is visited. The tree may be transformed with respect to the visiting history into a similar tree such that sibling nodes in the subset of the plurality of nodes are sorted in decreasing order according to their density.12-02-2010
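The optimization in the abstract above is easy to misapply, so here is an added, runnable illustration (written for this page, not the patent's code). Policies are a tree evaluated first-applicable and depth-first; each node counts how often it produced the decision, and that count is used as the density by which siblings are sorted, which is an assumption about the patent's metric rather than its definition. The predicates, requests and traffic mix are constructed. The caveat the example enforces: reordering siblings preserves results only when siblings that can both match agree on the effect, so the reorder replays a sample after sorting and rolls back if any decision changed.

```python
"""Reordering sibling policy nodes by observed hit frequency.

Added illustration, not the patent's code. Evaluation is first-applicable and
depth-first: at each inner node the first child whose predicate holds decides.
hits is the frequency F(v) with which a node yielded the decision; sorting by
it is an assumption about the patent's density metric.
"""
from collections import Counter


class Node:
    def __init__(self, name, predicate=None, effect=None, children=(), default=None):
        self.name = name
        self.predicate = predicate or (lambda req: True)
        self.effect = effect            # "permit"/"deny" on leaves, None on inner nodes
        self.children = list(children)
        self.default = default          # inner-node result when no child applies
        self.hits = 0                   # F(v): times this node yielded the decision


def evaluate(node, req, counter):
    """Return the decision for req, counting touched nodes in counter['visits']."""
    counter["visits"] += 1
    if not node.predicate(req):
        return None
    if node.effect is not None:
        node.hits += 1
        return node.effect
    for child in node.children:
        decision = evaluate(child, req, counter)
        if decision is not None:
            node.hits += 1
            return decision
    return node.default


def run(root, workload):
    counter = Counter()
    decisions = [evaluate(root, req, counter) for req in workload]
    return decisions, counter["visits"]


def _walk(root):
    stack = [root]
    while stack:
        node = stack.pop()
        yield node
        stack.extend(node.children)


def reorder(root, sample):
    """Sort every sibling list by decreasing hits. Keep the new order only if
    the sample's decisions are unchanged; otherwise roll back and return False."""
    before, _ = run(root, sample)
    saved = {id(n): list(n.children) for n in _walk(root)}
    for node in _walk(root):
        node.children.sort(key=lambda c: c.hits, reverse=True)
    after, _ = run(root, sample)
    if after == before:
        return True
    for node in _walk(root):
        node.children = saved[id(node)]
    return False


def build_tree():
    """Constructed policy: three permit rules, deny if none applies."""
    admin = Node("admin", lambda r: r["role"] == "admin", effect="permit")
    owner_write = Node("owner-write",
                       lambda r: r["action"] == "write" and r["user"] == r["owner"],
                       effect="permit")
    public_read = Node("public-read",
                       lambda r: r["action"] == "read" and r["public"], effect="permit")
    return Node("root", children=[admin, owner_write, public_read], default="deny")


def build_workload():
    """Constructed traffic: mostly public reads, few admin actions."""
    pub = {"user": "bob", "role": "user", "action": "read", "owner": "alice", "public": True}
    own = {"user": "bob", "role": "user", "action": "write", "owner": "bob", "public": False}
    adm = {"user": "root", "role": "admin", "action": "write", "owner": "alice", "public": False}
    bad = {"user": "bob", "role": "user", "action": "write", "owner": "alice", "public": False}
    return [pub] * 80 + [own] * 15 + [adm] * 5 + [bad] * 5


def build_conflicting_tree():
    """Siblings that disagree: moving read-any first would permit guest reads."""
    deny_guest = Node("deny-guest", lambda r: r["role"] == "guest", effect="deny")
    read_any = Node("read-any", lambda r: r["action"] == "read", effect="permit")
    return Node("root", children=[deny_guest, read_any], default="deny")


if __name__ == "__main__":
    root, workload = build_tree(), build_workload()
    print("visits before:", run(root, workload)[1])   # 395 on this traffic
    print("reorder kept:", reorder(root, workload))
    print("visits after:", run(root, workload)[1])    # 245 on this traffic
```

On the constructed traffic the same 105 requests touch 395 nodes before and 245 after reordering, with identical decisions. With the conflicting tree the sort would move "read-any" ahead of "deny-guest", the replay shows guest reads flipping to permit, and the original order is restored.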
20090070854METHOD, APPARATUS AND NETWORK FOR NEGOTIATING MIP CAPABILITY - The invention provides a method, an apparatus and a network for negotiating MIP capability in a network, including: negotiating the MIP capability through an Authentication and Authorization process and/or an above-physical layer capability negotiation process, to obtain service information that can be provided by the network. With the invention, the network is allowed to choose whether to provide MIP service and relevant service.03-12-2009
20090070853Security Policy Validation For Web Services - Methods, apparatus, and products are disclosed for security policy validation for web services that include: transforming a security policy for a web service into a policy predicate logic representation; providing a profile predicate logic representation that represents one or more rules of a security policy profile; and determining whether the security policy satisfies the security policy profile in dependence upon the policy predicate logic representation and the profile predicate logic representation.03-12-2009
20090070852Social Network Site Including Invitation Functionality - A social network site with enhanced user interaction functionality. In one implementation, a method includes receiving an invite request from an inviting user, wherein the invite request comprises identifying information associated with an invited user; generating a new account for the invited user; allowing the inviting user to create and customize a proposed personal page for the invited user; transmitting to the invited user an invitation and a link to the proposed personal page; and conditionally receiving a response from the invited user, wherein the response indicates if the invited user has accepted the personal page.03-12-2009
20130133023DYNAMICALLY MAPPING NETWORK TRUST RELATIONSHIPS - In an embodiment, the method comprises: receiving an access request, from an authenticator device, to grant a supplicant device access to a data network; transmitting the access request to an authentication server; after sending a response that the access request was granted, updating a trust topology map by including in the trust topology map information that has been obtained from the response and that indicates a secure link between the authenticator device and the supplicant device; and causing the updated trust topology map to be displayed as a logical map depicting one or more network devices and roles assigned to the one or more network devices; wherein the method is performed by one or more computing devices.05-23-2013
20130133024Auto-Approval of Recovery Actions Based on an Extensible Set of Conditions and Policies - Recovery action approval may be provided. A request to perform an action may be received from a user. If the user is not always authorized to request the action, then the action may be performed if a policy rule permits the user to request the action.05-23-2013
20130133025Security Deployment System - To address security that can arise in information systems, the present invention uses novel methods and/or systems to enhance security in information systems, using a new way to deploy selected security policies. Instead of trying to modify a whole binary file all at once to add in code to implement additional security policies, the current invention modifies the code in memory in a piecemeal, as-needed fashion.05-23-2013
20130133030PLATFORM AUTHENTICATION STRATEGY MANAGEMENT METHOD AND DEVICE FOR TRUSTED CONNECTION ARCHITECTURE - Provided are a platform authentication strategy management method for trusted connection architecture (TCA), and the trusted network connection (TNC) client, TNC access point and evaluation strategy service provider for implementing the method in the TCA. In the embodiments of the present invention, the platform authentication strategy for the access requester can be configured in the TNC access point or the evaluation strategy service provider, and the platform authentication strategy for the access requester configured in the evaluation strategy service provider can be delivered to the TNC access point. Moreover, a component-type-level convergence platform evaluation strategy can be executed in the TNC access point or the evaluation strategy service provider, to ensure that the realization of the TCA platform authentication has good application extensibility.05-23-2013
20100306817DELEGATION MODEL FOR ROLE-BASED ACCESS CONTROL ADMINISTRATION - Role-based security architecture that facilitates delegated role assignments where role functionality is monotonically decreasing. In furtherance thereof decreasing monotonicity roles are arranged in a hierarchy. Moreover, delegated roles can be obtained by creating a derived role (from a parent role) and removing entries from the derived role to decrease the permissions for the derived role. Delegated role assignments are scoped (bounded), which automatically applies a given scope to the assignment created by the user receiving the delegation.12-02-2010
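The delegation model in the abstract above (derived roles that can only shed entries, and delegated assignments automatically bounded to a scope) can be shown in a few dozen lines. What follows is an added example written for this page, not the patent's code; the role names, the (action, object) entry shape and the slash-separated scope paths such as "corp/eu" are hypothetical. The two invariants worth checking are that no constructor path lets a derived role exceed its parent, and that a delegator can only hand out a role at or below one they hold, inside their own scope.

```python
"""Delegated role assignments with monotonically decreasing roles and bounded scope.

Added illustration, not the patent's code. A role is a set of (action, object)
entries. The only way to make a new role is derive(), which removes entries from
a parent, so every role holds a subset of its parent's entries. An assignment
binds a principal to a role within a scope; a delegation is bounded to a scope
inside the delegator's own assignment and to the delegator's role or one derived
from it. Scopes are hypothetical slash-separated paths.
"""


class Role:
    def __init__(self, name, entries, parent=None):
        self.name = name
        self.entries = frozenset(entries)
        self.parent = parent
        if parent is not None and not self.entries <= parent.entries:
            raise ValueError("derived role may not exceed its parent")

    def derive(self, name, remove):
        """Child role = this role minus the removed entries; nothing can be added."""
        return Role(name, self.entries - frozenset(remove), parent=self)

    def permits(self, action, obj):
        return (action, obj) in self.entries


def is_ancestor_or_self(ancestor, role):
    while role is not None:
        if role is ancestor:
            return True
        role = role.parent
    return False


class Assignment:
    def __init__(self, principal, role, scope):
        self.principal, self.role, self.scope = principal, role, scope

    def covers(self, scope):
        # "corp/eu" covers "corp/eu" and "corp/eu/fr", not "corp/eu-west" or "corp"
        return scope == self.scope or scope.startswith(self.scope + "/")


class RBAC:
    def __init__(self):
        self.assignments = []

    def assign(self, principal, role, scope):
        """Root assignment made by the system owner."""
        self.assignments.append(Assignment(principal, role, scope))

    def delegate(self, delegator, principal, role, scope):
        """Allowed only under an assignment the delegator holds that covers the
        requested scope and whose role is the delegated role or an ancestor of it."""
        for a in self.assignments:
            if (a.principal == delegator and a.covers(scope)
                    and is_ancestor_or_self(a.role, role)):
                self.assignments.append(Assignment(principal, role, scope))
                return
        raise PermissionError(f"{delegator} cannot delegate {role.name} at {scope}")

    def check(self, principal, action, obj, scope):
        return any(a.principal == principal and a.covers(scope)
                   and a.role.permits(action, obj) for a in self.assignments)


def refused(fn, *args):
    """True if the call is rejected (used to show the bounds without tracebacks)."""
    try:
        fn(*args)
        return False
    except (PermissionError, ValueError):
        return True


# Constructed role hierarchy: each derived role is strictly smaller
ADMIN = Role("mailbox-admin", {("reset", "mailbox"), ("delete", "mailbox"), ("read", "audit-log")})
HELPDESK = ADMIN.derive("helpdesk", remove={("delete", "mailbox")})
READONLY = HELPDESK.derive("helpdesk-ro", remove={("reset", "mailbox")})


def demo():
    rbac = RBAC()
    rbac.assign("alice", ADMIN, "corp")
    rbac.delegate("alice", "bob", HELPDESK, "corp/eu")     # bounded to corp/eu
    rbac.delegate("bob", "carol", READONLY, "corp/eu/fr")  # bob narrows further
    return rbac


if __name__ == "__main__":
    rbac = demo()
    print(rbac.check("bob", "reset", "mailbox", "corp/eu/fr"))   # True
    print(rbac.check("bob", "delete", "mailbox", "corp/eu/fr"))  # False: entry removed
    print(rbac.check("bob", "reset", "mailbox", "corp/us"))      # False: out of scope
    print(refused(rbac.delegate, "bob", "dave", HELPDESK, "corp"))  # True: wider scope
    print(refused(rbac.delegate, "bob", "dave", ADMIN, "corp/eu"))  # True: not bob's role
```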
20100306816AUTHENTICATION VIA MONITORING - Systems, methods, and other embodiments associated with authentication via monitoring are described. One example method includes detecting a data flow in which indicia of identity (DFWIOI) travel between a first endpoint and a second endpoint. The DFWIOI may be partially encrypted. The example method may also include collecting an identity data associated with the DFWIOI from the DFWIOI, the first endpoint, the second endpoint, and so on. The example method may also include making an authentication policy decision regarding the DFWIOI based, at least in part, on the identity data. The example method may also include controlling a networking device associated with the DFWIOI based, at least in part, on the authentication policy decision.12-02-2010
20090125973METHOD FOR ANALYZING AND MANAGING UNSTRUCTURED DATA - A system and method for managing unstructured data that includes identifying at least one unstructured data environment with unstructured data, identifying mitigating controls in each of the unstructured data environments, the mitigating controls reducing a security risk associated with each of the unstructured data environments, and generating at least one process for managing the unstructured data in each of the unstructured data environments, the process including defining mitigating controls for managing the unstructured data in each of the unstructured data environments.05-14-2009
20130139214MULTI DIMENSIONAL ATTACK DECISION SYSTEM AND METHOD THEREOF - A method and system for protecting a protected entity using a multi-dimensional protection surface. The method comprises detecting at least one potential attack against the protected entity in incoming data traffic directed to the protected entity; detecting a type of each attack tool committing the at least one potential attack; generating a multi-dimensional protection surface by correlating a plurality of inputs related to the at least one detected attack, wherein the plurality of inputs include at least a first input identifying the at least one detected attack and a second input identifying each attack tool that performs the at least one detected attack, wherein the multi-dimensional protection surface includes at least one protection point that defines at least one attack mitigation action to mitigate the at least one detected attack; and executing the at least one attack mitigation action defined in the multi-dimensional protection surface.05-30-2013
20130139217METHOD AND APPARATUS FOR EXECUTING SECURITY POLICY SCRIPT, SECURITY POLICY SYSTEM - Embodiments of the present invention provide a method and an apparatus for executing a security policy script as well as a security policy system. The method includes: verifying a signature of a security policy script to be executed, where the security policy script to be executed corresponds to a unique signature, and the signature is used to verify validity of the security policy script; and invoking a script engine to execute the security policy script to be executed after verifying that the signature of the security policy script to be executed is correct, so as to improve security of the security policy script effectively.05-30-2013
20100319051CONTROLLING ACCESS TO RESOURCES BY HOSTED ENTITIES - Controlling resource access by entities hosted by an execution extension environment via entity identifiers associated with the resources or with the execution extension environment. Policy sets define the access to the resources. Each policy set includes a principal identifier for the execution extension environment, a resource identifier for one of the resources, and access rights. The principal identifier or the resource identifier includes one of the entity identifiers. Access requests from entities are evaluated by comparing the entity identifiers to the policy sets. In some embodiments, the policy sets implement access control for web browsers hosting executable code that attempts to access resources on a computing device.12-16-2010
20090077615Security Policy Validation For Web Services - Methods, apparatus, and products are disclosed for security policy validation for web services that include: transforming a security policy for a web service into a policy predicate logic representation; providing a profile predicate logic representation that represents one or more rules of a security policy profile; determining whether the security policy satisfies the security policy profile in dependence upon the policy predicate logic representation and the profile predicate logic representation; and notifying a user that the security policy is valid if the security policy satisfies the security policy profile.03-19-2009
20100325692SYSTEM AND METHOD FOR CONTROLLING POLICY DISTRIBUTION WITH PARTIAL EVALUATION - The present invention relates to a system (12-23-2010
20100325689USE AUTHORITY ATTACHING DEVICE AND COMPUTER READABLE MEDIUM - A use authority attaching device includes: a storing unit that stores use authority information corresponding to each of stamped images of various forms; a detecting unit that detects a stamped image from a document image obtained by reading a stamped paper document; and a storage control unit that specifies use authority information corresponding to the stamped image detected by the detecting unit from the storing unit and stores an electronic document corresponding to the document image in a predetermined saving unit, in association with the specified use authority information under control.12-23-2010
20100325690INFORMATION PROCESSING APPARATUS AND COMPUTER READABLE MEDIUM - An information processing apparatus, includes: a registration unit that refers to a use limit information memory which stores use limit information indicating a policy of a use limit of a document corresponding to a set of a mark image indicating that use of the document is limited and user associated information relating to a user associated to the document, extracts the mark image and person in charge information from document image information obtained by reading a paper document including the mark image and the person in charge information indicating a person in charge with respect to contents of the paper document, acquires the use limit information corresponding to a set of the extracted mark image and the user associated information corresponding to the extracted person in charge information from the use limit information memory, and registers the acquired use limit information associated with a document including the document image information in a document memory.12-23-2010
20100325688INFORMATION PROCESSING APPARATUS, AND COMPUTER READABLE MEDIUM - An information processing apparatus, includes: a registering unit for referring to a first storing unit for storing usage limitation information indicating a policy of usage limitation of a document which corresponds to a pair of a stamp image corresponding to an image representing that the document is limited in use, and the number of the stamp images, extracting the stamp image from document image information obtained by reading a paper document containing at least one of the stamp images, obtaining the usage limitation information corresponding to a pair of the extracted stamp image and the number of the extracted stamp images from the first storing unit, and registering the obtained usage limitation information and the document containing the document image information in correlation with each other into a second storing unit.12-23-2010
20100325686DYNAMIC ACCESS CONTROL LISTS - Disclosed are methods and apparatus for creating and managing dynamic access control lists (ACL's). In a specific embodiment, a method of creating or modifying a dynamic access control policy (ACP) is disclosed. A current ACP for one or more specified resources is defined based on one or more membership rules for specifying users who can access the one or more specified resources based on user information that was or will be collected for a plurality of users. The collected user information includes at least user presence information or user communication data. The current ACP is retained for the one or more specified resources, wherein the current ACP is accessibly usable so as to dynamically allow a selected set of users, who each have corresponding collected user information which meets the one or more membership rules of the current ACP, to access the one or more specified resources. The selected set of users is changeable over time as different user information is collected over time.12-23-2010
20100325684ROLE-BASED SECURITY FOR MESSAGING ADMINISTRATION AND MANAGEMENT - A role-based access control (RBAC) for the administration of complex services, such as for messaging. The RBAC architecture facilitates the creation of a role mechanism that describes any end-user, administrator, or partner action, of a set of scopes that address all populations, and a single authorization mechanism to handle role assignments through various mechanisms. Moreover, role and scope concepts are provided that universally apply to various management scenarios. A common set of primitives is defined that represent actions of enterprise and tenant end-users, partners, tenant administrators, datacenter administrators, and enterprise administrators. The primitives can include actions, action parameters, and API calls. Additionally, a set of scopes is defined that include self-relative scopes for end-users and tenants, and, absolute and filter-based scopes for administrators.12-23-2010
20130145418UPDATING SYSTEM BEHAVIOR DYNAMICALLY USING FEATURE EXPRESSIONS AND FEATURE LOOPS - Behavior of an online system is modified dynamically using feature expressions and feature loops. A feature expression can be expressed as a combination of other features or feature expressions, thereby allowing specification of complex features. The sets of feature expressions and policies of an online system can be modified while the online system is running. Feature loops aggregate values of a feature expression across a plurality of actions, for example, number of occurrences of an event over a time interval. The online system evaluates a set of feature expressions in response to actions performed by users. Feature expressions are used to specify policies that determine how the online system reacts to certain types of user actions. The ability to dynamically modify the feature expressions and policies of the online system allows the online system to adapt to attacks by malicious users in a timely manner.06-06-2013
20130145420SECURE AUTHENTICATION USING MOBILE DEVICE - Representative embodiments of secure authentication include receiving, by a server, information from a mobile device identifying (i) the mobile device and (ii) an identifying tag read by the mobile device; accessing, by the server, a database to identify (i) a user associated with the mobile device, (ii) a secure device associated with the identifying tag, and (iii) a security policy associated with the secure device; and if the policy permits access by the identified user to the identified secure device, causing access to the secure device to be accorded to the user.06-06-2013
20090007222APPARATUS AND METHOD FOR MANAGING DIGITAL RIGHTS MANAGEMENT CONTENTS IN PORTABLE TERMINAL - Provided is an apparatus and method for managing Digital Rights Management (DRM) contents in a portable terminal. The method includes: when a license of the DRM content is consumed, changing license information, which is stored in an external memory, on the DRM content; storing information relating to changed data of the external memory into an internal memory; determining whether the changed license information stored in the external memory has changed by using the information stored in the internal memory when the DRM content is used; and determining whether the DRM content is available according to whether the changed license information has changed.01-01-2009
20100333170Smart Mouse System and Method of Use - The Smart Mouse technology is a computer mouse with its own computer, memory, software, OS, networking and GUI. The Mousetop Window GUI is the viewport into the mouse and gateway between the mouse and computer(s). The mouse becomes a computer network where data can be stored and retrieved in the mouse buffer memory, mouse memory or between connected computer(s). Software and licenses can be served from the mouse allowing the sharing of software and licenses across multiple computers in proximity or remotely located. Shared cursor switching, drag and drop data and other interactive functions are available. Profile storage in the mouse allows for multiple configurations of networking or isolating the window. Concepts like keyboard switching, biometric access, child security and numerous other novel concepts are included with this technology. Added physical features like removable memory and connectivity to other hand held technology like iPhone or iPad provide expanded communication functionality.12-30-2010
20100333172METHOD, APPARATUS AND SYSTEM FOR MONITORING DATABASE SECURITY - A system for monitoring database security includes a front-end probe that obtains network data information of a service system, a back-end probe that obtains database information accessed by the service system in a database system, and an analyzer that analyzes and integrates the obtained network data information and database information. The obtained network data information and database information are analyzed and integrated. The complete information about user operations at the front end of the service system and the front end of the database is obtained. User operations of the application system are associated with user operations of the database, and user operations can be audited completely.12-30-2010
20110010751Systems and Methods for Self-Organizing Networks Using Dynamic Policies and Situation Semantics - Communication nodes, systems and methods are described which manage and process management information using dynamic semantic variable entities governed by a formal logic and upon which computations can be performed. Such semantic variable entities include, for example, management infons and or management situations which can be used, for example, to manage policy enforcement in communication networks. Action logic is amalgamated with static situation semantics to enable dynamic policy enforcement in such networks.01-13-2011
20110004917Integration Platform for Collecting Security Audit Trail - An audit processor is interposed between production servers and an auditing server, and is a client to both. The audit processor is an integration point, receiving security audit data from production servers, processing the data (e.g., converting the data from binary to text format), and sending processed audit trails to the auditing server. The audit processor includes data buffering capacity and flow control; accordingly, temporary unavailability of the auditing server does not impact the production servers. The production servers will purge stale audit data; accordingly, temporary unavailability of the audit processor does not impact the production servers. Since the audit processor may process security audit data according to any protocol or format imposed or requested by the auditing server, the production servers are unaffected by auditing server changes. The audit processor integrates production servers with existing auditing servers without jeopardizing the telecom grade availability of the wireless telecommunication network.01-06-2011
20110010752ENABLING INCOMING VOIP CALLS BEHIND A NETWORK FIREWALL - A network device is configured to receive a registration message from a private user device including a private internet protocol (IP) address associated with the private user device. A public IP address and discrete port number are assigned to the private user device and private IP address and stored in an incoming call table. The registration message is translated to include the public IP address and discrete port number. The registration message is forwarded to a proxy server for registration. An incoming call invitation message is received from a public user device, where the call invitation message is directed to the public IP address and discrete port number associated with the private user device. The call invitation message is translated to include the private IP address associated with the private user device based on the received public IP address and discrete port number and the incoming call table. The call invitation message is forwarded to the private user device.01-13-2011
20110010754ACCESS CONTROL SYSTEM, ACCESS CONTROL METHOD, AND RECORDING MEDIUM - When access control implementing sections of many types, differing depending on an object, are connected simultaneously, an access control list applied to each of the access control implementing sections is generated in a format corresponding to each access control implementing section, and a process of transferring to each access control implementing section is collectively executed based on an access control policy. Specifically, the access control lists, different for every access control implementing section, are generated from a same access control policy based on a relation between an object and an access control implementing section for the access control implementing sections. A setting file in a format different for every access control implementing section is generated from the access control list described in a format which does not depend on a kind of the access control implementing section, based on a relation of a format template of the setting file describing contents of the access control list and the access control implementing section. The setting file is distributed based on a relation of a distribution destination of the setting file and the access control implementing section.01-13-2011
20110030031Systems and Methods for Receiving, Processing and Organizing of Content Including Video - Methods and systems for receiving, processing and organizing video. Organizational tools are provided that allow users the capacity to solicit, mine, clip, aggregate, organize, and search submitted footage. These tools include: a set of electronic folders, a media clipper and a media submit portal. Studios, projects, folders and subfolders exist in a hierarchical relationship in order to arrange media. The hierarchy of folders created by producers may be made accessible by the public for the purpose of submitting media to a particular project. Various content creators may upload video to the system, may create electronic video clips from the uploaded video by selecting subportions of that video, and may submit the electronic video clips to a specific folder which is associated with a project. Producers may view various folders to select submitted video clips for use in a project.02-03-2011
20110030029REMOTE MANAGEMENT AND NETWORK ACCESS CONTROL OF PRINTING DEVICES WITHIN SECURE NETWORKS - Systems and methods are disclosed for enabling remote management of printing devices and for providing access control of printing devices within secure health policy based networks. A printing device transmits device status information to a status server and operational health information to a compliance server. The compliance server receives a health policy for the network from the status server. The compliance server evaluates the operational health information using the health policy and configures the printing device for operations within a secure portion of the network if the operational health information is in compliance with the health policy.02-03-2011
20090144803Computer-Implemented Method for Role Discovery and Simplification in Access Control Systems - A method includes selecting a first biclique role in a plurality of roles and finding all roles in the plurality that have a set of vertices of a second type that is a subset of a set of vertices of the second type in the first role; removing each of the subsets from the set of vertices of the second type corresponding to the first role; and reassigning the vertices of the first type to the roles such that original associations between the vertices of the first type and the vertices of the second type are maintained.06-04-2009
20110247046Access control in data processing systems - A policy data structure defines predetermined authorizations, each relating to authorization of at least one user to access at least one resource as well as to dynamic access requests. Each dynamic access request indicates a condition to be satisfied by a respective set of attributes associated with a user request to access a resource and for the request to be granted in absence of an authorization determinative of the request. If the structure does not define an authorization for a request to access a resource, it is determined whether the structure defines a dynamic access requirement determinative for the request, and if so, whether to grant the request in accordance with the respective set of attributes associated with the request. For at least one request, after determining whether to grant the request, a dynamic authorization relating to authorization to access the resource within the request is added to the structure.10-06-2011
20110030030UNIVERSAL SERIAL BUS - HARDWARE FIREWALL (USB-HF) ADAPTOR - A system and method in accordance with the present invention provides a protected area for software to execute on a separate hardware firewall adaptor when a storage device is operating in an unprotected environment when connected to an uncontrolled or unmonitored host system. This software provides security through a plurality of security, access management and monitoring (SAMM) applications when a USB storage device is connected to a computer in an uncontrolled, unprotected environment.02-03-2011
20100180318Flexible supplicant access control - Systems, methods, and other embodiments associated with flexible supplicant access control are described. One example method includes collecting a network information associated with a network to which an endpoint is to be communicatively coupled. The network information comprises a network identification and information to facilitate the evaluation of network threats. The example method may also include classifying the network based, at least in part, on the network information, to assign a variable level access parameter (VLAP) to the network based on the policy locally configured on the endpoint or centrally managed by the administrator. The VLAP may establish three or more access levels for the network at the endpoint. The example method may also include communicating the network identification and the network VLAP to a second endpoint, a security agent, a security application, and so on.07-15-2010
20100180319Method and System for Session Modification - A method and system for session modification are provided. The method includes these steps: A home policy and charging rules function (h-PCRF) sends a policy and charging control (PCC) rule providing message to a first policy and charging enforcement function (PCEF) according to a received PCC rule request message, an application layer service message, or an h-PCRF self-trigger event; and the h-PCRF sends a PCC rule providing message to a second PCEF according to a PCC rule response message received from the first PCEF. With this present disclosure, session modification may be implemented when two or more PCEFs are included in the PCC architecture of a system architecture evolution (SAE) system.07-15-2010
20100162348METHOD AND APPARATUS FOR PROVIDING NETWORK COMMUNICATION ASSOCIATION INFORMATION TO APPLICATIONS AND SERVICES - A system and method are provided that allow an application on a first terminal to inquire about available network communication associations that it can use to send data to another terminal, thereby avoiding the establishment of a new network communication association with the other terminal. A security information module may serve to collect and/or store information about available network communication associations between the first terminal and another terminal across different layers. The security information module may also assess a trust level for the network communication associations based on security mechanisms used to establish each association and/or past experience information reported for these network communication associations. Upon receiving a request for available network communication associations, the security information module provides this to the requesting application which can use it to establish communications with a corresponding application on the other terminal.06-24-2010
20110035781Distributed data search, audit and analytics - A system that comprises a set of components that interact together to achieve large-scale distributed data auditing, searching, and analytics. Traditional systems require auditing data to be captured and centralized for analytics, which leads to scaling and bottleneck issues (both on the network and processing side). Unlike these systems, the system described herein leverages the combination of distributed storage and intelligence, along with centralized policy intelligence and coordination, to allow for large-scale data auditing that scales. This architecture allows for data auditing in "billions" of events, unlike traditional architectures that struggled in the realm of "millions" of events.02-10-2011
20110035782METHOD, APPARATUS AND SYSTEM FOR UPDATING PCC RULES - A method, an apparatus, and a system for updating PCC rules are disclosed herein to ensure normal process of the user service in the process of updating the PCC rules. A method for updating PCC rules includes: obtaining a response made by a PCEF after the PCEF updates the PCC rules; and keeping consistency between PCC rules stored in the PCRF and the PCC rules currently executed in the PCEF according to the obtained response.02-10-2011
20110035783CONFIDENTIAL INFORMATION LEAK PREVENTION SYSTEM AND CONFIDENTIAL INFORMATION LEAK PREVENTION METHOD - There is provided a confidential information leak prevention system in which confidential information and normal information can be simultaneously used without switching an execution environment, and which can prevent information from being leaked. An application behavior controlling unit (02-10-2011
20090049515SYSTEM AND METHOD FOR EFFECTING INFORMATION GOVERNANCE - A method to manage data located on networked devices is provided. The method includes replicating objects residing on the devices and collecting information about at least one of the objects or the devices. The method further includes receiving input on desired information governance policies and outcomes and analyzing the replicated objects, collected information and received input to determine an information governance action.02-19-2009
20110113471METHOD AND APPARATUS FOR CONTEXT-BASED CONTENT MANAGEMENT - In one embodiment, a system for context-based management of cached content includes policy and context servers. The policy server makes policy decisions controlling, e.g., usage of a content cache by a user, based on a contextualized policy that includes one or more context-dependent policy rules. The context server collects context information for the user and generates the contextualized policy by inserting the updated context-parameter(s) into the context-dependent policy rule(s). The policy server thus obtains or otherwise updates the contextualized policy responsive to a policy decision request received from a caching agent operating as a policy enforcement point, and returns a policy decision to the caching agent. In support, the context server may be configured to collect context information for the user at least in part by receiving context information from a user agent associated with the user.05-12-2011
20110047593SYSTEM AND METHOD FOR SECURE MANAGEMENT OF TRANSACTIONS - Secure management of electronic transactions is provided by a system server that is communicatively coupled to terminals configured as thin client devices (TCD) and to one or more application servers. A TCD completes a secure communications link with the system server, and transfers information concerning the identity of a user and account information from a secure transaction card (STC). Upon authentication, the system server drives the display of available applications at the TCD, allowing the user to select and engage in a desired transaction with the application server hosting the selected application. During the transaction, the system server brokers communications according to the different security schemes used by the TCD and the application server and, ultimately, stores a transaction ticket that memorializes the transaction. The transaction ticket can later be retrieved by presenting appropriate authentication information.02-24-2011
20110113468ESTABLISHING AND ENFORCING SECURITY AND PRIVACY POLICIES IN WEB-BASED APPLICATIONS - Method, system, and computer code for implementing privacy protection in a web application, wherein the web application is executed in a web application language execution environment within a web server, the method containing the steps of: establishing at least one inbound tagging rule for tagging objects entering the web application language execution environment, referred to as inbound objects, according to a respective source of each of the inbound objects; assigning a tag to at least one of the inbound objects being operated on by the web application language execution environment based on the at least one inbound tagging rule; establishing at least one privacy rule for performing privacy actions on at least one object that is outbound from the web application language execution environment, referred to as outbound objects, according to a respective tag of each of the outbound objects; and performing a privacy action on the at least one outbound object being operated on by the web application language execution environment based on the at least one privacy rule.05-12-2011
20110047590APPARATUS, SYSTEM, AND METHOD FOR SHARING REFERENCED CONTENT THROUGH COLLABORATIVE BUSINESS APPLICATIONS - An apparatus, system, and method are disclosed for sharing referenced content through collaborative business applications. The method includes detecting referenced content in an electronic communication. The referenced content references content stored in an external repository. The referenced content identifies a registered external repository connector. The method also includes determining that an Access Control List (“ACL”) for the referenced content lacks an entry for a recipient of the electronic communication. The method includes generating an ACL entry for the recipient in response to the recipient lacking an entry in the ACL for the referenced content. The ACL entry controls access to the referenced content for the recipient. The ACL entry is defined based on a security policy associated with the recipient.02-24-2011
20110214157SECURING A NETWORK WITH DATA FLOW PROCESSING - An apparatus and method to distribute applications and services in and throughout a network and to secure the network includes the functionality of a switch with the ability to apply applications and services to received data according to respective subscriber profiles. Front-end processors, or Network Processor Modules (NPMs), receive and recognize data flows from subscribers, extract profile information for the respective subscribers, utilize flow scheduling techniques to forward the data to applications processors, or Flow Processor Modules (FPMs). The FPMs utilize resident applications to process data received from the NPMs. A Control Processor Module (CPM) facilitates applications processing and maintains connections to the NPMs, FPMs, local and remote storage devices, and a Management Server (MS) module that can monitor the health and maintenance of the various modules.09-01-2011
20110119730Enforcing Centralized Communication Policies - A system provides centralized policies to be applied in a distributed manner to all communication channels used by a set of mobile communication devices, including communication channels which do not pass through a centralized communication server, such as PIN-to-PIN communication channels. Such policies may include address-based and content-based policies. The system also allows all such communications to be archived.05-19-2011
20110119733ENFORCING POLICIES IN WIRELESS COMMUNICATION USING EXCHANGED IDENTITIES - Techniques for facilitating the exchange of information and transactions between two entities associated with two wireless devices when the devices are in close proximity to each other. A first device uses a first short range wireless capability to detect an identifier transmitted from a second device in proximity, ideally using existing radio capabilities such as Bluetooth (IEEE802.15.1-2002) or Wi-Fi (IEEE802.11). The detected identifier, being associated with the device, is also associated with an entity. Rather than directly exchanging application data flow between the two devices using the short range wireless capability, a second wireless capability allows for one or more of the devices to communicate with a central server via the internet, and perform the exchange of application data flow. By using a central server to draw on stored information and content associated with the entities the server can broker the exchange of information between the entities and the devices.05-19-2011
20110119731INFORMATION PROCESSING APPARATUS AND METHOD OF SETTING SECURITY THEREOF - An information processing apparatus includes an accepting unit that accepts from a user a command relating to security; a setting unit that makes a setting relating to security of the information processing apparatus based upon the command from the user accepted by the accepting unit; a recording unit that performs the following operation in a case where the accepting unit has accepted a command for changing a security-related setting that has already been made by the setting unit: before the setting unit changes the security-related setting, the recording unit records an event, among events that occur in the information processing apparatus, the content of which will be different between a case where the security-related setting is changed and a case where the security-related setting is not changed; and a notification unit that notifies the user based upon the event that has been recorded by the recording unit.05-19-2011
20110119732SYSTEM AND METHOD FOR USER-CENTRIC AUTHORIZATION TO ACCESS USER-SPECIFIC INFORMATION - In a network computing environment, a user-centric system and method for controlling access to user-specific information maintained in association with a web-services service. When a web-services client desires access to the user-specific information, the client sends a request. The request identifies the reasons/intentions for accessing the desired information. The request is compared to the user's existing access permissions. If there is no existing access permission, the request is compared to the user's default preferences. If the default preferences permit the requested access, an access rule is created dynamically and the client's request is filled, without interrupting the user. If the default preferences do not permit the request to be filled, a consent user interface may be invoked. The consent user interface presents the user with one or more consent options, thereby permitting the user to control whether the client will be given access to the user-specific information.05-19-2011
20110131628SYSTEM AND METHOD FOR AUTOMATICALLY DISCOVERING SECURITY CLASSIFICATION OF HOSTS - A system and method for discovering security classifications of network areas includes representing actually allowed network flows and flows permitted by a security policy in a format that enables comparison. The actually allowed network flows and the security policy are provided in a networked computing environment including network areas, wherein each network area is a collection of one or more computing and network devices, and an enterprise security policy defines security requirements for security classifications. An assignment of security classifications to network areas is determined by comparing the actually allowed network flows with the flows permitted by the security policy.06-02-2011
20110126261METHODS AND SYSTEMS FOR IMPLEMENTING SERVICE LEVEL CONSOLIDATED USER INFORMATION MANAGEMENT - Embodiments of the invention provide methods and systems for implementing service level consolidated user information management. According to one embodiment, a method comprises intercepting, at a policy enforcer, a manipulation request of data. The method may further include analyzing the request to determine which data the manipulation request is associated with and, based on that analysis, selecting a policy from a plurality of policies. Furthermore, the method may execute the selected policy. The policy may be configured to direct the policy enforcer to allow the manipulation request to pass through to the associated destination data system to process the request, delegate processing of the manipulation request to at least one of a plurality of data systems, or process the manipulation request by the policy enforcer.05-26-2011
20110093916METHOD AND SYSTEM FOR RAPID ACCREDITATION/RE-ACCREDITATION OF AGILE IT ENVIRONMENTS, FOR EXAMPLE SERVICE ORIENTED ARCHITECTURE (SOA) - A system and method for managing and analyzing security requirements in reusable models. At least one functional model, at least one security implementation model, at least one requirement model, and meta models of the models are read by a reader. A correspondence between the functional model, security implementation model, and the requirements model is analyzed, whereby the correspondence indicates that compliance/security/accreditation requirements defined in the requirement model match with security objectives implemented by controls defined by the security implementation model. Next, it is determined whether correspondence is or is not given based on the analysis of the correspondence and then evidence is generated based on the analysis of the correspondence and the determination and the impact of changes is analyzed.04-21-2011
20100242082PROTECTING SENSITIVE INFORMATION FROM A SECURE DATA STORE - In embodiments of the present invention improved capabilities are described for the steps of receiving an indication that a computer facility has access to a secure data store, causing a security parameter of a storage medium local to the computer facility to be assessed, determining if the security parameter is compliant with a security policy relating to computer access of the remote secure data store, and in response to an indication that the security parameter is non-compliant, causing the computer facility to implement an action to prevent further dissemination of information, to disable access to network communications, and the like.09-23-2010
20100235879SYSTEMS, METHODS, AND MEDIA FOR ENFORCING A SECURITY POLICY IN A NETWORK INCLUDING A PLURALITY OF COMPONENTS - Systems, methods, and media for enforcing a security policy in a network are provided, including, for example, receiving a plurality of events describing component behavior detected by a plurality of sensors, each sensor monitoring a different component of a plurality of components; attributing a first event of the plurality of events to a first principal; attributing a second event of the plurality of events to a second principal; determining whether the first and second events are correlated; storing a data structure that attributes each of the first and second events to the first principal, if it is determined that the first and second events are correlated; comparing the second event to the security policy; and modifying network behavior to enforce the security policy against the first principal based on the comparison of the second event to the security policy and the attribution of the second event to the first principal.09-16-2010
20090083826UNSOLICITED COMMUNICATION MANAGEMENT VIA MOBILE DEVICE - A system that can effectively screen or filter incoming communications to a mobile device is disclosed. The innovation can filter voice calls, emails, instant messages, text messages, etc. via a mobile device (e.g., cellular telephone, smartphone, personal digital assistant (PDA), notebook computer). In accordance with the innovation, callers (or senders) are prompted to prove their ‘identity’ as an acceptable (or authorized) identity in order to be permitted to communicate with a mobile device. Accordingly, the innovation prompts a caller (or sender) with a challenge that requires a human input (e.g., human interactive programming (HIP)), which can effectively filter automated machine communication as well as unwanted human communication such as spam. This filtering can be based on almost any policy, rule, or context-awareness factor.03-26-2009
20100011408Implementing Organization-Specific Policy During Establishment of an Autonomous Connection Between Computer Resources - Implementing an organization-specific policy during establishment of an autonomous connection between computer resources includes evaluating a relative priority between default credentials and alternative credentials; and using the highest priority credentials to establish a connection between the computer resources. The alternative credentials are based on organization-specific policy and provide for autonomous connections between computer resources differently than the default credentials.01-14-2010
20120192247METHOD AND APPARATUS FOR PROVIDING DATA BASED ON GRANULARITY INFORMATION - An approach is provided for providing data based on granularity information. The policy platform determines to act on a request, from an application or a service, for data associated with a device, a user of the device or a combination thereof. Next, the policy platform determines a granularity level for the data based, at least in part, on at least one privacy policy associated with the data, the application, the service, the device, the user of the device or a combination thereof. Then, the policy platform processes and/or facilitates a processing of the data to generate transformed data based, at least in part, on the granularity level.07-26-2012
20090031395Security system for wireless networks - A security procedure for invoking IPsec security for communication of a packet in a network includes the steps of generating a message to be sent at the transport layer, building Internet Protocol and Transport Control Protocol headers for the message, selecting a security policy in accordance with a security policy database after the step of building Internet Protocol and Transport Control Protocol headers, and processing the packet according to the selected security policy.01-29-2009
20090031394METHODS AND SYSTEMS FOR INTER-RESOURCE MANAGEMENT SERVICE TYPE DESCRIPTIONS - Communication nodes, systems and methods are described which provide access screening for services based upon service type description information and policy criteria information associated with an access network. If a requested service is, e.g., banned due to regulatory policies in a geographic region associated with a particular access network, then the requested service shall be denied even if the user has a valid subscription to such requested service via another access network.01-29-2009
20100037284MEANS AND METHOD FOR CONTROLLING NETWORK ACCESS IN INTEGRATED COMMUNICATIONS NETWORKS - The invention provides methods and means for assisting the control of a User Terminal's, UT's, (02-11-2010
20100037286PRINTER-CRITERIA BASED PRINT JOB SUBMISSION APPROVAL POLICY IN A PRINT SHOP MANAGEMENT SYSTEM - In a print shop management system, a print job submission approval policy is provided to determine whether a print job submission to a target printer is approved or prohibited. The policy includes multiple policy settings of job restriction criteria enforced at job submission time. The restrictions are based on conditions of the target printer, such as PM count, jam count, error count, printer status, levels of available resources, etc. The policy may also restrict certain user's ability to submit print jobs to certain printers. If the job submission is prohibited, a message is displayed to the user but the print job is not submitted to the printer. Each policy setting may be applied to a printer based on printer type or identity. Each policy setting is created by an administrator. A user interface for inputting policy setting values is disclosed.02-11-2010
20100037285USER-CRITERIA BASED PRINT JOB SUBMISSION APPROVAL POLICY IN A PRINT SHOP MANAGEMENT SYSTEM - In a print shop management system, a print job submission approval policy is provided to determine whether a print job submission made by a particular user is approved or prohibited. The policy includes multiple policy settings of job restriction criteria enforced at job submission time. The restrictions may be based on job price, certain restricted functions, resource usage, etc. If the job submission is prohibited, a message is displayed to the user but the print job is not submitted to the printer. Each policy setting may be applied to a user based on his user role or user name. Each policy setting is created by an administrator. A user interface for inputting policy setting values is disclosed.02-11-2010
20100037291SECURE COMPUTING ENVIRONMENT USING A CLIENT HEARTBEAT TO ADDRESS THEFT AND UNAUTHORIZED ACCESS - Techniques for securing a client. An operating system agent is one or more software modules that execute in an operating system of a client, such as a portable computer. Portions of the operating system agent may monitor resources of the client. The operating system agent sends a message, which describes an operational state of the operating system agent, to a BIOS agent. The BIOS agent is one or more software modules operating in a BIOS of the client. The BIOS agent performs an action based on a policy that is described by policy data stored within the BIOS of the client. The BIOS agent performs the action in response to either (a) the operational state described by the message, or (b) the BIOS agent not receiving the message after an expected period of time.02-11-2010
20090320089POLICY-BASED USER BROKERED AUTHORIZATION - A User Brokered Authorization (UBA) mechanism for policy decisions in a computing device is provided. The authorization mechanism interacts with an authorization layer of the computing device's operating system and enables a determination of whether an authorization decision can be made programmatically or by end user decision based on generalized device policy.12-24-2009
20090320090DEPLOYING PRIVACY POLICY IN A NETWORK ENVIRONMENT - An authoring application enables an administrative user to generate, validate, and deploy one or more privacy notices and legal notices in web pages that may be retrieved by a client user via a web browser. Two or more of the privacy notices generated by the authoring application may be deployed in a web page, and may be selectively presented to the client user via the web browser in accordance with the notification setting selected at the web browser. Two or more of the legal notices generated by the authoring application may be deployed in the web page or in a second web page. The legal notices may be selectively presented to the client user via the web browser in accordance with the notification setting.12-24-2009
20100037290SYSTEM AND METHOD FOR HIERARCHICAL ROLE-BASED ENTITLEMENTS - A system and method for authorization to adaptively control access to a resource, comprising the steps of providing for the mapping of a principal to at least one role, wherein the at least one role is hierarchically related to the resource; providing for the evaluation of a policy based on the at least one role; and providing for the determination of whether to grant the principal access to the resource based on the evaluation of the policy.02-11-2010
20100037288Inherited Access Authorization to a Social Network - A method for access authorization via inheritance to information of a first registered user on a social network comprises defining authorization criteria for the first registered user; receiving first verification data from a requester, wherein the requester comprises one of a second registered user or a non-registered user; determining if the first verification data satisfies the authorization criteria, and in the event the first verification data satisfies the authorization criteria, extending inherited access authorization to the requester in the event the requester is the non-registered user, and extending inherited access authorization to a contact of the requester in the event the requester is the second registered user.02-11-2010
20090217347METHOD AND NETWORK SYSTEM FOR NEGOTIATING A SECURITY CAPABILITY BETWEEN A PCC AND A PCE - A method and a network system for negotiating a security capability between a path computation client (PCC) and a path computation element (PCE) are described. The method includes the steps as follows. The PCE sends a packet carrying security policy capability information to the PCC. After receiving the packet, the PCC acquires a security policy capability supported or required by the PCE or a security policy capability supported by both of the PCE and the PCC. In various embodiments of the present invention, negotiation of PCC-PCE and PCC-PCC may be performed by sending the packet carrying the security policy capability information, thereby greatly simplifying the security policy configuration between PCC-PCE and PCE-PCE, and simplifying the complexity in PCE deployment.08-27-2009
20090217346DHCP CENTRIC NETWORK ACCESS MANAGEMENT THROUGH NETWORK DEVICE ACCESS CONTROL LISTS - In embodiments of the present invention improved capabilities are described for the computer program product steps of serving a limited network connection to an endpoint computing facility via network device access control lists, where the limited network connection may enable the endpoint to communicate with a limited set of network resources; assessing security compliance information relating to the endpoint to determine a security state; and in response to receiving an indication that the security compliance information is acceptable, serving a managed network connection to the endpoint, where the managed connection may enable the endpoint to communicate with a larger set of network resources than the limited network connection.08-27-2009
20090217345SYSTEM AND METHOD FOR POLICY BASED CONTROL OF NAS STORAGE DEVICES - A system and method for providing policy-based data management and control on a NAS device deployed on a network and having event enabling framework software. When a user makes a request to store, read, or manipulate data on the NAS device, the NAS device provides an indication of this request to a management tool running on a remote system through the event enabling framework software. The management tool reviews the request in light of its previously established policy-based data storage management configuration and subsequently informs the NAS device, via the event enabling framework software, to either accept or not accept the user's request to store, read or modify data on the NAS device.08-27-2009
20090217344Digital Rights Management of Captured Content Based on Capture Associated Locations - When captured content is detected, the captured content is analyzed to determine whether any portion of the content is subject to digital rights management protection specified for content captured, where captured content is content captured independent of distribution of the content by an owner of at least one restricted element within the captured content. In response to determining that a portion of the captured content is subject to digital rights management protection, a database is queried to select at least one digital rights management rule associated with the portion and comprising at least one location based criteria. At least one relevant location is associated with the captured content. At least one digital rights management rule is applied to restrict usage of the captured content, with the at least one location based criteria specified by the at least one relevant location. In addition, in response to determining that the captured content is not subject to digital rights management protection, a certification is applied to the captured content designating a particular system that determined no portion of the captured content is subject to digital rights management protection.08-27-2009
20090217343Digital Rights Management of Streaming Captured Content Based on Criteria Regulating a Sequence of Elements - A captured content rights controller detects a first portion of streaming captured content and a second portion of the streaming captured content after the first portion of the streaming captured content is detected. The captured content rights controller determines whether rendering the second portion of the streaming captured content after the first portion of the streaming captured content is subject to at least one digital rights management protection rule for streaming captured content as specified by at least one owner of at least one restricted element within the streaming captured content captured independent of distribution of the content by the owner of the at least one restricted element within the streaming captured content. The captured content rights controller applies the at least one digital rights management protection rule to restrict rendering of the second portion of the streaming captured content after the first portion of the streaming captured content.08-27-2009
20100058431Agentless Enforcement of Application Management through Virtualized Block I/O Redirection - Application authorization management is provided without installation of an agent at an operating system level. A component runs outside of the operating system, in an AMT environment. AMT is utilized to examine the operating system for applications. Identified applications are checked against a whitelist or a blacklist. Responsive to determining that an identified application is not authorized, AMT is used to redirect input/output requests targeting the application to an alternative image, which can, for example, warn the user that the application is not authorized.03-04-2010
20090217342Parental Control for Social Networking - A computer-implemented infrastructure is provided for use with social communication services that are accessed via the public Internet. Facilities of the infrastructure identify a controlled class of users and permit a supervisory class of users to monitor and control use of social communication services servers by the controlled class. The infrastructure enables children to access social communication services servers, and allows their parents to supervise their use of such services on an ongoing basis.08-27-2009
20090217341METHOD OF UPDATING INTRUSION DETECTION RULES THROUGH LINK DATA PACKET - A method of updating intrusion detection rules through a link data packet is used to dynamically update rules storages of Snort system hosts. Firstly, an update sponsor in the network transmits a link data packet with an intrusion detection rule to the Snort system host. The Snort system host acquires the intrusion detection rule from the received link data packet, and parses an operation type of the intrusion detection rule. Then, the Snort system host verifies the validity of the intrusion detection rule. Subsequently, the rules storage is updated according to the type of the valid intrusion detection rule and a rules tree.08-27-2009
20090217340METHODS AND SYSTEMS FOR CLINICAL CONTEXT MANAGEMENT VIA CONTEXT INJECTION INTO COMPONENTS AND DATA - Certain embodiments present a system for managing access to patient data in a clinical information system that uses software applications, and a context manager that facilitates the sharing of context among the applications. The system has one access point, or a computer workstation terminal, allowing for user interaction with said at least two software applications. A centralized database stores information relating to patient data and user attempts to access patient data by the software applications. A first context identification module assigns a context label to each access attempt, and a second context identification module assigns a context label to data gathered by the software applications. An auditor regulates relationships between the software applications manager and provides a user interface enabling access to the centralized database. The auditor identifies impermissible application tasks based on rules and identification labels, and prevents access to impermissible application tasks through the user interface.08-27-2009
20100071029Method for Granting an Access Authorization for a Computer-Based Object in an Automation System, Computer Program and Automation System - An access authorization for a computer-based object in an automation system comprising a plurality of network nodes is granted using a control file which is structured in line with a scheme for a markup language for granting access authorizations and which maps a hierarchic tree structure. In this case, access authorizations are mapped in an object model which has a hierarchic tree structure. A relevant subtree from the object model is ascertained for a selected network node, at which services are provided using computer-based objects, or when access to a computer-based object is requested, by an access guideline service. The control file is produced from the ascertained relevant subtree. The control file produced is made available for the selected network node or for access to the computer-based object.03-18-2010
20100071028Governing Service Identification In A Service Oriented Architecture ('SOA') Governance Model - Methods and systems for governing service identification in an SOA governance model according to embodiments of the present invention are provided. Embodiments include receiving a set of input parameters for identifying candidate services for the SOA; determining whether the set of input parameters complies with a predetermined input parameter validation policy. If the set of input parameters complies with a predetermined input parameter validation policy, governing service identification includes identifying, in dependence upon the set of input parameters, one or more candidate services available for the SOA in existing SOA business applications and determining whether each candidate service available in existing SOA business applications complies with a predetermined service selection policy. If one of the candidate services available in existing SOA business applications complies with a predetermined service selection policy, governing service identification includes selecting the candidate service as a service available for the SOA and communicating the identification of that selected service to relevant stakeholders in the SOA.03-18-2010
20100058433MODULAR DATA SYNCHRONIZATION METHOD - In one embodiment, policies and sources may be used to synchronize data. Sources, which contain knowledge about files and metadata, can pass events to policies when changes in data are detected. The policies may then manage the data synchronization with other sources. The sources are agnostic as to how the data is synchronized between sources. Also, the policies are agnostic of the data that is being managed by sources. Accordingly, a modular infrastructure is provided that allows sources and policies to be configured to interact modularly.03-04-2010
20110154434Utilizing Location Information to Minimize User Interaction Required for Authentication on a Device - A system and a method are disclosed for authenticating a user of a mobile computing device. Information is received describing the location of the mobile computing device. The information can include the current location of the device or a current type of user activity associated with a location. A current timeout length is determined based on this information. If the mobile computing device has remained idle for a time period equal to the current timeout length, the user of the mobile computing device is authenticated.06-23-2011
20100064342SECURITY MEASURE STATUS SELF-CHECKING SYSTEM - The present invention provides a security measure status self-checking system which can determine the measure status in a more simplified and effective manner by focusing on the information leakage measure in the security measures, managing the PC's security measure status and the user's take-out operation status in an integrated and unitary manner, and providing security policy samples. According to the present invention, the client computer collects security inventory information and operation log information and transmits the information to the server computer. Further, the server computer stores the security inventory information and the operation log information transmitted from the client computer and determines whether or not the information conforms to the security policy which has been set in advance. The check result is displayed on the server computer and when a policy violation is detected, the manager and the client are notified to that effect.03-11-2010
20100058434HIERARCHICAL ACCESS CONTROL ADMINISTRATION PREVIEW - Embodiments of the present invention provide a method, system and computer program product for hierarchical access control administration preview of access control rights for hierarchically organized content. In an embodiment of the invention, a method for rendering a hierarchical access control administration preview of access control rights for hierarchically organized content can be provided. The method can include rendering a view of hierarchically organized content in connection with corresponding access rights and proposing explicitly assigned access rights for selected content in the hierarchically organized content. The method also can include re-rendering the view to reflect both the proposed explicitly assigned access rights for the selected content and also implicitly resulting assigned access rights for the children of the selected content.03-04-2010
20100058436SERVICE LEVEL NETWORK QUALITY OF SERVICE POLICY ENFORCEMENT - Embodiments of the invention provide systems and methods for providing service level, policy-based QoS enforcement on a network or networks. According to one embodiment, a system can comprise at least one communications network, a first endpoint communicatively coupled with the communications network, a second endpoint communicatively coupled with the communications network, and a network monitor communicatively coupled with the communications network that can monitor traffic on the communications network between the first endpoint and the second endpoint. A policy enforcer can be communicatively coupled with the network monitor. The policy enforcer can apply one or more policies based on the traffic between the first endpoint and the second endpoint. The one or more policies can define a Quality of Service (QoS) for the traffic between the first endpoint and the second endpoint, and the policy enforcer can apply the policies to affect the traffic between the endpoints to maintain the QoS defined by the one or more policies.03-04-2010
20100058435SYSTEM AND METHOD FOR VIRTUAL INFORMATION CARDS - A client includes a card selector, and receives a security policy from a relying party. If the client does not have an information card that can satisfy the security policy, the client can define a virtual information card, either from the security policy or by augmenting an existing information card. The client can also use a local security policy that controls how and when a virtual information card is defined. The virtual information card can then be used to generate a security token to satisfy the security policy.03-04-2010
20100058432PROTECTING A VIRTUAL GUEST MACHINE FROM ATTACKS BY AN INFECTED HOST - In a virtualization environment, a host machine on which a guest machine is operable is monitored to determine that it is healthy by being compliant with applicable policies (such as being up to date with the current security patches, running an anti-virus program, certified to run a guest machine, etc.) and free from malicious software or “malware” that could potentially disrupt or compromise the security of the guest machine. If the host machine is found to be non-compliant, then the guest machine is prevented from either booting up on the host machine or connecting to a network to ensure that the entire virtualization environment is compliant and that the guest machine, including its data and applications, etc., is protected against attacks that may be launched against it via malicious code that runs on the unhealthy host machine, or is isolated from the network until the non-compliancy is remediated.03-04-2010
20100071027METHOD OF PROVIDING A MIXED GROUP COMMUNICATION SESSION - A method of providing a mixed group communication session for a mixed group containing protected users and a guest user is provided. The method uses a secure server to assign temporary Identities (IDs) to the protected users. The secure server forms a mixed group session containing desired participants from among the protected users and the guest user. The secure server provides limited group rights to the guest user in the mixed group session. During the mixed group session, the secure server uses the permanent IDs of the protected users towards other protected users and temporary IDs of the permanent users towards the guest user. Also provided is a method for providing a mixed group communication session for a mixed group containing protected users and a guest user, wherein temporary IDs are assigned to protected users and the guest user.03-18-2010
20110154432IP Mobility Security Control - In a non-limiting and exemplary embodiment, a method is provided for adapting security level between a mobile node and a mobility anchor. An IP mobility binding with an indication of a security mode is established for a mobile node connected to an IP sub-network and identified in the IP sub-network by a care of address. A trigger to adapt the security mode for the mobile node connected to the IP sub-network is detected. The security mode for the mobile node connected to the IP sub-network and identified by the care of address is adapted in response to the trigger.06-23-2011
20110107392MANAGEMENT OF OBSERVABLE COLLECTIONS OF VALUES - Architecture that establishes a mathematical duality between an asynchronous observable design pattern and a synchronous iterator design pattern. This provides a mechanism for processing multiple observable collections and asynchronous values associated with those collections, including situations where a single observable collection is directed to multiple subscribers or multiple observable collections are directed to a single subscriber. Operators are presented that facilitate multi-collection processing based on this proven duality. As a result of this duality, concurrent asynchronous and event-driven programs can be elegantly formulated. Consequently, asynchronous and event-based programming can now be unified into a single conceptual framework, based on sound mathematical principles such as monads and duality.05-05-2011
20110107393Enforcing a File Protection Policy by a Storage Device - A file attribute, which is called herein “enforcement bit”, is used for each file that is stored in a storage device. If the protection particulars associated with a stored file are allowed to be changed, the enforcement bit is set to a first value, and if the protection particulars or properties are not to be changed, the enforcement bit is set to a second value. When the storage device is connected to a host device, the storage device provides to the host device protection particulars and an enforcement bit, which collectively form a “file protection policy”, for each stored file in response to a file system read command that the host device issues, in order to notify the host device of files in the storage device whose protection particulars are allowed to be changed freely, and of files whose protection particulars are not allowed to be changed by unauthorized users or devices.05-05-2011
20120304252METHOD AND SYSTEM FOR AUTHORIZATION OF PRESENCE INFORMATION - Embodiments of the present invention include a system and method for implementing a presence system. According to an embodiment of the present invention, responsive to receiving a request for presence information associated with a presentity from a watcher, the presence system receives instructions indicating that an authorization instance other than the presentity shall be given an opportunity to change or verify an authorization rule associated with the request for presence information. As a consequence, the presence system notifies the authorization instance of the request for presence information, thereby enabling the authorization instance to change or verify the authorization rule. The presence system also makes a final decision on the authorization rule on the basis of the instructions and a notification indicating a change or verification of the authorization rule.11-29-2012
20120304251FIREWALL SECURITY BETWEEN NETWORK DEVICES - A security device may be interconnected, via multiple links, between multiple network devices in a network. The firewall device may include multiple input interfaces that receive data units from a first network device destined for a second network device of the multiple network devices, identify a session associated with each of the data units, and process the data units in accordance with the identified sessions and a security policy.11-29-2012
20120304250POLICY-BASED PRIVACY PROTECTION IN CONVERGED COMMUNICATION NETWORKS - System(s) and method(s) that employ deep packet inspection (DPI) of data flow relating to a requested service associated with a communication device to facilitate customizing the service or results provided by the service are presented. A service request can be received by a gateway, and identification of the service is attempted. If the service is identified, a privacy rule(s), which is contained in a user privacy profile of a user associated with the communication device, is analyzed to determine whether the privacy rule(s) applies to the service. If the privacy rule(s) is applicable, a DPI engine performs DPI on the data flow, in accordance with the privacy rule(s), to obtain information that can be used to customize the service or results provided by the service. The user can specify the level of DPI to be applied. A default rule can specify that no DPI is performed on the data flow.11-29-2012
20120304249METHOD AND APPARATUS FOR SECURITY VALIDATION - A computer-implemented method, apparatus, and article of manufacture for security validation of a user input in a computer network application. The method includes: providing a subset of security rules of a server-side protection means to a pre-validation component deployed at a client side, so as to enable security validation of a user input on the client side by the pre-validation component; validating the user input based on at least one of the security rules; determining, in response to detecting a user input violation and that a violated security rule has not been provided to the pre-validation component, the user as a first class of users; determining, in response to detecting the user input violation and that the violated security rule has been provided to the pre-validation component, the user as a second class of users; and performing different security protection actions to the first and second class of users.11-29-2012
20120304248METHOD AND SYSTEM FOR INFORMATION TECHNOLOGY ASSET MANAGEMENT - An aspect of the present invention provides a manner of software asset management involving inputting data pertaining to software into a database; performing software product mapping for software product data input to the database; performing usage rights rule building for usage rights data input to the database; performing software title mapping for software title data input to the database; and determining software compliance as a function of data input to the database and mappings that are performed on the data. Another aspect of the present invention includes a method of inputting or importing data into a database in an IT service management system involving: the system importing the data into temporary storage in the database; the system applying validation rules; the system applying the transformation rules; the user reviewing the processed data; the user modifying the processed data; the user requesting that the processed data be committed to the database; and the system committing the processed data to records in the database.11-29-2012
20120304247SYSTEM AND PROCESS FOR HIERARCHICAL TAGGING WITH PERMISSIONS - The invention provides a file sharing system and process for hierarchical tagging with permissions in computer network-based file storage and sharing systems. The file sharing system includes a hierarchical list of tags, a plurality of files, a hierarchical tag management facility and a tag permissions facility. Each of the plurality of files is tagged by one or more tags in the hierarchical list of tags. The hierarchical tag management facility is used to create and manage the hierarchical list of tags. The tag permissions facility is activated when an administrator selects one or more tag(s). The administrator is a user having rights to facilities to configure the file sharing system. The tags permissions facility is used to change permissions for one or more users or groups of users to access a plurality of files tagged with the selected tag(s).11-29-2012
20120304246System and Method for Selective Security of Wireless Bearers - A system is provided for use by a wireless cellular base station and core network to inspect and perform security actions on the input and output data stream based on policy driven security settings per application bearer for each subscriber.11-29-2012
20120304245SYSTEM AND METHOD FOR CONNECTING A COMMUNICATION TO A CLIENT - A method and system for connecting a communication to a client including at a system bridge, establishing a client subscription connection with a client device; receiving an incoming communication request at the system bridge; publishing an incoming communication notification from the system bridge to the client device; receiving a client communication at the system bridge; and merging the incoming communication request into the client communication at the system bridge.11-29-2012
20120304244MALWARE ANALYSIS SYSTEM - In some embodiments, a malware analysis system includes receiving a potential malware sample from a firewall; analyzing the potential malware sample using a virtual machine to determine if the potential malware sample is malware; and automatically generating a signature if the potential malware sample is determined to be malware. In some embodiments, the potential malware sample does not match a preexisting signature, and the malware is a zero-day attack.11-29-2012
20110078759Method and System For Automating Security Policy Definition Based On Recorded Transactions - Following development of an application, the application is deployed in a pre-production environment. A user role plays against that application, typically by performing one or more operations as a particular user in a particular group. As the operator role plays, access logs are written, and these logs are then analyzed and consolidated into a set of commands that drive a policy generator. The policy generator creates an optimized security policy that it then deploys to one or more enforcement points. In this manner, the framework enables automated configuration and deployment of one or more security policies.03-31-2011
20120311660SYSTEM AND METHOD FOR MANAGING IPv6 ADDRESS AND ACCESS POLICY - A policy server receives an access policy information request message, and authenticates the request. When the authentication is successful, an access policy storage is accessed to obtain access policy information corresponding to the source of the message. The server outputs the corresponding access policy information. The information includes an IPv6 address for use, at the source, as a new source address. The information may also include a terminal address setting function, a rebooting option adding function upon terminal address setting, a default gateway setting function, a domain name service (DNS) server address setting function, a tunnel function on or off function, a neighbor cache clearing function, and/or a privacy extension on or off function.12-06-2012
20110072490METHOD AND APPARATUS FOR CONSTRUCTING AN ACCESS CONTROL MATRIX FOR A SET-TOP BOX SECURITY - In multimedia systems requiring secure access, a method and apparatus for constructing an access control matrix for a set-top box security processor are provided. A security processor may comprise multiple security components and may support multiple user modes. For each user mode supported, at least one access rule table may be generated to indicate access rules to a security component in the security processor. An access control list comprises information regarding the access rules for a particular user mode to the security components in the security processor. An access control matrix may be generated based on the access control lists for the user modes supported by the security component. The access control matrix may be implemented and/or stored in the security processor for verifying access rights of a user mode. Results of operations associated with security components may be transferred to other processors communicatively coupled to the security processor.03-24-2011
20110072487System, Method, and Software for Providing Access Control Enforcement Capabilities in Cloud Computing Systems - According to one embodiment, a system comprises one or more processors coupled to a memory. The one or more processors when executing logic encoded in the memory provide a topology manager. The topology manager is configured to maintain a security topology of a plurality of hosts. The security topology associates one or more virtual hosts policies with a plurality of virtual hosts in a cloud computing deployment. The topology manager is also configured to request a query for one or more hosts that are candidates to be enforced. A portability manager is configured to receive a request to deploy an access control agent on the one or more candidate hosts, determine an optimal agent to be deployed from a list of available agents, and deploy the optimal agent on the one or more candidate hosts.03-24-2011
20110078760SECURE DIRECT MEMORY ACCESS - A data processing system comprises a memory, a memory protection unit, and one or more IP units connected to the memory via the memory protection unit. The memory protection unit is arranged to logically partition the memory into different regions, to maintain a policy for each region, the policy defining access rights to the respective region and defining the safety status of data written in the respective region, to check access requests writing data from a first region to a second region, and to refuse the access request if the safety status, according to the respective policy, of the written data in the second region is not maintained.03-31-2011
20110078758METHOD AND DEVICE FOR CONTROLLING USE OF CONTEXT INFORMATION OF A USER - A method and device for controlling use of context information of a user includes establishing a context policy enforcement engine on a mobile computing device. The context policy enforcement engine may be embodied as software and/or hardware components. The context policy enforcement engine retrieves context policy data in response to receiving a request for context information related to a user. The context policy data defines a set of context rules for responding to context requests. The context policy enforcement engine responds to the request based on the set of context rules.03-31-2011
20110072488METHOD AND APPARATUS FOR AUTHENTICATION - A method and an apparatus for authentication are disclosed. The method includes: deciding to release a connection or continue a current service according to native information and network policy after an AKA authentication procedure fails. When the EPS AKA authentication procedure fails, the connection is not released immediately in the present invention, but the connection is released or the current service is continued according to the native information and network policy, thus avoiding unnecessary release of connections and saving resources.03-24-2011
20110258679Method and System for Accessing Network Feed Entries - A security mechanism for an application level protocol used to publish and edit web resources is extended to enable enforcement of a security policy on feed entries. The security mechanism ensures that only a certain class of privileged users can perform create, read, update and/or delete (CRUD) actions on feed entries, and it provides a uniform methodology for determining security access controls for resources. The techniques described herein enable selective display of feed entries while at the same time maintaining a single document source for the privileged users.10-20-2011
20110061089DIFFERENTIAL SECURITY POLICIES IN EMAIL SYSTEMS - A differential message security policy includes receiving information regarding activities of a user, determining a security risk for the user based on the activities of the user, and setting a security policy for the user based on the security risk. The security policy of the user may be modified based on a change in the security risk of the user or the security risk of the user exceeding a predetermined level. The security risk may be determined based on an aggregated scoring system that uses security variables related to the activities of the user.03-10-2011
20110016510SECRET INFORMATION MANAGEMENT APPARATUS, INFORMATION PROCESSING APPARATUS, AND SECRET INFORMATION MANAGEMENT SYSTEM - Secret key backup is safely implemented even if a role base access structure in which the access structure is specified using roles is used. An all combination generating unit 01-20-2011
20130160075ENTITLEMENT SECURITY AND CONTROL - A system, apparatus, and method are provided for entitlement security and control. A method of embodiments of the invention includes granting an entitlement permission upon satisfaction of entitlement rules by an entitlement request.06-20-2013
20130160076ACCESS AUTHORITY GENERATION DEVICE - A precedence constraint solving means generates a set of authorities without a precedence constraint into a temporary storing means from a set of authorities having a precedence constraint extracted for a role. At this moment, the precedence constraint solving means derives an authority in accordance with an order satisfying the precedence constraint from the set of authorities having the precedence constraint and, when an object of the derived authority includes an object of an authority having the same action already generated in the temporary storing means and permission/denial identifiers of both the authorities are different from each other, divides the derived authority into a plurality of authorities having objects of the same granularity as that of the included object, and stores only an authority having a different object from the included object into the temporary storing means.06-20-2013
20110041158System and method for message handling - Systems and methods employable, for example, in the handling of various electronically-dispatched messages, fiber-optic or light based messages, wireless based messages, and/or the like. According to various such systems and methods, in the case where a dispatched message is, for instance, found to be inadequate, undesirable, and/or not wanted or the like in some way, an entity receiving the message and/or one or more entities associated with the recipient entity may, for example, come to possess all or some of funds required by network rules, database rules, file based rules, message based rules, in memory based rules, computer program based rules and/or the like to be made available for possession by the sender (either directly or indirectly) of the message in association with the message.02-17-2011
20110030028Extensible Protocol Validation - A method comprises operations for receiving a binary data structure including a portion representing a protocol validation specification expressed in a respective protocol validation specification language and for receiving a security policy rule having an action part specifying that the binary data structure is to be used for verifying that application protocol payload of network packets complies with the protocol validation specification. After receiving the binary data structure and the security policy rule, an operation is performed for verifying that application protocol payload of received network packets complies with the protocol validation specification. Such verifying is initiated in response to determining that the security policy rule applies to the received network packets and such verifying includes validating the application protocol payload of the received network packets against the binary data structure.02-03-2011
20110016508Security Deployment System - To address security issues that can arise in information systems, the present invention uses novel methods and/or systems to enhance security in information systems, using a new way to deploy selected security policies. Instead of trying to modify a whole binary file all at once to add in code to implement additional security policies, the current invention modifies the code in memory in a piecemeal, as-needed fashion.01-20-2011
20110016507State-Updating Authorization - State-updating authorization is described. In an embodiment, an authorization system comprises an authorization node, a storage device and a reference monitor. The authorization node executes an authorization policy, and the storage device stores an authorization state associated with the authorization policy. Requests for access to a secured resource are received at the reference monitor, and the reference monitor queries the authorization node, which uses the authorization policy to determine whether to grant access to the secured resource based on a rule having at least one access condition. The rule, executed as part of the authorization policy on the authorization node, is configured to update all the entries in the authorization state for which an update condition is met.01-20-2011
20110154435IDENTITY MEDIATION IN ENTERPRISE SERVICE BUS - A method, system, and computer usable program product for identity mediation in an enterprise service bus are provided in the illustrative embodiments. A security information is received at the enterprise service bus from a first application executing in a first data processing system. The security information is a part of a request for service from a second application executing in a second data processing system. A part of the security information is identified to be transformed such that the part upon transformation is usable for handling the request by the second application. A security policy applicable to the identified part is selected and the identified part is transformed according to the security policy. The transforming results in a transformed security information. The transformed security information is sent to the second application.06-23-2011
20100299718METHODS AND APPARATUS FOR TITLE PROTOCOL, AUTHENTICATION, AND SHARING - A title management apparatus resident on a first computer including a memory for storing a control program and data, and a processor for executing the control program and for managing the data. The apparatus includes a title object resident in the memory including a title structure, the title structure further comprising a content element, a set of attributes, and a set of title object security indicia. The apparatus further includes an authorization structure configured to selectively redeem the content element based at least in part on the user security indicia, and further configured to use a set of protocols. The apparatus also includes a title management structure configured to associate a user with the title object based at least in part on the user data and the title attributes.11-25-2010
20100122318POLICY-BASED SERVICE MANAGEMENT SYSTEM - A policy-based management mechanism is provided, whereby the mechanism provides for at least the controlling of access to network resources, the integration of different frameworks into a common open standard, and modular components for assembling integrated data and voice services. The mechanism accomplishes this by using an access management component that checks for access credentials, a service management component that identifies which resources are available to a requestor of resources, and a resource management component that manages the requested resources. In one exemplary implementation, a fourth component, the policy management component, links the first three components such that a resource request gains access to resources based on policy decisions determined by the fourth component for the first three components.05-13-2010
20080235756Resource authorizations dependent on emulation environment isolation policies - A system, method, computer program product, and carrier are described for obtaining a resource authorization dependent upon apparent compliance with a policy of causing an emulation environment to isolate a first software object type from a second software object type; and signaling a decision whether to comply with the policy of causing the emulation environment to isolate the first software object type from the second software object type.09-25-2008
20110162039SECURE RESOURCE NAME RESOLUTION - Techniques for securing name resolution technologies and for ensuring that name resolution technologies can function in modern networks that have a plurality of overlay networks accessible via a single network interface. In accordance with some of the principles described herein, a set of resolution parameters may be implemented by a user, such as an end user or an administrator, to be used during a name resolution process for securing the process and/or for conducting the process in an overlay network. In some implementations, the set of resolution parameters may be maintained as a table of rules, and used to govern name resolution processes. For example, resolution parameters may be created that govern a DNSSEC session, or that govern how to communicate with networks implemented with Microsoft's Direct Access overlay technologies, or that govern communications using any other networking technology.06-30-2011
20100281512DYNAMIC COMMUNITY GENERATOR - Embodiments of the invention are directed to systems, methods, and computer program products configured to determine communities within an organization dynamically based on the distribution of entitlements within the organization.11-04-2010
20110162037IMAGE PROCESSING APPARATUS AND METHOD OF CONTROLLING THE SAME - A conventional method of verifying alteration of an image file has a problem of security and may negatively affect user convenience. An image processing apparatus according to the present invention records, as an image file, input image data and a plurality of types of parameters input by the user, and stores, for each of parameter types classified in accordance with the features of the parameters, first security information based on the plurality of types of parameters. When reading out the image file, second security information is decided for each of parameter types based on the plurality of types of parameters included in the image file. If determined that the pieces of security information for any of the parameter types do not coincide, processing for the image file is changed in accordance with information to be used to restrict the processing to be executed for the image file.06-30-2011
20100263020POLICY-BASED VIDEO CONTENT SYNDICATION - An item of hosted content is received from a media host. A match metric is determined that represents an aspect of a match between the item of hosted content and an item of reference content, the item of reference content being provided by a content owner having rights to the item of reference content. A policy associated with the item of reference content is identified responsive to the value that represents the correspondence, the policy including terms of use for the hosted content. The policy is provided to the media host.10-14-2010
20100263021SYSTEM AND METHOD FOR SELECTION OF SECURITY ALGORITHMS - There is described a method and apparatus for managing security for a connection between a user device and a communications network comprising at least one base station and a core network. In one embodiment, the method includes receiving at the core network security capability information for the user device connecting to the communications network. Security capability information for the base station is then obtained from memory or from the base station itself. The security capability information for the user device and the security capability information for the base station is then processed in the core network to select a security policy for a connection between the user device and the base station and the selected security policy is transmitted to the base station.10-14-2010
20100100925Digital Rights Management (DRM)-Enabled Policy Management For An Identity Provider In A Federated Environment - A method operative at an identity provider enforces a digital rights management (DRM) scheme associated with a piece of content. The identity provider is an entity that participates in a “federation” with one or more other entities including, for example, a service provider (e.g., a content provider), a DRM privileges provider, and a DRM policy provider. In one embodiment, the method begins by having the identity provider obtain and evaluate against a DRM policy a set of DRM privileges associated with the end user requesting access to the piece of content. Based on the evaluation, the identity provider generates a single sign on (SSO) message that includes a reference to the set of DRM privileges. The message is then forwarded to the service provider entity, which provides the end user a response.04-22-2010
20080229381SYSTEMS AND METHODS FOR MANAGING APPLICATION SECURITY PROFILES - Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups. These policy configurations and processing may allow configuration and processing of complex network behaviors relating to load balancing, VPNs, SSL offloading, content switching, application security, acceleration, and caching.09-18-2008
20080229388DEVICE AGENT - Device agents and methods are disclosed. In one embodiment, the method comprises monitoring, at an access device, at least a subset of device activity. The method further comprises detecting an activity satisfies at least one condition specified by a policy and executing at least one action in the policy associated with the satisfied condition.09-18-2008
20080229382MOBILE ACCESS TERMINAL SECURITY FUNCTION - Provided are a method, wireless communication device, and wireless communications system for managing packet data transmissions. The method includes receiving a set of security policies (09-18-2008
20100083349METHOD FOR REALIZING TRUSTED NETWORK MANAGEMENT - A method for realizing trusted network management is provided. A trusted management agent resides on a managed host, and a trusted management system resides on a management host. The trusted management agent and the trusted management system are software modules, which are both based on a trusted computing platform and signed after being authenticated by a trusted third party of the trusted management agent and the trusted management system. Trusted platform modules of the managed host and the management host can perform integrity measurement, storage, and report for the trusted management agent and the trusted management system. Therefore, the managed host and the management host can ensure that the trusted management agent and the trusted management system are trustworthy. Then, the trusted management agent and the trusted management system execute a network management function, thus realizing the trusted network management. Therefore, the technical problem in the prior art that the network management security cannot be ensured due to the mutual attack between an agent, a host where the agent resides, and a manager system is solved, and trusted network management is realized.04-01-2010
20120204222PRIVACY POLICY MANAGEMENT METHOD FOR A USER DEVICE - An arrangement for enabling users to set and modify privacy policies is described. User attributes and existing privacy policies are used to determine the similarity between users. On this basis, the nearest-neighbours to a particular user are determined. When a user is required or wishes to provide or modify a policy, the policies of those nearest neighbours are used to recommend a privacy policy to the user.08-09-2012
20120204221METHOD FOR MANAGING ACCESS TO PROTECTED RESOURCES IN A COMPUTER NETWORK, PHYSICAL ENTITIES AND COMPUTER PROGRAMS THEREFOR - A method carried out by a controller is disclosed. The method includes receiving (s08-09-2012
20120204220METHOD OF ANALYZING SECURITY RULESET AND SYSTEM THEREOF - There are provided a rule-set analyzer and a method of analyzing an ordered security rule-set comprising a plurality of rules comprising N≧1 extrinsic rule-fields. The method comprises: upon specifying an extrinsic space constituted by atomic elements corresponding to the values characterizing an extrinsic rule-field, partitioning said specified extrinsic space into two or more equivalence classes, wherein each atomic element in said extrinsic space belongs to one and only one equivalence class; mapping said equivalence classes over the rule-set; and generating a logically equivalent security rule-set, wherein respective rules comprise N−1 extrinsic rule-fields.08-09-2012
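The field-elimination step described in the abstract above, as an added illustrative example written for this listing rather than the patent's own implementation. It partitions one rule-field of an ordered two-field rule-set into equivalence classes (values hit by exactly the same rules), maps each class to the ordered sub-rule-set that hits it with that field dropped, and then checks exhaustively that the reduced form decides every packet exactly as the original does. The rule format, the field names `src_port`/`dst_port`, the 0..255 value universe and the sample rules are assumptions.

```python
"""Added illustrative example (not the patent's code): eliminate one extrinsic
rule-field of an ordered rule-set by partitioning that field's value space into
equivalence classes.  The two-field rule format, the 0..255 value universe and
the sample rules are assumptions made for this listing."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

FIELDS = ("src_port", "dst_port")   # assumed extrinsic rule-fields (N = 2)
UNIVERSE = range(256)               # assumed atomic elements of every field


@dataclass(frozen=True)
class Rule:
    name: str
    match: Dict[str, Tuple[int, int]]   # field -> inclusive (lo, hi) range
    action: str


# Constructed sample rule-set, evaluated top-down, first match wins.
SAMPLE_RULES = [
    Rule("block-ssh-from-low", {"src_port": (0, 99), "dst_port": (22, 22)}, "deny"),
    Rule("allow-low-src",      {"src_port": (0, 199), "dst_port": (0, 255)}, "allow"),
    Rule("allow-high-to-http", {"src_port": (200, 255), "dst_port": (80, 80)}, "allow"),
    Rule("cleanup",            {"src_port": (0, 255), "dst_port": (0, 255)}, "deny"),
]


def field_hit(rule: Rule, field: str, value: int) -> bool:
    lo, hi = rule.match[field]
    return lo <= value <= hi


def first_match(rules: List[Rule], packet: Dict[str, int]) -> str:
    """Ordered evaluation over the fields each rule still carries."""
    for r in rules:
        if all(field_hit(r, f, packet[f]) for f in r.match):
            return r.action
    return "implicit-deny"


def partition(rules: List[Rule], field: str) -> Dict[FrozenSet[int], List[int]]:
    """Equivalence classes of `field`: values hit by exactly the same rules.
    Each atomic value lands in one and only one class."""
    classes: Dict[FrozenSet[int], List[int]] = {}
    for v in UNIVERSE:
        key = frozenset(i for i, r in enumerate(rules) if field_hit(r, field, v))
        classes.setdefault(key, []).append(v)
    return classes


def eliminate_field(rules: List[Rule], field: str):
    """Map the classes over the rule-set: per class, the ordered sub-rule-set of
    the rules that hit it, with `field` dropped (N-1 fields remain)."""
    class_of: Dict[int, FrozenSet[int]] = {}
    reduced: Dict[FrozenSet[int], List[Rule]] = {}
    for key, values in partition(rules, field).items():
        for v in values:
            class_of[v] = key
        reduced[key] = [
            Rule(r.name, {f: rng for f, rng in r.match.items() if f != field}, r.action)
            for i, r in enumerate(rules) if i in key
        ]
    return class_of, reduced


def reduced_lookup(class_of, reduced, field: str, packet: Dict[str, int]) -> str:
    rest = {f: v for f, v in packet.items() if f != field}
    return first_match(reduced[class_of[packet[field]]], rest)


def equivalent(rules: List[Rule], field: str) -> bool:
    """Exhaustive check over the universe: the reduced form decides every
    packet exactly as the original ordered rule-set does."""
    class_of, reduced = eliminate_field(rules, field)
    other = [f for f in FIELDS if f != field][0]
    for a in UNIVERSE:
        for b in UNIVERSE:
            pkt = {field: a, other: b}
            if first_match(rules, pkt) != reduced_lookup(class_of, reduced, field, pkt):
                return False
    return True
```

The exhaustive check is affordable only because the universe is tiny; for real 16-bit ports or 32-bit addresses an analyzer would reason over the classes themselves, which is the point of the partition: the sample rule-set collapses 256 source-port values into three classes.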
20120204219METHOD AND SYSTEM FOR PROVIDING NETWORK SECURITY SERVICES IN A MULTI-TENANCY FORMAT - An approach is provided for performing cloud based computer network security services. Security policies are established for each of a number of subscribers. The subscribers are provided access to the security services via a common network cloud managed by the service provider. The security services are administered according to a multi-tenancy format, which enables the subscribers' data communications to be separately processed. The security services include network firewalling and filtering of content originating from or destined to one or more networks associated with the subscribers.08-09-2012
20100071026WIDGET HOST CONTAINER COMPONENT FOR A RAPID APPLICATION DEVELOPMENT TOOL - A widget host container serves as a component that may be added via a rapid application development tool, such as Oracle International Corporation's Application Development Framework. The rapid application development tool may be used to install the widget host container, for example, in a region of a user interaction environment, such as an application or a suite of user interactive applications, created by the rapid application development tool. If desired, one or more selection devices, such as a drop down menu, may be provided to select particular widgets for use and display. Features may be provided for organizing both personal and enterprise widgets. Security settings control access to web widgets and provide an option to allow or restrict access to web widget display options in the container.03-18-2010
20090328131MECHANISMS TO SECURE DATA ON HARD RESET OF DEVICE - Mechanisms to secure data on a hard reset of a device are provided. A hard reset request is detected on a handheld device. Before the hard reset is permitted to proceed, an additional security compliance check is made. If the additional security compliance check is successful, the data of the handheld device is backed up to a configurable location before the hard reset is processed.12-31-2009
20080301760Enforcing Universal Access Control in an Information Management System - A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and perform document access and application usage control for both direct user document accesses and application usage, and application program document accesses by evaluating the rules sent to the policy enforcer. The rule server decides which rules are required by each policy enforcer. A policy enforcer can also perform obligation and remediation operations as a part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating policies that have been received, when communications have been discontinued with the rule server.12-04-2008
20090260053Data Management in a Computer System - Embodiments of the invention generally provide methods, systems, and articles of manufacture that facilitate classification of the data access authority of unclassified users into one or more categories, and control access to data by the users based on the categories. When an unclassified user is found in an organization chart, one or more classified users near the unclassified user in the data tree may be identified. The unclassified user may be compared to the identified classified users to determine one or more suggested data access categories for classifying the unclassified user. The unclassified user may therefore be classified into one of the suggested data access categories based on, for example, user input.10-15-2009
20110154433SYSTEM AND METHOD OF ACCESSING DATA OBJECTS IN A DYNAMIC LANGUAGE ENVIRONMENT - An embodiment includes a computer-implemented method of managing access control policies on a computer system having two high-level programming language environments. The method includes managing, by the computer system, a structured language environment. The method further includes managing, by the computer system, a dynamic language environment within the structured language environment. The method further includes receiving a policy. The policy is written in a dynamic language. The method further includes storing the policy in the dynamic language environment. The method further includes converting the policy from the dynamic language environment to the structured language environment. The method further includes generating a runtime in the structured language environment that includes the policy.06-23-2011
20090241166Establishment of Security Federations - Secure interactions between administrative domains are modeled. The modeled process specifies role information for each of the administrative domains and interaction between the administrative domains. Role information associated with candidate administrative domains is received, and appropriate administrative domains from the candidate administrative domains are dynamically resolved based on the modeled process and the received role information. Trust realms between the dynamically resolved appropriate administrative domains are automatically derived based on the role information and the interactions from the modeled process. The secure interaction between the dynamically resolved appropriate administrative domains is effected through the automatically derived trust realms.09-24-2009
20090241165COMPLIANCE POLICY MANAGEMENT SYSTEMS AND METHODS - In an exemplary system, a compliance policy processing subsystem is selectively and communicatively coupled to a rules management subsystem. The rules management subsystem is configured to maintain a rules database. The compliance policy processing subsystem is configured to facilitate selection by a user of a section of text within a compliance policy, direct the rules management subsystem to identify one or more rules within the rules database that are relevant to the section of text, and display a representation of the relevant rules.09-24-2009
20090241164System and Method for Protecting Assets Using Wide Area Network Connection - A system, method, and program product are provided that detect whether a network adapter has been removed from a computer system. If the network adapter, such as a wireless network adapter, has been removed from the computer system, then a tamper-evident indicator (e.g., a bit) is set in a nonvolatile memory area of the computer system. In addition, the hard drive password is set to a different password according to a hard drive password policy. The hard drive password controls access to files stored on the hard drive. In one embodiment, the power-on password is also changed to a new password so that the user has to enter the new power-on password when initializing the computer system in order to access the files stored on the computer system.09-24-2009
20090222877UNIFIED NETWORK THREAT MANAGEMENT WITH RULE CLASSIFICATION - A computer network device comprises an intrusion prevention rule set comprising a plurality of rules, each of the plurality of rules associated with two or more rule classification parameters, and an intrusion prevention module that is operable to use two or more of the classification parameters associated with the plurality of intrusion prevention rules to selectively apply the rules to provide network intrusion protection of network traffic.09-03-2009
20110162033LOCATION BASED SECURITY OVER WIRELESS NETWORKS - A method, system, and computer usable program product for location based security over wireless networks are provided in the illustrative embodiments. A location of a data processing system is determined based on information about a network. A security policy is selected based on the location. The security policy is applied to the data processing system such that the data processing system is configured in a security configuration for using the network while maintaining security according to the security policy.06-30-2011
20110162038METHOD AND SYSTEM FOR SHARING USER AND CONNECTED USERS' DATA WITH EXTERNAL DOMAINS, APPLICATIONS AND SERVICES AND RELATED OR CONNECTED USERS OF THE SOCIAL NETWORK - A system for the transmission, reception and accumulation of knowledge packets to a plurality of channel nodes in a network operating in a distributed, peer-to-peer environment via one or more installable role-active Human Operating System (HOS) applications in the digital device of each channel node. A network controller registers and provides the desired HOS applications, multiple developers develop advanced communication and knowledge management applications, and each subscriber exploits the network resources by leveraging and augmenting taxonomically and ontologically classified knowledge classes expressed via a plurality of search macros and UKID structures that facilitate expert human agents for knowledge invocation and support services, while service providers provide information services in the pre-identified taxonomical classes. Each channel node communicates with unknown parties via domain-specific supernodes, each of which facilitates social networking and relationship development, leading to a human grid that is searchable via Universal Desktop Search by a black box search module.06-30-2011
20110162035LOCATION-BASED DOCK FOR A COMPUTING DEVICE - One particular implementation conforming to aspects of the present disclosure takes the form of docking station for a computing device that maintains an indication of a docking station location. The location of the docking station may be utilized by the docking station and/or the computing device coupled to the docking station to configure the functionality and other aspects of the computing device. For example, the functionality of the computing device may be altered in response to the location of the docking station. Additionally, security features, display configurations and the availability of software applications may also be configured in response to the location of the docking station. In this manner, a single computing device may perform the functions of several computing devices based on the location of the docking station, without the need for the user of the device to configure the device manually.06-30-2011
20110162034DISCOVERY AND MANAGEMENT OF CONTEXT-BASED ENTITLEMENTS ACROSS LOOSELY-COUPLED ENVIRONMENTS - A method, apparatus and computer program product are provided to model and manage context-based entitlements that govern a user's access to information, applications and systems across a loosely-coupled distributed environment. One such distributed environment is a federated environment, which may span across companies, organizations, and geographical locations and regions. According to one embodiment, an entitlement modeling framework comprises a discovery module and an entitlement generator module. The discovery module generates a data model for storing information concerning user identity, context, relationships between users, relationships between users and contexts and relationships between contexts. Preferably, the user identity, context, relationships between users, relationships between users and contexts, and relationships between contexts, are stored as attributes in the data model. The entitlement generator generates an entitlement according to the data model, wherein the entitlement (e.g., a user entitlement) is generated according to one or more contexts.06-30-2011
20080320551Controlling access to multiple pieces of content of a presentation - In one or more embodiments, a license associated with a first piece of content can grant rights with respect to a second and/or additional pieces of content. That is, language that is included in a first license can express a policy that is interpreted by a client-side device. This policy can establish rights with respect to additional pieces of content. Accordingly, policy enforcement with respect to licensed content can take place on the client-side device and can establish how different content is to be played relative to one another.12-25-2008
20080320549Method and System for Determining Policy Similarities - A method for determining similarity of two policies includes providing a first policy with n rules and a second policy with m rules, wherein each rule is structured into a plurality of identifiable elements, categorizing the rules in each policy based on an action, for each pair of rules finding those predicates whose attribute names match, computing an attribute similarity score for the attribute values, summing the attribute similarity scores for all pairs to obtain an element similarity score, and computing a rule similarity score for the pair of rules from a weighted sum of said element similarity scores.12-25-2008
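The scoring chain in the abstract above (attribute similarity, element similarity, weighted rule similarity), as an added illustrative example written for this listing rather than the patent's own implementation. The element names, the per-type attribute similarities (Jaccard for sets, overlap ratio for numeric ranges, exact match otherwise), the element weights, the normalisation by the union of attribute names, the best-counterpart aggregation into a policy score, and the two sample policies are all assumptions.

```python
"""Added illustrative example (not the patent's code): rule and policy
similarity from per-attribute scores, element scores and a weighted element
sum.  Element names, attribute-type similarities, element weights, the policy
aggregation and the sample policies are assumptions made for this listing."""
from dataclasses import dataclass
from typing import Any, Dict, List

ELEMENT_WEIGHTS = {"subject": 0.4, "resource": 0.4, "condition": 0.2}  # assumed


@dataclass(frozen=True)
class Rule:
    action: str
    elements: Dict[str, Dict[str, Any]]   # element name -> {attribute name: value}


def attribute_similarity(a: Any, b: Any) -> float:
    """Similarity in [0, 1] for two values of one attribute name."""
    if isinstance(a, frozenset) and isinstance(b, frozenset):     # Jaccard
        union = a | b
        return len(a & b) / len(union) if union else 1.0
    if isinstance(a, tuple) and isinstance(b, tuple):             # numeric ranges
        overlap = max(0, min(a[1], b[1]) - max(a[0], b[0]))
        span = max(a[1], b[1]) - min(a[0], b[0])
        return overlap / span if span else 1.0
    return 1.0 if a == b else 0.0                                 # exact match


def element_similarity(x: Dict[str, Any], y: Dict[str, Any]) -> float:
    """Sum attribute scores over matching attribute names, normalised by the
    number of names on either side so a predicate only one rule has counts 0."""
    names = set(x) | set(y)
    if not names:
        return 1.0          # neither rule constrains this element
    shared = set(x) & set(y)
    return sum(attribute_similarity(x[n], y[n]) for n in shared) / len(names)


def rule_similarity(r: Rule, s: Rule) -> float:
    if r.action != s.action:            # rules are categorised by action first
        return 0.0
    return sum(w * element_similarity(r.elements.get(e, {}), s.elements.get(e, {}))
               for e, w in ELEMENT_WEIGHTS.items())


def policy_similarity(p: List[Rule], q: List[Rule]) -> float:
    """Assumed aggregation: every rule of p scored against its best same-action
    counterpart in q, then averaged."""
    if not p:
        return 0.0
    return sum(max((rule_similarity(r, s) for s in q), default=0.0) for r in p) / len(p)


# Constructed sample policies
POLICY_A = [
    Rule("permit", {"subject": {"role": frozenset({"admin", "dev"})},
                    "resource": {"path": "/api"},
                    "condition": {"hour": (9, 17)}}),
    Rule("deny", {"subject": {"role": frozenset({"guest"})},
                  "resource": {"path": "/admin"}}),
]
POLICY_B = [
    Rule("permit", {"subject": {"role": frozenset({"admin"})},
                    "resource": {"path": "/api"},
                    "condition": {"hour": (8, 18)}}),
    Rule("deny", {"subject": {"role": frozenset({"guest", "anon"})},
                  "resource": {"path": "/admin"}}),
]
```

Note that the score is asymmetric in general (best counterpart is chosen from the second policy) and that a predicate present on only one side lowers the element score rather than being ignored; both choices matter when the comparison is used to spot a policy that silently gained or lost a constraint.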
20090187962METHODS, DEVICES, AND COMPUTER PROGRAM PRODUCTS FOR POLICY-DRIVEN ADAPTIVE MULTI-FACTOR AUTHENTICATION - Embodiments of the invention include methods for providing policy-driven, adaptive, multi-factor authentication procedures. A pool of potential authentication challenges is defined. Each of the potential authentication challenges is assigned a category and a weighted difficulty level. One or more authentication challenges are selected from the pool of potential authentication challenges using one or more security policies that are based upon the assigned category and the assigned weighted difficulty level, wherein a quantity of authentication challenges is determined using the one or more security policies. One or more historical access patterns are utilized in conjunction with the selected one or more authentication challenges to authenticate a user, wherein the historical access patterns include at least one of an access time or an access location. One or more dummy challenges are used to authenticate the user.07-23-2009
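The selection procedure in the abstract above, as an added illustrative example written for this listing rather than the patent's own implementation: a pool of challenges with a category and a weighted difficulty, a risk level derived from whether the current access time and location appear in the user's history, a policy that fixes the number of challenges, the category spread and the minimum summed difficulty for each risk level, and one dummy challenge mixed in. The policy table, the pool, the access history, the stored responses, the "cheapest combination that meets the policy" selection rule and the convention that a dummy challenge must be declined are all assumptions.

```python
"""Added illustrative example (not the patent's code): policy-driven selection
of authentication challenges from a pool with categories and weighted
difficulty, a risk level from historical access time/location, and one dummy
challenge.  Policy table, pool, history, stored responses and the rule that a
dummy must be declined are assumptions made for this listing."""
import hmac
import itertools
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Challenge:
    id: str
    category: str        # assumed categories: knowledge / possession / inherence
    difficulty: int      # assumed weighted difficulty, 1 (easy) .. 5 (hard)
    dummy: bool = False  # a factor this user never enrolled; the right answer is to decline


POOL = [  # constructed
    Challenge("password", "knowledge", 1),
    Challenge("security_question", "knowledge", 2),
    Challenge("totp", "possession", 3),
    Challenge("push_approve", "possession", 3),
    Challenge("hardware_key", "possession", 5),
    Challenge("fingerprint", "inherence", 4),
    Challenge("smartcard_pin", "possession", 0, dummy=True),
]

# Constructed expected responses; a real system keeps these hashed or verifies
# them with the factor's own protocol rather than comparing strings.
SECRETS = {"password": "hunter2", "security_question": "tabby", "totp": "492817",
           "push_approve": "approved", "hardware_key": "assert-ok", "fingerprint": "match"}


@dataclass(frozen=True)
class Access:
    hour: int
    location: str


HISTORY = [Access(9, "office"), Access(10, "office"), Access(14, "office"), Access(20, "home")]


def risk_level(history: List[Access], current: Access) -> int:
    """0: time and place both seen before, 1: one is new, 2: both are new."""
    hours = {a.hour for a in history}
    places = {a.location for a in history}
    return int(current.hour not in hours) + int(current.location not in places)


# Assumed security policy: quantity, category spread, summed difficulty, dummies.
POLICY = {
    0: {"count": 1, "categories": 1, "min_difficulty": 1, "dummies": 0},
    1: {"count": 2, "categories": 2, "min_difficulty": 5, "dummies": 1},
    2: {"count": 3, "categories": 3, "min_difficulty": 9, "dummies": 1},
}


def select_challenges(pool: List[Challenge], risk: int, seed: int = 0) -> List[Challenge]:
    """Cheapest combination (least user friction) that still meets the policy,
    then the required dummies, presented in a seeded random order."""
    p = POLICY[risk]
    real = [c for c in pool if not c.dummy]
    best = None
    for combo in itertools.combinations(real, p["count"]):
        if len({c.category for c in combo}) < p["categories"]:
            continue
        total = sum(c.difficulty for c in combo)
        if total < p["min_difficulty"]:
            continue
        key = (total, tuple(sorted(c.id for c in combo)))   # deterministic tie-break
        if best is None or key < best[0]:
            best = (key, list(combo))
    if best is None:
        raise ValueError("pool cannot satisfy the policy for this risk level")
    chosen = best[1]
    rng = random.Random(seed)
    dummies = [c for c in pool if c.dummy]
    chosen += rng.sample(dummies, min(p["dummies"], len(dummies)))
    rng.shuffle(chosen)
    return chosen


def authenticate(challenges: List[Challenge], responses: Dict[str, Optional[str]]) -> bool:
    """All real challenges answered correctly and every dummy declined (None)."""
    for c in challenges:
        answer = responses.get(c.id)
        if c.dummy:
            if answer is not None:
                return False           # claiming a factor the user does not have
        elif answer is None or not hmac.compare_digest(answer, SECRETS[c.id]):
            return False
    return True
```

A seeded generator keeps the presentation order reproducible here; a deployment would use `random.SystemRandom` so that the position of the dummy challenge cannot be predicted from one session to the next.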
20120311659REAL-TIME MOBILE APPLICATION MANAGEMENT - Some embodiments relate to mobile application management. An example embodiment includes a method of mobile device management. The method includes installing a client-side engine of an enforcement engine on a mobile device. The enforcement engine further includes a runtime engine. The method also includes routing communications between the mobile device and a network/cloud or an enterprise network through the enforcement engine. In addition, the method includes generating a policy regarding the mobile applications from a signature database (“SigDB”). The SigDB includes signatures pertaining to mobile applications. Compliance of the mobile device with the policy is enforced in real time.12-06-2012
20120311658Access Control System and Method - A system and method for managing access policies where the result of an intersection performed on policy sets associated with each of two nodes based on the nodes' attributes determines whether the two nodes may interact.12-06-2012
20120311657METHOD AND APPARATUS FOR PROVIDING PRIVACY IN COGNITIVE RADIO INFORMATION SHARING - An approach is provided for providing privacy in cognitive radio information sharing. A cognitive radio privacy platform receives a request, from a device, for performing one or more operations on cognitive radio information stored in at least one information space. The cognitive radio privacy platform also determines one or more privacy policies associated with the device, the one or more operations, the cognitive radio information, the at least one information space, or a combination thereof. The cognitive radio privacy platform further processes and/or facilitates a processing of the one or more privacy policies to determine an availability, a restriction, or a combination thereof of the cognitive radio information. The cognitive radio privacy platform also causes, at least in part, the performing of the one or more operations based, at least in part, on the availability, the restriction, or a combination thereof of the cognitive radio information.12-06-2012
20120311656APPARATUS AND METHOD OF LAYERED LICENSING - A methodology and apparatus for layered licensing are described. A licensable item is detected on a device. A legacy license associated with the licensable item is accessed, wherein the legacy license corresponds to a legacy licensing policy. A layered license associated with the licensable item is accessed, wherein the layered license corresponds to a layered licensing policy. The legacy licensing policy and the layered licensing policy are integrated into an integrated license, and the integrated license is enforced.12-06-2012
20120311655APPARATUS AND METHOD OF MANAGING A LICENSABLE ITEM - An apparatus and method of managing a licensable item includes accessing a licensing policy related to managing a licensable item, and a license agent making a determination to act to enforce the licensing policy or to first communicate with a server before acting to enforce the licensing policy. Further, the apparatus and method include enforcing the licensing policy in accordance with the determination to act to enforce the licensing policy or to first communicate with a server before acting.12-06-2012
20090150969Filtering Policies to Enable Selection of Policy Subsets - A policy filter enables selection of a subset policy alternative that meets certain criteria from amongst a set of policy alternatives without having to specify the entire contents of the alternative to be selected. More specifically, the policy filter simplifies the process of selecting an appropriate alternative from amongst a set of available policy alternatives when the selection criteria comprises only a subset of the behaviors implied by an alternative by reducing the set of available alternatives to those that satisfy a certain criteria.06-11-2009
20090138937ENHANCED SECURITY AND PERFORMANCE OF WEB APPLICATIONS - A client-side enforcement mechanism may allow application security policies to be specified at a server in a programmatic manner. Servers may specify security policies as JavaScript functions included in a page returned by the server and run before other scripts. At runtime, and during initial loading, the functions are invoked by the client on each page modification to ensure the page conforms to the security policy. As such, before a mutation takes effect, the policy may transform that mutation and the code and data of the page. Replicated code execution may take place at both the client and the server, where the server runs its own shadow copy of the client-side application in a trusted execution environment so that the server may check that the method calls coming from the client correspond to a correct execution of the client-side application. The redundant execution at the client can be untrusted, but serves to improve the responsiveness and performance of the Web application.05-28-2009
20080320552ARCHITECTURE AND SYSTEM FOR ENTERPRISE THREAT MANAGEMENT - Enterprise threat assessment and management provides both physical and logical security. Physical access control systems are configured to identify physical events in the physical domain, and logical access control systems are configured to identify logical events in the logical domain. Connectors establish uninterrupted coupling to the physical and logical access control systems. Event middleware is configured to selectively subscribe only to those events that correspond to defined policies. The policies define a correlation of the physical and logical events; actions are initiated depending upon the correlated physical and logical events defined by the policies.12-25-2008
20080313698APPARATUS AND METHODS FOR NEGOTIATING A CAPABILITY IN ESTABLISHING A PEER-TO-PEER COMMUNICATION LINK - Apparatus and method to negotiate parameters of a policy in establishment of a peer-to-peer link are described herein. In an embodiment, a security policy is negotiated in establishment of a peer-to-peer link in a wireless mesh network.12-18-2008
20090125975Method for generating a plurality of unique secure numbers and card comprising such a number - A process is provided for enabling the generation of valid secure numbers during a given period, these secure numbers having an optimal security level, while preserving the possibility for creating additional numbers or increasing the security level in accordance with the requirements. In at least one embodiment, the method permits the generation of as many secure numbers as are required, while having a maximum security level, which reduces the risks of sending a random number allowing the assignment of entitlements or a credit. The contradictory parameters for the quantity of generated numbers and security can be corrected at any time.05-14-2009
20090125978APPARATUS AND METHOD FOR MANAGING CONTENTS RIGHT OBJECT IN MOBILE COMMUNICATION TERMINAL - An apparatus and method for managing a contents right object in a mobile communication terminal are provided. In the method, when a system update event occurs, a valid right object of contents in the mobile communication terminal is encoded and the encoded right object is transmitted to a server. A system update is executed and then the server is requested to transmit the encoded right object. The encoded right object is received from the server and the received right object is decoded.05-14-2009
20090125977LANGUAGE FRAMEWORK AND INFRASTRUCTURE FOR SAFE AND COMPOSABLE APPLICATIONS - A method and apparatus is disclosed herein for using a language framework for composable programs. In one embodiment, the method comprises accessing active content having a software component embedded therein, where the software component has a plurality of components that together implement a work flow of a sequence of activities, the plurality of components representing one or more external services, one or more user interface controls and one or more inputs and output; executing the software component, including mediating communication between components using an information flow-based security model.05-14-2009
20080313702INFORMATION PROCESSING SYSTEM, INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING METHOD, AND RECORDING MEDIUM - An information processing system which includes a compound content generation apparatus and a compound content consumption apparatus and processes a plurality of protected contents, the compound content generation apparatus comprising a compound content generation unit configured to generate a compound content from a plurality of protected contents, and the compound content consumption apparatus comprising a composite policy generation unit configured to generate a composite policy by obtaining an intersection of condition values of policies set for the respective protected contents contained in the compound content, and a compound content consumption unit configured to consume the compound content in accordance with the composite policy.12-18-2008
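The composite policy of the abstract above, and the intersection-of-policy-sets interaction test of 20120311656 earlier in this listing, share one mechanism: intersect the condition values and act only on what survives. The following is an added illustrative example written for this listing rather than either patent's own implementation. The four condition types, how each one intersects (set intersection for actions and devices, earliest expiry, smallest copy count), the rule that an empty action or device set makes the composite unsatisfiable, and the sample policies are assumptions.

```python
"""Added illustrative example (not the patents' code): a composite policy for a
compound content as the intersection of the condition values of its parts'
policies, and a two-node interaction test from the same intersection.  The
condition types, their intersection rules, the satisfiability rule and the
sample policies are assumptions made for this listing."""
import functools
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Iterable


@dataclass(frozen=True)
class Policy:
    actions: FrozenSet[str]     # operations permitted on the content
    devices: FrozenSet[str]     # device classes allowed to consume it
    valid_until: date           # last day of validity
    max_copies: int             # copies the consumer may make


def intersect(a: Policy, b: Policy) -> Policy:
    """Condition-wise intersection: whatever both policies permit."""
    return Policy(a.actions & b.actions, a.devices & b.devices,
                  min(a.valid_until, b.valid_until), min(a.max_copies, b.max_copies))


def composite_policy(policies: Iterable[Policy]) -> Policy:
    """Fold the intersection over every protected content in the compound."""
    return functools.reduce(intersect, policies)


def is_satisfiable(p: Policy) -> bool:
    """An empty action or device set means nobody can consume the compound;
    the consumer must refuse it rather than fall back to one part's policy."""
    return bool(p.actions) and bool(p.devices)


def permits(p: Policy, action: str, device: str, today: date, copies_made: int = 0) -> bool:
    """Consumption check of one operation against the composite policy."""
    if action not in p.actions or device not in p.devices or today > p.valid_until:
        return False
    return action != "copy" or copies_made < p.max_copies


def may_interact(a: Policy, b: Policy) -> bool:
    """Two nodes interact only if the intersection of their policies is non-empty."""
    return is_satisfiable(intersect(a, b))


# Constructed policies of four protected contents
POLICY_A = Policy(frozenset({"view", "print", "copy"}), frozenset({"laptop", "tablet"}),
                  date(2030, 12, 31), 3)
POLICY_B = Policy(frozenset({"view", "print"}), frozenset({"laptop"}), date(2029, 6, 30), 1)
POLICY_C = Policy(frozenset({"view"}), frozenset({"laptop", "phone"}), date(2031, 1, 1), 5)
POLICY_D = Policy(frozenset({"view"}), frozenset({"phone"}), date(2031, 1, 1), 5)
```

The combination A+B+C collapses to view-only on a laptop until the earliest expiry with a single permitted copy; adding D, whose device set does not overlap B's, yields an unsatisfiable composite, which is the case a consumer must detect before it starts rendering any part.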
20080313701SYSTEM AND METHOD FOR MANAGING NETWORK BY VALUE-BASED ESTIMATION - A system and method for managing a network by value-based estimation is provided. A network device requesting communication is defined as an active point and a network device receiving a request for communication is defined as a passive point. A value of a network device is determined according to the number of active points connected to the corresponding network device, and a value of a network device that is in a path of communication between network devices is determined based on a value of a network device passing through the corresponding network device. When a policy for changing a network environment is transferred in a state where the values of the network devices have been estimated, a policy conflict test is performed on the basis of the estimated values of the network devices, thereby determining application of the policy in due consideration of the values and significance of the network devices.12-18-2008
20080282315Host control of partial trust accessibility - Various technologies and techniques are disclosed for providing host control of partial trust accessibility. A framework allows libraries to be identified as partial trust callers allowed to indicate that the libraries are allowed to be called from partially trusted code by default. The framework allows libraries to be identified as partial trust callers enabled to indicate the libraries could be called from partially trusted code, but not by default. A hosting application is notified that a particular library has been loaded. If the particular library has been identified as partial trust callers allowed, then a determination is received from the hosting application on whether to remove or keep partial trust accessibility for the particular library. If the particular library has been identified as partial trust callers enabled, then a determination is received from the hosting application on whether or not to enable partial trust accessibility for the particular library.11-13-2008
20090049516COMMUNICATION RELAY METHOD AND APPARATUS AND COMMUNICATION RELAY CONTROL METHOD AND APPARATUS - Provided are a method and apparatus for relaying a communication between a terminal and an external communication network, and a method and apparatus for controlling a relay of a communication between a terminal and an external communication network. The method includes receiving safety policy information of the terminal from an external server that stores a plurality of pieces of safety policy information used to control a communication between at least one terminal and the external communication network.02-19-2009
20090049508LANGUAGE-AGNOSTIC POLICY MANAGEMENT - A system and method for language-agnostic policy management. At least one policy associated with an event occurrence is identified. At least one policy engine associated with the at least one policy is identified. The at least one policy is evaluated by a policy engine of the associated at least one policy engine.02-19-2009
20110055890METHOD AND SYSTEM TO CONFIGURE SECURITY RIGHTS BASED ON CONTEXTUAL INFORMATION - Disclosed are methods and systems for modifying access to a business intelligence report on a client computing device according to contextual information of a user. The method includes obtaining a context update message from a context acquisition model associated with the client computing device through one or more software interfaces provided by the model; based on the contextual information of the user, retrieving one or more security policies associated with that contextual information; applying the one or more security policies to the business intelligence report according to the contextual information of the user; and displaying the business intelligence report on the client computing device to the user according to the one or more security policies.03-03-2011
20080250474Collaborative Email With Delegable Authorities - Writing a collaborative email document with hierarchical authorities including establishing a collaborative email document on an administrator's computer, identifying one or more signatories for the document, identifying one or more collaborators who are authorized to view and edit the document, providing to the collaborators copies of the document for viewing and editing, where the collaborators' copies reside on collaborators' computers, updating the copies of the document on collaborators' computers with revisions from the collaborators, and sending the collaborative email document from the administrator's computer to addressees when the document bears valid digital signatures from all signatories. Typical embodiments also include providing at least one user authority to delegate signature authority, establishing a hierarchy of delegation authority for signatures, establishing at least one authority delegation policy including at least one rule for automated delegation of signature authority among signatories and delegating signature authority from at least one signatory to another.10-09-2008
20080250473METHOD, SYSTEM AND COMPUTER PROGRAM FOR CONFIGURING FIREWALLS - A solution (A1-A16) is proposed for distributing a software product to a set of data processing entities (such as endpoints) in a data processing system; the system includes a set of security applications (such as firewalls), which are adapted to control communications of the entities. A corresponding method starts with the step of determining a target configuration of the security applications for allowing execution of the software product on the entities. A software package (or more), being adapted to enforce the software product and the target configuration, is then built (A11). The method continues by distributing (A12-A16) the software package in the system, so as to cause the application of the software package for enforcing the software product on each entity and the target configuration of each security application.10-09-2008
20080235760Confidential Content Reporting System and Method with Electronic Mail Verification Functionality - A confidential content reporting system and method with electronic mail verification functionality are provided. With the system and method, a security compliance search engine is provided for searching items of information to identify items containing confidential content and security violations with regard to this confidential content. Results of the search may be reported to a user via a graphical user interface (GUI) that identifies the item of information, the security violations detected, and suggested corrective actions, such as encryption. A user may interact with the GUI to apply security mechanisms in accordance with the suggested corrective actions. Moreover, the searching and reporting mechanism may be used to search electronic mail messages and their attachments prior to distribution of the electronic mail messages. Automatic modification of the electronic mail message to modify distribution lists and/or content of the electronic mail message may be performed using the mechanisms of the illustrative embodiments.09-25-2008
20110265142INDUSTRY-WIDE BUSINESS TO BUSINESS EXCHANGE - An industry-wide computerized business to business exchange permits participants in the industry to satisfy their procurement needs and manage their supply chains from a single log on to the exchange. An exchange architecture provides a particularly convenient platform for implementation of the exchange. Users connect to a portal services subsystem. User systems connect to an integration services platform. A platform services subsystem provides services to the portal services and to the integration services subsystems and to application programs that can be accessed through those subsystems. The application programs may include, for example, electronic procurement, collaborative product development applications and supply chain management. XML serves as the information currency for the exchange.10-27-2011
20100293591Licensing and Management of Shared Graphical Data Flow Web Applications - System and method for performing program-related operations over a network via a web browser. A network connection is established between a server computer and a client computer over a network. A universal resource identifier (URI) is sent from the client computer to the server computer over the network, where the URI indicates a program, e.g., a graphical program (GP), or at least a portion of a graphical program interactive development environment (GPIDE), e.g., a graphical program editor, an execution engine, a static or dynamic analyzer, and/or compiler. The at least a portion of the GPIDE is received from the server computer over the network in response to the URI, and executed in a web browser of the client computer to perform some specified functionality with respect to the GP.11-18-2010
20100293590LOCATION DETERMINED NETWORK ACCESS - A system and method for network authentication is provided. A network access device is operable to establish communications with an internal network. A client device is operable to request and establish the communications over the internal network by interfacing with the network access device. A processor is operable to interface with the network access device to establish the communications between the client device and the internal network. The processor is also operable to establish a communications level for the communications based on the location of the client device.11-18-2010
20100293594Mobile Authorization Using Policy Based Access Control - An authorization engine is provided in a remote device for mobile authorization using policy based access control. To ensure that remote devices can enforce consistent authorization policies even when the devices are not connected to the server, the remote device downloads the relevant authorization policies when the business objects are downloaded and enforces the policies when operations are invoked. The memory footprint of downloadable authorization policies is reduced to fit onto a resource-constrained remote device. A policy evaluation engine interprets and enforces the downloaded policies on the remote device using only the limited computational resources of the remote device.11-18-2010
20100293592SYSTEM AND DEVICE FOR PARALLELIZED PROCESSING - The invention relates to a system for processing data that can be exchanged between at least a first domain having a security level A and a second domain having a security level B, A being different from B, characterised in that it comprises at least one elementary entity EEi including a routing module URi and a device UTi for processing data, the routing module URi including at least one input Ii into the domain having the A security level for the data to be processed, and at least one first output Pi for the data that has not been processed and remains in the domain with the A security level, and a second output Li connected to the processing device UTi for the data processed and transferred into the domain with the B security level via the output Oi.11-18-2010
20110126260ACCESS AUTHORIZATION HAVING EMBEDDED POLICIES - A facility for receiving an embedded policy is provided. The facility checks an application program image for the presence of an embedded policy. If an embedded policy is detected, the facility extracts the policy from within the application program image. The facility may then apply the extracted policy to the application program image before the application program image is loaded and/or executed. Moreover, the facility may check the application program image's integrity prior to extracting the embedded policy.05-26-2011
20120311666MICRO AND MACRO TRUST IN A DECENTRALIZED ENVIRONMENT - A method and system are disclosed. In one embodiment the method includes calculating a trust level of a first entity. The first entity has a plurality of components. Each component in the first entity has at least the trust level of the first entity.12-06-2012
20120311665Analyzing Usage Information of an Information Management System - In an information management system, activity data is collected and analyzed for patterns. The information management system may be policy based. Activity data may be organized as entries including information on user, application, machine, action, object or document, time, and location. When checking for patterns in the activity or historical data, techniques may include inferencing, frequency checking, location and distance checking, and relationship checking, and any combination of these. Analyzing the activity data may include comparing like types or categories of information for two or more entries.12-06-2012
20120311664NETWORK THREAT DETECTION AND MITIGATION - A network switch automatically detects undesired network traffic and mirrors the undesired traffic to a security management device. The security management device determines the source of the undesired traffic and redirects traffic from the source to itself. The security management device also automatically sends a policy to a switch to block traffic from the source.12-06-2012
20120311663IDENTITY MANAGEMENT - The present invention relates to improved identity management in which a first authentication request is received from a service provider, where the first authentication request requests authentication attributes relating to a user. A second authentication request is transmitted to an identity provider and a first authentication response is received from the identity provider, wherein the first authentication response includes at least one authentication attribute relating to said user. At least one predefined policy is applied to the first authentication response to generate a second authentication response, and the second authentication response is transmitted to the service provider.12-06-2012
20120311662SMART CONTAINERS - Smart containers are disclosed. A system for managing content comprises an interface to receive an operation associated with an instance of a smart container. The smart container comprises a logical structure configured using a definition to manage associated content. The system for managing content comprises a processor configured to determine whether the operation is allowable based at least in part on a policy; and in the event that the operation is allowable, perform the operation. A memory is coupled to the processor and is configured to provide the processor with instructions.12-06-2012
20110138442AUTOMATED SECURITY CLASSIFICATION AND PROPAGATION OF VIRTUALIZED AND PHYSICAL VIRTUAL MACHINES - Architecture that provides additional data that can be obtained and employed in security models in order to provide security to services over the service lifecycle. The architecture automatically propagates security classifications throughout the lifecycle of the service, which can include initial deployment, expansion, moving servers, monitoring, and reporting, for example, and further include classification propagation from the workload (computer), classification propagation in the model, classification propagation according to the lineage of the storage location (e.g., virtual hard drive), status propagation in the model and classification based on data stored in the machine.06-09-2011
20110138441MODEL BASED SYSTEMS MANAGEMENT IN VIRTUALIZED AND NON-VIRTUALIZED ENVIRONMENTS - Architecture that provides model-based systems management in virtualized and non-virtualized environments. A security component provides security models which define security requirements for services. A management component applies one or more of the security models during the lifecycle of virtual machines and services. The lifecycle can include initial deployment, expansion, moving servers, monitoring, and reporting. The architecture creates a formal description model of how a virtual machine or a service (composition of multiple virtual machines) is secured. The security requirements information can also be fed back to the general management system, which uses this information in its own activities, such as guiding the placement of workloads on servers, which can be security related.06-09-2011
20100325691Systems and Methods for Enabling a Service Provider to Obtain and Use User Information - In one aspect, the present invention provides a method for providing user information to a service provider. The method may include receiving a message including a communication device identifier; storing the communication device identifier with an identifier associated with a user of the communication device so that the communication device identifier is associated with the user identifier; transmitting a consent request message to the user; receiving a response to the consent request message, which response indicates that the user has provided the requested consent; and in response to receiving the response to the consent request message, transmitting a consent confirmation message to the service provider.12-23-2010
20100333171A METHOD FOR SELECTING POLICY DECISION FUNCTIONAL ENTITY IN A RESOURCE AND ADMISSION CONTROL SYSTEM - The present invention discloses a method for selecting a policy decision functional entity in the Resource and Admission Control System. The method includes that: for resource and admission control in the PULL mode, after the Transport Resource Control Function Entity (TRC-FE) receives a resource request message from the Customer Premises Equipment (CPE) or after the Policy Enforcement Function Entity (PE-FE) receives transport layer signaling sent by the CPE, if the TRC-FE or PE-FE is interacting with more than one Policy Decision Functional Entity (PD-FE), the TRC-FE or the PE-FE may select a PD-FE according to the stored identification information of the PD-FE or a statically configured PD-FE, and send a resource decision request message to the selected PD-FE. With the application of the present invention, in resource and admission control in the PULL mode, after receiving the resource request initiated by the CPE through the transport layer signaling message, the TRC-FE or PE-FE may select the exact PD-FE to implement the resource reservation process, thereby resolving the problem in the prior art that during the resource and admission control process the TRC-FE or PE-FE cannot select the exact PD-FE to which to send resource decision requests.12-30-2010
20100333168METHODS AND APPARATUS FOR RATING DEVICE SECURITY AND AUTOMATICALLY ASSESSING SECURITY COMPLIANCE - Automatic Security Compliance Assessment (ASCA) systems and methods are provided. The disclosed systems and methods can automatically determine whether all of the devices in an enterprise network comply with security policies or standards, and can automatically take remedial or corrective action to bring those devices into compliance with security policies or standards if they are determined not to be in compliance. The disclosed systems and methods can automatically ensure that all of the devices in an enterprise network remain in compliance with the security policies or standards, and automatically create records that establish whether each of the devices is in compliance and regularly update those records over time so that the enterprise can quickly and easily provide evidence of compliance and/or corrective actions taken to bring devices into compliance if required to do so.12-30-2010
20110010753METHOD FOR DATA TRANSFER IN A NETWORK - A sophisticated gateway is connectable with at least one device, further sophisticated gateways, and/or a network. The sophisticated gateway includes an emulator proxy module and/or a presenter proxy module. The emulator proxy module receives higher layer data of a higher network layer, and processes the higher layer data thereby generating second intermediate layer data of an intermediate network layer. The processing includes a security function ensuring that the second intermediate layer data conform with a predetermined security level. The presenter proxy module receives and/or processes first intermediate layer data thereby generating the higher layer data. The processing within the presenter proxy module includes a security function ensuring that the higher layer data conform with a predetermined security level.01-13-2011
20110072486System, Method, and Software for Enforcing Access Control Policy Rules on Utility Computing Virtualization in Cloud Computing Systems - According to one embodiment, a system comprises one or more processors coupled to a memory and executing logic. A policy life cycle component is configured to maintain a repository of security policies. The repository of security policies comprises policies governing access to a virtual host and to a plurality of virtual machines running on the virtual host. The policy life cycle component is also configured to issue a compound policy for an identified virtual operating system running on the virtual host. The compound policy provides a virtual host policy and access rules for each of the plurality of virtual machines running on the virtual host. A topology manager is configured to receive the compound policy from the policy life cycle component, assign the compound policy to an access control agent, and maintain a security policy topology. The security policy topology stores associations between access control agents and compound policies.03-24-2011
20100115581SYSTEM METHOD AND DEVICE FOR MEDIATING CONNECTIONS BETWEEN POLICY SOURCE SERVERS, CORPORATE REPOSITORIES, AND MOBILE DEVICES - The invention relates to providing policy from an integrated policy server to a mobile device, comprising identifying a policy in an integrated policy server applicable to the mobile device and supplying policy elements to policy transports for transmission to the mobile device. The invention also relates to providing policy from an integrated policy server to a mobile device, including identifying a policy in the integrated policy server applicable to the mobile device, determining whether the mobile device is in compliance with the policy, and supplying policy elements to policy transports for transmission to the mobile device when the mobile device is not in compliance with the policy. The invention further relates to controlling access to a data server by a mobile device, including identifying a policy in an integrated policy server applicable to the mobile device, and determining whether the mobile device is in compliance with the policy.05-06-2010
20100115580RETROSPECTIVE POLICY SAFETY NET - These and other objectives are attained with a method and system for evaluating an access policy change. The method comprises the step of providing an access control mechanism having a first policy, and an audit log having entries of accesses made under that first policy. The method comprises the further steps of submitting a second policy to the access control mechanism, comparing the log entries to the second policy, and based on the results of the comparing step, taking one of a predetermined number of actions.05-06-2010
20100115579SYSTEM AND METHOD FOR LOST DATA DESTRUCTION OF ELECTRONIC DATA STORED ON PORTABLE ELECTRONIC DEVICES - A data security system and method protects stored data from unauthorized access. According to one aspect of the invention, a client computing device communicates periodically with a server. If communication is not established between the client and the server for a selected activation interval and a subsequent grace period, the data is determined to be lost, and programmed security rules are automatically executed. Rules relating to encryption, as well as other security procedures, can be defined and entered by an administrator with access to the server, and then disseminated to each of a plurality of clients that access the server.05-06-2010
20100115578AUTHENTICATION IN A NETWORK USING CLIENT HEALTH ENFORCEMENT FRAMEWORK - A network with authentication implemented using a client health enforcement framework. The framework is adapted to receive plug-ins on clients that generate health information. Corresponding plug-ins on a server validate that health information. Based on the results of validation, the server may instruct the client to remediate or may authorize an underlying access enforcement mechanism to allow access. A client plug-in that generates authentication information formatted as a statement of health may be incorporated into such a framework. Similarly, on the server, a validator to determine, based on the authentication information, whether the client should be granted network access can be incorporated into the framework. Authentication can be simply applied or modified by changing the plug-ins, while relying on the framework to interface with an enforcement mechanism. Functions of the health enforcement framework can be leveraged to provide authentication-based functionality, such as revoking authorized access after a period of user inactivity or in response to a user command.05-06-2010
20100115577Method of Role Creation - A method and a computer program product for creating roles in an enterprise system comprising monitoring a system for instances of a change from a first normal user to a first super user; mapping said first user with a terminal; scanning said system to derive a plurality of commands executed from said terminal; mapping at least one of the plurality of commands executed from said terminal to said first super user; and creating a first role comprising an authorization to execute the at least one command executed by said first super user.05-06-2010
20110093913MANAGEMENT OF ACCESS TO SERVICE IN AN ACCESS POINT - System(s) and method(s) are provided to configure access rights to wireless resources and telecommunication service(s) supplied through a set of access points (APs). Access to wireless resources is authorized by access attributes in access control list(s) (ACL(s)), while a profile of service attributes linked to the ACL(s) regulates provision of telecommunication service(s). Access and service attributes can be automatically or dynamically configured, at least in part, in response to changes in data that directly or indirectly affect the operation environment in which the set of APs is deployed. Automatic or dynamic configuration of access or service attributes enables control or coordination of wireless service provided through the set of APs; the degree of control or coordination is determined at least in part by enablement or disablement of disparate services for disparate devices at disparate access points at disparate times and with disparate service priority.04-21-2011
20110093917Hierarchical Policy Management - A system and method for administering access to a central resource by a remote access device. A system includes a remote access device and a computer executing a hierarchical policy manager. The remote access device requests access to a central resource. The hierarchical policy manager determines a policy for allowing the device to access the resource by evaluating access policies at a plurality of precedence levels of a policy hierarchy. The hierarchical policy manager allows the device to access the resource based on the policy set at the highest precedence level of the policy hierarchy at which access control is specified.04-21-2011
20110093914NETWORK POLICY MANAGEMENT AND EFFECTIVENESS SYSTEM - The present disclosure relates to a method and apparatus for maintaining policy compliance on a computer network. A system in accordance with some embodiments disclosed herein performs the steps of electronically monitoring network user compliance with a network security policy stored in a database, electronically evaluating network security policy compliance based on network user compliance and electronically undertaking a network policy compliance action in response to network security policy non-compliance. The network policy compliance actions may include automatically implementing a different network security policy selected from network security policies stored in the database, generating policy effectiveness reports and providing a retraining module to network users.04-21-2011
20100064341System for Enforcing Security Policies on Mobile Communications Devices - A system for enforcing security policies on mobile communications devices is adapted to be used in a mobile communications network in operative association with a subscriber identity module. The system having a client-server architecture includes a server operated by a mobile communications network operator and a client resident on a mobile communications device on which security policies are to be enforced. The server is adapted to determine security policies to be applied on said mobile communications device, and to send thereto a security policy to be applied. The client is adapted to receive the security policy to be applied from the server, and to apply the received security policy. The server includes a server authentication function adapted to authenticate the security policy to be sent to the mobile communications device; the client is further adapted to assess authenticity of the security policy received from the server by exploiting a client authentication function resident on the subscriber identity module.03-11-2010
20110145885Policy Adherence And Compliance Model - Methods, computer readable media, and apparatuses for policy development and management are presented. Input corresponding to an implemented policy may be received. An adherence rating for the implemented policy may be determined based on a measured level of compliance with at least one guiding principle. An effectiveness rating for the implemented policy may be determined based on a determined level of responsiveness. Subsequently, a report may be generated.06-16-2011
20100088739Hardware Based Mandatory Access Control - Hardware mechanisms are provided for performing hardware based access control of instructions to data. These hardware mechanisms associate an instruction access policy label with an instruction to be processed by a processor and associate an operand access policy label with data to be processed by the processor. The instruction access policy label is passed along with the instruction through one or more hardware functional units of the processor. The operand access policy label is passed along with the data through the one or more hardware functional units of the processor. One or more hardware implemented policy engines associated with the one or more hardware functional units of the processor are utilized to control access by the instruction to the data based on the instruction access policy label and the operand access policy label.04-08-2010
20100031309POLICY BASED CONTROL OF MESSAGE DELIVERY - A method of policy based message delivery in a message delivery system includes supplementing a subscriber handle with supplemental information pertaining to a subscriber of the message delivery system, where the message delivery system includes a set of subscribers, receiving a message for delivery within the message delivery system, comparing a set of policies with the supplemental information based on information contained in the received message, matching the message to a subscriber of the set of subscribers based on the comparison, and dispatching the message to a matched subscriber based on the matching.02-04-2010
20090300715USER-DIRECTED PRIVACY CONTROL IN A USER-CENTRIC IDENTITY MANAGEMENT SYSTEM - An identity management system incorporates privacy management processes that enable the user to exercise privacy controls over the disclosure of user identity information within the context of an authentication process. A combination includes an identity selector, a privacy engine, and a ruleset. The identity selector directs the release of a user identity in the form of a security token to satisfy the requirements dictated by a security policy. Prior to release of the user identity, the engine conducts a privacy enforcement process that examines the privacy policy of the service provider and determines if it is acceptable. The engine evaluates a ruleset against the privacy policy. A preference editor enables the user to construct, in advance, the ruleset, which embodies the user's privacy preferences regarding the disclosure of identity information. Based on the evaluation results, the user can either approve or disapprove the privacy policy, and so decide whether to proceed with disclosure of the user identity.12-03-2009
20090300716USER AGENT TO EXERCISE PRIVACY CONTROL MANAGEMENT IN A USER-CENTRIC IDENTITY MANAGEMENT SYSTEM - A client-side user agent operates in conjunction with an identity selector to institute and exercise privacy control management over user identities managed by the identity selector. The user agent includes the combination of a privacy enforcement engine, a storage of rulesets expressing user privacy preferences, and a preference editor. The editor enables the user to direct the composition of privacy preferences relative to user identities. The preferences can be applied to individual cards and to categorized groups of attributes. The engine evaluates the proper rulesets against the privacy policy of a service provider. The privacy preferences used by the engine are determined on the basis of specifications in a security policy indicating the attribute requirements for claims that purport to satisfy the security policy.12-03-2009
20090300713ACCESS CONTROL SYSTEM, ACCESS CONTROL METHOD, ELECTRONIC DEVICE AND CONTROL PROGRAM - Provided is an access control system for controlling access on a task basis without modifying the device side to be accessed and without applying a task ID at each access to a device.12-03-2009
20090300711ACCESS CONTROL POLICY COMPLIANCE CHECK PROCESS - A storage medium on which is recorded a program for causing an information processing device. The program executes an access right management information obtainment process for obtaining access right management information; a violation detection process for obtaining a policy from a policy storing unit for storing the policy set for the resource or the access to the resource, for checking whether or not the access right management information complies with the policy, and for detecting access right management information; and a policy compliance level calculation process for calculating a risk score in accordance with a degree of risk of the violation, and for calculating a level of compliance with the policy.12-03-2009
20090300710UNIVERSAL SERIAL BUS (USB) STORAGE DEVICE AND ACCESS CONTROL METHOD THEREOF - The invention provides a USB storage device and an access control method thereof. An access control module is provided on the USB storage device. The storage space is divided into at least one data storage entity. Each user's access right to each data storage entity is set and stored in the USB storage device as an access control list. The process between the USB storage device's being connected with a USB host and its being disconnected from the USB host is one session. When a session is established, the user provides authentication information for the USB device to authenticate him/her, and saves the user information used in the current session. In the current session, when the host of the user issues an access request for the data storage entity on the USB storage device, the access control module queries the access right list based on the user information in the current session to determine whether the user has an access right to the requested data storage entity. When the user does not have the access right to the data storage entity, the access control module denies the user's access request for the data storage entity.12-03-2009
20090300709AUTOMATED CORRECTION AND REPORTING FOR DYNAMIC WEB APPLICATIONS - Changes to dynamic web content are monitored for compliance with web content compliance rules. A noncompliant element associated with a change to the dynamic web content is identified based upon the web content compliance rules. Automated correction of the noncompliant element is performed based upon the web content compliance rules. The noncompliant element is reported to a server associated with the change to the dynamic web content.12-03-2009
20090300707Method of Optimizing Policy Conformance Check for a Device with a Large Set of Posture Attribute Combinations - A method, apparatus, and electronic device for conforming integrity of a client device 12-03-2009
20090300706CENTRALLY ACCESSIBLE POLICY REPOSITORY - The present invention extends to methods, systems, and computer program products for a centrally accessible policy repository. Protection policies for protecting resources within an organization are stored at a central policy repository. Thus, an administrator can centrally create, maintain, and manage resource protection policies for all of the organizational units within an organization. Accordingly, the resources consumed when performing these protection policy related operations are significantly reduced. Additionally, since protection policies are centrally located, there is an increased likelihood of being able to consistently apply an organization's protection policies within different organizational units, even when protection policies change.12-03-2009
20090300705Generating Document Processing Workflows Configured to Route Documents Based on Document Conceptual Understanding - Embodiments of the invention may be used to improve enforcement and compliance with publishing rules in an automated and provable manner. Prior to publication, documents may be processed using publishing rules (workflows) based on conceptual analysis of document content. Additionally, embodiments of the invention include a content creation system configured to provide prompt feedback on content coverage. Such a system enables the creator of information to better understand what approval requirements apply to content they create and intend to publish, as the content is being created.12-03-2009
20090293099INSIGHT DISTRIBUTION - The present invention relates to using authorization information provided by an asserting agent to control insight-related interactions between a receiving agent and an insight agent. The insight may be information that relates to an entity with whom or a device with which the asserting agent is associated. Such insight is generally referred to as insight of the asserting agent. An insight source maintains the insight of the asserting agent, and the insight agent provides controlled access to the insight by the receiving agent through the insight-related interactions. For others to gain access to at least certain of the asserting agent's insight, the asserting agent must authorize the insight agent to provide the asserting agent's insight to the receiving agent. Upon obtaining the proper authorization, the insight agent will interact with the receiving agent and distribute the asserting agent's insight to the receiving agent.11-26-2009
20090205013Customization restrictions for multi-layer XML customization - Embodiments of the present invention provide techniques for customizing aspects of a metadata-driven software application. In particular, embodiments of the present invention provide (08-13-2009
20090205012AUTOMATED COMPLIANCE POLICY ENFORCEMENT IN SOFTWARE SYSTEMS - Some embodiments of the present invention provide a system that maintains a software system. During operation, the system obtains a compliance policy for the software system and monitors the software system for a violation of the compliance policy. If such a violation is detected, the system retrieves a change package associated with the violation based on the compliance policy and automatically deploys the change package to the software system to resolve the violation.08-13-2009
20110191818METHOD, APPARATUS, AND SYSTEM FOR IMPLEMENTING HOT-LINING FUNCTION - A method, an apparatus, and a system for implementing a hot-lining function are provided, which relate to the field of communications and address the lack of any solution for implementing the hot-lining function in the prior art. The technical solution includes: acquiring a hot-lining function enabling message sent from a hot-lining application (HLA) network element, where the hot-lining function enabling message carries hot-lining rule information; enabling the hot-lining function according to the hot-lining rule information in the enabling message; and instructing a hot-lining device (HLD) to enable the hot-lining function according to the hot-lining rule information. The technical solution is applicable to both fixed and wireless networks.08-04-2011
20100023996TECHNIQUES FOR IDENTITY AUTHENTICATION OF VIRTUALIZED MACHINES - Techniques for identity authentication of Virtual Machines (VMs) are provided. A VM is authenticated and, once authenticated, each device interfaced to or accessible to the VM is also authenticated. When both the VM and each device are authenticated, the VM is granted access to a machine for installation thereon.01-28-2010
20100023999SYSTEM AND METHOD FOR NETWORK ADMINISTRATION AND LOCAL ADMINISTRATION OF PRIVACY PROTECTION CRITERIA - Cookie files are screened in a client machine, wherein a cookie file includes a cookie file source. A request from a subscriber is received at a server to send a list of untrusted cookie file sources to the client machine. The list of untrusted cookie file sources is downloaded from the server to the client machine. The downloaded list of untrusted cookie file sources is used to detect cookie files received at the client machine from cookie file sources on the downloaded list by comparing the cookie file source of any received cookie file to the untrusted cookie file sources on the downloaded list.01-28-2010
20100023998METHOD, ENTITY AND SYSTEM FOR REALIZING NETWORK ADDRESS TRANSLATION - A method of realizing network address translation (NAT) includes the following steps. An application function (AF) entity receives a message, and determines a signaling direction according to the message. The AF entity carries the signaling direction information in an access authorization request (AAR) message and sends the AAR message to a service-based policy decision function (SPDF) entity. The SPDF entity obtains a corresponding local domain address according to the signaling direction, and sends the obtained address to the AF entity. The AF entity sends the message according to the local domain address. An entity and a system for realizing NAT are also provided. By extending the message exchanged between the AF entity and the SPDF entity and adding a field indicating the signaling direction, the SPDF entity is enabled to distinguish the uplink direction from the downlink direction of the message (for example, from the access side or local core side to the core side or opposite core side, or from the core side or opposite core side to the access side or local core side), so as to realize NAT control.01-28-2010
20100023997METHOD OF USING XPATH AND ONTOLOGY ENGINE IN AUTHORIZATION CONTROL OF ASSETS AND RESOURCES - A method of defining access control. The method allows the expression of access control rules using ontology based semantics and references an ontology subset using XPath as the ontological expression. The access control rules or access criteria are defined by an access control statement and may be expressed using classification criteria and ontology classes. The access control statement comprises a structural description that is used to define an asset and a logical expression that may be used to express the classification criteria. The access control statement defines access policy for various assets.01-28-2010
20100023995Methods and Aparatus for Securing Access to Computer Libraries and Modules, The SecModule Framework - We have shown an efficient, easy-to-use framework which allows existing libraries to be retrofitted, and new ones developed, into a secured, session-managed environment. Our framework can be used for policy-level enforcement (i.e. creating enforceable, undeniable rules) for accessing and using arbitrary code, functions and data held inside the library.01-28-2010
20100017847Wireless Connection Setting Program - A computer program product includes computer readable instructions that cause a computer to execute a wireless connection setting process. The computer includes a communication interface configured to communicate with at least one device. The wireless connection setting process includes recognizing a state of the at least one device through the communication interface, displaying an input screen image sequentially for each of at least one setting item of wireless connection settings, configuring the wireless connection settings for the at least one device based upon the input, and controlling whether to display the input screen image by judging whether the input is required to be received for each of the at least one setting item based upon the state of the recognized at least one device. Said configuring includes determining the setting item for which the input is not judged required to be received.01-21-2010
20100017846SERVICE PROCESSING METHOD AND SYSTEM, AND POLICY CONTROL AND CHARGING RULES FUNCTION - A service processing method, a service processing system, and a PCRF entity are disclosed to overcome this defect in the prior art: The prior art is unable to handle services discriminatively according to the policy context information when different services require the same QoS level. The method includes: receiving bearer priority information from a PCRF entity, where the bearer priority information includes: bearer priority information of a service data stream, bearer priority information of an IP-CAN session, and/or bearer priority information of an IP-CAN bearer; and handling services according to the bearer priority information. In the embodiments of the present invention, the policy context information is converted into bearer priority information so that the PCEF handles services according to the bearer priority information. In this way, different services that require the same QoS level are handled discriminatively according to the policy context information.01-21-2010
20100017845DIFFERENTIATED AUTHENTICATION FOR COMPARTMENTALIZED COMPUTING RESOURCES - Embodiments for providing differentiated authentication for accessing groups of compartmentalized computing resources, and for accessing each compartmentalized computing resource, as displayed on a desktop environment of an operating system. In one embodiment, a method includes organizing one or more computing resources accessible in a desktop environment into a group. The one or more computing resources include a data content, an application, a network portal, and a device. The method also includes providing an authentication policy for actions that can be performed on each computing resource. The authentication policy is configured to associate an authentication input with each action for a particular computing resource. The method further includes receiving an authentication input when the user intends one of the actions on the particular computing resource. The method additionally includes allowing the user to perform the intended action on the particular computing resource when the received authentication input enables the intended action.01-21-2010
20100017844ASSOCIATING A UNIQUE IDENTIFIER AND A HEIRARCHY CODE WITH A RECORD - A method and system for creating a record and associating a unique identifier and a hierarchy code with the record where the record is created in response to identifying that a transmission violates an institution's policy. The record may also be passed to a reporting module which may generate a report based on the unique identifier and/or a hierarchy code. Additionally, the record may be passed to a remediation agent for handling. The remediation agent may also update the record based on actions taken by the remediation agent or updates identified by the remediation agent.01-21-2010
20100017843Scenario Based Security - A security management system uses several security scenarios that have rules defining the configuration of system and security components in order to meet a specific security scenario. The rules may include an evaluation of multiple components to give a summary statistic or evaluation, as well as rules that may be used to configure the various components to achieve a desired level of security. A management console may aggregate multiple security scenarios together for administration.01-21-2010
20130125202Security Systems And Methods For Encoding And Decoding Digital Content - Systems and methods may be provided for masking data on public networks. At a publishing node, the system may monitor data input fields in a webpage, and intercept and encode content, such as text, images, and video input at the data input fields, prior to the content being posted online on a public service provider's website. A policy may be defined to control which users are permitted access to a key to decode the encoded content. The policy may defer to a third party policy node in determining key access. An account for a controlling entity, such as a guardian or employer, may be configured to control the encoding status of posts made by another. The controlling entity may control who has key access to decode posts made by the other account. The guardian account may be configured to have preemptive rights over posting decisions made by the minor.05-16-2013
20090158386METHOD AND APPARATUS FOR CHECKING FIREWALL POLICY - A method and apparatus for checking for vulnerabilities in a firewall policy used in a firewall system are provided. The method includes determining whether a target firewall policy is for an existing firewall system or a new firewall system, when the target firewall policy is for the existing firewall system, checking for errors in the target firewall policy by comparing the target firewall policy with an existing firewall policy applied to the existing firewall system, and when the target firewall policy is for the new firewall system, checking for errors in the target firewall policy by simulating a state in which the target firewall policy is applied to the new firewall system.06-18-2009
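The abstract above describes two checks on a target firewall policy: comparing it against the policy already applied to an existing firewall, and simulating it on a new firewall. The following is an added example, not code from the patent or its assignee, that implements both with first-match rule semantics. The rule format, the boundary-probe strategy and the sample policies are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    src: str             # source CIDR
    dst: str             # destination CIDR
    ports: tuple         # inclusive (low, high) destination port range

    def matches(self, pkt):
        proto, src, dst, port = pkt
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src, strict=False)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst, strict=False)
                and self.ports[0] <= port <= self.ports[1])


def evaluate(policy, pkt, default="deny"):
    """First-match semantics: returns (verdict, name of the deciding rule or None)."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, None


def probe_packets(policy):
    """Build probe packets from the edges of every rule's address and port ranges.
    Ordering mistakes usually show up at those edges. Both protocols are always probed
    so that a later "any" rule is not wrongly reported as unreachable."""
    protos = {"tcp", "udp"} | {r.proto for r in policy if r.proto != "any"}
    srcs, dsts, ports = set(), set(), set()
    for r in policy:
        for cidr, bucket in ((r.src, srcs), (r.dst, dsts)):
            net = ipaddress.ip_network(cidr, strict=False)
            bucket.add(str(net.network_address))
            bucket.add(str(net.broadcast_address))
        ports.update(r.ports)
    return list(product(sorted(protos), sorted(srcs), sorted(dsts), sorted(ports)))


def diff_policies(existing, target):
    """Existing firewall: report every probe whose verdict changes under the target policy."""
    changed = []
    for pkt in probe_packets(list(existing) + list(target)):
        old, new = evaluate(existing, pkt), evaluate(target, pkt)
        if old[0] != new[0]:
            changed.append((pkt, old, new))
    return changed


def shadowed_rules(policy):
    """New firewall: simulate the policy on its own probes and report rules that never
    decide a packet. Boundary probing is a heuristic; a complete check needs range
    arithmetic over the rule sets."""
    hit = set()
    for pkt in probe_packets(policy):
        _, name = evaluate(policy, pkt)
        if name is not None:
            hit.add(name)
    return [r.name for r in policy if r.name not in hit]


# Constructed sample policies (not taken from the patent).
EXISTING = [
    Rule("allow-web", "allow", "tcp", "10.0.0.0/8", "192.168.1.10/32", (443, 443)),
]
TARGET = [
    Rule("deny-branch", "deny", "tcp", "10.1.0.0/16", "192.168.1.10/32", (443, 443)),
    Rule("allow-web", "allow", "tcp", "10.0.0.0/8", "192.168.1.10/32", (443, 443)),
    # Never reached: deny-branch already covers everything this rule covers.
    Rule("allow-branch", "allow", "tcp", "10.1.0.0/16", "192.168.1.10/32", (443, 443)),
]

if __name__ == "__main__":
    for pkt, old, new in diff_policies(EXISTING, TARGET):
        print(f"{pkt}: {old} -> {new}")
    print("shadowed:", shadowed_rules(TARGET))
```

The diff is what an operator wants to see before replacing a live policy: which traffic that is allowed today would be blocked tomorrow, and vice versa. The shadow report catches the common mistake of appending a rule that an earlier, broader rule already decides.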
20120210389AUTOMATIC SECURITY ACTION INVOCATION FOR MOBILE COMMUNICATIONS DEVICE - In one embodiment, there is provided a mobile communications device comprising: a processor; a communications subsystem operable to exchange signals with a wireless network; a storage element having application modules and data stored thereon, the data comprising at least user application data associated with the application modules and service data including data for establishing communications with the wireless network; and a security module operable to detect policy messages received by the device, and to perform a security action if a first policy message to enforce a first data protection policy is received and a subsequent policy message to enforce a second data protection policy is not received within a predetermined duration from the time at which the first policy message is received; wherein the security action comprises erasing or encrypting at least some of the data on the storage element.08-16-2012
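The security module in the abstract above is a dead-man switch: a first policy message starts a timer, and the device erases or encrypts data unless a second policy message arrives before the timer expires. The following is an added example, not the patent's or its assignee's code, that models that state machine with an injected clock so the timing can be exercised. Erasing only user application data while keeping service data, and the message names FIRST and SECOND, are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MobileSecurityModule:
    """A FIRST policy message arms the timer; unless a SECOND policy message arrives
    within timeout_s, the security action erases user application data. Service data
    is kept so the device can still reach the wireless network (assumption of this
    example; the abstract allows erasing or encrypting any of the data)."""
    storage: dict
    timeout_s: float
    armed_at: Optional[float] = None
    action_done: bool = False
    events: list = field(default_factory=list)

    def on_policy_message(self, policy_name, now):
        if policy_name == "FIRST":
            # Keep the original deadline if FIRST is repeated: a replayed or duplicated
            # FIRST message must not push the deadline out.
            if self.armed_at is None and not self.action_done:
                self.armed_at = now
                self.events.append(("armed", now))
        elif policy_name == "SECOND":
            if self.armed_at is not None:
                self.armed_at = None
                self.events.append(("disarmed", now))
        else:
            self.events.append(("ignored", policy_name, now))

    def tick(self, now):
        """Call from the device's clock. Returns True exactly once, when the action fires."""
        if self.action_done or self.armed_at is None:
            return False
        if now - self.armed_at >= self.timeout_s:
            self.storage["user_app_data"] = {}      # the security action: erase
            self.action_done = True
            self.armed_at = None
            self.events.append(("erased", now))
            return True
        return False


def new_device(timeout_s=300.0):
    """Constructed device contents. Feed `now` from a monotonic clock (time.monotonic)
    rather than wall-clock time, so that changing the device clock cannot postpone the action."""
    storage = {
        "user_app_data": {"mail": ["msg-1", "msg-2"], "contacts": ["alice"]},
        "service_data": {"apn": "internet", "imsi": "redacted"},
    }
    return MobileSecurityModule(storage=storage, timeout_s=timeout_s)


if __name__ == "__main__":
    dev = new_device(timeout_s=60.0)
    dev.on_policy_message("FIRST", 0.0)
    for t in (30.0, 59.9, 60.0, 120.0):
        print(t, dev.tick(t), dev.events[-1])
```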
20120210392ACCESS METHOD AND ACCESS DEVICE - An access method and an access device are provided in the invention, and the method includes the step of: an Authentication, Authorization and Accounting (AAA) server sending indication information to a Wireless Local Area Network Access Network (WLAN AN), wherein the indication information is used to indicate that the WLAN AN is to let a user equipment access the Internet directly, without passing through an Evolved Packet Core (EPC) network. The user experience can be improved by the invention.08-16-2012
20090064272DATABASE AUTHORIZATION RULES AND COMPONENT LOGIC AUTHORIZATION RULES AGGREGATION - Embodiments of the present invention provide a method, system and computer program product for aggregating database and component logic authorization rules in a multi-tier application. In an embodiment of the invention, a method for aggregating database and component logic authorization rules in a multi-tier application system can include aggregating role-based authorization rules for both a persistence layer and a logic layer of a multi-tier application in a unified policy, distributing the unified policy to both the persistence layer and the logic layer of the multi-tier application, transforming the unified policy into respectively a set of role based permissions for the persistence layer and a set of role based permissions for the logic layer, and applying the set of role based permissions for the persistence layer in the persistence layer, and the set of role based permissions for the logic layer in the logic layer of the multi-tier application.03-05-2009
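The abstract above describes one unified, role-based policy that is transformed into separate permission sets for the persistence layer and the logic layer. The following is an added example, not the patent's or its assignee's code, that performs that transformation: the unified policy is expanded once, then rendered as SQL GRANT statements for the database and as a permission map checked by the application code. The policy format, the entity-to-table mapping and the sample roles are assumptions of this example.

```python
# Unified role policy: role -> list of (entity, operation). "*" means every operation.
# Constructed example; the patent describes the transformation, not this format.
UNIFIED_POLICY = {
    "clerk":   [("Order", "read"), ("Order", "create")],
    "auditor": [("Order", "read"), ("Payment", "read")],
    "admin":   [("Order", "*"), ("Payment", "*")],
}
OPERATIONS = ("read", "create", "update", "delete")            # canonical ordering
SQL_PRIVILEGE = {"read": "SELECT", "create": "INSERT", "update": "UPDATE", "delete": "DELETE"}
TABLE_FOR_ENTITY = {"Order": "orders", "Payment": "payments"}  # persistence-layer mapping


def expand_policy(policy):
    """Normalize the unified policy into role -> entity -> set of concrete operations.
    Unknown operations are rejected here, before either layer sees them."""
    expanded = {}
    for role, grants in policy.items():
        per_entity = expanded.setdefault(role, {})
        for entity, op in grants:
            if entity not in TABLE_FOR_ENTITY:
                raise ValueError(f"{role}: unknown entity {entity!r}")
            ops = set(OPERATIONS) if op == "*" else {op}
            unknown = ops - set(OPERATIONS)
            if unknown:
                raise ValueError(f"{role}: unknown operation(s) {sorted(unknown)} on {entity}")
            per_entity.setdefault(entity, set()).update(ops)
    return expanded


def to_persistence_grants(policy):
    """Persistence layer: one GRANT statement per (role, table), derived from the same expansion."""
    statements = []
    for role, per_entity in expand_policy(policy).items():
        for entity, ops in per_entity.items():
            privs = [SQL_PRIVILEGE[op] for op in OPERATIONS if op in ops]
            statements.append(f"GRANT {', '.join(privs)} ON {TABLE_FOR_ENTITY[entity]} TO {role};")
    return statements


def to_logic_permissions(policy):
    """Logic layer: role -> set of 'Entity:operation' strings checked by component code."""
    return {role: {f"{entity}:{op}" for entity, ops in per_entity.items() for op in ops}
            for role, per_entity in expand_policy(policy).items()}


def logic_layer_allows(permissions, role, entity, op):
    """The check a component performs before invoking business logic for a role."""
    return f"{entity}:{op}" in permissions.get(role, set())


if __name__ == "__main__":
    for stmt in to_persistence_grants(UNIFIED_POLICY):
        print(stmt)
    perms = to_logic_permissions(UNIFIED_POLICY)
    print("auditor may read Payment:", logic_layer_allows(perms, "auditor", "Payment", "read"))
```

Because both outputs come from one expansion, a role cannot end up with an application-level permission that the database rejects, or a database privilege the application never exposes; that drift is the usual failure when the two layers are administered separately.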
20080320550PERFORMING POLICY CONFLICT DETECTION AND RESOLUTION USING SEMANTIC ANALYSIS - A method and system for managing a policy includes, in response to determining the presence of a conflict, determining a semantic equivalence between a component of a policy rule and at least one additional policy rule. The determining a semantic equivalence is performed by using a semantic reasoning algorithm that includes the steps of determining a first policy target of a first policy rule and a second policy target of a second policy rule, determining a meaning of the first policy target and a meaning of the second policy rule, assigning a confidence value based on the determined meaning of the first policy, assigning a confidence value based on the determined meaning of the second policy, performing a semantic comparison between the first policy target and the second policy target, and determining, based at least in part on the semantic comparison, the presence of a conflict between the first and second policy targets.12-25-2008
20110154431SYSTEMS AND METHODS FOR PROVIDING MULTIPLE ISOLATED EXECUTION ENVIRONMENTS FOR SECURELY ACCESSING UNTRUSTED CONTENT - A sandbox tool can create and maintain multiple isolated execution environments, simultaneously. The sandbox tool can assign a unique security label to each isolated execution environment. In order to ensure the security labels are unique, the sandbox tool, for each security label, can bind a communication socket in an abstract name space of the operating system with a name that is the same as the security label. If the operating system returns an error that the name for the communication socket is already in use, the sandbox tool can determine that the security label is already in use by another isolated execution environment or other process.06-23-2011
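The uniqueness trick in the abstract above relies on a Linux property: binding an AF_UNIX socket to a name in the abstract namespace (a leading NUL byte) fails with EADDRINUSE if any process already holds that name, and the kernel releases the name when the socket closes. The following is an added example, not the sandbox tool's own code, that claims a security label this way and allocates a label that no other process holds. It runs only on Linux; the label format is an assumption of this example.

```python
import errno
import os
import socket
import sys


class LabelClaim:
    """Holds the abstract-namespace socket that reserves a security label.
    The label stays reserved for as long as the socket is open; release() frees it."""

    def __init__(self, label, sock):
        self.label = label
        self._sock = sock

    def release(self):
        if self._sock is not None:
            self._sock.close()
            self._sock = None


def try_claim_label(label):
    """Try to reserve `label` by binding a socket to it in the abstract namespace.
    Returns a LabelClaim on success, or None if another process already holds it."""
    if not sys.platform.startswith("linux"):
        raise OSError("the abstract AF_UNIX namespace only exists on Linux")
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        # A leading NUL byte puts the name in the abstract namespace: no filesystem
        # entry is created and the kernel drops the name when the socket closes.
        sock.bind(b"\0" + label.encode())
    except OSError as exc:
        sock.close()
        if exc.errno == errno.EADDRINUSE:
            return None          # label already in use by another sandbox or process
        raise
    return LabelClaim(label, sock)


def allocate_unique_label(prefix, max_attempts=64):
    """Return a claim on the first free label of the form <prefix>_<n>."""
    for n in range(max_attempts):
        claim = try_claim_label(f"{prefix}_{n}")
        if claim is not None:
            return claim
    raise RuntimeError(f"no free label under {prefix!r} after {max_attempts} attempts")


if __name__ == "__main__":
    # Two environments started by the same tool get two distinct labels.
    first = allocate_unique_label(f"sandbox_{os.getpid()}")
    second = allocate_unique_label(f"sandbox_{os.getpid()}")
    print(first.label, second.label)
    first.release()
    second.release()
```

The claim must be kept open for the lifetime of the isolated environment; a check-then-release pattern would reintroduce the race the abstract namespace bind avoids. Note that the abstract namespace is per network namespace, so two containers with separate network namespaces can hold the same name.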
20110307937SECURITY SYSTEM FOR GENERATING KEYS FROM ACCESS RULES IN A DECENTRALIZED MANNER AND METHODS THEREFOR - Improved system and approaches for decentralized key generation are disclosed. The keys that can be generated include both public keys and private keys. The public keys are arbitrary strings that embed or encode access restrictions. The access restrictions are used to enforce access control policies. The public keys are used to encrypt some or all portions of files. The private keys can be generated to decrypt the portions of the files that have been encrypted with the public keys. By generating keys in a decentralized manner, not only are key distribution burdens substantially eliminated but also off-line access to encrypted files is facilitated.12-15-2011
20110307936NETWORK ANALYSIS - A method and system are provided for analyzing a network. The method and system convert network specification information into a single intermediate representation of the network. The intermediate representation can then be used to determine security parameters as well as expected data traffic parameters.12-15-2011
20090172773Syndicating Surgical Data In A Healthcare Environment - Disclosed herein are systems and methods for syndication and management of structured and unstructured data to assist institutional healthcare delivery, healthcare providers' practices, healthcare providers' group practices, collaborative academic research and decision making in healthcare, including through the utilization of medical devices and healthcare pools.07-02-2009
20090172774METHOD AND SYSTEM FOR DISTRIBUTING SECURITY POLICIES - A method and system for distributing and enforcing security policies is provided. A firewall agent executing at a host computer system that is to be protected receives security policies for the enforcement engines responsible for enforcing the security policies on the host computer system. A security policy has rules that each provide a condition and action to be performed when the condition is satisfied. A rule also has a rule type that is used by the distribution system to identify the security components that are responsible for enforcing the rules. To distribute the security policies that have been received at a host computer system, the firewall agent identifies to which enforcement engine a rule applies based in part on rule type. The firewall agent then distributes the rule to the identified enforcement engine, which then enforces the rule.07-02-2009
20090172771SYSTEMS AND METHODS FOR SITUATION SEMANTICS BASED MANAGEMENT OF POLICY ENABLED COMMUNICATION SYSTEMS - Communication nodes, systems and methods are described which manage and process management information using semantic variable entities governed by a formal logic and upon which computations can be performed. Such semantic variable entities include, for example, management infons and/or management situations which can be used, for example, to manage policy enforcement in communication networks.07-02-2009
20090172772METHOD AND SYSTEM FOR PROCESSING SECURITY DATA OF A COMPUTER NETWORK - Method of processing security data of a computer network (R) including a plurality of users (U07-02-2009
20090172770METHOD AND APPARATUS FOR RENTING COMPUTER PERIPHERAL DEVICES IN-SITU - Embodiments of a system for renting one or more peripheral devices to a proximally disposed mobile device are disclosed herein. In some embodiments, a peripheral manager is configured to facilitate access to the one or more peripheral devices by the mobile device. The peripheral manager may also facilitate identification and/or authentication of the mobile device and/or its user, determine an access privilege of the mobile device and/or its user, and accept payment in exchange for the access by the mobile device and/or its user. Other embodiments are described and claimed.07-02-2009
20090172769PROGRAMMATIC VALIDATION IN AN INFORMATION TECHNOLOGY ENVIRONMENT - Programmatically validating service level policies established for business applications of an Information Technology environment. The programmatic validation predicts whether the policies are achievable within the environment. Examples of service level policies include quantitative goals, redundancy levels and resource use.07-02-2009
20090172768METHODS AND APPARATUS FOR OPERATING EMBEDDED INFORMATION TECHNOLOGY APPLICATIONS WITH A SERVICE OPERATING SYSTEM - A method includes setting a rule policy with an embedded information technology application. The method further includes parsing the policy rule from a policy engine to a context engine. The method further includes determining a computing device condition with the context engine based upon the parsed policy rule. The method further includes notifying the policy engine with the context engine if the computing device condition has changed from a first condition to a second condition. The method further includes, in response to the computing device condition changing from the first condition to the second condition, executing an action according to the parsed policy rule. An associated system and machine readable medium are also disclosed.07-02-2009
20090007218Switched-Based Network Security - Traffic sent from a network endpoint is redirected and the network endpoint is tested for compliance with a security policy. If the network endpoint is in compliance with the security policy, an access policy is generated to allow the network endpoint to access the network without any traffic redirection.01-01-2009
20120042353ACCESS CONTROL - A process and device are disclosed for depositing sequences of layers comprising a plurality of semiconductor components on a plurality of substrates (02-16-2012
20120042355REPRESENTING EXTENSIBLE MARKUP LANGUAGE (XML) AS AN EXECUTABLE HAVING CONDITIONAL AUTHENTICATION OR POLICY LOGIC - Techniques for representing extensible markup language (XML) in an executable format are presented. An XML document is parsed into its components and content. The components and content are packaged as an executable. Some portions of the executable include authentication logic or policy logic that is subsequently enforced when the executable is processed. The executable is subsequently distributed to recipient machines. The machines process the executable and produce memory-loaded versions of the components and content representing the XML document on the machines. The memory-loaded versions of the components and content include conditionally added authentication logic or policy logic.02-16-2012
20120042354Entitlement conflict enforcement - Various embodiments are directed to entitlements clearance. For example, an entitlement clearance request may be received from a provisioning application. The entitlement clearance request may comprise an indication of a subject entitlement and an indication of a subject user. An indication of user characteristics describing the subject user and an indication of existing entitlements held by the subject user may be received. A plurality of entitlements conflict rules may be applied to the existing entitlements, the subject entitlement and the user characteristics to determine whether an entitlements conflict exists in view of the subject entitlement. In addition, a completion indication of whether the entitlements conflict exists in view of the subject entitlement may be returned. Provided that the entitlements conflict exists, the completion indication may comprise an indication of at least one entitlements conflict rule selected from the plurality of entitlements conflict rules that would be violated by the subject entitlement.02-16-2012
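The clearance check in the abstract above takes a proposed entitlement, the user's existing entitlements and the user's characteristics, applies a set of conflict rules, and returns whether a conflict exists together with the rule that would be violated. The following is an added example, not the patent's or its assignee's code, that implements that check for separation-of-duties rules. The rule format, the scoping by user characteristics and the sample rules are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ConflictRule:
    name: str
    toxic: frozenset                   # entitlements that must not be held together
    applies_to: Optional[dict] = None  # user characteristics the rule is scoped to; None = everyone


def rule_applies(rule, user_characteristics):
    if rule.applies_to is None:
        return True
    return all(user_characteristics.get(k) == v for k, v in rule.applies_to.items())


def clear_entitlement(subject_entitlement, existing_entitlements, user_characteristics, rules):
    """Entitlement clearance: would granting `subject_entitlement` create a conflict?
    Returns (conflict_exists, names of the rules the grant would violate).
    A rule counts only when the subject entitlement is part of the toxic set it completes;
    a conflict the user already has is outside this request and is not reported here."""
    proposed = set(existing_entitlements) | {subject_entitlement}
    violated = [
        r.name for r in rules
        if subject_entitlement in r.toxic
        and r.toxic <= proposed
        and rule_applies(r, user_characteristics)
    ]
    return bool(violated), violated


# Constructed rule set (not taken from the patent).
RULES = [
    # Classic separation of duties: the person who creates a vendor must not approve payments.
    ConflictRule("sod-vendor-payment", frozenset({"vendor.create", "payment.approve"})),
    # Scoped rule: only enforced for users whose department is engineering.
    ConflictRule("sod-dev-release", frozenset({"code.commit", "release.deploy"}),
                 applies_to={"department": "engineering"}),
    # Single-entitlement rule: contractors may never hold production admin.
    ConflictRule("no-contractor-prod-admin", frozenset({"prod.admin"}),
                 applies_to={"employment": "contractor"}),
]


if __name__ == "__main__":
    user = {"department": "finance", "employment": "employee"}
    print(clear_entitlement("payment.approve", {"vendor.create"}, user, RULES))
    print(clear_entitlement("payment.approve", {"report.read"}, user, RULES))
```

Returning the violated rule name, rather than a bare yes/no, is what lets the provisioning application explain the denial to the requester and lets an auditor later see which control blocked the grant.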
20090138938System and Method for Auditing a Security Policy - Provided are a computerized system and method for automated auditing of a range of rules associated with an enforced security policy. The method comprises automatically obtaining log records assigned to a first rule within the range of rules and logged during a counted period, each said log record comprising a unique rule identifier and recorded values of respective arguments comprised in the rule; counting the number of records matching certain recorded values and logged within certain time intervals within the counted period (counted values); and automatically generating a counted log record assigned to said rule, said record comprising the unique rule identifier, the counted period, recorded values of the rule arguments and respective counted values. The method further comprises obtaining a plurality of objects engaged in said first rule; resolving a first object among said plurality of objects to a set of resolved values; matching said resolved values to the recorded values of the respective arguments, said recorded values comprised in the counted log record assigned to said rule; counting each match in accordance with the respective counted value, thus giving rise to a plurality of matching values of the resolved values; and using the plurality of matching values for analysis related to usage of the first object.05-28-2009
20090019516ROLE-BASED ACCESS CONTROL - A user interface and a processor coupled to the user interface wherein the processor receives access requests through the user interface and authorizes access through the user interface. The processor associates a rights request with a role based policy to determine access rights, modifies the determined access rights in accordance with an exception list related to particular users and records, and authorizes access to a record based upon the modified determined access rights.01-15-2009
20120060199METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR FACILITATING COMMUNICATION IN AN INTEROPERABILITY NETWORK - Methods and apparatus are described for facilitating communication among a plurality of entities via an interoperability network. Each entity has policy data corresponding thereto governing interaction with the entity via the interoperability network. A message is transmitted from a first one of the entities to a second one of the entities. The first entity has first policy data corresponding thereto and the second entity has second policy data corresponding thereto. The transmitted message was handled in the network according to combined policy data representing a combination of the first and second policy data.03-08-2012
20120060200METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR FACILITATING COMMUNICATION IN AN INTEROPERABILITY NETWORK - Methods and apparatus are described for facilitating communication among a plurality of entities via an interoperability network. Each entity has policy data corresponding thereto governing interaction with the entity via the interoperability network. A message is transmitted from a first one of the entities to a second one of the entities. The first entity has first policy data corresponding thereto and the second entity has second policy data corresponding thereto. The transmitted message was handled in the network according to combined policy data representing a combination of the first and second policy data.03-08-2012
20120060201Web based extranet architecture providing applications to non-related subscribers - An extranet includes a network which couples a plurality of non-related participants and a server coupled to the network. The server stores a plurality of applications including workgroup applications, transaction applications, security applications and transport circuits and equipment. The server is programmed to load particular ones of the plurality of applications onto the network for use by the plurality of participants in response to a request by one of the participants for a particular application.03-08-2012
20120066738System and Method for automatic Data Security Back-up and control for Mobile Devices - Systems and methods for providing security and control of mobile communications device activity, including at least one mobile communication device with software operable thereon for receiving rules provided by an authorized user of the device(s) and, in accordance with those rules, administering actions to control and secure data stored or generated on the device(s), including logging data and activities related to the mobile communications device and blocking and filtering calls, messages, websites, emails, and combinations thereof, via wireless communication with a remote server computer having a corresponding software module operable thereon for managing and implementing the rules.03-15-2012
20120210391Automated Device Provisioning and Activation - Various embodiments are disclosed for a services policy communication system and method. In some embodiments, a communications device stores a set of device credentials for activating the communications device for a service on a network; and sends an access request to the network, the access request including the set of device credentials.08-16-2012
20120047554WEB SERVICE PROVISION SYSTEM, SERVER DEVICE, AND METHOD - A web application server includes a user information management unit that manages user IDs and attributes such that each of the user IDs is associated with corresponding one of the attributes, a security policy management unit that manages security policies such that each of security policies is associated with corresponding one of the attributes, a security policy acquisition unit that acquires one of the security policies based on one of the attributes associated with one of the user IDs, and an HTML file generation unit that generates an HTML file in which a script to acquire personal data of corresponding one of users from an intra-company database server is embedded based on one of the security policies of the corresponding one of the users.02-23-2012
20120047552DYNAMICALLY UPDATED SECURE HANDLING OF DOCUMENTS CONTAINING RESTRICTED INFORMATION - A method, system and computer program product for processing documents containing restricted information. One aspect concerns updating the relevant information security rules applicable to the documents.02-23-2012
20120047550Method and System for Device Integrity Authentication - A networked device performs integrity authentication by determining, using a processor, a measured integrity value of the device. The measured integrity value is compared by the processor to an embedded integrity value of the device. Application of a policy to the device is facilitated by the processor based on the comparison.02-23-2012
20120210390Extensible and Programmable Multi-Tenant Service Architecture - An extensible, multi-tenant software-as-a-service business application platform is provided for hosting multiple organizations. Organization services are provided by virtual or physical servers with dedicated data stores assembled in scalable groups. Distributed interaction between components of the scalable groups may enable extensibility and reliability, while changes in locations of organization services are provided to the client(s) for seamless continuation of the client's access to the services. Customizable and dynamic APIs for accessing each organization's data and applications isolated from the others and pluggable third party authentication services may also be integrated into the platform.08-16-2012
20120047551Machine-To-Machine Gateway Architecture - Systems, methods, and instrumentalities are disclosed that provide for a gateway outside of a network domain to provide services to a plurality of devices. For example, the gateway may act as a management entity or as a proxy for the network domain. As a management entity, the gateway may perform a security function relating to each of the plurality of devices. The gateway may perform the security function without the network domain participating or having knowledge of the particular devices. As a proxy for the network, the gateway may receive a command from the network domain to perform a security function relating to each of a plurality of devices. The network may know the identity of each of the plurality of devices. The gateway may perform the security function for each of the plurality of devices and aggregate related information before sending the information to the network domain.02-23-2012
20120005719Proxy-Based Network Access Protection - In certain embodiments, a method includes receiving, at a proxy, a request for access to a network from an application on an endpoint. The method also includes determining, by the proxy, information about the application on the endpoint by examining one or more headers of the request received at the proxy from the application. The method further includes determining, by the proxy, whether the one or more headers comprise expected information based on the determined information about the application. In response to determining that the one or more headers do not comprise the expected information, the method includes denying, by the proxy, the request for access to the network. In addition, in response to determining that the one or more headers comprise the expected information, the method includes forwarding, by the proxy, the request to the network on behalf of the application.01-05-2012
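The proxy in the abstract above identifies the requesting application from the request headers, checks whether the headers match what that application is expected to send, and forwards or denies accordingly. The following is an added example, not the patent's or its assignee's code, that implements that decision for a small set of constructed application profiles. The profile format, the header names and the sample requests are assumptions of this example; headers are attacker-controlled, so this is a coarse hygiene filter in front of real authentication, not a substitute for it.

```python
# Constructed application profiles; a real proxy would load these from policy.
EXPECTED_PROFILES = {
    "CorpSync": {
        "required": {"host", "x-corpsync-version", "authorization"},
        "forbidden": {"cookie", "referer"},   # a browser-originated request would carry these
    },
    "InventoryBot": {
        "required": {"host", "x-bot-token"},
        "forbidden": {"cookie"},
    },
}


def parse_request(raw):
    """Parse the request line and headers of an HTTP/1.1 request head.
    Header names are case-insensitive and are lower-cased; a repeated header is
    treated as malformed rather than silently taking the first or last value."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        name = name.strip().lower()
        if name in headers:
            raise ValueError(f"duplicate header: {name}")
        headers[name] = value.strip()
    return request_line, headers


def identify_application(headers):
    """Map the User-Agent product token to a known application profile, or None."""
    product = headers.get("user-agent", "").split("/", 1)[0]
    return product if product in EXPECTED_PROFILES else None


def decide(raw):
    """Return ("forward", application) or ("deny", reason) for one request."""
    try:
        _, headers = parse_request(raw)
    except ValueError as exc:
        return "deny", str(exc)
    app = identify_application(headers)
    if app is None:
        return "deny", "unknown application"
    profile = EXPECTED_PROFILES[app]
    present = set(headers)
    missing = profile["required"] - present
    if missing:
        return "deny", f"{app}: missing {sorted(missing)}"
    unexpected = profile["forbidden"] & present
    if unexpected:
        return "deny", f"{app}: unexpected {sorted(unexpected)}"
    return "forward", app


# Constructed sample requests.
GOOD = (b"GET /sync HTTP/1.1\r\nHost: api.example.internal\r\nUser-Agent: CorpSync/2.3\r\n"
        b"X-CorpSync-Version: 2.3\r\nAuthorization: Bearer redacted\r\n\r\n")
SPOOFED = (b"GET /sync HTTP/1.1\r\nHost: api.example.internal\r\nUser-Agent: CorpSync/2.3\r\n"
           b"X-CorpSync-Version: 2.3\r\nAuthorization: Bearer redacted\r\n"
           b"Cookie: session=abc\r\n\r\n")
UNKNOWN = b"GET / HTTP/1.1\r\nHost: api.example.internal\r\nUser-Agent: curl/8.0\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("good", GOOD), ("spoofed", SPOOFED), ("unknown", UNKNOWN)):
        print(name, decide(req))
```

The forbidden-header check is the interesting half: a request that claims to be the sync agent but carries browser cookies is more likely a page in a browser (or a script riding a browser session) than the agent, and denying it is cheap. The duplicate-header rejection closes the usual smuggling trick of sending one benign and one malicious copy of a header and hoping proxy and backend pick different ones.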
20120005724METHOD AND SYSTEM FOR PROTECTING PRIVATE ENTERPRISE RESOURCES IN A CLOUD COMPUTING ENVIRONMENT - A method for protecting private enterprise computing resources in a cloud computing environment includes determining a virtual topology comprising a secure computing zone, which includes a secure virtual vault, associated with an enterprise application of a private enterprise in a cloud computing environment. A traffic control policy associated with the secure computing zone is determined that comprises a plurality of security rules that define data traffic flow into, out of, and within the associated secure computing zone. A plurality of cloud computing nodes is selected and associated with the secure virtual vault. Any of the cloud computing nodes is a virtual computer or a physical computer device. The traffic control policy is automatically implemented in each of the cloud computing nodes associated with the secure virtual vault, where each cloud computing node is configured to enforce the plurality of security rules at an operating system level of the cloud computing node.01-05-2012
20120005722Application Context Based Access Control - Access control for an application is described. An exemplary method includes receiving a first command of an application to invoke a function of a user interface, identifying a first authorization context based on a first user context and the function of the user interface invoked, retrieving a first access policy providing access criteria associated with the first authorization context, and applying the first access policy to the accessibility of the function. The method includes receiving a second command to invoke the function in a second instance of the application and identifying a second authorization context based on a second user context and the function of the user interface invoked. The second authorization context is different than the first authorization context. The method includes retrieving a second access policy providing second access criteria associated with the second authorization context and applying the second access policy to the accessibility of the function.01-05-2012
20120005721PROCESSING UNIT ENCLOSED OPERATING SYSTEM - A processing unit for use in an electronic device includes standard instruction processing and communication interfaces and also includes functional capability in addition to or in place of those found in an operating system. A secure memory within the processing unit may contain a hardware identifier, policy data, and subsystem functions such as a secure clock, policy management, and policy enforcement. Data in functions within the secure memory are not accessible from outside the processing unit.01-05-2012
20120005718TRUSTED NETWORK CONNECT SYSTEM FOR ENHANCING THE SECURITY - Disclosed is a trusted network connect system for enhancing the security, the system including an access requester of the system network that connects to a policy enforcement point in the manner of authentication protocol, and network-connects to the access authorizer via a network authorization transport protocol interface, an integrity evaluation interface and an integrity measurement interface, a policy enforcement point network-connects to the access authorizer via a policy enforcement interface, an access authorizer network-connects to the policy manager via a user authentication authorization interface, a platform evaluation authorization interface and the integrity measurement interface, and an access requester network-connects to a policy manager via the integrity measurement interface.01-05-2012
20120005720Categorization Of Privacy Data And Data Flow Detection With Rules Engine To Detect Privacy Breaches - A runtime approach receives a request from a target location. Data elements are received from a data store. Privacy data type categories corresponding to retrieved data elements are identified. A data flow category is identified based on the target location. Privacy actions are performed modifying some data elements based on the identified privacy data type categories and the data flow category so that the modified data elements comply with one or more data privacy rules pertaining to the target location. A design-time approach retrieves data types included in a software application data design. Privacy categories are selected that correspond to the retrieved data types. Flow categorization data is retrieved that corresponds to software application processes. Privacy categories and flow categorization data are compared to privacy rules. A user is informed if privacy rules are violated to facilitate software application modification in order to comply with the privacy rules.01-05-2012
20120005723SYSTEM AND METHOD FOR CONCURRENT SESSIONS IN A PEER-TO-PEER HYBRID COMMUNICATIONS NETWORK - An improved system and method are disclosed for peer-to-peer communications. In one example, the method provides for concurrent sessions to be maintained by multiple endpoints.01-05-2012
20080282320Security Compliance Methodology and Tool - An apparatus is provided for evaluating risk to an organization. The apparatus includes a plurality of governmental rules directed to protecting shareholders, a plurality of security domains of the organization wherein each security domain is associated with a different asset of the organization and a request for an information risk assessment within at least one of the plurality of security domains of the organization formed under the plurality of governmental rules from a set of initializing inputs. The apparatus further includes an information risk assessment plan formed from the request for the information risk assessment, a set of information assessment templates and test cases formed from the information risk assessment plan, a set of information risk assessment tests conducted on the IT system using the assessment templates and test cases, a set of test results generated by the risk assessment tests, one or more security control gaps identified by the assessment responses and one or more gap remediation plans formed from the identified security gaps.11-13-2008
20120066737METHOD AND APPARATUS FOR SECURITY ALGORITHM SELECTION PROCESSING, NETWORK ENTITY, AND COMMUNICATION SYSTEM - Embodiments of the present invention disclose a method and an apparatus for security algorithm selection processing, a network entity, and a communication system. The method includes: receiving a service request message sent by user equipment; and according to a security protection requirement of the service request message, selecting a security algorithm from a security algorithm list supported by both the user equipment and a network entity, where security algorithm lists supported by the user equipment and/or the network entity are set separately based on different security protection requirements, or security algorithm lists supported by the user equipment and the network entity are used for indicating security capability of the user equipment and the network entity respectively.03-15-2012
20090178109Authentication in a globally distributed infrastructure for secure content management - Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services.07-09-2009
20120047555PLATFORM AUTHENTICATION METHOD SUITABLE FOR TRUSTED NETWORK CONNECT ARCHITECTURE BASED ON TRI-ELEMENT PEER AUTHENTICATION - The invention discloses a platform authentication method suitable for trusted network connect (TNC) architecture based on tri-element peer authentication (TePA). The method relates to a platform authentication protocol of tri-element peer authentication, and the protocol improves network security as compared with prior platform authentication protocols; in the platform authentication protocol of the TNC architecture based on TePA, a policy manager plays a role as a trusted third party, which is convenient for concentrated management, thus enhancing manageability; the invention relates to the platform authentication protocol of the TNC architecture based on TePA, has different implementation methods and is beneficial for different dispositions and realizations.02-23-2012
20120047556ON-LINE CENTRALIZATION AND LOCAL AUTHORIZATION OF EXECUTABLE FILES - A system and method for controlling the execution of executable files. The executables are identified by either a cryptographic digest or a digital certificate. The cryptographic digest is computed from the binary image of the executable. An executable that is attempting to execute is intercepted by a protection module that consults a database of stored rules over a secure channel to determine whether or not the executable can be identified as a permitted executable and whether or not it has permission to execute on a particular computer system under certain specified conditions. If a stored permission is available, it is used to control the execution. Otherwise, the user is consulted for permission.02-23-2012
20110167474SYSTEMS AND METHODS FOR MOBILE APPLICATION SECURITY CLASSIFICATION AND ENFORCEMENT - The present disclosure provides systems and methods for mobile application security classification and enforcement. In particular, the present invention includes a method, a mobile device, and a distributed security system (e.g., a “cloud”) that is utilized to enforce security on mobile devices communicatively coupled to external networks (i.e., the Internet). Advantageously, the present invention is platform independent allowing it to operate with any current or emerging mobile device. Specifically, preventing malicious applications from running on an end user's mobile device is challenging with potentially millions of applications and billions of user devices; the only effective way to enforce application security is through the network that applications use to communicate.07-07-2011
20110167473Endpoint-Hosted Hypervisor Management - A client hypervisor comprises a virtual agent that runs outside of a system OS and that allows device management independent of the OS and user. The virtual agent is tied to a device and not a specific instance of the OS. Such client hypervisors expose new functionality to ease managing systems. Some of these capabilities come from the persistence and privileges outside the OS. In some embodiments of the invention, this new management functionality is exposed to allow device management via new virtualization concepts, such as multiple VMs per system, VM replacement, snapshot/rollback, etc.07-07-2011
20110167472Endpoint-Hosted Hypervisor Management - A client hypervisor comprises a virtual agent that runs outside of a system OS and that allows device management independent of the OS and user. The virtual agent is tied to a device and not a specific instance of the OS. Such client hypervisors expose new functionality to ease managing systems. Some of these capabilities come from the persistence and privileges outside the OS. In some embodiments of the invention, this new management functionality is exposed to allow device management via new virtualization concepts, such as multiple VMs per system, VM replacement, snapshot/rollback, etc.07-07-2011
20110167471METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR PROVIDING GROUP POLICY CONFIGURATION IN A COMMUNICATIONS NETWORK USING A FAKE USER - Methods, systems, and computer readable media for providing group policy configuration in a communications network using a fake user are disclosed. The method is performed at a policy charging and rules function (PCRF) node. According to one method, first policy profile information associated with a first subscriber identifier is obtained from a policy profile database, where the first subscriber identifier is associated with a first subscriber. Second policy profile information associated with a second subscriber identifier is obtained from the policy profile database, where the second subscriber identifier is associated with a group of subscribers that also includes the first subscriber. At least a portion of the second policy profile information is applied to the first subscriber.07-07-2011
20110167470MOBILE DATA SECURITY SYSTEM AND METHODS - Policy is provided from an integrated policy server to a mobile device, comprising identifying a policy in an integrated policy server applicable to the mobile device and supplying policy elements to policy transports for transmission to the mobile device. Policy can also be provided from an integrated policy server to a mobile device, including identifying a policy in the integrated policy server applicable to the mobile device, determining whether the mobile device is in compliance with the policy, and supplying policy elements to policy transports for transmission to the mobile device when the mobile device is not in compliance with the policy. Access to a data server by a mobile device can be controlled, including identifying a policy in an integrated policy server applicable to the mobile device, and determining whether the mobile device is in compliance with the policy.07-07-2011
20120011563NETWORK INTELLIGENCE SYSTEM - A network security system takes an active approach to network security. This is accomplished by providing intelligence about other networks. A master network intelligence database is established that uses a plurality of network information agents for gathering information about networks and providing the information to the master network intelligence database. A customer network security system is then able to secure the customer network in dependence upon information received from the master network intelligence. Security information includes at least one of hostility level on the Internet, collected from numerous sites; security event history; spam levels; hosted services; public wireless; organization type; organization associations; peer ISPs; bandwidth connection to the Internet; active security measures; number of users on the network; age of the network; inappropriate content served; industry; geographic placement; open proxy servers; and contact information.01-12-2012
20120011561TEMPORARY POLICIES IN A MOBILE COMPUTING DEVICE - A system, method and apparatus for enabling temporary policies in a mobile computing device are provided. Data representative of the temporary policies is received, the data comprising a time period for applying the temporary policies. Settings of the mobile computing device are automatically changed from original settings to temporary settings, the temporary settings based on the data. When the time period has expired, the settings are changed back to the original settings.01-12-2012
20120011560Dynamic Policy Trees for Matching Policies - A system and method is provided for evaluating one or more security policies. Security policies may be analyzed to determine one or more policy attributes based on which one or more policy trees should be generated. These policy trees may be utilized for evaluation purposes.01-12-2012
20120011559METHOD AND APPARATUS FOR SELECTING A SECURITY POLICY - An approach is provided for selecting a security policy. A security policy manager determines, at a device, context information associated with a place. The security policy manager then determines a safety score associated with the place based, at least in part, on the context information and selects a security policy for the device based, at least in part, on the safety score.01-12-2012
20120011562PROTECTING FILE ENTITIES - There is described a computer system to provide a filesystem, and to export a consumer directory of the filesystem for access by a consumer application over a network. The system has a protected directory. Protection controls restrict performance of file management activities on file entities of the protected directory by the consumer application.01-12-2012
20120159569METHOD OF MANAGING WEB APPLICATION POLICY USING SMART CARD, AND WEB SERVER AND MOBILE TERMINAL FOR IMPLEMENTING THE SAME - A method of managing policy information in a mobile terminal by requesting an external policy management server for information about whether a change has been made to policy information and updating the policy information in a smart card web server of the mobile terminal to control access to resources based on the updated policy information.06-21-2012
20120159568Method and Apparatus for Limiting Digital Content Consumption Inside Defined Real-world Geographic Area(s) - A method for limiting digital content consumption inside defined real-world geographic area(s) is disclosed. In one embodiment, the method is realized by adding an additional consumption policy for geographic control to the digital content's metadata, requesting the digital consumption device to acquire and provide its current location, checking the device's current location against the geographic control consumption policy, and displaying the content for consumption if the digital content consumption policy is satisfied.06-21-2012
20120159566ACCESS CONTROL FRAMEWORK - A system and method for flexible access control by setting access permissions at the object, element, or subject level. An access control framework (ACF) may be implemented to control access to business objects, business object nodes, business object queries, actions, attributes, associations, instances, or other identifiable elements. The access control configurations for a user or object may be set at the system level with static configuration settings. In an embodiment, a user may temporarily reconfigure access permissions for a subject or object for a limited session with dynamic configuration settings.06-21-2012
20120159567CONTEXTUAL ROLE AWARENESS - The disclosed subject matter relates to an architecture that can provide contextual role awareness. For example, rather than focusing on features and functionality at the device level, features and functionality can be controlled based upon various roles that can be related to various personas of a user. Thus, in a business or enterprise setting, the enterprise can manage a business role in accordance with that enterprise's security objectives, which might dramatically limit certain features for the user. However, the user can quickly switch roles, away from the business role in order to again access desired features, yet without compromising the security objectives of the enterprise.06-21-2012
20120159564APPLYING ACTIVITY ACTIONS TO FREQUENT ACTIVITIES - Activities of users of a service often involve one or more resources, such as uploading or downloading files in a file system of an FTP server. The activities of the users may be tracked and recorded in an activity log in order to identify frequently performed activities involving particular resources, and for such frequently performed activities, one or more activity actions may be performed. For example, malicious users may upload or utilize an equivalent set of assets stored in several accounts. The frequency of these undesirable activities may be identified, and an activity action may be automatically applied to the users (e.g., banning accounts), resources (e.g., deleting assets), and/or activities (e.g., blocking access to the resources). Conversely, desirable activities involving particular resources may be similarly detected, and the activity action applied to such desirable activities may involve reporting the desirable activity to an administrator of the service.06-21-2012
20120117617METHOD FOR SELECTING AN IPSEC POLICY - A method and apparatus for querying an IPsec Security Policy Database comprising a plurality of groups of Security Policies that have been assigned a priority value. When a network node receives an IP packet, it determines a priority value and looks for Security Policies in the Security Policy Database having that priority value. If no Security Policies are found, then it looks for Security Policies having a lower priority value. This process is repeated until a Security Policy is found, in which case it is returned and applied to the IP packet, or it is determined that no suitable Security Policy exists.05-10-2012
20120117614SYSTEM AND METHOD FOR HIGH PERFORMANCE SECURE ACCESS TO A TRUSTED PLATFORM MODULE ON A HARDWARE VIRTUALIZATION PLATFORM - A system and method for high performance secure access to a trusted platform module on a hardware virtualization platform, which includes Virtual Machine Monitor (VMM) managed components coupled to the VMM and a plurality of Virtual Machines (VMs). One of the VMM managed components is a Trusted Platform Module (TPM). Each virtual machine includes a guest Operating System, a TPM device driver (TDD), and at least one security application. The VMM creates an intra-partition in memory for each TDD such that other code and information at a same or higher privilege level in the VM cannot access the TDD's memory contents. The VMM also maps access only from the TDD to a TPM register space specifically designated for the VM requesting access. Contents of the TPM requested by the TDD are stored in an exclusively VMM-managed protected page table that provides hardware-based memory isolation for the TDD.05-10-2012
20120117613METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR FACILITATING COMMUNICATION IN AN INTEROPERABILITY NETWORK - Methods and apparatus are described for facilitating communication among a plurality of entities via an interoperability network. Each entity has policy data corresponding thereto governing interaction with the entity via the interoperability network. A message is transmitted from a first one of the entities to a second one of the entities. The first entity has first policy data corresponding thereto and the second entity has second policy data corresponding thereto. The transmitted message was handled in the network according to combined policy data representing a combination of the first and second policy data.05-10-2012
20120017263Security Authorization Queries - In an example implementation, a bifurcated security scheme has a first level that does not allow usage of negations and a second level that does permit usage of negations. In another example implementation, an authorization query table maps respective resource-specific operations to respective associated authorization queries. In yet another example implementation, authorization queries are permitted to have negations, but individual assertions are not.01-19-2012
20120017262SYSTEMS AND METHODS FOR PROCESSING DATA FLOWS - A flow processing facility, which uses a set of artificial neurons for pattern recognition, such as a self-organizing map, in order to provide security and protection to a computer or computer system supports unified threat management based at least in part on patterns relevant to a variety of types of threats that relate to computer systems, including computer networks. Flow processing for switching, security, and other network applications, including a facility that processes a data flow to address patterns relevant to a variety of conditions are directed at internal network security, virtualization, and web connection security. A flow processing facility for inspecting payloads of network traffic packets detects security threats and intrusions across accessible layers of the IP-stack by applying content matching and behavioral anomaly detection techniques based on regular expression matching and self-organizing maps. Exposing threats and intrusions within packet payload at or near real-time rates enhances network security from both external and internal sources while ensuring security policy is rigorously applied to data and system resources. Intrusion Detection and Protection (IDP) is provided by a flow processing facility that processes a data flow to address patterns relevant to a variety of types of network and data integrity threats that relate to computer systems, including computer networks.01-19-2012
20120017260VERIFYING ACCESS-CONTROL POLICIES WITH ARITHMETIC QUANTIFIER-FREE FORM CONSTRAINTS - A system and method is provided for verifying an access-control policy against a particular constraint for a multi-step operation. In disclosed embodiments, the method includes expressing the access-control policy as a first quantifier-free form (QFF) constraint and identifying the particular constraint as a second QFF constraint. The method also includes identifying an operation vector and providing copies of the operation vector associated with steps in the multi-step operation. The method also includes determining a third QFF constraint using the first QFF constraint, the second QFF constraint, and the copies of the operation vector. The method also includes solving the third QFF constraint to determine a solution and outputting a result of the solving.01-19-2012
20120023544DATA ASSURANCE - Data assurance capabilities are received that are related to at least one individual persistent object type in a plurality of persistent object types linked to persistent objects stored on the service provider server. In addition, data assurance specifications are received from a customer, the data assurance specifications being based on the data assurance capabilities. Computer-readable data assurance policies for the at least one persistent object type are generated based on the received data assurance specification. The computer-readable data assurance policies then are combined with a corresponding template of data assurance capabilities for the at least one individual persistent object type to generate an enforceable customer-specific data policy.01-26-2012
20120023547PRIVACY PREFERENCES MANAGEMENT SYSTEM - The disclosed invention resides in a system and method for managing and maintaining an internet user's privacy directives without the necessity to rely on one or more cookies to be retained by a user's browser.01-26-2012
20120023545SYSTEM AND METHOD FOR PROVIDING A HIGH PERFORMANCE NETWORK CONNECTION SERVICE FOR DISTRIBUTED COMPUTING APPLICATIONS - A system and method are disclosed for providing a high performance network connection service (HPNCS) for distributed computing applications. The HPNCS provides a network abstraction layer to the distributed applications and provides an interface to the underlying high performance on-demand dynamic circuit network (DCN). The HPNCS may relieve performance bottleneck problems encountered by the distributed applications due to the limited available networking bandwidth. The HPNCS may be used by distributed applications that need to access dedicated high performance network connection resources, such as DCN circuits, on an as-needed basis without over consuming expensive network resources.01-26-2012
20130014208CHAINING INFORMATION CARD SELECTORS - A machine includes card stores to store information cards. For each card store, one or more card selectors can be provided. When performing a transaction involving information cards, a generic card selector, using a selector policy engine, can identify a card selector to use for the transaction. The identified card selector can be used to identify an information card in a card store to use in performing the transaction, which can be used to provide a security token to the relying party.01-10-2013
20120023546DOMAIN-BASED SECURITY POLICIES - An example network system includes a plurality of endpoint computing resources, a business policy graph of a network that includes a set of the plurality of endpoint computing resources configured as a security domain, a set of policy enforcement points ("PEPs") configured to enforce network policies, and a network management module ("NMM"). The NMM is configured to receive an indication of a set of network policies to apply to the security domain, automatically determine a subset of PEPs of the set of PEPs that are required to enforce the set of network policies based on physical network topology information readable by the NMM that includes information about the location of the endpoint computing resources and the set of PEPs within the network, and apply the network policies to the subset of PEPs in order to enforce the network policies against the set of endpoint computing resources of the security domain.01-26-2012
20130014207POLICY-BASED AUDITING OF IDENTITY CREDENTIAL DISCLOSURE BY A SECURE TOKEN SERVICE - A user defines an audit policy. The audit policy identifies one or more triggers that, when related information is included in a security token, trigger the performance of the audit. The audit can include notifying the user in some manner that the trigger occurred. The audit can require in-line confirmation of the audit, so that the security token is not transmitted until the user confirms the audit.01-10-2013
20090125972FEDERATED SINGLE SIGN-ON (F-SSO) REQUEST PROCESSING USING A TRUST CHAIN HAVING A CUSTOM MODULE - Federated single sign on (F-SSO) uses a token service that fulfills requests by executing a module chain comprising a set of modules. F-SSO runtime processing is enhanced by enabling a federated entity user to define a custom module to include in the chain. The custom module includes one or more name-value pairs, wherein a given name-value pair has a value that may be validated against an entity-defined rule. The rule is determined during the processing of the custom module based on one or more invocation parameters of the module chain. In a runtime operation, F-SSO begins in response to receipt of a token. In response, the processing of the module chain that includes the custom module is initiated. During processing of the custom module, an attempt is made to validate the value of a name-value pair based on the rule. If the value of the name-value pair based on the rule can be validated, processing of the module chain continues. This approach enables finer granularity on the information that can be asserted or required as part of an F-SSO flow.05-14-2009
20120060198METHOD AND SYSTEM FOR GENERATING METRICS REPRESENTATIVE OF POLICY AND CHARGING CONTROL RULES - The present invention relates to a method and a system for generating metrics representative of Policy and Charging Control rules. The method and system analyze, at a PCC rules analyzer, a Policy and Charging Control rule, to define at least one metric representative of the Policy and Charging Control rule. Then, the method and system transmit the at least one metric representative of the Policy and Charging Control rule, from the PCC rules analyzer to an analytic system. The method and system receive, at the analytic system, information representative of IP data traffic occurring on an IP data network; and process, at the analytic system, the information representative of the IP data traffic occurring on the IP data network, to calculate a value of the at least one metric representative of the Policy and Charging Control rule.03-08-2012
20120159565Techniques for Performing Data Loss Prevention - A technique for performing data loss prevention includes creating for a user, using a data processing system, respective permissive policies with a most permissive enforcement action for each content category of a resource. In this case, the content category includes at least two categories. The technique also includes forming, using the data processing system, a policy set based on the respective permissive policies. The technique further includes creating, using the data processing system, an effective policy from the policy set using a least permissive enforcement action. Finally, the technique includes applying, using the data processing system, the effective policy to determine whether a user action is permitted on the resource.06-21-2012
20120210388 | SYSTEM AND METHOD FOR DETECTING OR PREVENTING DATA LEAKAGE USING BEHAVIOR PROFILING - Various embodiments provide systems and methods for preventing or detecting data leakage. For example, systems and methods may prevent or detect data leakage by profiling the behavior of computer users, computer programs, or computer systems. Systems and methods may use a behavior model in monitoring or verifying computer activity executed by a particular computer user, group of computer users, computer program, group of computer programs, computer system, or group of computer systems, and detect or prevent the computer activity when such computer activity deviates from standard behavior. Depending on the embodiment, standard behavior may be established on past computer activity executed by the computer user, or past computer activity executed by a group of computer users. | 08-16-2012
20120210387 | Airport Security System - A method, apparatus, and system for managing network security at an airport. A threat level for the airport is identified. In response to identifying the threat level, a number of policies for a network data processing system at the airport is identified based on that threat level. Enforcement of the number of policies is initiated in the network data processing system. | 08-16-2012
20110072489 | METHODS, DEVICES, AND MEDIA FOR SECURELY UTILIZING A NON-SECURED, DISTRIBUTED, VIRTUALIZED NETWORK RESOURCE WITH APPLICATIONS TO CLOUD-COMPUTING SECURITY AND MANAGEMENT - The present invention discloses methods, devices, and media for securely utilizing a non-secured, distributed, virtualized network resource with applications to cloud-computing security and management. Methods including the steps of: receiving, by a deployed security mechanism, a user request over a network; parsing the user request by the deployed security mechanism; preparing, including applying security measures, the user request to transmit to a computing-service resource; and submitting, by the deployed security mechanism, the user request to the computing-service resource. Methods further including the steps of: dividing an original data stream into a set of split data streams; applying a first invertible transformation function to the split data streams, which produces an intermediate set of data streams; and extracting a final set of data streams from the intermediate set by applying a selection rule which produces the final set, thereby transforming the original data stream into individually-unintelligible parts. | 03-24-2011
20120072970 | CHAINING INFORMATION CARD SELECTORS - A machine includes card stores to store information cards. For each card store, one or more card selectors can be provided. When performing a transaction involving information cards, a generic card selector, using a selector policy engine, can identify a card selector to use for the transaction. The identified card selector can be used to identify an information card in a card store to use in performing the transaction, which can be used to provide a security token to the relying party. | 03-22-2012
20120072969 | DETERMINING A SENSITIVITY LABEL OF DOCUMENT INFORMATION IN REAL TIME - A sensitivity label for document information in a document may be determined in real time, according to one embodiment, by flexibly and dynamically determining a sensitivity label for the document based on content included in information within the document. Information within a document varies from day to day; for example, document information may decrease in importance with time, increase in importance due to an event, etc. Therefore, the sensitivity label of the document, according to embodiments described herein, may also change dynamically in accordance with document content, information, etc. | 03-22-2012
20120072968 | ASSESSMENT AND ANALYSIS OF SOFTWARE SECURITY FLAWS IN VIRTUAL MACHINES - Security analysis and vulnerability testing results are “packaged” or “bound to” the actual software they describe. By linking the results to the software itself, downstream users of the software can access information about the software, make informed decisions about implementation of the software, and analyze the security risk across an entire system by accessing all (or most) of the reports associated with the executables running on the system and summarizing the risks identified in the reports. | 03-22-2012
20120110632 | METHOD AND APPARATUS FOR PROVIDING DISTRIBUTED POLICY MANAGEMENT - An approach is provided for distributed policy management and enforcement. A policy manager determines one or more domains of an information system. The one or more domains are associated at least in part with respective subsets of one or more resources of the information system. The policy manager also determines one or more respective access policies local to the one or more domains. The one or more respective access policies are configured to enable a determination at least in part of access to the respective subsets, the one or more resources, or a combination thereof. At least one of the one or more respective access policies is configured to operate independently of other ones of the one or more respective schemas. | 05-03-2012
20110093915 | METHOD OF SECURING A CHANGING SCENE, CORRESPONDING DEVICE, SIGNAL AND COMPUTER PROGRAM, METHOD OF UPDATING A CHANGING SCENE, CORRESPONDING DEVICE AND COMPUTER PROGRAM - The invention relates to a method of securing a changing scene composed of at least one element and intended to be played back on a terminal. According to the invention, such a method comprises the following steps: creation ( | 04-21-2011
20110083159 | SYSTEM AND METHOD FOR ROLE DISCOVERY - According to one embodiment, a method for role determination includes detecting access to sensitive data and determining user information related to the access to sensitive data in response to detecting the access to sensitive data. The method also includes modifying at least one role in response to determining the user information related to the access to sensitive data. In addition, the method includes storing the modified at least one role. | 04-07-2011
20130174218 | SECURITY POLICY ENFORCEMENT SYSTEM AND SECURITY POLICY ENFORCEMENT METHOD - An object of the present invention is to distribute a processing load of security measures and enforce a security policy to be applicable to a large system. Policy information indicating a security measure to be executed on user information transmitted from a client to a server is stored in a policy storing section. Measure arrangement information indicating the security measure executable in each of a plurality of policy enforcement sections is stored in a measure-arrangement storing section. Among the plurality of policy enforcement sections, one or more of the policy enforcement sections that execute the security measure on the user information are selected on the basis of the policy information and the measure arrangement information. Each of the one or more policy enforcement sections executes the security measure on the user information and outputs, on the basis of a selection result, the user information to the other policy enforcement sections among the one or more policy enforcement sections or to the server. | 07-04-2013
20080320548 | PROXY-BASED MALWARE SCAN - A system that employs out-of-process (‘out-of-proc’) architectures with respect to malware scanning related to network services applications is provided. The ‘out-of-proc’ malware (e.g., virus) scanning is employed in connection with a web conferencing server. This architecture enables more versatile options related to scanning, for example, selective bypass in a crisis situation. | 12-25-2008
20110107391 | METHODS AND DEVICES FOR IMPLEMENTING NETWORK POLICY MECHANISMS - Embodiments of the invention provide a network device for implementing a host-based network policy mechanism, having a port for receiving packets wherein each packet identifies a host and a destination, and a processing engine configured to inspect packets received on the port, wherein if at least one of the packets matches a predetermined pattern, a rule regulating packet transmission originating from the host is defined and applied against subsequent packets received on the port. | 05-05-2011
20120151556 | METHOD AND APPARATUS FOR DIGITAL RIGHTS MANAGEMENT POLICIES - Method and apparatus are described wherein, in one example embodiment, there is provided one or more policy templates that may define a set of policy permissions or other attributes that may be desirable to specify in a policy. One or more policy templates may be specified in a user interface of a policy creation and maintenance program that may run on the policy server and/or run on a workstation computer. Each policy template specified by a user may include permissions for how a user may access and use a document. The maintenance program may, in one embodiment, associate both templates to a policy used for a specific unit of digital content, or, for example, an electronic document. The permissions for the policy are determined by aggregating the permissions associated with each respective template chosen by the user. According to another example embodiment, a user selects a policy template and defines one or more additional permissions to form an augmented policy. | 06-14-2012
20120151554 | SECURITY ACCESS CONTROL METHOD AND SYSTEM FOR WIRED LOCAL AREA NETWORK - The present invention relates to a security access control method and system for a wired local area network. The method includes the following steps: 1) a requester (REQ) negotiates the security policy with an authentication access controller (AAC); 2) the requester (REQ) and the authentication access controller (AAC) authenticate the identity; 3) the requester (REQ) negotiates the key with the authentication access controller (AAC). The direct identity authentication between the user and the network access control device is realized by the present invention; the negotiation and the dynamic update of the session key for the link layer data protection are realized; a variety of network architectures such as the enterprise network and the telecommunication network are supported; the scalability is good, and multiple authentication methods are supported; authentication protocols with different security levels are supported, and the requirements of the various subscribers are satisfied; the sub-modules of the protocol are independent, flexible, and easy to be accepted or rejected. | 06-14-2012
20120151553 | SYSTEM, METHOD, AND APPARATUS FOR DATA COGNITION INCORPORATING AUTONOMOUS SECURITY PROTECTION - A method, apparatus and computer readable medium for data cognition incorporating autonomous security protection including, a data file stored on a storage medium, and having stored instructions for an embedded autonomous executable program which is executed each time there is an attempt to access, control, or manipulate the file, a processor for executing the program, an output device for communicating to a user, where communication is based on the result of executing the program in relation to parameters required for the data file by a data file original creator, and an input device for receiving a response to the communication. The method, apparatus, and computer readable medium autonomously monitor for a state change and analyze the current user to determine if an instantiation should exist. If affirmed, a cognition engine automatically configures a computational environment in which it resides. If denied, environmental behavior is further analyzed for security problems. | 06-14-2012
20120151555 | A SCALABLE FIREWALL POLICY MANAGEMENT PLATFORM - Securing large networks having heterogeneous computing resources including provision of multiple services both to clients within and outside of the network, multiple sites, security zones, and other characteristics is provided using access control functionality implemented at hosts within the network. The access control functionality includes respective access control policies for indicating to each host from which other computers it can accept connections. Content of the access control policies can be determined based on application data flow needs, and can draw information from databases including DNS and security zone information for hosts to which the access control policies will be applied. Access control policies can be formatted automatically for different hosts with different characteristics from the same base logical rule set. Other aspects include using more permissive and/or access control rules provided on network equipment to block known bad data, while providing host-based access control focused on application data flow. | 06-14-2012
20120151552 | DOMAIN-BASED ISOLATION AND ACCESS CONTROL ON DYNAMIC OBJECTS - A technique for performing domain-based access control for granular isolation on a data processing system includes assigning, using the data processing system, one or more first domain tags to a dynamic object that is created by a first process that is executing on the data processing system. The technique also includes assigning, using the data processing system, one or more second domain tags to a second process that is executing on the data processing system. The first and second domain tags are evaluated, using the data processing system, according to one or more enforced rules to determine whether to grant or deny the second process access to data associated with the dynamic object. | 06-14-2012
20120151551 | Method and apparatus for associating data loss protection (DLP) policies with endpoints - A method of policy management in a Data Loss Prevention (DLP) system uses a policy model that associates a user with one or more DLP endpoints. When an endpoint is added to the system, a set of policies for that endpoint are determined using an identity of the user that is associated with the endpoint and a list of roles or groups for that user. At policy distribution time, the method determines a set of endpoints to which the policy is to be distributed. | 06-14-2012
20100095349 | Approach for Managing Access to Electronic Documents on Network Devices Using Document Retention Policies and Document Security Policies - An approach for managing access to electronic documents uses document retention and document security policies. In response to detecting a request to access a particular electronic document stored on a network device, a document retention policy and a document security policy are applied to the particular electronic document. If, based upon application of the document retention policy to the particular electronic document, a determination is made that the particular electronic document is to be deleted, then the particular electronic document is deleted from the network device. If, based upon application of the document security policy to the particular electronic document, a determination is made that access to the particular electronic document should be denied, then access to the particular electronic document is denied. Retention policy audits, automatic or manual loading or auto-destruction code and self-extracting and executable data may also be used to enforce document retention and document security policies. | 04-15-2010
20100095348 | SYSTEM AND METHOD FOR MANAGEMENT AND TRANSLATION OF TECHNICAL SECURITY POLICIES AND CONFIGURATIONS - A system and method for translating information of a source policy configuration into a universal data type useable with a target policy configuration. The disclosed system and method provide comprehensive and highly automated translation of security policies and configurations into a normalized format, thereby enabling management and transformation of information across various types of technologies. The normalized data format is utilized to output data into different formats or data types. | 04-15-2010
20110099604 | ACCESS CONTROL METHOD AND SYSTEM FOR PACKET DATA NETWORK, PCRF ENTITY - An access control method and system for a packet data network, and a Policy and Charging Rules Function (PCRF) entity. The method includes: a policy and charging rules function entity receiving an indication of gateway control session establishment from a bearer binding and event report function entity, wherein the indication of gateway control session establishment carries a session identifier, and the session identifier is used to identify whether a user equipment accesses the same packet data network again or the bearer binding and event report function entity relocation occurs; the policy and charging rules function entity receiving the indication of gateway control session establishment, acquiring the session identifier, and judging whether the user equipment accesses the same packet data network again or the bearer binding and event report function entity relocation occurs according to the session identifier. | 04-28-2011
20110099603 | POLICY CONFIGURATION AND SIMULATION - Techniques for policy configuration and simulation are presented. A graphical user interface (GUI) permits a user to visualize network resources and their relationships to one another. The user can select a resource and receive another view within the GUI to see policies for that resource and relationships between the policies. The user can also select a particular policy and alter its configuration. The altered configuration can then be simulated within the network and the results presented back to the user within the GUI. | 04-28-2011
20110099602 | System and method for implementing adaptive security zones - A system for managing adaptive security zones in complex business operations is disclosed, comprising a rules engine adapted to receive events from a plurality of event sources and a security manager coupled to the rules engine via a data network, wherein upon receiving an event, the rules engine determines what rules, if any, are triggered by the event and, upon triggering a rule, the rules engine determines if the rule pertains to security and, if so, sends a notification message to the security manager informing it of the triggered event, and wherein the security manager, on receiving a notification message from the rules engine, automatically establishes a new security zone based at least in part on the contents of the notification message. | 04-28-2011
20120124642 | APPARATUS AND METHOD FOR SELECTIVELY DECRYPTING AND TRANSMITTING DRM CONTENTS - Provided are an apparatus and method for selectively decrypting and transmitting DRM contents. A policy storing unit stores information on devices allowed for decryption of contents. A policy processing unit determines whether a target device, to which an encrypted content is transmitted, is a device allowed for decryption based on the information stored in the policy storing unit. A decryption unit decrypts the encrypted content. And a control unit controls the decryption unit to decrypt the encrypted content when the target device is the device allowed for decryption. | 05-17-2012
20120124641 | METHODS RELATED TO NETWORK ACCESS REDIRECTION AND CONTROL AND DEVICES AND SYSTEMS UTILIZING SUCH METHODS - In illustrative embodiments, methods in accordance with the present invention utilize a thin kernel module operating in the kernel space of an operating system to redirect all TCP flows to user space for application analysis and processing. Redirected data is presented to the user space application as a data stream, allowing the processing of information contained within the data stream from the user space on a mobile device. This allows the user space application to inspect and take action on incoming data before allowing the data to continue to pass through the device. This enables parental controls, firewalls, real-time anti-virus scanning, tethering/hot-spot, bandwidth optimization, and similar programs to effectively operate across different mobile devices as user downloadable/actuatable applications. | 05-17-2012
20120124640 | DATA SOURCE BASED APPLICATION SANDBOXING - A computing device and a method for a computing device to control access to data stored on a data store of the device. An access component of the device has control over access to the data. The access component is operative to receive a request for data from a requesting component, identify an assigned access domain of the requesting component and an assigned data domain of the requested data, and determine whether the requesting component is authorized to access the data by comparing the assigned access domain and the data domain with permissions specified in a security policy. If the assigned access domain is authorized to access the data domain, the access component may provide access to the requested data. | 05-17-2012
20120124638 | SYNDICATION INCLUDING MELODY RECOGNITION AND OPT OUT - A syndication system facilitates rights management services between media content owners and media hosting services that elect to participate in the syndication system and mutually elect to participate with each other. The syndication system utilizes a content recognition system to identify hosted media content and ownership rights associated with the hosted content. By applying melody recognition, the content recognition system can identify compositions embodied in hosted media content even when these compositions do not precisely match any known sound recording. Thus, the content recognition system is beneficially able to detect, for example, recorded cover performances and recorded live performances embodied in hosted media content. Once identified, ownership information is determined and the syndication system can facilitate rights management policies associated with the content such as monetizing or blocking the protected content. | 05-17-2012
20120124637 | SECURE ACCESS TO HEALTHCARE INFORMATION - A system and method for providing or exchanging healthcare information (e.g., medical information) to authorized users in a secure manner. The method is implemented in a computer infrastructure having computer executable code tangibly embodied on a computer readable storage medium having programming instructions operable to: assign identification information to a plurality of users and a plurality of items; associate the identification information of a user of the plurality of users with one or more items of the plurality of items; set up security policies including predetermined locations, within predetermined stages within a sequence and during predetermined times; and provide the user access to the one or more items when there is a matching between the identification information of the user and the one or more items, and all of the security policies associated with the user and the one or more of the plurality of items are met. | 05-17-2012
20090133098 | SERVICE MANAGEMENT SYSTEM AND METHOD OF EXECUTING A POLICY - A service management system and a method of executing a policy. In one embodiment, the service management system includes: (1) a repository configured to contain device, system, subscriber and service descriptions that define services in terms of a set of systems and devices that assume roles based on at least one of capabilities and attributes thereof and (2) a policy engine coupled to the repository and configured to employ the repository to identify end points relevant to a policy, identify services in which any of the end points play a role, identify subscribers having an identified device of the end points and a subscription to an identified service and cause the policy to be executed with respect to identified devices of identified subscribers and identified systems. | 05-21-2009
20090133096 | MICRO AND MACRO TRUST IN A DECENTRALIZED ENVIRONMENT - A method and system are disclosed. In one embodiment the method includes calculating a trust level of a first entity. The first entity has a plurality of components. Each component in the first entity has at least the trust level of the first entity. | 05-21-2009
20120124639 | VALIDATION OF CONSISTENCY AND COMPLETENESS OF ACCESS CONTROL POLICY SETS - Consistency and/or completeness of access control policy sets may be validated and/or verified. An access control policy set may be received. The access control policy set may include access control policies that allow or disallow access to computing resources. Individual ones of the access control policies may include one or more attributes. The one or more attributes of a given access control policy may be ordered into a predetermined order responsive to the one or more attributes of the given access control policy lacking the predetermined order. A decision tree may be generated based on the access control policies. The decision tree may be analyzed to determine one or more of (1) whether one or more of the access control policies are incomplete, or (2) whether one or more of the access control policies are inconsistent with one or more other ones of the access control policies. | 05-17-2012
20120124643 | Systems and Methods for Analyzing Application Security Policies - A system and method for analyzing application security policies is provided. One or more application security policies are retrieved. An optimized policy is then generated utilizing the one or more application security policies. One or more queries related to the one or more application security policies are received. The one or more queries are decomposed. The one or more decomposed queries are then processed utilizing the optimized policy. | 05-17-2012
20120167168 | Method and System for Authentication Event Security Policy Generation - A method and system allows for the deployment of security policies into the higher layers of the OSI model. Specifically, it allows for the establishment of security policies at layer 4 and higher, by monitoring authentication flows and using these flows as the basis for establishing security policies which then can be used as a basis for assessing the operation of the network. | 06-28-2012
20120167167 | ENABLING GRANULAR DISCRETIONARY ACCESS CONTROL FOR DATA STORED IN A CLOUD COMPUTING ENVIRONMENT - Enabling discretionary data access control in a cloud computing environment can begin with the obtainment of a data request and response message by an access manager service. The response message can be generated by a data storage service in response to the data request. The access manager service can identify owner-specified access rules and/or access exceptions applicable to the data request. An access response can be determined using the applicable owner-specified access rules and/or access exceptions. Both the response message and the access response can indicate the allowance or denial of access to the requested data artifact. The access response can be compared to the response message. If the access response does not match the response message, the response message can be overridden to express the access response. If the access response matches the response message, the response message can be conveyed to the originating entity of the data request. | 06-28-2012
20120167166 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR ENABLING COMMUNICATION BETWEEN SECURITY SYSTEMS - A system, method, and computer program product are provided for enabling communication between security systems. In use, a first communication protocol of a first security system and a second communication protocol of a second security system are identified, where the first communication protocol and the second communication protocol are different such that the first security system and the second security system are incapable of communicating therebetween. Further, the first security system is updated with a first security definition and/or the second security system is updated with a second security definition for enabling communication between the first security system and the second security system. | 06-28-2012
20120167165 | LAWFUL INTERCEPTION TARGET APPARATUS, LAWFUL INTERCEPTION APPARATUS, LAWFUL INTERCEPTION SYSTEM AND LAWFUL INTERCEPTION METHOD - A lawful interception apparatus, a lawful interception target apparatus and a lawful interception system are provided. If a lawful interception target apparatus accesses a new communication network which has no lawful interception authority, the lawful interception apparatus receives intercept activation information from the lawful interception target apparatus through a communication network which has a lawful interception authority. The lawful interception apparatus performs seamless lawful interception on the lawful interception target apparatus by use of the received intercept activation information. | 06-28-2012
20120167162 | SECURITY, FRAUD DETECTION, AND FRAUD MITIGATION IN DEVICE-ASSISTED SERVICES SYSTEMS - Secure architectures and methods for improving the security of mobile devices are disclosed. Also disclosed are apparatuses and methods to detect and mitigate fraud in device-assisted services implementations. | 06-28-2012
20120167161 | APPARATUS AND METHOD FOR CONTROLLING SECURITY CONDITION OF GLOBAL NETWORK - An apparatus for controlling a security condition of a global network includes: an information collection and blocking agent configured to detect a suspicious malicious code, generate security condition information from the detected malicious code, and block the malicious code based on security policy information; and a global security information analysis and control server configured to generate the security policy information by analyzing the security condition information generated by the information collection and blocking agent and provide the generated security policy information to the information collection and blocking agent to prevent the malicious code from spreading. | 06-28-2012
20120317611 | DYNAMICALLY DEFINING RULES FOR NETWORK ACCESS - Methods are provided for dynamically defining network access control rules. A placeholder for a parameter of an interface to an endpoint such as a data processing system or virtual machine may be provided in a network access control rule, instead of a static parameter. The parameter may be dynamically determined, by a firewall or a hypervisor for example, and the placeholder may be replaced with the dynamically determined parameter. | 12-13-2012
20110126262 | SPECIFYING A SET OF FORBIDDEN PASSWORDS - Various embodiments are described for providing password approval on a device. The password approval includes getting the user password, generating at least one symbolically equivalent password and then comparing the at least one symbolically equivalent password with at least one specified forbidden password. The user password is disapproved if one of the symbolically equivalent passwords corresponds to the at least one forbidden password. | 05-26-2011
20120222084 | Virtual Security Zones for Data Processing Environments - A method, apparatus, and computer program product for providing security and network isolation for service instances comprising data processing resources provided as a service by a provider of data processing resources. Individual service instances may be associated as members of one or more security zones. The security zones comprise security policies that define access of each service instance that is a member of a security zone. | 08-30-2012
20120222083 | METHOD AND APPARATUS FOR ENFORCING DATA PRIVACY - An approach for maintaining user privacy information is described. A privacy management platform determines a request, from one or more applications, for access to local data associated with a device. The platform then determines and processes one or more privacy profile objects associated with the local data to determine one or more privacy policies associated with the local data, the device, or a combination thereof. Enforcement of the one or more privacy policies is then caused for granting access to the local data. | 08-30-2012
20120222087 | APPLICATION BASED INTRUSION DETECTION - Intrusion detection is performed by communicating an initialization request from an intrusion detection system enabled application to an intrusion module to begin intrusion detection. Also, a request is communicated to a policy transfer agent to provide an intrusion detection system policy specifically configured for the application. The application identifies where in the application code the intrusion detection system policy is to be checked against an incoming or outgoing communication. Information obtained by the application program is selectively evaluated against information in the intrusion detection system policy. A conditional response is made based upon information in the intrusion detection system policy if an intrusion associated with the application program is detected. | 08-30-2012
20120222085METHOD AND SYSTEM FOR TRUSTED CONTEXTUAL COMMUNICATIONS - A method, system and apparatus for allowing media context sensitive SIP signaling exchange and call establishment while denying or challenging any other session description protocol extension dialogs which might not be desired by a user. User client media policy preferences are defined, the user media policy preferences establishing the parameters for evaluating a media session request received by a user client. The user client media policy preferences are provided to a policy enforcement point device, the policy enforcement point device evaluating the media session request received by the user client and applying the user client media policy preferences to the media session request. A user client portal is utilized to gain access to a media policy database, the media policy database providing storage for user client media policy preferences.08-30-2012
20120317609METHODS AND DEVICES FOR CONTROLLING ACCESS TO A COMPUTING RESOURCE BY APPLICATIONS EXECUTABLE ON A COMPUTING DEVICE - Methods and devices for controlling access to a computing resource by applications executable on a computing device are described herein. In one example embodiment, the method comprises: identifying an application category with which one or more applications executable on the computing device is associated; providing one or more rules that specify whether the one or more applications associated with the application category are permitted to access the computing resource on the computing device; and transmitting a security policy comprising the one or more rules to the computing device; wherein when the security policy is enforced at the computing device, access to the computing resource by the one or more applications executable on the computing device that are associated with the application category is controlled by the one or more rules.12-13-2012
20120317612ELECTRONIC APPARATUS AND METHOD OF CONTROLLING THE SAME - In an electronic apparatus of this invention, after a security function is canceled, it is determined whether the elapsed time from cancellation of the security function to detection of attachment of a device having a security function of security level higher than that of the canceled security function or the elapsed time until the operation of the attached device is enabled has exceeded a predetermined time. Upon determining that the elapsed time has exceeded the predetermined time, the electronic apparatus enables the canceled security function again.12-13-2012
20120317610DYNAMICALLY DEFINING NETWORK ACCESS RULES - Systems and computer program products are provided for dynamically defining network access control rules. A placeholder for a parameter of an interface to an endpoint such as a data processing system or virtual machine may be provided in a network access control rule, instead of a static parameter. The parameter may be dynamically determined, by a firewall or a hypervisor for example, and the placeholder may be replaced with the dynamically determined parameter.12-13-2012
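A rule that carries a placeholder instead of a static address has to be rendered with the endpoint's actual parameters before it can be matched against traffic, and it must fail closed if a parameter is unknown. The example below is added for this page and is not the patent's own code; the rule format, the `$vm_ip` placeholder name and the sample addresses are constructed assumptions. It renders the templates for a VM, evaluates packets first-match against the result, and shows the same templates re-rendering after the VM receives a different address.

```python
import ipaddress
from string import Template

# Constructed rule set: "$vm_ip" stands in for an endpoint parameter that is
# only known at enforcement time (for instance, once a hypervisor assigns the
# VM an address); the other fields are ordinary static parameters.
RULE_TEMPLATES = [
    {"action": "allow", "src": "$vm_ip",      "dst": "10.0.0.5/32", "dport": 5432},
    {"action": "allow", "src": "10.0.0.0/24", "dst": "$vm_ip",      "dport": 22},
    {"action": "deny",  "src": "0.0.0.0/0",   "dst": "$vm_ip",      "dport": "any"},
]


def render_rules(templates, params):
    """Replace every placeholder with the dynamically determined parameter.

    Raises KeyError when a placeholder has no value, so a rule can never be
    installed wider than intended because a parameter was missing."""
    rendered = []
    for rule in templates:
        concrete = {}
        for key, value in rule.items():
            if isinstance(value, str):
                value = Template(value).substitute(params)
                if key in ("src", "dst") and "/" not in value:
                    value = value + "/32"   # a single host address becomes a /32 network
            concrete[key] = value
        rendered.append(concrete)
    return rendered


def first_match(rules, src, dst, dport):
    """First-match evaluation over rendered rules; default deny."""
    for rule in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
                and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])
                and rule["dport"] in ("any", dport)):
            return rule["action"]
    return "deny"


def decide(vm_params, src, dst, dport):
    """Render the templates for this endpoint's current parameters, then match."""
    return first_match(render_rules(RULE_TEMPLATES, vm_params), src, dst, dport)
```

Rendering at enforcement time is what lets the same policy follow a VM across migrations or re-addressing; the `KeyError` on an unresolved placeholder is deliberate, because a firewall that silently left `$vm_ip` unexpanded or substituted an empty string would either drop the rule or match nothing predictable.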
20120317613NETWORK APPARATUS BASED ON CONTENT NAME AND METHOD FOR PROTECTING CONTENT - A content protection method includes generating content protection information regarding a content to be protected by a content producer, and generating a content name indicating a location of the content in content name based networks based on the content protection information. The content protection information may include at least one of marking information indicating whether the content is protected and policy information indicating a disclosure range of the content.12-13-2012
20120317614INDEPENDENT ROLE BASED AUTHORIZATION IN BOUNDARY INTERFACE ELEMENTS - Boundary interfaces for communications networks are disclosed. An example method includes configuring, with a processor, a first policy for a first network interface of a computing device in response to an input from a first network administrator of a first network; configuring, with the processor, a second policy for a second network interface of the computing device in response to an input from a second network administrator of a second network, the second network administrator being different than the first network administrator; displaying the second policy to the first network administrator; and displaying the first policy to the second network administrator.12-13-2012
20120131637Systems and Methods of Controlling Network Access - A new approach to network security includes manipulating an access point such that an initial communication from an external device is passed to a restricted subset of a computing network including a gatekeeper. The gatekeeper is configured to enforce a security policy against the external device before granting access to a less-restricted subset of the computing network. If requirements of the security policy are satisfied, then the gatekeeper reconfigures the access point such that further communication from the external device may be received by elements of the less-restricted subset. Enforcement of the security policy optionally includes performing a security audit of the external device.05-24-2012
20120131636Security Context Lockdown - A method and system for locking down a local machine zone associated with a network browser is provided. Placing the local machine zone in a lockdown mode provides stricter security settings that are applied to active content attempting to publish within a local page open in the network browser. The stricter settings are provided in a new set of registry keys that correspond to the lockdown mode of the local machine zone. The original security settings remain unchanged so that other system and application functionality that depends on the original security settings remains unaffected for the local machine zone. A user may also selectively allow active content to render despite the local machine zone being locked down.05-24-2012
20120131634METHOD OF EXECUTING AN APPLICATION EMBEDDED IN A PORTABLE ELECTRONIC DEVICE - The invention is a method of executing an application embedded in a portable electronic device. The application comprises one instruction handling an object. The electronic device comprises a firewall which is intended to check the compliance of the object with preset security rules. The portable electronic device comprises a volatile memory area intended to store a data set uniquely associated to the object. The data set comprises an indicator reflecting the result of the checking of the compliance of the object with the preset security rules. The method comprises the following steps before execution of the instruction, checking the presence in the volatile memory area of a data set associated to the object and comprising an indicator reflecting a successful checking of security rules, and if successful in the checking of the data set, authorizing the execution of the instruction without further security rules checking done by the firewall.05-24-2012
20120167157SYSTEMS AND METHODS FOR SECURE SOFTWARE DEVELOPMENT ENVIRONMENTS - The mock tool can be configured to create a mock execution environment for supporting software development processes. The mock execution environment is isolated from resources of the computing system supporting the mock execution environment and from other mock execution environments. Further, the mock execution environment can be created to simulate disabling any features of the operating system supporting the mock execution environment that could cause problems in the software development process.06-28-2012
20120131635METHOD AND SYSTEM FOR SECURING DATA - Disclosed is a method of supporting security policies and security levels associated with processes and applications. A security level is associated with a process independent of a user executing the process. When secure data is to be accessed, the security level of the process is evaluated to determine whether data access is to be granted. Optionally, the security level of a user of the process is also evaluated prior to providing data access.05-24-2012
20120216243ACTIVE POLICY ENFORCEMENT - A method and apparatus is provided that includes techniques for providing complete solutions for role-based, rules-driven active policy enforcement. An embodiment addresses blended risk assessment and security across logical systems, IT applications, databases, physical systems, and operational systems in the context of threat and fraud detection, risk analysis and remediation, compliance checks and continuous monitoring. Further, an embodiment provides ability to embed and enforce active policy enforcement in particular processes.08-23-2012
20120216244SYSTEM AND METHOD FOR APPLICATION ATTESTATION - An instrumented machine or platform having a target application thereon is disclosed. An attestation service may generate an application artifact having associated therewith a name and an application statement having at least one of a plurality of attribute value assertions describing the examined runtime local execution and introspection based derived security context. The application statements may represent the level of contextual trustworthiness, at near real time, of a running application on the instrumented target platform. A runtime process and network monitor may examine the local runtime execution context of the target application, and an identity provider may authenticate a user to the web application based on a web services query for attestation of the target application. A physical or logical authorization service may control access of an authenticated user to the target application, based on a dynamic application statement and multi-factor application attestation issued by the attestation service.08-23-2012
20120216242Systems and Methods for Enhanced Security in Wireless Communication - A communication system having a policy server coupled to a communications network for managing secure communication with and among end instruments (EI). The EI comprises a memory, and a processor coupled to the memory with processor-executable instructions, including instructions for an operating system kernel; and instructions for a protection core that monitors operations of the operating system kernel in accordance with a security policy for the EI. Security policies can intercept calls to an operating system kernel and for each call, determining whether the call is allowed under the security policy(ies). Policies are stored in a policy library and transmitted to an EI over a wireless communication network.08-23-2012
20120216241METHODS, CIRCUITS, APPARATUS, SYSTEMS AND ASSOCIATED SOFTWARE APPLICATIONS FOR PROVIDING SECURITY ON ONE OR MORE SERVERS, INCLUDING VIRTUAL SERVERS - Disclosed are methods, circuits, apparatus, systems and associated software applications for providing security on one or more servers, including virtual servers. A server operating system may include or be otherwise functionally associated with a firewall application, which firewall application may regulate IP port access to resources on the server. A port-tending agent or application (PorTender) running on the server, or on a functionally associated computing platform, may monitor and regulate server port status (e.g. opened, closed, and conditionally opened). The PorTender may initiate and engage in communication sessions with a policy server, from which policy server the PorTender may receive port, user and security policies and/or settings.08-23-2012
20120216248ADJUSTING FILTER OR CLASSIFICATION CONTROL SETTINGS - Methods and systems for managing data communications are described. The method includes receiving a data communication; analyzing the data communication to determine a particular type of sender or recipient activity associated with the data communication based at least in part on an application of a plurality of tests to the data communication; assigning a total risk level to the data communication based at least in part on one or more risks associated with the particular type of sender or recipient activity and a tolerance for each of the one or more risks; comparing the total risk level assigned to the data communication with a maximum total acceptable level of risk; and allowing the data communication to be delivered to a recipient in response to the comparison indicating that the total risk level assigned to the data communication does not exceed the maximum total acceptable level of risk.08-23-2012
20120216249Enhanced Media Control - An enhanced mechanism for conflict resolution between authorized services in respect of selective authorization criteria, such as service incompatibilities, subscribed bandwidth QoS assigned per subscriber and pre-emption priority value assigned per service. The present invention allows the authorization of a subsequent service as a result of applying a selective authorization criterion for the subscriber at a policy control rules server to determine those previously authorized services to be put on hold, notifying about said previously authorized services to be on hold towards application devices handling such services, and inactivating at a policy enforcement device those control rules applicable to the media associated with said previously authorized services. In addition, the method as well as the policy control rules server, the application devices and the policy enforcement device may be also arranged for re-activating said previously authorized services still on hold when the reason for being on hold has ceased.08-23-2012
20120216247Access control in data processing system - A policy data structure defines predetermined authorizations, each relating to authorization of at least one user to access at least one resource, as well as dynamic access requirements. Each dynamic access requirement indicates a condition to be satisfied by a respective set of attributes associated with a user request to access a resource in order for the request to be granted in the absence of an authorization determinative of the request. If the structure does not define an authorization for a request to access a resource, it is determined whether the structure defines a dynamic access requirement determinative for the request, and if so, whether to grant the request in accordance with the respective set of attributes associated with the request. For at least one request, after determining whether to grant the request, a dynamic authorization relating to authorization to access the resource within the request is added to the structure.08-23-2012
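The decision procedure in this abstract has three tiers: a static authorization for the (user, resource) pair wins outright; otherwise a dynamic access requirement for the resource is evaluated over the request's attributes; and the outcome is recorded in the structure as a dynamic authorization. The example below is an added illustration, not the patent's implementation; the attribute names and the choice to key the recorded dynamic authorization by the attribute values it was evaluated under are assumptions. That last choice matters: a grant obtained while on the corporate network should not be replayed later from a different context, so the cache is only hit when the same attributes recur.

```python
class PolicyStructure:
    """Policy data structure holding predetermined authorizations, dynamic
    access requirements keyed by resource, and the dynamic authorizations
    added after requests are decided. Added example; attribute names are
    assumptions."""

    def __init__(self):
        self.authorizations = set()          # static (user, resource) grants
        self.dynamic_requirements = {}       # resource -> predicate(attrs) -> bool
        self.dynamic_authorizations = {}     # (user, resource, attrs) -> decision

    def authorize(self, user, resource):
        """Record a predetermined authorization."""
        self.authorizations.add((user, resource))

    def require(self, resource, predicate):
        """Record a dynamic access requirement for a resource."""
        self.dynamic_requirements[resource] = predicate

    def decide(self, user, resource, attrs):
        """Return (granted, source) where source names the tier that decided."""
        if (user, resource) in self.authorizations:
            return True, "static"
        # Key the recorded decision by the attributes it was evaluated under so
        # a grant cannot be replayed from a different context.
        key = (user, resource, frozenset(attrs.items()))
        if key in self.dynamic_authorizations:
            return self.dynamic_authorizations[key], "cached"
        predicate = self.dynamic_requirements.get(resource)
        if predicate is None:
            return False, "no-rule"          # nothing determinative: default deny
        granted = bool(predicate(attrs))
        self.dynamic_authorizations[key] = granted   # add the dynamic authorization
        return granted, "dynamic"
```

In a real deployment the recorded dynamic authorizations would also need an expiry and an invalidation path when the requirement itself changes; as written they live for the lifetime of the structure.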
20120216246PARAMETRIC CONTENT CONTROL IN A NETWORK SECURITY SYSTEM - A security system provides a defense from known and unknown viruses, worms, spyware, hackers, and social engineering attacks. The system can implement centralized policies that allow an administrator to approve, block, quarantine, or log file activities. The system can provide and update a security value that causes host computers to change security levels for a number of different policies. The policies are grouped into a master set of policies and options which are propagated to the hosts from a centralized server. The security value is stored on the hosts and the server, and changes of the value on the server are propagated to the hosts.08-23-2012
20120216245METHOD AND APPARATUS FOR EDITING, FILTERING, RANKING AND APPROVING CONTENT - The system provides a method and apparatus for editing, filtering, ranking and approving content. In one embodiment, the system provides a browsing environment for children that routes all internet requests through a central server. A request to a blocked website is automatically forwarded to one of a plurality of editors who can then access the site and determine on a page or site basis as to whether the request is suitable for the browsing environment. The system includes a workflow management system that determines which of the plurality of editors will be assigned a link to review. Approved content is categorized by the age and gender of the users of the content. The approved content is also categorized as a resource or reference to assist in accomplishing homework assignments. Parents can receive updates and can manage the content remotely.08-23-2012
20100205651SECURITY OPERATION MANAGEMENT SYSTEM, SECURITY OPERATION MANAGEMENT METHOD, AND SECURITY OPERATION MANAGEMENT PROGRAM - Provided is a security management system for managing the security of a managed system including during operation of the managed system, the security management system comprising: state changing means for determining a state that satisfies a state rule, which defines a desired state of the managed system, as a target state if the state of the managed system does not satisfy the state rule; and action determining means for determining a predetermined process, which is for changing the difference between the state of the managed system when the target state is determined and the target state, as a countermeasure that needs to be carried out in the state of the managed system when the target state is determined.08-12-2010
20100205650METHOD OF PERFORMING SOFTWARE UPDATES (INSTALLATIONS), ON NETWORKED 32/64-BIT MICROSOFT COMPUTERS IN AN AUTOMATED ENVIRONMENT WITHOUT INTRODUCING A POSSIBLE SECURITY THREAT - A method of monitoring all network communications, including a real-time analysis of intercepting all networked connections and closing those network connections, including all connections across the Internet, except for those specific connections that will function to update a networked computer with new software or updates to existing software.08-12-2010
20100205649CREDENTIAL GATHERING WITH DEFERRED INSTANTIATION - Credentials may be gathered to support an access request. In one example, a template describes the credentials to be gathered. A set of credential providers may be consulted, in a particular sequence, to provide the credentials. Credentials may contain variables, and each credential provider may impose its own constraints on the values to be assigned to the variables. Instantiation of the variables may be deferred to a downstream credential provider, thereby allowing each credential provider to specify its constraints on the variables before specific values for the variables are chosen. In one example, an instantiation fact (or “inst fact”) is used to represent the deferred instantiation. A provider may use an inst fact to make its credentials conditional on the instantiation of the variables that the credential contains, where some downstream provider may attempt to instantiate the variables to specific values.08-12-2010
20120137340IMPLICIT AUTHENTICATION - Embodiments of the present disclosure provide a method and system for implicitly authenticating a user to access controlled resources. The system first receives a request to access the controlled resource from a user. Then, the system determines whether the user request is inconsistent with regular user behavior by calculating a user behavior measure derived from historical contextual data of past user events. Next, responsive to the determined inconsistency of the user request, the system collects current contextual data of the user from one or more user devices without prompting the user to perform an explicit action for authentication. The system further updates the user behavior measure based on the collected current contextual data, and provides the updated user behavior measure to an access controller of the controlled resource to make an authentication decision based at least on the updated user behavior measure.05-31-2012
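One concrete form of the "user behavior measure derived from historical contextual data" is the empirical frequency of each contextual feature value in the user's past events, averaged over the features present in the request. The example below is added for this page and is not the patent's method; the feature set (time-of-day bucket, location, device), the averaging rule, the threshold and the constructed history are all assumptions. It shows the flow the abstract describes: an atypical request triggers silent collection of further context from the user's devices, the measure is recomputed over the enlarged context, and that updated measure is what the access controller decides on.

```python
from collections import Counter

FEATURES = ("hour_bucket", "location", "device")   # assumed contextual features


def hour_bucket(hour):
    """Coarse time-of-day feature (bucketing is an assumption of this example)."""
    return "night" if hour < 6 or hour >= 22 else "day"


class BehaviorModel:
    """User behaviour measure derived from historical contextual data.

    Each feature value's occurrences are counted; the measure of a request is
    the mean empirical frequency of the feature values the request carries,
    so 1.0 is a perfectly typical context and 0.0 a never-seen one."""

    def __init__(self, history):
        self.counts = {f: Counter() for f in FEATURES}
        self.n = 0
        for event in history:
            self.observe(event)

    def observe(self, event):
        for f in FEATURES:
            self.counts[f][event[f]] += 1
        self.n += 1

    def measure(self, context):
        present = [f for f in FEATURES if f in context]
        if self.n == 0 or not present:
            return 0.0
        return sum(self.counts[f][context[f]] / self.n for f in present) / len(present)


def implicit_authenticate(model, request_context, collect_current, threshold=0.3):
    """Return (allow, measure) for the access controller.

    A request consistent with regular behaviour passes without collecting
    anything further. Otherwise `collect_current()` (a stand-in for pulling
    signals from the user's devices, with no prompt to the user) enlarges the
    context, the measure is recomputed, and the updated value is returned."""
    m = model.measure(request_context)
    if m >= threshold:
        return True, m
    context = dict(request_context)
    context.update(collect_current())
    m = model.measure(context)
    allow = m >= threshold
    if allow and all(f in context for f in FEATURES):
        model.observe(context)   # complete, accepted events extend the history
    return allow, m
```

A frequency average is deliberately simple: it treats features as independent and is easy to game by an attacker who can reproduce one strong feature (for instance, a stolen device). A production measure would weight features and look at joint occurrences; the structure of the decision flow stays the same.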
20120137342MALICIOUS CODE INFECTION CAUSE-AND-EFFECT ANALYSIS - A malware analysis system for automating cause and effect analysis of malware infections is provided. The malware analysis system monitors and records computer system activities. Upon being informed of a suspected malware infection, the malware analysis system creates a time-bounded snapshot of the monitored activities that were conducted within a time frame prior to the notification of the suspected malware infection. The malware analysis system may also create a time-bounded snapshot of the monitored activities that are conducted within a time frame subsequent to the notification of the suspected malware infection. The malware analysis system provides the created snapshot or snapshots for further analysis.05-31-2012
20110185395COMPUTER READABLE MEDIUM FOR ACCESS RIGHT MANAGEMENT, ACCESS RIGHT MANAGEMENT APPARATUS AND DATA PROCESSING SYSTEM - A non-transitory computer readable medium for an access right management includes: reading correspondence information from a storage unit for storing correspondence information indicating the correspondence between (i) a unique access right of an access right in a data management unit for managing electronic data and the access right to the electronic data and (ii) a common access right of an access right in an interface providing unit intervening between an operation main body for giving an operation command to the electronic data and the data management unit; accepting a setting request for requesting setting of the common access right; and determining whether or not the setting request of the common access right accepted by the accepting is a non-match request.07-28-2011
20120254939SYSTEMS AND METHODS OF CONTROLLING NETWORK ACCESS - A new approach to network security includes manipulating an access point such that an initial communication from an external device is passed to a restricted subset of a computing network including a gatekeeper. The gatekeeper is configured to enforce a security policy against the external device before granting access to a less-restricted subset of the computing network. If requirements of the security policy are satisfied, then the gatekeeper reconfigures the access point such that further communication from the external device may be received by elements of the less-restricted subset. Enforcement of the security policy optionally includes performing a security audit of the external device.10-04-2012
20120254936APPARATUS AND METHOD FOR SECURITY AND NETWORK MANAGEMENT BASED ON FLOW - There are provided an apparatus and method for security and network management based on flows. The flow-based security and network management apparatus generates data flows from network packets, and performs network management in connection with security management based on the generated data flows. Accordingly, it is possible to maximally guarantee traffic fairness between users against attack or intrusion traffic.10-04-2012
20120137341SYSTEM AND METHOD FOR DETERMINING A SECURITY ENCODING TO BE APPLIED TO OUTGOING MESSAGES - A system and method for determining a security encoding to be applied to a message being sent by a user of a computing device. In one broad aspect, the device comprises a processor configured to: determine whether a general message encoding configuration setting indicates that when a security encoding is to be applied to a message then the security encoding is to be established by a policy engine; if the general message encoding configuration setting so indicates, query the policy engine for the security encoding to be applied to the message; otherwise, determine the security encoding to be applied to the message in accordance with a user-selected security encoding; and apply the determined security encoding to the message prior to transmission of the message to at least one recipient.05-31-2012
20100175106Systems and Methods for Performing Remote Configuration Compliance Assessment of a Networked Computer Device - The disclosed principles describe systems and methods for assessing the policy compliance of a target device, wherein the assessment is performed by a scanning computer in communication with the target device via a communication network. By employing a system or method in accordance with the disclosed principles, distinct advantages are achieved. Specifically, conducting such a remote scan allows for the scanner computer to perform a remote scan of the remote device without installing client software to the remote device. Also, conducting a compliance assessment according to the disclosed principles allows for the target device to be assessed after policy updates and changes, without requiring the target device to be re-scanned. Thus, the disclosed principles reduce the need for internal IT resources to manage the assessment and updates of client configuration settings on the target device.07-08-2010
20100175105Systems and Processes for Managing Policy Change in a Distributed Enterprise - A method for managing changes to policies in an enterprise includes receiving a systems policy change request to change a systems policy that implements a published enterprise policy, determining whether the requested systems policy change complies with the published enterprise policy, and updating the systems policy according to the requested systems policy change if the requested systems policy change complies with the published enterprise policy. A system for managing policies in an enterprise includes a policy management module configured for receiving published policies and generating corresponding systems policies having data for implementing the published policies, and a policy library storing the published policies and the systems policies.07-08-2010
20100175103REACTIVE THROTTLING OF INBOUND MESSAGES AND RANGES - A method for throttling inbound email messages in an enterprise email system including a plurality of inbound mail servers and at least one management server is provided. Policies defining message event limits for each unique sender are applied to messaging events from the unique sender at each inbound server. Feedback from each of the inbound mail servers to the management server is provided. When events from a unique sender exceed a threshold, as determined by the management server using the feedback, an alert is generated and a new, more restrictive policy for the unique sender is created. The more restrictive policy is broadcast to each of the inbound mail servers.07-08-2010
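The loop in this abstract is a distributed rate limit: each inbound server enforces a per-sender limit locally, reports its counts, and the management server tightens the limit fleet-wide once the aggregate crosses a threshold that no single server could see on its own. The following is an added example for this page, not the patent's code; the default limit, the threshold, the formula for the stricter limit and the sample sender addresses are assumptions.

```python
from collections import defaultdict

DEFAULT_LIMIT = 100   # assumed per-sender, per-server limit before any tightening


class InboundServer:
    """One inbound mail server: counts message events per unique sender and
    enforces the per-sender limit from its current policy."""

    def __init__(self, name):
        self.name = name
        self.counts = defaultdict(int)   # sender -> events seen in this window
        self.limits = {}                 # sender -> limit installed by a broadcast policy

    def receive(self, sender):
        """Return True if the event is accepted, False if throttled."""
        limit = self.limits.get(sender, DEFAULT_LIMIT)
        if self.counts[sender] >= limit:
            return False
        self.counts[sender] += 1
        return True

    def feedback(self):
        """Per-sender counts reported to the management server."""
        return dict(self.counts)

    def new_window(self):
        """Start a new counting window; installed limits stay in force."""
        self.counts.clear()


class ManagementServer:
    """Aggregates feedback from all inbound servers; when a sender's fleet-wide
    total exceeds the threshold it raises an alert and broadcasts a stricter
    per-server limit for that sender."""

    def __init__(self, servers, threshold):
        self.servers = servers
        self.threshold = threshold
        self.alerts = []

    def evaluate(self):
        totals = defaultdict(int)
        for server in self.servers:
            for sender, n in server.feedback().items():
                totals[sender] += n
        for sender, total in totals.items():
            if total > self.threshold:
                # Stricter limit: half the threshold divided across the fleet,
                # so the aggregate cannot reach the threshold again this window.
                new_limit = max(1, self.threshold // (2 * len(self.servers)))
                self.alerts.append((sender, total))
                for server in self.servers:        # broadcast the new policy
                    server.limits[sender] = new_limit
        return dict(totals)
```

Because the stricter limit is installed into every server's `limits`, a sender that spread its traffic evenly to stay under each server's default is cut off everywhere as soon as the management server sees the aggregate; nothing here relaxes the limit again, which in practice needs a separate expiry.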
20120174186Policy Based Capture with Replay to Virtual Machine - A suspicious activity capture system can comprise a tap configured to copy network data from a communication network, and a controller. The controller is coupled to the tap and is configured to receive the copy of the network data from the tap, analyze the copy of the network data to flag the network data as suspicious, and simulate transmission of the network data to a destination device.07-05-2012
20120174185GENERALIZED IDENTITY MEDIATION AND PROPAGATION - Provided are techniques for providing security in a computing system with identity mediation policies that are enterprise service bus (ESB) independent. A mediator component performs service-level operations such as message brokering, identity mediation, and transformation to enhance interoperability among service consumers and service providers. A mediator component may also delegate identity related operations to a token service or handler. Identity mediation may include such operations as identity determination, or “identification,” authentication, authorization, identity transformation and security audit.07-05-2012
20120174184Method and Apparatus for Enabling Enhanced Control of Traffic Propagation Through a Network Firewall - A distributed firewall system is used to implement a network firewall with enhanced control over network traffic to allow policy to be implemented on a per-user basis, a per-application basis, a per-user and application basis, and to allow ports to be dynamically opened and closed as needed by the applications. The distributed firewall system may include application identifiers associated with applications running on a network element, one or more firewall agents instantiated on the network element hosting the applications, and a firewall configured to interface with the firewall agents. Communications between the distributed components are secured to allow the firewall to detect if an agent has been compromised, and to allow the firewall agent to determine if the application has been compromised. The distributed firewall system may work in a VPN environment, such as in connection with a VPN server, to implement firewall policy at the point where VPN traffic enters the protected network.07-05-2012
20120174183SYSTEM FOR MANAGING PROPRIETARY DATA07-05-2012
20120174181Method and Apparatus to Create and Manage a Differentiated Security Framework for Content Oriented Networks - A network component comprising a receiver configured to receive a signed content item and an associated security information from a publisher, wherein the security information indicates which group from a plurality of groups is allowed to access the signed content item, a storage unit configured to cache the content item and the associated security information, a processor to implement procedures to enforce security policies defined by the security information, and a transmitter configured to send the signed content item from the cache to a subscriber when the subscriber is a member of a group indicated by the security information as authorized to access the signed content item.07-05-2012
20100050232SYSTEMS AND METHODS FOR MANAGING POLICIES ON A COMPUTER - An apparatus, system, and method are disclosed for managing policies on a computer having a foreign operating system. Policies may specify hardware or software configuration information. Policies on a first computer with a native operating system are translated into configuration information usable on a second computer having a foreign operating system. In an embodiment, a translator manager manages the association between the policy on the first computer and the translator on the second computer. Computer management complexity and information technology management costs are reduced by centralizing computer management on the native operating system. Further reductions in management complexity are realized when the present invention is used in conjunction with network directory services.02-25-2010
20100050231Resolving retention policy conflicts - Resolving retention policy conflicts is disclosed. An indication is received that two or more retention policies apply to an item of content. A merged retention policy that is based at least in part on the respective requirements of the two or more retention policies is generated automatically for the item of content.02-25-2010
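Merging retention policies is only straightforward along the "keep at least this long" axis; policies that also impose a deletion deadline (privacy or data-minimisation rules) can be genuinely irreconcilable with a long minimum retention, and a legal hold suspends disposition altogether. The example below is added for this page and is not the patent's method; the policy fields, the merge rules and the sample policies are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RetentionPolicy:
    name: str
    min_days: int                     # keep the item at least this long
    max_days: Optional[int] = None    # dispose of it no later than this, if set
    legal_hold: bool = False          # disposition suspended entirely
    disposition: str = "delete"       # "delete" or "archive" at end of retention


def merge_retention(policies):
    """Return one policy that satisfies every input policy, or raise
    ValueError when their requirements cannot be reconciled.

    Merge rules (assumptions of this example): the longest minimum retention
    wins; the earliest deletion deadline wins; a legal hold on any policy
    suspends all deadlines; 'archive' is preferred over 'delete' because it
    is the reversible choice."""
    if not policies:
        raise ValueError("no policies to merge")
    min_days = max(p.min_days for p in policies)
    hold = any(p.legal_hold for p in policies)
    deadlines = [p.max_days for p in policies if p.max_days is not None]
    max_days = None if hold or not deadlines else min(deadlines)
    if max_days is not None and max_days < min_days:
        names = ", ".join(p.name for p in policies)
        raise ValueError(
            f"unresolvable conflict: must keep {min_days} days "
            f"but delete by day {max_days} ({names})")
    disposition = "archive" if any(p.disposition == "archive" for p in policies) else "delete"
    return RetentionPolicy(
        name="+".join(sorted(p.name for p in policies)),
        min_days=min_days, max_days=max_days,
        legal_hold=hold, disposition=disposition)
```

Raising on an unresolvable pair is the safer behaviour: silently picking one side would either destroy records a retention rule requires or keep data a deletion rule forbids, and the conflict needs a human decision rather than an automatic merge.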
20100050230Method of inspecting spreadsheet files managed within a spreadsheet risk reconnaissance network - A method of inspecting spreadsheet files managed within a spreadsheet risk reconnaissance network. The method involves a spreadsheet inspector logging on to the network and selecting a spreadsheet inspection from the list of spreadsheet inspections to be performed. In response to the selection, the network automatically generates an inspection worksheet for each policy component which is to be manually inspected by the inspector. The inspection worksheet includes all policy compliance components which require human judgment to assess the degree to which an item passes compliance, as well as general notes to allow for inspection items which are not related to the specific compliance items. Upon receiving the network-generated inspection worksheet, the spreadsheet inspector opens the spreadsheet file to be inspected via a provided hyperlink and applies human judgment in assessing whether or not the spreadsheet file passes each set of criteria established in the spreadsheet policy. For each policy component being assessed, the spreadsheet inspector evaluates the spreadsheet file and provides a passing grade if the spreadsheet file meets the criteria established in the policy component, and a failing grade if the spreadsheet file does not meet the established criteria in the policy component. An overall assessment score of passing or failing is provided to each spreadsheet file under assessment, based on automated and/or manual assessments.02-25-2010
20100050229VALIDATING NETWORK SECURITY POLICY COMPLIANCE - The present invention may provide the ability to determine the actions triggered by a network security policy given a set of conditions. Embodiments of the invention involve testing the security policy at specified times, documenting and analyzing the test results for compliance, recording the results for auditing purposes, writing events to warn of non-compliance findings, and dynamically taking defensive action to prevent security breaches as the result of non-compliance findings.02-25-2010
20100299717System for Annotation-Based Access Control - A system for annotation-based access control stores a network of interconnected data entities including Person, Resource and Policy entities, each Resource entity designated as being owned by a Person entity. The system enables a user to: define Annotations and associate the Annotations with stored entities, each Annotation comprising terms defining the sharing of a Resource with Person entities; define Policies having associated Annotation(s); define Actions for each Policy, an Action being performed on a Resource; and assign a Policy including an Annotation referring to a Person, a Person Annotation, to selected Resources. The system responds to a request from a user associated with a Person entity to perform an Action on a Resource if the Person satisfies the Policies assigned to the Resource, i.e., if a Resource is assigned a Policy having a Person Annotation and the Person entity has an Annotation corresponding to that Person Annotation.11-25-2010
20120216240PROVIDING DATA SECURITY THROUGH DECLARATIVE MODELING OF QUERIES - Data security is implemented through a query based policy constraining a primary table. Nested tables inherit the security policy by implementing the policy queries of the primary table. Operations on nested tables such as join actions execute the security policy queries once due to inheritance from the primary table therefore optimizing query modeling. A security policy may respond to a context or a role by executing queries responsive to the context.08-23-2012
20120216239Integration of network admission control functions in network access devices - In one embodiment, a method includes receiving a communication from an endpoint device at a network access device located within a data path between the endpoint device and a network, identifying a network admission control policy for the endpoint device, enforcing at the network access device, the network admission control policy for traffic received from the endpoint device, and forwarding at the network access device, traffic from the endpoint device to the network in accordance with the network admission control policy. An apparatus is also disclosed.08-23-2012
20110191817Host apparatus, image forming apparatus, and method of managing security settings - An image forming apparatus is provided. The image forming apparatus includes a storage unit which stores security settings information of the image forming apparatus, an image forming unit to perform an image forming job, a function management unit which controls the functions of the image forming unit, a communications interface unit which is connected to a host apparatus, and a security settings management unit which transmits stored security settings information through the communications interface unit and changes stored security settings information according to a packet of changing the received security settings, if a packet of changing the security settings is received from the host apparatus through the communications interface unit.08-04-2011
20120260308METHOD AND SYSTEM FOR CONDITIONALLY LIMITING COMMUNICATIONS - A server, system, and method configured to limit communications. The server includes a processor for executing a set of instructions and a memory for storing the set of instructions. The set of instructions is executed to receive a list of one or more communicating parties that are authorized to communicate with a user at any time, receive a selection to limit communications, determine whether an identifier associated with a communicating party is in the list in response to processing a communication, and connect the communication to a communications device in response to determining that the identifier is in the list.10-11-2012
20120260307SECURE DISPLAY SYSTEM FOR PREVENTION OF INFORMATION COPYING FROM ANY DISPLAY SCREEN SYSTEM - Devices, methods, and computer programs are presented for displaying information output of a host. One apparatus includes a housing that includes a panel, a scalar, a sensor, an integrated circuit (IC), and a communications device. The panel includes a plurality of light emitting devices arranged to define an area for displaying information output from the host. The scalar is for receiving pixel data from the host computer to be displayed on the panel, and the sensor is for capturing data proximate to the panel. The IC is in communication with the scalar and the panel, the integrated circuit configured to intercept the information output from the host computer, the data of the sensor being analyzed for security control when the information output is to be presented to the scalar. The communications device is for enabling the IC to communicate with a remote computer without communicating through the host computer.10-11-2012
20090100498METHOD AND SYSTEM FOR ANALYZING POLICIES FOR COMPLIANCE WITH A SPECIFIED POLICY USING A POLICY TEMPLATE - A method and system are disclosed for analyzing policies for compliance with a specified policy. The method comprises the steps of creating a policy template representing said specified policy, and comparing a group of given policies to said policy template to determine whether said given policies conflict with said specified policy. In the preferred embodiment of the invention, the specified policy may include specified rules, the given policies include a plurality of given rules, and the policy template expresses said specified rules. In this preferred embodiment, the comparing step includes the step of comparing said plurality of given rules to the policy template to determine whether any of said given rules conflicts with said specified rules. In addition, preferably, if conflicts are found between said given policies and said specified policy, the given policies are modified to eliminate the conflicts.04-16-2009
20100275241SECURELY HOSTING WORKLOADS IN VIRTUAL COMPUTING ENVIRONMENTS - Methods and apparatus involve securely hosting workloads. Broadly, computing workloads are classified according to security concerns and those with common concerns are deployed together on common hardware platforms. In one instance, security tags are bi-modally attached or not to workloads meeting a predetermined security threshold. Those with tags are deployed on a common machine while those without tags are deployed on other machines. Tags may be embedded in meta data of open virtual machine formats (OVF). Considerations for re-booting computing devices are also contemplated as are multiplexing workloads. Computer program products are further disclosed.10-28-2010
20120180104METHOD OF GENERATING SECURITY RULE-SET AND SYSTEM THEREOF - A method of automated generation of a security rule-set and a system thereof are provided. The method comprises: obtaining a group of log records of communication events resulting from traffic related to the security gateway; generating a preliminary rule-set of permissive rules, said set covering the obtained group of log records; generating, with the help of mapping the generated preliminary rule-set to the obtained group of log records, a rule-set of non-overlapping rules covering the group of log records; and generating an operational rule-set by processing the generated rule-set of non-overlapping rules, said processing including mapping the generated rule-set of non-overlapping rules to the obtained group of log records.07-12-2012
20120180106TRUSTED QUERY NETWORK SYSTEMS AND METHODS - Systems and methods are disclosed with which queries can be sent to various clients of a trusted query network in a trusted query network message. In one embodiment, each registered client receives the message and determines whether or not it will participate in the query. If so, the client adds to the message in a first data round a true response to the query and obfuscation data, and then forwards the message on to the next client (or back to the client that initiated the query if each client has added its data to the message). In a second round, the message is again sent to each participating client, which this time removes its obfuscation data. Once each client has removed its obfuscation data, a final result is obtained that can be sent to each of the clients.07-12-2012
20120260306META-EVENT GENERATION BASED ON TIME ATTRIBUTES - First stage meta-events are generated based on analyzing time attributes of base events received from a network component. Second stage meta-events are generated based on a number of the first stage meta-events that have a time attribute falling within a time period. An amount of time that has passed since a most-recent second stage meta-event was generated is determined, and if a threshold time period does not exceed the amount of time that has passed since the most-recent second stage meta-event was detected, a third stage meta-event is determined.10-11-2012
20100037289MERGE RULE WIZARD - Various embodiments include a system comprising an interface coupled to a computer network, the interface operable to provide a merge rule wizard operable to generate one or more displayable dialog boxes that include selectable criteria for merging a plurality of sets of security rules into a single security rule base.02-11-2010
20100011409NON-INTERACTIVE INFORMATION CARD TOKEN GENERATION - Systems and methods for automatic, non-interactive generation of information card tokens are provided. An apparatus can include a receiver, a transmitter, and an information card token generator, wherein the information card token generator is operable to generate an information card token in response to an information card token request received from a relying party site, the information card security token being based at least in part on a user-defined policy.01-14-2010
20100011412METHOD FOR MANAGING CRYPTOGRAPHIC EQUIPMENT WITH A UNIFIED ADMINISTRATION - A unified and universal management system for one or more items of cryptographic equipment, comprising a federating portal that is adapted to allow a user to access services, one or more interfaces for the interchange of information between the management system and equipment outside the system, and one or more modules having one or more sub-modules or technological bricks suitable for carrying out a unified and universal management method.01-14-2010
20100011411Policy-Based Usage of Computing Assets - Policy is defined for usage of computing assets (including remote, or external, assets) in a computing environment. The policy may identify the assets by (for example) asset name, asset type, asset version, location in a repository, or some combination thereof. Policy definitions for remote assets are provided in a consistent manner. Policy for particular assets (for example) may vary from one role to another. Policy definitions are preferably used when initializing a computing environment, and also when subsequently importing an asset into that computing environment. The disclosed techniques may also, or alternatively, be used to ensure that a secure computing environment is created whereby only hardware and/or software in a policy can be installed into the computing environment.01-14-2010
20100011410SYSTEM AND METHOD FOR DATA MINING AND SECURITY POLICY MANAGEMENT - A system and method to generate and maintain a controlled growth DAG are described. The controlled growth DAG conveys information about objects captured by a capture system.01-14-2010
20090083829COMPUTER SYSTEM - The present invention is directed to computer systems, methods and/or hardware where one or more guest operating systems exchange instructions with the processing hardware (see DEFINITIONS section) through a controller kernel. Even though the instructions are exchanged through the controller kernel, rather than directly between the OS and the processing hardware, the controller kernel does not change the instructions out of native form. The controller kernel refrains from virtualizing or emulating the instructions. For this reason, the controller kernel cannot be considered to be and/or include middleware, a hypervisor or VMM. The use of the controller kernel can be helpful in computer systems with multiple guest OS's because it allows multiple containerized OS's to simultaneously run on a single set of processing hardware. For example, the multiple containerized OS's can be used to run multiple terminals. The use of the controller kernel may also be useful even if there is a single guest operating system. For example, a LINUX controller kernel has been found to speed up the operation of the Windows Vista operating system running as the guest OS, relative to the speed of Windows Vista running directly on the same processing hardware in the conventional way.03-26-2009
20120185914IMPLEMENTING NETWORK TRAFFIC MANAGEMENT FOR VIRTUAL AND PHYSICAL MACHINES - A virtualization framework provides security between multiple virtual machines with respect to network communications between the virtual machines and between the virtual machines and a physical network coupled to the underlying physical computer platform. The virtualization framework includes a network interface controller driver that provides an interface to the platform network interface controller and supports execution of a plurality of virtual machines. Each virtual machine includes a virtual network interface controller that provides a network communications path between the virtual machines and to the network interface controller driver. Each virtual network interface controller further contains a programmable network packet filter that controls the selective transfer of network packets with respect to a corresponding virtual machine.07-19-2012
20120185913SYSTEM AND METHOD FOR A CLOUD COMPUTING ABSTRACTION LAYER WITH SECURITY ZONE FACILITIES - In embodiments of the present invention improved capabilities are described for a virtualization environment adapted for development and deployment of at least one software workload, the virtualization environment having a metamodel framework that allows the association of a policy to the software workload upon development of the workload that is applied upon deployment of the software workload. This allows a developer to define a security zone and to apply at least one type of security policy with respect to the security zone including the type of security zone policy in the metamodel framework such that the type of security zone policy can be associated with the software workload upon development of the software workload, and if the type of security zone policy is associated with the software workload, automatically applying the security policy to the software workload when the software workload is deployed within the security zone.07-19-2012
20120185912SYSTEM AND METHOD FOR GRANTING AUTHORIZATION OF APPLICATION IN WIRELESS COMMUNICATION SYSTEM - A system and a method for granting authorization to an application in a wireless communication system. A method for assigning authorization to an application in a mobile station includes: when an application is installed, transmitting permission request information for at least one authorization required by the application to a server; when a response message is received from the server, identifying the authorization assigned to the application in the response message; and controlling the application using the assigned authorization.07-19-2012
20120185911MLWEB: A MULTILEVEL WEB APPLICATION FRAMEWORK - A method of transferring data from a server via a web application by receiving a request from a user operating in a disparate security domain for data on a data store. A labeled view of the data requested from the data store is generated, wherein the label-data relationship can be trusted at a level commensurate with the trust level of the operating system. Next, a policy design engine determines whether the data is authorized by a security policy, and the data is transmitted to the user if it is authorized. Data can also be transferred by receiving a data flow from the user for writing to the data store. Next, the data flow is inspected for disallowed content, and a determination is made as to whether the data flow is authorized. If the data flow is authorized, a trusted monitor mediates the data flow between the user and the data store.07-19-2012
20120185910METHOD AND APPARATUS FOR ADJUSTING CONTEXT-BASED FACTORS FOR SELECTING A SECURITY POLICY - An approach is provided for selecting a security policy. A security policy manager determines one or more factors for adjusting a safety score associated with a device. The safety score is based, at least in part, on a context associated with the device. The security policy manager then processes and/or facilitates a processing of the one or more factors and the safety score to calculate an adjusted safety score, and determines to select a security policy based, at least in part, on the adjusted safety score.07-19-2012
20120185915SECURE ENTERPRISE NETWORK - A method and system enables transparent authentication and transparent policy enforcement in a fabric of a network. In an exemplary embodiment thereof, a packet stream sent from a network host to a network resource is received at a security system. The security system identifies an authentication exchange packet in the packet stream and determines, using the authentication exchange packet and a directory service, a user identity associated with the packet stream and whether the identified user has authorization to access the network resource. A network policy is created that defines whether the user has access to the network resource.07-19-2012
20120084831METHOD AND APPARATUS FOR PROVIDING PRIVACY MANAGEMENT IN MACHINE-TO-MACHINE COMMUNICATIONS - A method, non-transitory computer readable medium and apparatus for processing a request from a server of a machine-to-machine service provider are provided. For example, the method receives the request from the server of the machine-to-machine service provider to communicate with a machine-to-machine device, determines whether to authorize the request based upon a policy in a privacy database, and enables communications between the server of the machine-to-machine service provider and the machine-to-machine device if the request is authorized based upon the policy.04-05-2012
20120227081WEB USER AGENT BASED INSPECTION - Among other things, one or more systems and/or techniques for web user agent based inspection are provided herein. In particular, content provided by a user (e.g., to a server) may be processed using one or more web user agents (e.g., web browsers). The processing may involve opening and/or interpreting content provided by the user with one or more web user agents. Based on the processing, one or more profiles for the website may be created (e.g., for respective web user agents). Respective profiles may be evaluated based on one or more policies (e.g., for respective web user agents), and a determination may be made (e.g., to perform and/or not perform an action) based on the evaluation (e.g., allow a comment to be posted (or not) to a blog).09-06-2012
20120227082IDENTITY MEDIATION IN ENTERPRISE SERVICE BUS - A method for identity mediation in an enterprise service bus is provided in the illustrative embodiments. Security information is received at the enterprise service bus from a first application executing in a first data processing system. The security information is part of a request for service from a second application executing in a second data processing system. A part of the security information is identified to be transformed such that the part, upon transformation, is usable for handling the request by the second application. A security policy applicable to the identified part is selected and the identified part is transformed according to the security policy. The transformation results in transformed security information, which is sent to the second application.09-06-2012
20120260304METHODS AND APPARATUS FOR AGENT-BASED MALWARE MANAGEMENT - Methods and apparatus for providing protection against malware are disclosed. An exemplary method includes executing an agent program on a remote computer connected to a network, the agent program being configured to communicate with a base computer via the network, the agent program including a firewall arranged to block communications between the remote computer and entities on the network in accordance with predetermined rules; and configuring the firewall in accordance with rules received from the base computer.10-11-2012
20090019518Virtual firewall system based on commons security policy and method of controlling the same - A virtual firewall system based on a common security policy and a method of controlling the same. The virtual firewall system includes one or more virtual security policy modules, each of which includes a local security policy database; a security policy determiner, which determines, from the one or more virtual security policy modules, a virtual security policy module corresponding to a packet received from outside; and a common security policy database, which stores security policies. Each of the one or more virtual security policy modules determines whether or not to apply a security policy of the common security policy database to the received packet, and when the security policy of the common security policy database is applied, does not apply the security policy of a local security policy database. An operator can easily and conveniently set and restore the system.01-15-2009
20090019517Method and System for Restricting Access of One or More Users to a Service - The present invention relates to method and system for restricting access of one or more users to a service provided by a service provider. The one or more users are affiliated with an entity. The method comprises providing the entity with an ability to create one or more rules for restricting access of the one or more users to the service. The one or more rules are then obtained from the entity. When a request is received from a user for accessing the service, it is identified if the request is a request to which the one or more rules are to be applied based on a first identification criterion. The one or more rules are then applied to such a request.01-15-2009
20090019515METHOD AND SYSTEM FOR SECURE ACCESS POLICY MIGRATION - A method for deploying a directory server that includes receiving a new version of the directory server on a server to replace a prior version of the directory server, wherein the new version of the directory server uses a new version of an access policy and the prior directory server uses a prior version of the access policy, and configuring the new version of the directory server to use both the prior version of access policy and the new version of the access policy, wherein the new version of the directory server maintains compatibility between the new version of the access policy and the prior version of the access policy.01-15-2009
20090019514METHOD AND SYSTEM FOR ENFORCING PASSWORD POLICY IN A DISTRIBUTED DIRECTORY - The invention describes techniques for enforcing password policy within a distributed directory environment that includes one or more distributed directory servers and a proxy server that acts as an intermediate agent between a client and the distributed directory environment. In one aspect, the proxy server is enhanced to support the passing (from the backend server to the client) of password policy controls. In particular, controls returned from a backend server are parsed and cached (for re-use) for the life of a given client connection. According to another aspect, the proxy server ensures that all compare operations for a single user's password are directed to the same backend server in the distributed directory environment. This ensures that a user's most current password is used, and that failed operation counts, resets and operational attributes are up-to-date. According to still another aspect, the proxy server enforces password policy on bind plug-ins and, in particular, through a pair of pre-bind and post-bind extended operations. Pre-bind processing includes checking if an account is locked. Post-bind processing includes checking for expired passwords and grace logins and updating failed/successful bind counters.01-15-2009
20110126259Gated Network Service - A method includes identifying at a gateway device of a network a plurality of devices connected to the network. The method includes monitoring network traffic at the gateway device and determining that a particular traffic flow associated with one of the plurality of devices violates a privacy constraint. The method also includes providing a risk assessment associated with the privacy constraint violation. The risk assessment is at least partially based on terms and conditions associated with a particular device of the plurality of devices.05-26-2011
20120233657Method And Apparatus For Network Access Control - A method and apparatus for network access control includes an apparatus for granting a computing device access to a network, the apparatus having a plurality of substantially similar access devices, wherein each access device comprises a status-determination module to determine an access status based at least in part on whether the computing device is compliant with an access policy, an access-grant module configured for receiving an access status corresponding to the computing device from one or more of the access devices, and granting the computing device access to the network according to at least one of the access status determined by the status-determination module or the received access status.09-13-2012
20080301763SYSTEM AND METHOD FOR MONITORING COMPUTER SYSTEM RESOURCE PERFORMANCE - According to the present invention, policies are prepared for a plurality of resources residing in a computer system comprising a storage system for copying data from a copy source volume to a copy target volume, and an evaluation is carried out for an evaluation-target resource of the plurality of resources for determining whether or not to execute a predefined action based on the policy of this evaluation-target resource. A policy corresponding to a resource related to copying of the plurality of resources is determined based on a time period related to the copying.12-04-2008
20080301766CONTENT PROCESSING SYSTEM, METHOD AND PROGRAM - Access control for each part in an HTML document constituting a Web page is performed according to the origin of the part in the document. Thereby, content provided by a malicious user or server is prevented from fraudulently reading and writing other parts in the HTML document. More precisely, on the server side, each content item (including a JavaScript program) is automatically provided with a label indicating the domain that is the origin of the content. Thereby, the control of accesses to multiple domains (cross-domain access control) can be performed on the client side. Under this configuration, a combination of the contents, metadata and the access control policy is transmitted from the server side to the client side.12-04-2008
20080301765ANALYSIS OF DISTRIBUTED POLICY RULE-SETS FOR COMPLIANCE WITH GLOBAL POLICY - A method for analysis of distributed device rule-sets for compliance with global policies includes enabling an administrator to specify a network topology with intercommunicating elements and parameters required to secure the intercommunication with access control elements of the network topology; establishing connections to the access controls elements to capture a snapshot configuration of device rule-sets of the access control elements; enabling the administrator to specify a set of global access constraints with reference to the access control elements; enabling the administrator to select between exhaustive analysis and statistical analysis; conducting the selected analysis to determine violations by the device rule-sets that fail to comply with the set of global access constraints, wherein statistical analysis quantitatively characterizes a level of compliance without conducting analysis of all potential network paths; and providing results of the selected analysis to the administrator through a graphical user interface (GUI) as the results are obtained.12-04-2008
20080301764PORTABLE ELECTRONIC ENTITY, HOST STATION AND ASSOCIATED METHOD - A host station includes: 12-04-2008
20080301762Information Management System - An information management system is described comprising one or more workstations running applications to allow a user of the workstation to connect to a network, such as the Internet. Each application has an analyzer, which monitors transmission data that the application is about to transmit to the network or about to receive from the network and which determines an appropriate action to take regarding that transmission data. Such actions may be extracting data from the transmission data, such as passwords and usernames, digital certificates or eCommerce transaction details for storage in a database; ensuring that the transmission data is transmitted at an encryption strength appropriate to the contents of the transmission data; determining whether a check needs to be made as to whether a digital certificate received in transmission data is in force, and determining whether a transaction about to be made by a user of one of the workstations needs third party approval before it is made. The analyzer may consult a policy data containing a policy to govern the workstations in order to make its determination. The information management system provides many advantages in the eCommerce environment to on-line trading companies, who may benefit by being able to regulate the transactions made by their staff according to their instructions in a policy data, automatically maintain records of passwords and business conducted on-line, avoid paying for unnecessary checks on the validity of digital certificates and ensure that transmissions of data made by their staff are always protected at an agreed strength of encryption.12-04-2008
20080301761Information Management System - An information management system is described comprising one or more workstations running applications to allow a user of the workstation to connect to a network, such as the Internet. Each application has an analyzer, which monitors transmission data that the application is about to transmit to the network or about to receive from the network and which determines an appropriate action to take regarding that transmission data. Such actions may be extracting data from the transmission data, such as passwords and usernames, digital certificates or eCommerce transaction details for storage in a database; ensuring that the transmission data is transmitted at an encryption strength appropriate to the contents of the transmission data; determining whether a check needs to be made as to whether a digital certificate received in transmission data is in force, and determining whether a transaction about to be made by a user of one of the workstations needs third party approval before it is made. The analyzer may consult a policy data containing a policy to govern the workstations in order to make its determination. The information management system provides many advantages in the eCommerce environment to on-line trading companies, who may benefit by being able to regulate the transactions made by their staff according to their instructions in a policy data, automatically maintain records of passwords and business conducted on-line, avoid paying for unnecessary checks on the validity of digital certificates and ensure that transmissions of data made by their staff are always protected at an agreed strength of encryption.12-04-2008
20080301758Distributed knowledge access control - Techniques for distributed knowledge access control are disclosed herein. These techniques may enable access control information to be provided in the form of a statement that includes an assertion and a construct that targets the assertion to one or more intended entities. By targeting the statement to intended entities, the construct may help protect resources from unauthorized use and may also help protect the issuer of the statement from accountability resulting from misuse of the statement.12-04-2008
20080301757Systems and methods for policy enforcement in electronic evidence management - Systems and methods are provided for policy enforcement on electronic evidence captured from at least one source. The contents of the captured electronic evidence are indexed, and the captured electronic evidence is classified based on the indexed contents by associating the electronic evidence with one or more classes. It is determined whether one or more policies apply to the classified captured electronic evidence. When two or more policies apply to the classified captured electronic evidence, a conflict between the two or more policies is resolved to select the one or more policies to enforce. The systems and methods also enforce the selected one or more policies on the classified captured evidence.12-04-2008
20080301756Systems and methods for placing holds on enforcement of policies of electronic evidence management on captured electronic - Systems and methods for placing a hold on captured electronic evidence are provided, the captured electronic evidence having one or more associated policies that are applied to the captured electronic evidence. The captured electronic evidence is stored in a repository. The exemplary systems and methods determine whether to place a hold on the captured electronic evidence, and indicate the captured electronic evidence as being on hold. The exemplary systems and methods place the one or more policies of electronic evidence management associated with the captured electronic evidence indicated as being on hold in a pending state.12-04-2008
20080301754Management of Mandatory Access Control For Graphical User Interface Applications - Granular policy management is provided based upon an active status of a process and the display status of an associated visual display. A policy is constructed and applied to a process by a combination of individual control policy parameters associated with the status of a process or a graphical user interface. Each active policy is dynamically adjusted in response to a change in at least one policy condition.12-04-2008
20080301755Flexible Access Control Policy Enforcement - A method and system for applying access-control policies. In particular implementations, a method includes determining one or more policies, and a prioritization order for the determined policies, based on the one or more parameters; accessing an indirection table to create an entry for the client, wherein the entry indicates the prioritization order of the determined policies; and creating one or more entries in one or more policy data structures for the one or more determined policies.12-04-2008
20130174214Management Tracking Agent for Removable Media - A management agent stored on removable storage media is operable, when the storage media is coupled with a host device, to, via the host device, track data events and report the data events to a remote management console.07-04-2013
20120266210METHOD AND APPARATUS FOR CREATING AN INFORMATION SECURITY POLICY BASED ON A PRE-CONFIGURED TEMPLATE - A method and apparatus for creating a policy based on a pre-configured template is described. In one embodiment, source data having a tabular structure is identified. Further, one of multiple policy templates is used to automatically create a policy for detecting information from any one or more rows within the tabular structure of the source data.10-18-2012
20110004916SECURELY USING SERVICE PROVIDERS IN ELASTIC COMPUTING SYSTEMS AND ENVIRONMENTS - Access permission can be assigned to a particular individually executable portion of computer executable code ("component-specific access permission") and enforced in connection with accessing the services of a service provider by the individually executable portion (or component). It should be noted that at least one of the individually executable portions can request the services when executed by a dynamically scalable computing resource provider. In addition, general and component-specific access permissions respectively associated with executable computer code as a whole or one of its specific portions (or components) can be cancelled or rendered inoperable in response to an explicit request for cancellation.01-06-2011
20110004915METHOD AND APPARATUS FOR MANAGING ACCESS TO IDENTITY INFORMATION - Various methods for managing access to identity information are provided. One example method includes accessing media content received via a broadcast. The media content may be formatted such that a presentation of the media content is adaptable based at least in part on user identity information. The example method may also include determining whether the user identity information is accessible for retrieval based at least in part on an access control rule. Similar and related example methods and example apparatuses are also provided.01-06-2011
20110004914Methods and Apparatus for Identifying the Impact of Changes in Computer Networks - The impact of device configuration changes on operational issues and policy compliance in a computer network can be discerned from a visual data presentation that jointly shows representations of changes, issues, and policy compliance in a common view for a group of network devices. Configuration information is collected from devices in the computer network and processed to determine whether a change has occurred in a configuration of any of the devices, whether any operational issues exist for each of the devices, and whether any of the devices are not in compliance with any applicable operational policies. A display device displays the visual data presentation to allow an operator to see trends and relationships between device configuration changes and operational issues and incidents of policy non-compliance. The visual data presentation can be depicted as a graphical timeline view, a network topology view, or a table view of the information.01-06-2011
20110004913ARCHITECTURE FOR SEAMLESS ENFORCEMENT OF SECURITY POLICIES WHEN ROAMING ACROSS IP SUBNETS IN IEEE 802.11 WIRELESS NETWORKS - In a network which includes a first subnet which includes a home wireless switch which includes at least one first interface, and a second subnet which includes a current wireless switch, a method is provided for applying a first set of original security policies associated with the at least one first interface to a packet transmitted from a particular wireless communication device after the particular wireless communication device roams from the first subnet to the second subnet. A method is also provided for applying a first set of original security policies associated with the at least one first interface to a packet being transmitted to a particular wireless communication device after the particular wireless communication device roams from the first subnet to the second subnet.01-06-2011
20100100928Secure network computing - A host based security system for a computer network includes, in communication with the network, a credential host that is operative in concert with a local computer and a destination site. The destination site has a credential authentication policy under which credentials associated with the local computer, upon being authenticated, authorize data to be communicated between the destination site and the local computer during a communication session over the network. The credential host stores the credentials to be used by the destination and is operative to transmit the credentials onto the network in response to a request received from the local computer. The destination site, upon the credentials being received and authenticated there, is operative to transmit session information onto the network. In turn, the local computer is then operative to commence the communication session upon receipt of said session information.04-22-2010
20110131629METHOD AND SYSTEM FOR CONTENT LEVEL REACTIVE AUTHORIZATION - Disclosed is a new system and method for "Content-level Reactive Presence Authorization", wherein the Presentity is able to reactively authorize the Watcher's requested contents of the Presentity's Presence Information. According to the system and method for Content-level Reactive Presence Authorization, it is possible for the Presence Server to convey the identity of the Watchers and the protected contents to the Presentity, based on the states of the Watcher's requested contents of the Presence Information. According to the systems and methods, it is also possible for the Presentity to specify the conditions under which the Presence Server triggers such Content-level Reactive Presence Authorization.06-02-2011
20110131627METHOD AND DEVICE FOR DATA PROCESSING AND COMMUNICATION SYSTEM COMPRISING SUCH DEVICE - A method and a device for data processing are provided comprising a first instance that comprises at least one local trusted unit (LTU) and a local trust manager (LTM), the method comprising the step of the local trust manager providing policy-related information to the at least one local trusted unit and/or to a second instance.06-02-2011
20120240189METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR FACILITATING COMMUNICATION IN AN INTEROPERABILITY NETWORK - Methods and apparatus are described for facilitating communication among a plurality of entities via an interoperability network. Each entity has policy data corresponding thereto governing interaction with the entity via the interoperability network. A message is transmitted from a first one of the entities to a second one of the entities. The first entity has first policy data corresponding thereto and the second entity has second policy data corresponding thereto. The transmitted message was handled in the network according to combined policy data representing a combination of the first and second policy data.09-20-2012
20120240190METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR FACILITATING COMMUNICATION IN AN INTEROPERABILITY NETWORK - Methods and apparatus are described for facilitating communication among a plurality of entities via an interoperability network. Each entity has policy data corresponding thereto governing interaction with the entity via the interoperability network. A message is transmitted from a first one of the entities to a second one of the entities. The first entity has first policy data corresponding thereto and the second entity has second policy data corresponding thereto. The transmitted message was handled in the network according to combined policy data representing a combination of the first and second policy data.09-20-2012
20120240187POLICY BASED AUDITING OF WORKFLOWS - An auditing system is disclosed comprising a Policy Validation Mechanism Program (PVMP) that operates in conjunction with a Workflow Engine (WE), and a Policy Validation Server Program (PVSP) that operates on a Policy Validation Server (PVS) connected to the WE by a secure communication link. The PVMP converts a workflow to a workflow representation (WR) and sends the WR to the PVS. The PVSP compares the steps in the WR to a security policy identified for that WR and determines whether the WR is in compliance. In addition, the PVSP validates a checksum for the WR and logs the checksum for subsequent comparisons. The PVSP uses the checksum to determine whether a policy has changed during execution of the workflow.09-20-2012
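The auditing scheme in the abstract above (PVMP converts the workflow to a representation, the PVSP checks it against a policy, logs a checksum, and later uses the checksum to tell whether the policy changed during execution) as an added, runnable sketch. This is example code written for this page, not the patent's own implementation; the workflow format, the policy format and the "same role must not both create and approve" rule are assumptions, and the sample workflow and policy are constructed.

```python
import hashlib
import json

# Constructed sample data: the abstract does not define a representation
# format, so a workflow is modelled here as an ordered list of steps, each
# naming an action and the role that performs it (assumption).
SAMPLE_WORKFLOW = [
    {"step": 1, "action": "create_invoice", "role": "clerk"},
    {"step": 2, "action": "approve_invoice", "role": "manager"},
    {"step": 3, "action": "release_payment", "role": "treasury"},
]

# Constructed policy: roles allowed per action, plus action pairs that must
# not be performed by the same role (separation of duty; assumption).
SAMPLE_POLICY = {
    "allowed": {
        "create_invoice": ["clerk"],
        "approve_invoice": ["manager"],
        "release_payment": ["treasury", "manager"],
    },
    "separation_of_duty": [["create_invoice", "approve_invoice"]],
}


def canonical(obj):
    """Deterministic serialisation, so equal content always gives equal checksums."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def workflow_representation(workflow):
    """PVMP side: convert the workflow engine's workflow into a WR to send to the PVS."""
    return canonical(workflow)


def check_compliance(wr_text, policy):
    """PVSP side: compare the WR's steps with the policy; return a list of violations."""
    violations = []
    performers = {}
    for s in json.loads(wr_text):
        allowed = policy["allowed"].get(s["action"])
        if allowed is None:
            violations.append(f"step {s['step']}: action {s['action']} not in policy")
        elif s["role"] not in allowed:
            violations.append(f"step {s['step']}: role {s['role']} may not {s['action']}")
        performers.setdefault(s["action"], set()).add(s["role"])
    for a, b in policy["separation_of_duty"]:
        shared = performers.get(a, set()) & performers.get(b, set())
        if shared:
            violations.append(f"separation of duty: {sorted(shared)} performs both {a} and {b}")
    return violations


class PolicyValidationServer:
    """Validates WRs and logs checksums so later comparisons can detect policy drift."""

    def __init__(self, policy):
        self.policy = policy
        self.log = {}  # WR checksum -> checksum of the policy in force when validated

    def policy_checksum(self):
        return sha256_hex(canonical(self.policy))

    def validate(self, wr_text):
        """Validate the WR, log its checksum, and return the violations (empty = compliant)."""
        violations = check_compliance(wr_text, self.policy)
        self.log[sha256_hex(wr_text)] = self.policy_checksum()
        return violations

    def update_policy(self, policy):
        self.policy = policy

    def policy_changed_since_validation(self, wr_text):
        """True if the policy differs from the one logged for this WR (KeyError if never validated)."""
        return self.log[sha256_hex(wr_text)] != self.policy_checksum()
```

Logging the policy checksum alongside the WR checksum is what lets the server answer the question the abstract raises: when the workflow finishes, a second lookup shows whether the policy it was validated against is still the policy in force.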
20120240186SOC-BASED DEVICE FOR PACKET FILTERING AND PACKET FILTERING METHOD THEREOF - Provided is a device including a chip that includes a first storage unit that stores a rule DB for packet filtering, and a firewall engine that allows or blocks transmission of a packet by applying the rule DB; and a rule converter that receives a rule for packet filtering from a user and converts the rule into a format to store the rule in a rule list, wherein the chip receives a rule list converted by the rule converter and stores the rule list in the first storage unit as a rule DB.09-20-2012
20120240184SYSTEM AND METHOD FOR ON THE FLY PROTOCOL CONVERSION IN OBTAINING POLICY ENFORCEMENT INFORMATION - A system, machine readable medium and method for utilizing protocol conversions in policy changing enforcement is disclosed. A message, in a first protocol, is received from a network gateway device including identifying information unique to a client attempting to access a resource from a server. The message is processed using one or more portions of the client identifying information as a unique key identifier. A policy access request is generated, in a second protocol, and includes at least the unique key identifier. The policy access request is sent to a policy server, wherein the policy server is configured to provide policy enforcement information of the client associated with the policy access request. The policy enforcement information is received and one or more policies from the policy enforcement information are enforced to network traffic between the client and the server.09-20-2012
20120240183CLOUD BASED MOBILE DEVICE SECURITY AND POLICY ENFORCEMENT - The present disclosure relates to cloud based mobile device security and policy systems and methods to use the “cloud” to pervasively enforce security and policy on mobile devices. The cloud based mobile device security and policy systems and methods provide uniformity in securing mobile devices for small to large organizations. The cloud based mobile device security and policy systems and methods may enforce one or more policies for users wherever and whenever the users are connected across a plurality of different devices including mobile devices. This solution ensures protection across different types, brands, operating systems, etc. for smartphones, tablets, netbooks, mobile computers, and the like.09-20-2012
20120240182SECURITY ENFORCEMENT IN VIRTUALIZED SYSTEMS - A system includes a virtual machine (VM) server and a policy engine server. The VM server includes two or more guest operating systems and an agent. The agent is configured to collect information from the two or more guest operating systems. The policy engine server is configured to: receive the information from the agent; generate access control information for a first guest OS, of the two or more guest operating systems, based on the information; and configure an enforcer based on the access control information.09-20-2012
20120240181TECHNIQUES FOR SECURING A CHECKED-OUT VIRTUAL MACHINE IN A VIRTUAL DESKTOP INFRASTRUCTURE - Techniques for securing checked-out virtual machines in a virtual desktop infrastructure (VDI) are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for securing a checked-out guest virtual machine including receiving a request for checking-out a guest virtual machine hosted by a server network element, wherein checking-out the guest virtual machine comprises transferring hosting of the guest virtual machine from the server network element to a client network element. The method for securing a checked-out guest virtual machine may also include configuring a security module for the guest virtual machine in order to secure the guest virtual machine and providing the security module to the guest virtual machine when the guest virtual machine is checked-out.09-20-2012
20110047594SYSTEM AND METHOD FOR MOBILE COMMUNICATION DEVICE APPLICATION ADVISEMENT - This disclosure is directed to a system and method for providing advisement about applications on mobile communication devices such as smartphones, netbooks, and tablets. A server gathers data about mobile applications, analyzes the applications, and produces an assessment that may advise users on a variety of factors, including security, privacy, battery impact, performance impact, and network usage. The disclosure helps users understand the impact of applications to improve the experience in using their mobile device. The disclosure also enables a server to feed information about applications to other protection systems such as application policy systems and network infrastructure. The disclosure also enables advisement about applications to be presented in a variety of forms, such as through a mobile application, as part of a web application, or integrated into other services via an API.02-24-2011
20110047592PRE-REGISTRATION SECURITY SUPPORT IN MULTI-TECHNOLOGY INTERWORKING - Pre-registration security support in a multiple access technology environment is disclosed. For example, a method is disclosed for use in a computing device of a communication system. The communication system supports two or more access technologies for permitting a communication device to access the communication system, and at least part of a first security context is generated at the computing device for a given communication device permitting the given communication device to access the communication system via a first access technology. The method comprises generating at the computing device at least part of at least a second security context for the given communication device such that the given communication device is pre-registered to access the communication system via at least a second access technology while maintaining the first security context such that the given communication device continues to access the communication system via the first access technology and is pre-registered to subsequently access the communication system via the second access technology.02-24-2011
20110047591APPLICATION NETWORK COMMUNICATION METHOD AND APPARATUS - A method and apparatus are provided to discover and integrate applications in an application router framework. The discovery operation includes receiving a registration notification for an application on a network, adding information describing the application to a data structure in a repository, and publishing the data structure onto an application router. The association operations include querying one or more application routers on an application network for meta-data and other information on applications, exchanging the meta-data and other information between the application routers, and associating the applications together automatically using their respective application protocols. Routing operations include receiving application information in an application protocol format, converting the application information from the application protocol format into a neutral protocol format, and forwarding the application information in the neutral protocol format along with state information to other application router devices on the network.02-24-2011
20110047589DYNAMIC SWITCHING OF SECURITY CONFIGURATIONS - Disclosed is a computer implemented method, computer program product, and apparatus to switch security configurations. A data processing system accesses a first security configuration via a thread of execution, wherein a security configuration comprises at least one security parameter. The thread receives an incoming request. The thread switches to a second security configuration that specifies a resource, based on the incoming request, responsive to receiving the incoming request. The thread stores the second security configuration or a reference to the second security configuration to a stack. The thread authenticates the incoming request based on the second security configuration. The thread grants or denies access to the resource. The thread executes a method referenced in the incoming request. The thread restores to a first security configuration, responsive to completing the method.02-24-2011
20120324526SYSTEM AND METHOD FOR LIMITING DATA LEAKAGE - System and methods for connection processing with limited data leakage. The system records state associated with a connection request in a connection state engine, records state associated with a connection acknowledgement in the connection state engine, stores data sent after the connection acknowledgement in a buffer and determines, without a proxy, whether to allow or deny a connection as a function of the data stored in the buffer.12-20-2012
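The connection-state approach in the abstract above (record the request, record the acknowledgement, buffer the first bytes sent after it, and decide allow or deny from the buffered data without terminating the connection in a proxy) as an added example. This is code written for this page, not the patent's implementation; the packet dictionary format, the per-port protocol checks (HTTP request line on port 80, TLS ClientHello record on 443), the 8-byte decision threshold and the 64-byte buffer cap are all assumptions, and the packets in the test are constructed.

```python
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def looks_like_http(data):
    """True if the buffered bytes start an HTTP request line."""
    return data.startswith(HTTP_METHODS)  # bytes.startswith accepts a tuple


def looks_like_tls_client_hello(data):
    """TLS record type 0x16 (handshake), version major 3, handshake type 1 (ClientHello)."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


# Constructed policy (assumption): the protocol expected on each destination port.
PORT_CLASSIFIERS = {80: looks_like_http, 443: looks_like_tls_client_hello}


def packet(src, sport, dst, dport, flags, payload=b""):
    """Constructed packet model: 4-tuple, a TCP flag label, and the payload bytes."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "payload": payload}


class ConnectionStateEngine:
    """Tracks handshake state per connection and judges it on the first payload bytes."""

    def __init__(self, min_bytes=8, buffer_limit=64):
        self.min_bytes = min_bytes        # bytes needed before a negative verdict
        self.buffer_limit = buffer_limit  # cap on buffered data: never a full proxy
        self.conns = {}

    @staticmethod
    def key(pkt):
        # Normalise so both directions of one connection share an entry.
        a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
        return (a, b) if a < b else (b, a)

    def process(self, pkt):
        """Return 'pending', 'allow' or 'deny' for the connection this packet belongs to."""
        k = self.key(pkt)
        c = self.conns.get(k)
        flags = pkt["flags"]
        if c is None:
            if flags != "SYN":
                return "deny"  # data or ACK with no recorded connection request
            self.conns[k] = {"state": "SYN", "buf": bytearray(),
                             "dport": pkt["dport"], "verdict": "pending"}
            return "pending"
        if c["verdict"] != "pending":
            return c["verdict"]  # decision already made for this connection
        if c["state"] == "SYN" and flags == "SYN-ACK":
            c["state"] = "SYN-ACK"
        elif c["state"] == "SYN-ACK" and flags == "ACK":
            c["state"] = "ESTABLISHED"  # acknowledgement recorded
        elif c["state"] == "ESTABLISHED" and flags == "DATA":
            c["buf"] += pkt["payload"]
            classifier = PORT_CLASSIFIERS.get(c["dport"])
            data = bytes(c["buf"])
            if classifier is not None and classifier(data):
                c["verdict"] = "allow"
            elif classifier is None or len(data) >= self.min_bytes or len(data) > self.buffer_limit:
                c["verdict"] = "deny"  # enough seen to judge, or no policy for this port
        else:
            c["verdict"] = "deny"  # out-of-order handshake
        return c["verdict"]


def run_conversation(engine, packets):
    """Feed packets in order and return the verdict after each one."""
    return [engine.process(p) for p in packets]
```

Data that arrives before the handshake is complete, or on a port with no classifier, is denied outright; an application-layer match is only attempted on bytes the state engine saw after the recorded acknowledgement, which is what keeps the leak bounded to at most `buffer_limit` bytes.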
20120324529ENFORCING DATA SHARING POLICY THROUGH SHARED DATA MANAGEMENT - Enforcing data sharing policy through shared data management, in one aspect, may include extracting data access rights from the one or more data policies based on a user role, data purpose, an object set and a constraint identification; extracting a data domain from the one or more data policies based on the data purpose and the object set; associating the data access rights and the data domain with data attributes of the shared data; automatically responding to application-based offers and requests for the shared data within a Software-as-a-Service platform based on the data access rights.12-20-2012
20120324532PACKET ROUTING SYSTEM AND METHOD - Methods and systems for offering network-based managed security services are provided. According to one embodiment, an IP service processing switch includes multiple service blades and one or more packet-passing data rings. The service blades each have multiple processors for providing customized security services to subscribers of a service provider. Upon receipt of a packet by a service blade from the one or more packet-passing data rings, a PEID value within the packet is inspected and when the PEID value corresponds to a PEID assigned to a processor associated with the service blade, the packet is steered to a software entity of a VR on the processor that corresponds to an LQID value within the packet. And, when the PEID value does not correspond to any PEIDs assigned to processors on the service blade, the packet is passed to a next service blade on the one or more packet-passing data rings.12-20-2012
20120324533WIRELESS NETWORK HAVING MULTIPLE SECURITY INTERFACES - A number of wireless networks are established by a network device, each wireless network having an identifier. Requests are received from client devices to establish wireless network sessions via the wireless networks using the identifiers. Network privileges of the client devices are segmented into discrete security interfaces based on the identifier used to establish each wireless network session.12-20-2012
20120324530RULE-BASED APPLICATION ACCESS MANAGEMENT - A container that manages access to protected resources using rules to intelligently manage them includes an environment having a set of software and configurations that are to be managed. A rule engine, which executes the rules, may be called reactively when software accesses protected resources. The engine uses a combination of embedded and configurable rules. It may be desirable to assign and manage rules per process, per resource (e.g. file, registry, etc.), and per user. Access rules may be altitude-specific access rules.12-20-2012
20120324528System and method for merging security constraints when using security annotations - A method is described for merging security constraints associated with an application when using security annotations. The application comprises one or more servlets, such as a Java servlet. During application deployment, a list of role names is generated by merging static security constraints, for example, identified in a deployment descriptor, and in a static security annotation that defines a list containing the names of authorized roles for a servlet. Later, during application runtime in an application server, security constraints are retrieved from a plurality of sources, including both dynamic and static security annotations. Using the list of role names and the security constraints retrieved, a set of merged security constraints having a defined and proper order of precedence is generated. In particular, preferably one or more dynamic security annotations are first merged with one or more static security annotations to generate a set of runtime constraints. The security constraints from the deployment descriptor are then merged with the set of runtime constraints and the list of roles to generate the set of merged security constraints. These merged security constraints are then applied to process a request being handled by the application server.12-20-2012
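The merge order in the abstract above (dynamic annotations merged with static annotations into runtime constraints, then the deployment descriptor merged with those and the role list) as an added example. This is code written for this page, not the patent's or any servlet container's implementation; the constraint model (URL pattern mapped to the roles allowed), the rule that the later source overrides the earlier one for the same pattern, and the rule that roles absent from the deployment-time role list are dropped are all assumptions, and the constraint sets in the test are constructed.

```python
def role_name_list(deployment_descriptor, static_annotations):
    """Deployment time: union of the role names declared in the descriptor and in
    static (annotation-style) constraints. Constraint model (assumption):
    {url_pattern: [role, ...]}; an empty role list denies the pattern to everyone."""
    names = set()
    for roles in list(deployment_descriptor.values()) + list(static_annotations.values()):
        names.update(roles)
    return sorted(names)


def merge_security_constraints(deployment_descriptor, static_annotations,
                               dynamic_annotations, role_names):
    """Runtime: produce one constraint set with a defined order of precedence."""
    # 1. Dynamic annotations override static annotations for the same pattern.
    runtime = dict(static_annotations)
    runtime.update(dynamic_annotations)
    # 2. The deployment descriptor overrides the runtime constraints.
    merged = dict(runtime)
    merged.update(deployment_descriptor)
    # 3. Only roles from the deployment-time list can ever be granted (assumption):
    #    a role introduced only by a dynamic annotation is dropped.
    known = set(role_names)
    return {pattern: sorted(set(roles) & known) for pattern, roles in merged.items()}


def is_authorized(merged, pattern, user_roles):
    """Apply the merged constraints to a request: unconstrained patterns pass,
    constrained ones require at least one of the listed roles."""
    roles = merged.get(pattern)
    if roles is None:
        return True
    return bool(set(user_roles) & set(roles))
```

The precedence is explicit in the two `update` calls, so a reviewer can read off which source wins for a given pattern; step 3 is where the role list computed at deployment time feeds back into the runtime merge.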
20120324527TECHNIQUES FOR WORKLOAD SPAWNING - Techniques for spawning workloads are provided. A single repository is read once to obtain an image for a workload or files and resources for the image. The read operation spawns multiple, and in some cases, concurrent write operations, to instantiate the workload over a network as multiple occurrences or instances of the workload in multiple processing environments.12-20-2012
20120324531AUTOMATIC DETECTION OF NON-COMPLIANT CONTENT IN USER ACTIONS - Described herein are methods, systems, apparatuses and products for automatic detection of non-compliant content in user actions. An aspect provides a method including, responsive to receiving a user selection to share data via an electronic device, analyzing the data to be shared; and automatically identifying non-compliant content within the data prior to sharing the data. Other embodiments are disclosed.12-20-2012
20120272290System and Method for Reducing Security Risk in Computer Network - Disclosed are systems, methods and computer program products for reducing security risk in a computer network. The system includes an administration server that collects information about one or more computers in the network, including the following information: the computer user's external drive usage history, software installation history, and Web browsing history. The server calculates, based on the collected information, a security rating of the computer user. The server then adjusts the security rating of the computer user based on the security rating of at least one other user of another computer connected to the same computer network. The server then selects a security policy for the security software based on the adjusted security rating of the computer user. Different security policies provide different network security settings and prohibitions on launching executable files from external drives.10-25-2012
20120272291Methods, Communication Networks, and Computer Program Products for Monitoring, Examining, and/or Blocking Traffic Associated with a Network Element Based on Whether the Network Element can be Trusted - A communication network is operated by determining whether a network element can be trusted and monitoring traffic associated with the network element based on whether the network element can be trusted. At least some of the monitored traffic may be selected for examination based on the degree of trust for the network element. At least some of the monitored and/or examined traffic is selected to be blocked based on the degree of trust for the network element.10-25-2012
20120272287LOCATION BASED CONTENT FILTERING AND DYNAMIC POLICY - In one implementation, a social media device receives social interaction data including an identity of neighboring mobile devices that have been within a physical proximity of an object mobile device. The social media device hosts a social network service and provides content to a user associated with the object mobile device according to the identity of the neighboring mobile devices. The user of the object mobile device may opt to receive content only from those users that are identified in the social interaction data. The user of the object mobile device may opt to permit only those users that are identified in the social interaction data to receive content generated by the user of the object mobile device. The user may opt to alter the status policy seen by other users so that only users that are identified in the social interaction data see the user as available or online.10-25-2012
20120331517METHOD AND SYSTEM FOR FILTERING OBSCENE CONTENT FROM ELECTRONIC BOOKS AND TEXTUALIZED MEDIA - A method and system is disclosed for filtering obscene content from digital media comprising textualized script, such as electronic books commonly read on iPads®, Kindles®, and the like. Obscene content, in some embodiments, is redacted from the textualized media. In other embodiments, the obscene content is substituted with less obscene content. In still further embodiments, obscene content is flagged and a reader or administrator prompted to instruct the system how to handle the obscene content.12-27-2012
20110225622SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR DISPLAYING NETWORK EVENTS IN TERMS OF OBJECTS MANAGED BY A SECURITY APPLIANCE AND/OR A ROUTING DEVICE - A system, method, and computer program product are provided for displaying network events in terms of objects managed by at least one of a security appliance and a routing device. In use, network events are received. Furthermore, the network events are displayed in terms of objects being managed by at least one of a security appliance and a routing device.09-15-2011
20110231900APPARATUS, METHOD, AND COMPUTER-READABLE MEDIUM FOR DISTRIBUTING ACCESS CONTROL INFORMATION - An access-control-information distributing apparatus includes: a processor configured to determine a destination device to which access control information is to be distributed, the access control information describing an object on an information processing device and a condition which permits access to the object, on the basis of at least the condition or an attribute of the object.09-22-2011
20110231899SYSTEM AND METHOD FOR A CLOUD COMPUTING ABSTRACTION LAYER - According to one system of the invention, the system provides a cloud-computing service from a cloud-computing environment comprising a plurality of cloud-computing resources. The system may comprise: a management module configured to manage a cloud-computing resource of the plurality of cloud-computing resources as a cloud-computing service, wherein the cloud-computing service performs a computer workload; an adapter configured to connect the cloud-computing resource to the system and translate a management instruction received from the management module into a proprietary cloud application program interface call for the cloud-computing resource; a cloud service bus configured to route the management instruction from the management module to the adapter; a consumption module configured to allow a user to subscribe to the cloud-computing service; a planning module configured to plan the cloud-computing service; and a build module configured to build the cloud-computing service from the cloud-computing resource and publish the cloud-computing service to the consumption module.09-22-2011
20110239269AUTOMATED SECURITY ANALYSIS FOR FEDERATED RELATIONSHIP - A computer monitoring system uses a set of parameterized models to gather information about monitored devices. The models include scripts for gathering information, as well as type validation and data validation functions. The parameters within the model are used to generate user interface prompts and to populate discovery scripts as well as data validation scripts. In some cases, the models may include localization settings that may customize the user interface and validation output for different languages. A processing engine may generate a user interface from the parameters defined in the models, customize the scripts from the user input, and cause the scripts to be executed. The data gathered by the scripts may be analyzed using type validation and data validation.09-29-2011
20110239268NETWORK POLICY IMPLEMENTATION FOR A MULTI-VIRTUAL MACHINE APPLIANCE - A networking policy implementation for a multi-virtual machine appliance that includes a method for selecting a network implementation by applying a network policy to existing network configurations within a virtualization environment of a computing device. A control program that executes within the virtualization environment receives an event notification generated by a virtual machine in response to a lifecycle event. The control program, in response to receiving the notification, invokes a policy engine that applies a network policy to existing network configurations of the virtualization environment. This network policy can correspond to the virtual machine or to a network object connected to virtual interface objects of the virtual machine. The policy engine then identifies an existing network configuration that has attributes which satisfy the network policy, and selects a network implementation that satisfies the network policy and the network configuration.09-29-2011
20110239267PASSWORD COMPLEXITY POLICY FOR EXTERNALLY CONTROLLED SYSTEMS - In embodiments of the present invention improved capabilities are described for password policy enforcement, such as passwords not normally in the administrative domain of the corporation, unlike common local policy enforcement. Password policy enforcement may include the steps of identifying a presentation of a software application user interface, wherein the presentation involves communicating the user interface over the Internet; evaluating the user interface for a presence of a user password field; and in response to a positive detection of the user password field, implementing a compliance process to ensure that any password entered into the user password field is compliant with a corporate policy relating to passwords.09-29-2011
20100251329SYSTEM AND METHOD FOR ACCESS MANAGEMENT AND SECURITY PROTECTION FOR NETWORK ACCESSIBLE COMPUTER SERVICES - A method for providing access management and security protection to a computer service includes providing a computer service that is hosted at one or more servers and is accessible to clients via a first network, providing a second network that includes a plurality of traffic processing nodes and providing means for redirecting network traffic from the first network to the second network. Next, redirecting network traffic targeted to access the computer service via the first network to a traffic processing node of the second network via the means for redirecting network traffic. Next, inspecting and processing the redirected network traffic by the traffic processing node and then routing only redirected network traffic that has been inspected, processed and approved by the traffic processing node to access the computer service via the second network.09-30-2010
20120331516Method for Personalizing Parental Control in a PCC Architecture - A Parental Control Manager “PCM” server of a Policy and Charging Control “PCC” architecture with the Parental Control Manager “PCM” server, a Policy Control Enforcement Function device with Deep Packet Inspection capabilities “PCEF-DPI device”, and a Policy Control Rules Function “PCRF” server. The PCM server includes a user interface unit for receiving a logon from a user, and for receiving from the user monitoring criteria on Internet traffic types to be monitored for the user, and corresponding actions to be carried out when any monitoring criteria fit a given Internet traffic type. The PCM server includes a network interface unit for submitting the monitoring criteria and corresponding actions received from the user to a PCRF server. A PCRF server of a PCC architecture with a PCM server, a PCEF-DPI device, and the PCRF server. A PCEF-DPI device of a PCC architecture with a PCM server, the PCEF-DPI device, and a PCRF server. A method of parental control by a user for access to websites, multimedia contents and Internet services with a PCC architecture having a PCM server, a PCEF-DPI device, and a PCRF server.12-27-2012
20120278853ENFORCING ALIGNMENT OF APPROVED CHANGES AND DEPLOYED CHANGES IN THE SOFTWARE CHANGE LIFE-CYCLE - On a host, host content change requests are intercepted in real-time. In a tracking mode, the change requests are logged and allowed to take effect on the host. In an enforcement mode, the change requests are logged and additionally compared against authorized change policies and a determination is made whether to allow the change to take effect or to block the changes, thereby enforcing the authorized change policies on the host. Tracking and enforcement can be done in real-time. In either mode and at any time, the logged changes can be reconciled against a set of approved change orders in order to identify classes of changes, including changes that were deployed but not approved and changes that were approved but not deployed.11-01-2012
20120090014ACCESS CONTROL APPARATUS, INFORMATION MANAGEMENT APPARATUS, AND ACCESS CONTROL METHOD - An access control apparatus that controls access to an information management apparatus that stores configuration elements and relationship elements indicating relationships between the configuration elements, includes a storage unit that stores one or more predetermined configuration elements in association with user information that identifies a user and stores one or more combinations of a type of a configuration element and a type of a relationship element in association with the user information, as an access control rule set for each user, and a determining unit that determines that, when a combination of a type of a configuration element stored in the storage unit in association with user information and a type of a relationship element indicating a relationship between the configuration element and another configuration element is stored in the storage unit in association with the user information, the other configuration element is accessible.04-12-2012
20110277013Methods and Systems for Forcing an Application to Store Data in a Secure Storage Location - The present application is directed to methods and systems for redirecting write requests issued by trusted applications to a secure storage. Upon redirecting the write requests, the data included in those requests can be stored in the secure storage area of a client computer. In some embodiments, the methods and systems can include determining whether an application issuing the request is a trusted application that requires data to be stored in a secure storage repository. Upon making this determination, a filter driver can identify a secure storage area on a client computer and can redirect the write request to this secure storage. In other embodiments, the filter driver may deny requests of trusted applications to write to unsecure storage areas.11-10-2011
20110277012SYSTEM FOR AUGMENTING ACCESS TO RESOURCES - The different illustrative embodiments provide a method, data processing system, and computer program product for managing access to resources. A number of access permissions of a first user to a number of resources in a computer system are provided to a second user in response to a presentation of first credentials for the first user to the computer system. A level of presence of the first user relative to the computer system and/or the second user is monitored. The number of access permissions of the first user to the number of resources in the computer system continues to be provided to the second user as long as a preselected level of presence of the first user is present.11-10-2011
20120331519DEVELOP AND DEPLOY SOFTWARE IN MULTIPLE ENVIRONMENTS - Developing, deploying, and operating an application in a plurality of environments is disclosed, including: defining runtime specific configuration information for a plurality of environments, wherein the runtime environment specific configuration includes topology configuration and security configuration, wherein the runtime environment specific configuration information is stored separately from other configuration information and is protected by an identity management system; executing an application in one of the plurality of environments, wherein execution of the application is controlled by a first role; and presenting a credential associated with the first role to the identity management system to obtain a portion of the runtime environment specific configuration information corresponding to the environment associated with the executing application.12-27-2012
20120331518FLEXIBLE SECURITY TOKEN FRAMEWORK - A computer-implemented server system includes or supports applications that use security tokens. The server system includes a security token module to create token types for use with the applications, to generate security tokens corresponding to created token types, and to enforce token use policies for generated security tokens. The server system also includes a database to store security tokens for the token module. The token module accommodates creation of different token types having different token formats and different token use policies, based on obtained values of a plurality of token configuration variables. The token module generates security tokens in accordance with the different token formats, and enforces the different token use policies when processing incoming security tokens.12-27-2012
20110283336METHOD AND SYSTEM FOR SUPPORTING THE GENERATION OF ACCESS CONTROL PREFERENCES AND/OR PRIVACY PREFERENCES FOR USERS IN A PERVASIVE SERVICE ENVIRONMENT - A method and a system for supporting the generation of access control preferences and/or privacy preferences for users in a pervasive service environment, wherein an automated user information management system stores and/or manages personal information items owned by and/or associated to a user, wherein an access control system is provided for processing requests from a pervasive service and/or application that query a set of the user-specific information items being stored in and/or managed by the user information management system, are characterized in that an entity—feedback collector—is provided, the feedback collector being configured to collect individual access control and/or privacy preferences from a plurality of users, to derive a popular rule set of access control and/or privacy preferences from the collected individual access control and/or privacy preferences, and to provide the popular rule set of access control and/or privacy preferences to users of the pervasive service environment.11-17-2011
20110289547TAKING CONFIGURATION MANAGEMENT DATA AND CHANGE BUSINESS PROCESS DATA INTO ACCOUNT WITH REGARD TO AUTHORIZATION AND AUTHENTICATION RULES - An approach receives a request from a user, typically a change implementer, on a computer system. The request includes a user identifier and a requested action. A current timestamp corresponding to a computer system clock is retrieved. Scheduled changes are retrieved from a data store accessible by the processor. The current timestamp is compared to the scheduled change periods. The requested action is allowed if the comparison reveals that the current timestamp is within one of the retrieved scheduled changes, and the requested action is denied if the comparison reveals that the current timestamp is outside of the retrieved scheduled change periods.11-24-2011
20110321123ACCESS CONTROL LIST CONVERSION SYSTEM, AND METHOD AND PROGRAM THEREFOR - An access control list conversion system includes: a first rule judgment unit 12-29-2011
20110321122SPECIFYING AN ACCESS CONTROL POLICY - A system for specifying an access control policy comprises: A user interface (12-29-2011
20110321121INFORMATION PROCESSING SYSTEM AND OPERATION METHOD OF INFORMATION PROCESSING SYSTEM - An information processing system is equipped with a first information processing device that stores a first object group, and a second information processing device that obtains an operation request from a subject, said operation request indicating the content of an operation for an object to be operated, and processes the object to be operated on the basis of the operation request. The first information processing device is equipped with a storage means for additional access control policies, wherein for each first object in the first object group, a set of second objects for which the feasibility of an operation is determined using the same control rule as the first object is indicated as a changed object group. In cases when the object to be operated is included in the aforementioned changed object group, the second information processing device references the additional access control policy and acquires the changed object group corresponding to the object to be operated. Thereafter, the determination of whether an operation request can be processed for the object to be operated is made by determining whether the operation request can be processed for the changed object group.12-29-2011
20110321120METHOD AND SYSTEM FOR PROVIDING MASKING SERVICES - A system and method for presenting on-demand masking of data as a software service in a distributed environment is provided. An application hosted on a computing device receives a request for access to application data from a user. Credentials of the user are first validated in order to determine whether the user is authorized to access the requested application data. For an authorized user, a category of the user is determined to ascertain whether the user is privileged to obtain full access. In case the user is a privileged user, unmasked application data is fetched from a database utility and provided to the user. In case the user is not a privileged user, the application data access request is transferred to a data masking service. Application data is fetched from the database utility, masked based on pre-defined masking rules and provided to the user.12-29-2011
20110321119Consigning Authentication Method - A method for sharing content between clients at a common trust level in a trust hierarchy associated with a network implementing policy-based management includes making a first request for delivery of content, receiving the requested electronic content, receiving a second request for delivery of the electronic content, communicating the second request, receiving a decision, and delivering the electronic content if the second request is granted. The first request is made to a policy enforcement point in the network for delivery of content to a first client, and includes a trust level of the first client. The second request is for delivery of the content to a second client at the trust level of the first client and includes integrity information about the second client, and is communicated to the policy enforcement point. If the second request is granted, the content is delivered from the first client to the second client.12-29-2011
20110321118METHOD AND APPARATUS FOR PERFORMING A MULTI-ROLE COMMUNICATION USING A MEMORY TAG - An approach is presented for performing a multi-role communication using a Radio Frequency (RF) memory tag. The control manager receives a content request, at a memory tag, from a first device according to a first access policy. Further, the control manager determines one or more sources of content data responsive to the content request. Then, the control manager provides access from the one or more sources to the memory tag according to a second access policy. The access facilitates transmission of the content data to the first device according to a third access policy.12-29-2011
20110321117Policy Creation Using Dynamic Access Controls - A method and system for dynamically managing access to assets such as an electronic document or a hardware component, using policies that comprise one or more dynamic access controls, which are linked to data sources such as databases or web services. The access controls are dynamic because, each time the policy is invoked, the policy and its component access controls must be evaluated with respect to the current information in the linked data sources.12-29-2011
20120102540Single-Point-Of-Access Cyber System - The system and system components of the present invention provide individuals with both a safe and a secure cyber environment. Within this safe and secure cyber environment each individual and each cyber device will always be properly identified for all cyber interactions with others and for all cyber interactions with the cyber devices of others. The present invention also provides individuals with privacy as required by each individual for the individual's cyber activities and cyber assets. Further, the present invention provides for environment-wide interoperable use of any cyber device, cyber programming, or cyber content.04-26-2012
20120102539CLOUD SERVICES LAYER - A method including receiving a service registration request to register a service with a multi-tenant, multi-service cloud network from a user; registering object types that pertain to the service, wherein the object types include at least one service object type that is not an object type offered by the cloud network to the user; and registering objects based on the object types, wherein the objects include at least one object associated with the at least one service object type.04-26-2012
20120102544CONTROLLING, FILTERING, AND MONITORING OF MOBILE DEVICE ACCESS TO THE INTERNET, DATA, VOICE, AND APPLICATIONS - Systems and methods for controlling, filtering, and monitoring mobile device access to the internet are disclosed. According to an embodiment a server is responsible for controlling, filtering and monitoring internet activity. For every request, the server interacts with back-end databases that categorize requests, and based on user/carrier/corporate settings, allow or disallow access to particular content.04-26-2012
20120102541Method and System for Generating an Enforceable Security Policy Based on Application Sitemap - A system for generating a security policy for protecting an application-layer entity. The system comprises a security sitemap generator for generating a security sitemap of a protected application-layer entity, the security sitemap is stored in a first repository connected to the security sitemap generator; and a policy builder for generating a security policy for the application-layer entity based on the security sitemap, the security policy is stored in a second repository connected to the policy builder, wherein the security policy includes a plurality of enforcement rules for at least one of a resource, a group of resources, and a client-side input parameter of at least a portion of the protected application-layer entity.04-26-2012
20120291091CONTROLLING LOCKING STATE TRANSITIONS IN A TERMINAL - A method and a control module for controlling locking state transitions in a terminal are described, wherein said terminal is configured for checking said transition in accordance with one or more state transition rules and wherein the method comprises the steps of: providing at least one one-way writable memory location comprising first state information associated with a first locking state of said terminal; receiving a request for a transition to a second locking state, said request comprising second state information associated with said second locking state; on the basis of said first and second state information and said transition rules, checking whether said requested transition is allowable or not; and storing said second state information in said one-way writable memory if said requested transition is allowable according to said state transition rules.11-15-2012
20120291090ACCESS MANAGEMENT ARCHITECTURE - An access management system architecture is provided. In one embodiment, the architecture comprises modular and decoupled components, which allow composability of heterogeneous solutions.11-15-2012
20120291089METHOD AND SYSTEM FOR CROSS-DOMAIN DATA SECURITY - A data management system includes a microprocessor and a data manager executing on the microprocessor. The data manager is communicatively coupled to a first domain and a second domain and includes a first domain security process associated with a first domain security policy and operable to provide access to first domain data based on the first domain security policy. The data manager further includes a second domain security process associated with a second domain security policy and operable to provide access to first domain data based on the second domain security policy.11-15-2012
20120291087Preventing Inappropriate Data Transfers Based on Reputation Scores - A method and apparatus for detecting violations of data loss prevention (DLP) policies based on reputation scores.11-15-2012
20120291092METHOD AND SYSTEM FOR DISTRIBUTING MEDIA CONTENT - A system that incorporates teachings of the present disclosure may include, for example, a set-top box operating from an interactive television (iTV) communication system having a controller to receive from the iTV communication system media content with metadata, record the media content, detect in the metadata a description of the media content correlating with one or more preferences in a preference profile, present at a media presentation device a first prompt requesting an acceptance or rejection of the media content, present at the media presentation device a second prompt requesting a selection of one or more communication devices to direct in whole or in part the media content thereto, detect the selection of at least one of the one or more communication devices, and transmit in whole or in part the media content to the at least one communication device. Other embodiments are disclosed.11-15-2012
20120137343TERMINAL, COMMUNICATION SYSTEM, DATA MANAGEMENT METHOD, SERVER AND STORAGE MEDIUM - [Problem] To reliably prevent a user's personal information from leaking, without burdening the user, and to manage sensor information, together with the result information acquired by processing a service that uses the sensor information, on the basis of importance, classification, personal attributes, form of utilization or the like.05-31-2012
20100199324SYSTEM AND METHOD FOR POLICY-BASED REGISTRATION OF CLIENT DEVICES - A system and method for policy-based registration of client devices is provided. Policy-based registration may use registration keys to register devices on a network. For example, registration keys may include policy assignments, folder assignments, group assignments, or other assignments for registering, identifying, and managing the device on the network. Devices can register one or more times (e.g., using one or more registration keys), resulting in the device being added to any number of folders and groups. Further, the policies may be used to control a registration process or to enforce registration rules. As such, administrators can construct folders or groups of devices with a set of keys, providing a consistent mechanism to easily register and manage a device.08-05-2010
20100199323System for Dynamically Turning On or Off Log On Methods Used for Access to PC or Network Based Systems - A method or system for dynamically changing the log on environment to a PC or networked based system that allows IT administrators, security personnel or system owners to decide to enable or disable log on methods used for access.08-05-2010
20100263019SECURE EXCHANGE OF MESSAGES - An arrangement for declaration of security level of transport paths/routes in one or more data networks where the arrangement at least comprises: an entity (10-14-2010
20130014206METHOD AND SYSTEMS FOR SECURING REMOTE ACCESS TO PRIVATE NETWORKS - A method for securing remote access to private networks includes a receiver intercepting from a data link layer a packet in a first plurality of packets destined for a first system on a private network. A filter intercepts from the data link layer a packet in a second plurality of packets transmitted from a second system on the private network, destined for a system on a second network. A transmitter in communication with the receiver and the filter performs a network address translation on at least one intercepted packet and transmits the at least one intercepted packet to a destination.01-10-2013
20130014212PERMISSION-BASED ADMINISTRATIVE CONTROLS - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for implementing permission-based administrative controls. In one aspect, a method includes receiving an administrator-defined pairing that identifies a permission and one or more applications, and receiving a request from a requesting application to perform one or more operations that are associated with the permission. The method also includes determining whether the requesting application is identified in the pairing, and selectively allowing the requesting application to perform the operations based on determining whether the requesting application is identified in the pairing.01-10-2013
20130014211APPLICATION IDENTITY DESIGN - Methods and apparatus, including computer program products, implementing and using techniques for providing user credentials over a network to a remote computer application. User credentials for the remote computer application are stored in a central repository that is accessible through the network. A request is sent to a service to perform, on behalf of a user, a particular task involving the remote computer application. It is determined whether the service has been granted permission to act on behalf of the user with respect to the remote computer application. When the service has permission to act on behalf of the user, the service is used to retrieve the user's credentials for the remote computer application from the central repository and to supply the retrieved user credentials to the remote computer application.01-10-2013
20130014210SYSTEM AND METHOD FOR SELECTION OF SECURITY ALGORITHMS - A method of managing security for a connection between a user device and a communications network including a plurality of base stations and a core network, the method including receiving at the core network security capability information for the user device connecting to the communications network via a first base station, retrieving security capability information at the core network for the first base station from a database that stores security capability information for the plurality of base stations, processing in the core network the security capability information for the user device and the security capability information for the first base station to select a security policy for a connection between the user device and the first base station, and transmitting the selected security policy to the first base station.01-10-2013
20130014209Content Management System - Content rights holders provide digital content to a hosting site to be used as reference content. The content owner specifies a policy for each digital content item, indicating how that content may be used on the site when uploaded by someone other than the content owner. An identification module compares the uploaded content against reference content. If the content matches reference content, the specified policy for that reference content is applied to the uploaded content. Policy options provided by the content owner include tracking the content to see how it is viewed, preventing the content from being distributed on the site, and allowing the content to be displayed in a revenue-sharing environment. In one embodiment, if the identification module matches the uploaded content to a reference item but the match does not have a sufficiently high level of confidence, the suggested match is queued for review by the content owner.01-10-2013
20100132014SECURE COMPOSITION OF WEB SERVICES - A method includes providing a model which allows to define acceptable sets of security features ((sf05-27-2010
20100132013RELIABLY TERMINATING PROCESSES IN A SYSTEM WITH CONFINED EXECUTION ENVIRONMENTS - Terminating a process executing within a container is described. An access restriction applicable to the process is temporarily modified with a policy change that prevents creating new processes within the container. The policy change prevents operations that would allow processes within the container from performing a fork operation, or otherwise spawning new processes within the container. The policy change may be, for example, applied by means of a rule added or removed from an access restriction policy. While the processes are prevented from creating new processes, one specified process or all processes within the container are terminated. After termination of the process(es), the policy change can be reversed, allowing normal use of the container.05-27-2010
20100132012MERGING MANDATORY ACCESS CONTROL (MAC) POLICIES IN A SYSTEM WITH MULTIPLE EXECUTION CONTAINERS - Application of a local instance of a general security policy is described. In a system with an instance of a program executing in a path container, a security policy applicable to the instance of the program is managed locally for the path container. The path container provides a confined execution environment for the program instance, and the security policy defines permitted operations for the program and all its instances. The instance of the security policy is associated with the path container, which allows the program instance to “see” management within the path container as though with the security policy, while entities having permissions outside the path container “see” the program instance limited to the path container and its associated security policy instance.05-27-2010
20130019277Zone-Based Firewall Policy Model for a Virtualized Data Center (Inventors: David Chang, Milpitas, CA, US; Abhijit Patra, Saratoga, CA, US; Nagaraj Bagepalli, San Jose, CA, US; Rajesh Kumar Sethuraghavan, San Jose, CA, US) - Techniques are provided for implementing a zone-based firewall policy. At a virtual network device, information is defined and stored that represents a security management zone for a virtual firewall policy comprising one or more common attributes of applications associated with the security zone. Information representing a firewall rule for the security zone is defined and comprises first conditions for matching common attributes of applications associated with the security zone and an action to be performed on application traffic. Parameters associated with the application traffic are received that are associated with properly provisioned virtual machines. A determination is made whether the application traffic parameters satisfy the conditions of the firewall rule and in response to determining that the conditions are satisfied, the action is performed.01-17-2013
20130019276Automatic Generation of User Account Policies Based on Configuration Management Database Information (Inventors: Ana C. Biazetti, Cary, NC, US; Jeffrey T. Robke, Apex, NC, US) - Mechanisms are provided for generating user account policies for generating user accounts to access resources of the data processing system. A determination is made that a user account policy for an identified resource in the data processing system is to be generated. Configuration information associated with the identified resource is retrieved from a configuration information database. A predefined user account policy template is retrieved from a user account policy template database system. A user account policy data structure is generated based on the retrieved configuration information and the retrieved predefined user account policy template.01-17-2013
20110145886METHODS AND SYSTEMS FOR ALLOCATING A USB DEVICE TO A TRUSTED VIRTUAL MACHINE OR A NON-TRUSTED VIRTUAL MACHINE - The methods and systems described herein provide for allocating a universal serial bus (USB) device to one of a trusted virtual machine and a non-trusted virtual machine. A control program receives data indicating a USB port on the computing machine received a USB device and identifies at least one attribute of the USB device. The control program selects, based on application of a policy to the identified at least one device attribute, one of a trusted virtual machine and a non-trusted virtual machine executing. The control program grants, to the virtual machine selected by the control program, access to the USB device.06-16-2011
20110162036IMAGE FORMING APPARATUS AND METHOD OF SETTING SECURITY POLICY THEREOF - An image forming apparatus including a communication interface unit to access an external device storing at least one security provider corresponding to user authentication, a user interface (UI) unit to select the security provider, a storage unit to receive the selected security provider from the external device and store the received security provider, a control unit to install the stored security provider in the image forming apparatus, select at least one application to apply the installed security provider, and set the installed security provider as a user authenticator for the at least one selected application.06-30-2011
20130024909ACCESS CONTROL PROGRAM, SYSTEM, AND METHOD - Authority permission grants/denials associated with each of a plurality of roles (R1, R2, . . . , Rm) assigned to one subject are derived by inheritance based on a subject assignment associating a role and a subject, an authority permission assignment associating a role, an authority permission, and a grant/denial, and a role hierarchy indicating an inheritance relation between roles. Among the derived authority permission grants/denials, grants/denials of authority permissions (A1, A2, . . . , An) which are each derived from two or more different roles (R1, R2, . . . , Rm) and which are each granted to one of the plurality of roles R1, R2 . . . Rm but denied to another one of the plurality of roles R1, R2 . . . Rm are determined in accordance with an input. As exceptional authority permission assignment for a virtual exceptional role constituted of a combination of roles (R1, R2, . . . , Rm), authority permission grants/denials associated with each role (R1, R2, . . . , Rm) are derived by inheritance based on the role hierarchy, authority permission assignment, and the exceptional authority permission assignment.01-24-2013
20080250471PARENTAL CONTROL USING SOCIAL METRICS SYSTEM AND METHOD - A parent defines friend rules for on-line association with their child. Upon a request of an on-line stranger to be a new friend of the child, stranger information about the on-line stranger is retrieved and compared to the friend rules to determine whether the stranger is allowed, blocked or restricted from being a friend with the child. Accordingly, the parent only has to use a minimal amount of time in establishing the friend rules to protect the parent's child from on-line strangers.10-09-2008
20080244697Security Objects Controlling Access To Resources - Controlling access to resources through use of security objects including creating a security object in dependence upon user-selected security control data types, the security object comprising security control data and at least one security method; receiving a request for access to the resource; receiving security request data; and determining access to the resource in dependence upon the security control data and the security request data. Creating a security object includes storing in the security object a resource identification for the resource; storing in the security object an authorization level of access for the resource; storing in the security object user-selected security control data types; and storing in the security object security control data for each user-selected security control data type. Embodiments include deploying the security object on a security server or on a client device.10-02-2008
20080244696Dynamic Access Control in a Content-Based Publish/Subscribe System with Delivery Guarantees - Improved access control techniques for distributed messaging systems such as content-based publish/subscribe systems are disclosed. For example, a method for providing access control in a content-based publish/subscribe system, wherein messages are delivered from publishing clients to subscribing clients via a plurality of brokers, includes the following steps/operations. One or more changes to an access control policy are specified. An access control version identifier is associated to the one or more changes. The one or more changes are sent to one or more brokers of the plurality of brokers that have a publishing client or a subscribing client associated therewith that is affected by the one or more changes. The access control version identifier associated with the one or more changes is sent to each of the plurality of brokers.10-02-2008
20080244693SMART WEB SERVICES POLICY SELECTION USING MACHINE LEARNING - A computer-implemented method to select a Web Service policy alternative can use previously collected data concerning Web Services to select a desirable Web Service policy alternative at runtime. The selected Web Service policy alternative can then be applied to a Web Service message such as a SOAP message.10-02-2008
20080235758Method for processing securities data - A method for processing securities data comprises: analyzing a plurality of fields of a plurality of securities data in order to respectively conclude the statistic distribution summary of the values of each field of each securities data; defining a grouping and encoding process for the fields according to the distribution summary, and unifying the grouping and encoding processes for all fields into an encoding rule; and encoding the other securities data according to the encoding rule. The encoding rule can greatly reduce the amount of data and it comprises: classifying and rearranging number according to the codes of securities data in order to reduce the size of the transmission serial codes; indicating the relative price for the price of the securities data; indicating the relative time difference for the securities data which have any trading records in the previous one minute; and offering suitable field width and encoding process according to the size of each securities data to indicate its amount.09-25-2008
20080235755Firewall propagation - Methods and systems for propagating data security policies and rules up a chain of network components, for example, from an end-user device having a firewall, to a network component at the “edge” of the network, such as a so-called “edge” firewall server, from where a policy statement can be transmitted to a service provider, such as an ISP, are described. A device, such as a computer or mobile phone, has, as part of its firewall software, a policy propagation file that communicates with pre-existing firewall software. The firewall software creates a policy statement upon detecting a triggering event, which is transmitted from the device to the next data security component up the chain, “upstream,” in the network. In some cases this device may be a firewall server or a firewall policy server. The firewall server may combine policy statements from numerous end-user type devices and transmit the policy statement to an external network component, such as an ISP firewall server or similar device. The ISP or other service provider may then use the policy statement to implement data security rules for the devices in the network. In this manner, the firewall operated by the ISP implements rules and policies of a network owner or the owner of a stand-alone device, thereby preventing unwanted traffic from entering the network.09-25-2008
20080235754Methods and apparatus for enforcing launch policies in processing systems - A processing system has a processing unit, nonvolatile storage, and secure nonvolatile memory with inherent access control. The nonvolatile storage includes an authenticated code (AC) module, a launch policy setting, and a second code module. The secure nonvolatile memory includes an integrity metric for the launch policy setting. When executed by the processing unit, the AC module computes a new integrity metric for the launch policy setting, and uses the new integrity metric for the launch policy setting and the integrity metric for the launch policy setting to determine whether the launch policy setting should be trusted. The AC module may also compute a new integrity metric for the second code module, and may use the launch policy setting and the new integrity metric for the second code module to determine whether the second code module should be allowed to execute.09-25-2008
20080229384POLICY-BASED AUDITING OF IDENTITY CREDENTIAL DISCLOSURE BY A SECURE TOKEN SERVICE - A user defines an audit policy. The audit policy identifies one or more triggers that, when related information is included in a security token, trigger the performance of the audit. The audit can include notifying the user in some manner that the trigger occurred. The audit can require in-line confirmation of the audit, so that the security token is not transmitted until the user confirms the audit.09-18-2008
20110247048TESTING POLICIES IN A NETWORK - A device may include first logic configured to receive a data unit and to receive a network policy. The device may include second logic configured to identify how the data unit will be handled by the network policy and to generate a result that includes information about how the data unit will be handled by the network policy.10-06-2011
20110247047METHOD FOR SECURING DATA AND/OR APPLICATIONS IN A CLOUD COMPUTING ARCHITECTURE - A method for securing data and/or applications within a cloud computing architecture is provided. According to the invention, a security module is provided, the security module being administered by the user of said virtual server(s) which is/are dedicated to said user; said security module is provided with one or more security policies to be applied to the data managed by the virtual servers dedicated to said user; said security module is provided with identifiers as well as keys to access the user's dedicated virtual servers; the security module accesses the user's dedicated virtual server; the security module exports the security policies, which have been provided to it, to the dedicated virtual servers; and the dedicated virtual servers apply the security policies, which have been provided to them by the security module, to the data they manage.10-06-2011
20110247045Disposable browsers and authentication techniques for a secure online user environment - Disclosed herein are systems and methods that allow for secure access to websites and web-based applications and other resources available through the browser. Also described are systems and methods for secure use and retention of user credentials, as well as methods for dynamic authentication of users and integrity checking of service providers in online environments. Thus, described in the present specification are systems and methods for constructing and destroying private, secure, browsing environments (a secure disposable browser), insulating the user from the threats associated with being online for the purposes of providing secure, policy-based interaction with online services.10-06-2011
20130174213IMPLICIT SHARING AND PRIVACY CONTROL THROUGH PHYSICAL BEHAVIORS USING SENSOR-RICH DEVICES - A system for automatically sharing virtual objects between different mixed reality environments is described. In some embodiments, a see-through head-mounted display device (HMD) automatically determines a privacy setting associated with another HMD by inferring a particular social relationship with a person associated with the other HMD (e.g., inferring that the person is a friend or acquaintance). The particular social relationship may be inferred by considering the distance to the person associated with the other HMD, the type of environment (e.g., at home or work), and particular physical interactions involving the person (e.g., handshakes or hugs). The HMD may subsequently transmit one or more virtual objects associated with the privacy setting to the other HMD. The HMD may also receive and display one or more other virtual objects from the other HMD based on the privacy setting.07-04-2013
20130174216Application of Differential Policies to at Least One Digital Document - In a method (07-04-2013
20130174210SYSTEM FOR DATA FLOW PROTECTION AND USE CONTROL OF APPLICATIONS AND PORTABLE DEVICES CONFIGURED BY LOCATION - The present invention relates to a system for implementing a firewall service on portable devices such as mobile phones, tablets or notebooks, which changes their security settings depending on the location where they are. More specifically, the invention relates to a method of protecting data flow and controlling the use of devices and functional applications present in a portable device, configured from their location.07-04-2013
20130174211Method And Apparatus Providing Privacy Setting And Monitoring User Interface - A method and an apparatus provide for operating a user interface of a device to receive from a user, for individual ones of a plurality of user privacy categories, a user privacy setting; to map each user privacy setting to one or more device sensors to form a sensor policy for the user privacy category; and to monitor application program accesses to device sensors to detect a violation of a sensor policy. An aspect of the exemplary embodiments of this invention is the user interface that can represent privacy levels of each application program to the user in a “user-friendly” format. Another aspect of the exemplary embodiments is to provide the user device with an ability to detect and act on or at least report privacy violations by the application programs.07-04-2013
20130174212Indication of Authorized and Unauthorized PCC Rules - Various exemplary embodiments relate to a method and related network node including one or more of the following: receiving the set of PCC rules at the network device from a partner device; determining that the set of PCC rules includes an unauthorized PCC rule, wherein the unauthorized PCC rule fails an authorization; determining that the set of PCC rules includes an authorized PCC rule, wherein the authorized PCC rule passes the authorization; generating an unauthorized rules list including an indication of the unauthorized PCC rule; generating an authorized rules list including an indication of the authorized PCC rule; transmitting the unauthorized rules list and the authorized rules list to the partner device.07-04-2013
20130174217ACCESS CONTROL INFORMATION GENERATING SYSTEM07-04-2013
20080222698Secure Computer Communication - A method of improving the security of computer communications over a connecting network comprising the steps, carried out before a data packet enters the connecting network from a user domain, of tagging the data packet from a user domain with a security level marking and appending the tagged data packet with a string formed from a check-sum made over the data packet and security level marking tag to form a datagram. The integrity of the data is protected and the method can be used to prevent the mis-routing of data packets to user domains of lower security classification.09-11-2008
20080222697Application Server Object-level Security for Distributed Computing Domains - Objects on application servers may be defined into classes which receive different levels of security protection, such as definition of user objects and administrative objects. Domain-wide security may be enforced on administrative objects, while user object security may be configured separately for each application server in a domain. In a CORBA architecture, IORs for shared objects which are to be secured on a domain-wide basis, such as administrative objects, are provided with tagged components during IOR creation and exporting to a name server. Later, when the IOR is used by a client, the client invokes necessary security measures such as authentication, authorization and transport protection according to the tagged components.09-11-2008
20080222696System, Method, Apparatus, and Computer Program Product for Facilitating Digital Communications - A computer-implemented method and apparatus prevents unsecured access to a computer over a network by a client running on a remote computer. In one aspect of the present invention, a client policy is stored on the remote computer. The client policy includes a configuration of the remote computer that reduces the likelihood of a security breach of the computer as a result of the remote computer accessing the computer. A request is received from a user for access to the computer. It is verified that the remote computer conforms with the client policy, and the client is connected to said computer.09-11-2008
20080222695Key management for content protection - A method for content access control operative to enable authorized devices to access protected content and to prevent unauthorized devices from accessing protected content, the method comprising: providing a plurality of authorized devices; dividing the plurality of authorized devices into a plurality of groups, each of the plurality of authorized devices being comprised in at least one of the plurality of groups, no two devices of the plurality of authorized devices being comprised in exactly the same groups; determining whether at least one device of the plurality of authorized devices is to be prevented from having access to the protected content and, if at least one device is to be prevented, removing all groups comprising the at least one device from the plurality of groups, thus producing a set of remaining groups; and determining an authorized set comprising groups from the set of remaining groups, such that each device of the plurality of authorized devices which was not determined, in the determining whether step, to be prevented from having access is comprised in at least one group of the authorized set.09-11-2008
20080222694System, server, and program for access right management - Each domain is provided with an access right management device which creates a resource-sharing policy and performs processing for resource-sharing policy negotiation between a plurality of domain administrators. An access right management device that has created a resource-sharing policy identifies, for each policy unit included in the resource-sharing policy, an access right management device that is a negotiating partner to negotiate with about the policy unit in question. The access right management device generates negotiation information including an identification name of the identified negotiating-partner access right management device and the policy unit in question and sends the negotiation information to the negotiating-partner access right management device. Only when all policy units are agreed on by respective identified negotiating-partner access right management devices, the resource-sharing policy is set on shared resources.09-11-2008
20080222693Multiple security groups with common keys on distributed networks - A technique for securing message traffic in a data network using a protocol such as IPsec, and more particularly, various methods for distributing security policies among peer entities in a network while minimizing the passing and storage of detailed policy or key information except at the lowest levels of a hierarchy.09-11-2008
20080222692DEVICE-INITIATED SECURITY POLICY - A method and system for executing a security policy at a mobile terminal is provided. The mobile terminal may contact an authentication entity based on the security policy. The mobile terminal may receive a response from the authentication entity indicative of a security status of the mobile terminal. The mobile terminal may execute a security action based on the received response.09-11-2008
20130152159ENHANCED LIFECYCLE MANAGEMENT OF SECURITY MODULE - A method, computer program, apparatus and a secure module are described. By way of example, in the method there are steps of receiving a request from a first entity for a secure module to enter an unlock lifecycle state; requesting confirmation to enter the unlock lifecycle state; and if the request is confirmed, transitioning the secure module from a current lifecycle state to the unlock lifecycle state.06-13-2013
20130152160SYSTEMS AND METHODS FOR USING CIPHER OBJECTS TO PROTECT DATA - Systems, methods, and devices configured to provide an intelligent cipher transfer object are provided. The intelligent cipher transfer object includes a set of participants protected by cloaking patterns. A portable dynamic rule set, which includes executable code for managing access to the protected set of participants, is included within the intelligent cipher transfer object. For a given user, the intelligent cipher transfer object may provide access to some of the participants while preventing access to other participants, based on the portable dynamic rule set.06-13-2013
20130179936Security policy management using incident analysis - A security analytics system receives incident data (from an incident management system) and security policy information (from a security policy management system). The security analytics system evaluates these data sets against one another, preferably using a rules-based analysis engine. As a result, the security analytics system determines whether a particular security policy configuration (as established by the security policy management system) needs to be (or should be) changed, e.g., to reduce the number of incidents caused by a misconfiguration, to increase its effectiveness in some manner, or the like. As a result of the evaluation, the security analytics system may cause a policy to be updated automatically, notify an administrator of the need for the change (and the recommendation), or take some other action to evolve one or more security policies being enforced by the security policy management system.07-11-2013
20130179937SECURITY MODEL ANALYSIS - A customized security model template is created that is customized for a specific organization's security related procedures. The customized security model template is instantiated with parameters associated with the organization to create an instantiated security model, and a report is produced based on simulations of the instantiated security model that specifies metrics of the organization's security implementation.07-11-2013
20130179938Security policy management using incident analysis - A security analytics system receives incident data (from an incident management system) and security policy information (from a security policy management system). The security analytics system evaluates these data sets against one another, preferably using a rules-based analysis engine. As a result, the security analytics system determines whether a particular security policy configuration (as established by the security policy management system) needs to be (or should be) changed, e.g., to reduce the number of incidents caused by a misconfiguration, to increase its effectiveness in some manner, or the like. As a result of the evaluation, the security analytics system may cause a policy to be updated automatically, notify an administrator of the need for the change (and the recommendation), or take some other action to evolve one or more security policies being enforced by the security policy management system.07-11-2013
20130179939METHOD AND APPARATUS FOR PROVIDING EXTENDED AVAILABILITY OF REPRESENTATIVES FOR REMOTE SUPPORT AND MANAGEMENT - A network appliance is configured to determine a security policy controlled by a system of an organization. The network appliance creates an association between the security policy and support agent access to the system. The network appliance creates portals where the access is based on the security policy and access includes connectivity for providing remote support service to the system from a remote support service disconnected from the system.07-11-2013
20130145421POLICY EVALUATION IN CONTROLLED ENVIRONMENT - A module may include interface logic to receive information identifying a state related to a client device via logic related to a controlled environment, and to send a valid policy result to a host device, where the valid policy result is related to the state. The module may include processing logic to process policy content according to a resource policy, where the processing is based on the information, and to produce the valid policy result based on the processing using the resource policy, where the valid policy result is adapted for use by the host device when implementing the network policy with respect to a destination device when the client device attempts to communicate with the destination device.06-06-2013
20130145422Security Techniques For Device Assisted Services - Methods and systems for receiving a report from an end-user device, the report comprising information about a device service state; determining, based on the report, that a particular service policy setting of the end-user device needs to be modified, the particular service policy setting associated with a service profile that provides for access to a network data service over a wireless access network and configured to assist in controlling one or more communications between the end-user device and the wireless access network, the particular service policy setting stored in a protected partition configured to deter or prevent unauthorized modifications to the particular service policy setting; and, in response to determining that the particular service policy setting needs to be modified, sending configuration information to the end-user device, the configuration information configured to assist in modifying or allowing modifications to the particular service policy setting.06-06-2013
20130145423METHOD, SYSTEM AND COMPUTER PROGRAM PRODUCT FOR TAGGING CONTENT ON UNCONTROLLED WEB APPLICATION - Communications by a device in a private network to a site operating outside of the network can be programmatically inspected. Unstructured data, including messages and application content, originating from outside of the network may be dynamically converted to structured data that can be tagged. Interactions and activities can be monitored and processed differently according to internal policies and/or business rules. For example, at least a portion of the structured data can be modified prior to forwarding to the device, access by the device to at least a portion of the structured data can be blocked or limited, access by the device to one or more features associated with the structured data can be blocked or limited, etc.06-06-2013
20130174215Multi-Layer System for Privacy Enforcement and Monitoring of Suspicious Data Access Behavior - A method for controlling data access in a data-at-rest system includes executing a link intrusion prevention analysis between multiple layers of the data-at-rest system, introducing a privacy policy at enforcement points that span multiple system layers, and dynamically altering the privacy policy.07-04-2013
20120254938SYSTEMS AND METHODS OF CONTROLLING NETWORK ACCESS - A new approach to network security includes manipulating an access point such that an initial communication from an external device is passed to a restricted subset of a computing network including a gatekeeper. The gatekeeper is configured to enforce a security policy against the external device before granting access to a less-restricted subset of the computing network. If requirements of the security policy are satisfied, then the gatekeeper reconfigures the access point such that further communication from the external device may be received by elements of the less-restricted subset. Enforcement of the security policy optionally includes performing a security audit of the external device.10-04-2012
20120254937SYSTEMS AND METHODS OF CONTROLLING NETWORK ACCESS - A new approach to network security includes manipulating an access point such that an initial communication from an external device is passed to a restricted subset of a computing network including a gatekeeper. The gatekeeper is configured to enforce a security policy against the external device before granting access to a less-restricted subset of the computing network. If requirements of the security policy are satisfied, then the gatekeeper reconfigures the access point such that further communication from the external device may be received by elements of the less-restricted subset. Enforcement of the security policy optionally includes performing a security audit of the external device.10-04-2012
20120254935AUTHENTICATION COLLABORATION SYSTEM AND AUTHENTICATION COLLABORATION METHOD - An authentication collaboration server of an authentication collaboration system performs a secrecy calculation process using authentication information as input for an authentication process, generating secret authentication information for each piece of the authentication information. An authentication information verification server obtains and compares sets of the combination of secret authentication information generated by the authentication server, and a user ID identifying a user of a user terminal using the authentication information that is a source of the secret authentication information. The authentication information verification server extracts the plurality of pieces of authentication information that have been applied. The authentication collaboration server approves a service when a user authentication state is removed, as the authentication results constituting the user authentication state satisfy the policy for the service, after an authentication result in which application of the authentication information has occurred. A collaboration service is achieved including multiple low-cost Web services.10-04-2012
20130091538SECURE FIREWALL RULE FORMULATION - A kernel extension is configured to intercept a call to associate a socket with a port of a node in a network. The call originates from a kernel of the node. The kernel extension is configured to determine the port from the call. The kernel extension is configured to determine that the port is one of a plurality of ports for which the node has authority to modify firewall rules of a firewall of the network. The kernel extension is configured to modify firewall rules maintained by the firewall to allow communications for the port to the node through the firewall.04-11-2013
20130091539SYSTEM AND METHOD FOR INSIDER THREAT DETECTION - A system and method include obtaining data related to accessing cyber assets and accessing physical assets from a combined cyber access and physical access control system that protects cyber and physical assets of an organization from both authorized and unauthorized access with malicious intent. The system and method compare the data to known patterns of expected behavior, and identify patterns of suspicious behavior as a function of comparing the data to the patterns of expected behavior. The comparison is utilized to identify potentially malicious insider behavior toward the cyber and physical assets.04-11-2013
20130091544SYSTEM AND METHOD FOR ENFORCING A POLICY FOR AN AUTHENTICATOR DEVICE - A system and method including defining at least one device authentication policy; at a policy engine, initializing authentication policy processing for an authenticator device; collecting device status assessment; evaluating policy compliance of the device status assessment to an associated defined device authentication policy; and enforcing use of the authenticator device according to the policy compliance.04-11-2013
20130091543 SYSTEM AND METHOD FOR CREATING SECURE APPLICATIONS - A method for generating a secure application is described herein. The method can include the steps of obtaining a target application and decomposing the target application into original files that contain predictable instructions. One or more predictable instructions in the original files may be identified. In addition, the target application may be modified to create the secure application by binding one or more intercepts to the target application. These intercepts can enable the modification of the predictable instructions in accordance with one or more policies such that the behavior of the secure application is different from the original behavior of the target application. Modification of the target application may be conducted without access to the source code of the target application. 04-11-2013
20130091542 APPLICATION MARKETPLACE ADMINISTRATIVE CONTROLS - The subject matter of this specification can be embodied in, among other things, a method that includes receiving, by one or more servers associated with an application marketplace, a policy that includes data that identifies one or more users, and a restricted permission. A request is received, by the servers associated with the application marketplace, to access one or more applications that are distributed through the application marketplace, wherein the request includes data that identifies a particular one of the users. One or more of the applications that are associated with the restricted permission are identified by the servers associated with the application marketplace, and access by the particular user to the applications that are associated with the restricted permission is restricted by the servers associated with the application marketplace. 04-11-2013
20130091541 EFFECTIVE TESTING OF AUTHORIZATION LOGIC OF WEB COMPONENTS WHICH UTILIZE CLAIMS-BASED AUTHORIZATION - An authorization algorithm of a software component can be selected. A static code analysis can be performed to determine a conditional statement within an algorithm of the software component. The outcome of the conditional statement can be established based on an input and criteria using dynamic code analysis. The input can be a value associated with a claim set of a claims-based authentication policy. The criteria can be authentication criteria specified within the algorithm. Responsive to the outcome, an execution path associated with the outcome can be determined and a code coverage criterion can be met for the conditional statement. 04-11-2013
20130091540 SOCIAL DEVICE SECURITY IN A SOCIAL NETWORK - A social network (SNET) is divided into one or more circles employing separate security secrets, e.g. keys, for communication between members. A device can be a member of more than one circle, and store different keys for each of those circles in separate, restricted portions of memory. When a member leaves a circle, new keys can be generated and distributed to the remaining members. Before and after joining a circle, a level of trust associated with the device or human member can be determined based on third-party trust verification and a trust history. A requirement for multiple current circle members to vouch for the prospective member can be imposed as a condition of membership. Each circle can be assigned different trust and access levels, and authorization to receive information can be checked before transmitting information between circles. 04-11-2013
20130091534 NETWORK APPLIANCE FOR CUSTOMIZABLE QUARANTINING OF A NODE ON A NETWORK - A system, method, and apparatus are directed to managing access to a network. An agent may intercept a network packet transmitted by an enforcement point in response to a request from a device to join the network. The agent identifies, based on the network packet, a port number on the enforcement point at which the request is received. The agent